www-commits

www/proprietary proprietary-insecurity.html


From: Therese Godefroy
Subject: www/proprietary proprietary-insecurity.html
Date: Wed, 26 Sep 2018 10:10:20 -0400 (EDT)

CVSROOT:        /webcvs/www
Module name:    www
Changes by:     Therese Godefroy <th_g> 18/09/26 10:10:20

Modified files:
        proprietary    : proprietary-insecurity.html 

Log message:
        + secret audio messages (RT #1324736) & missing items;
        fix some links (also in malware-appliances); regenerate from recfile.

CVSWeb URLs:
http://web.cvs.savannah.gnu.org/viewcvs/www/proprietary/proprietary-insecurity.html?cvsroot=www&r1=1.84&r2=1.85

Patches:
Index: proprietary-insecurity.html
===================================================================
RCS file: /webcvs/www/www/proprietary/proprietary-insecurity.html,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -b -r1.84 -r1.85
--- proprietary-insecurity.html 18 Sep 2018 17:12:37 -0000      1.84
+++ proprietary-insecurity.html 26 Sep 2018 14:10:20 -0000      1.85
@@ -1,5 +1,10 @@
 <!--#include virtual="/server/header.html" -->
 <!-- Parent-Version: 1.84 -->
+<!-- 
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Generated from propr-blurbs.rec. Please do not edit this file manually !
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-->
 <title>Proprietary Insecurity
 - GNU Project - Free Software Foundation</title>
  <!--#include virtual="/proprietary/po/proprietary-insecurity.translist" -->
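Review bot: the new "do not edit manually" banner (lines `+<!-- ` through `+-->`) carries a stray space before the exclamation mark and trailing whitespace on the opening `<!-- ` line; since this block is itself emitted by the recfile generator, fix the template so it reads `Please do not edit this file manually!` and drops the trailing blank, otherwise every regeneration re-introduces the same whitespace noise in the diff.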
@@ -40,492 +45,526 @@
 to inform us. Please include the URL of a trustworthy reference or two
 to present the specifics.</p>
 
-<ul>
-<li>
-  <p>Some Samsung phones
-    randomly <a 
href="https://www.theverge.com/circuitbreaker/2018/7/2/17528076/samsung-phones-text-rcs-update-messages";>send
+<ul class="blurbs">
+  <li id="M201809240">
+    <p>Researchers have discovered how to <a
+    
href="http://news.rub.de/english/press-releases/2018-09-24-it-security-secret-messages-alexa-and-co";>
+    hide voice commands in other audio</a>, so that people cannot hear
+    them, but Alexa and Siri can.</p>
+  </li>
+
+  <li id="M201808120">
+    <p>Crackers found a way to break the security of an Amazon device,
+    and <a href="https://boingboing.net/2018/08/12/alexa-bob-carol.html";>
+    turn it into a listening device</a> for them.</p>
+  
+    <p>It was very difficult for them to do this. The job would be much
+    easier for Amazon. And if some government such as China or the US
+    told Amazon to do this, or cease to sell the product in that country,
+    do you think Amazon would have the moral fiber to say no?</p>
+  
+    <p>These crackers are probably hackers too, but please <a
+    href="https://stallman.org/articles/on-hacking.html";> don't use
+    &ldquo;hacking&rdquo; to mean &ldquo;breaking security&rdquo;</a>.</p>
+  </li>
+
+  <li id="M201807100">
+    <p>Siri, Alexa, and all the other voice-control systems can be <a
+    
href="https://www.fastcodesign.com/90139019/a-simple-design-flaw-makes-it-astoundingly-easy-to-hack-siri-and-alexa";>
+    hijacked by programs that play commands in ultrasound that humans
+    can't hear</a>.</p>
+  </li>
+
+  <li id="M201807020">
+    <p>Some Samsung phones randomly <a
+    
href="https://www.theverge.com/circuitbreaker/2018/7/2/17528076/samsung-phones-text-rcs-update-messages";>send
     photos to people in the owner's contact list</a>.</p>
-</li>
-<li>
-  <p>One of the dangers of the &ldquo;internet of stings&rdquo; is that, if
-    you lose your internet service, you also <a
-href="https://torrentfreak.com/piracy-notices-can-mess-with-your-thermostat-isp-warns-171224/";>
+  </li>
+
+  <li id="M201712240">
+    <p>One of the dangers of the &ldquo;internet of stings&rdquo;
+    is that, if you lose your internet service, you also <a
+    
href="https://torrentfreak.com/piracy-notices-can-mess-with-your-thermostat-isp-warns-171224/";>
     lose control of your house and appliances</a>.</p>
-  <p>For your safety, don't use any appliance with a connection to the real
-    internet.</p>
-</li>
-<li>
-  <p>Amazon recently invited consumers to be suckers and <a
-href="https://www.techdirt.com/articles/20171120/10533238651/vulnerability-fo";>
-    allow delivery staff to open their front doors</a>. Wouldn't you know it,
-    the system has a grave security flaw.</p>
-</li>
-<li>
+  
+    <p>For your safety, don't use any appliance with a connection to the
+    real internet.</p>
+  </li>
+
+  <li id="M201711204">
   <p>Intel's intentional &ldquo;management engine&rdquo; back door has <a
-href="https://www.theregister.co.uk/2017/11/20/intel_flags_firmware_flaws/";>
+    
href="https://www.theregister.co.uk/2017/11/20/intel_flags_firmware_flaws/";>
     unintended back doors</a> too.</p>
-</li>
-<li>
-  <p>Bad security in some cars makes it possible
-    to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14937";>
+  </li>
+
+  <li id="M201711200">
+    <p>Amazon recently invited consumers to be suckers and <a
+    
href="https://www.techdirt.com/articles/20171120/10533238651/vulnerability-fo";>
+    allow delivery staff to open their front doors</a>. Wouldn't you know
+    it, the system has a grave security flaw.</p>
+  </li>
+
+  <li id="M201709290">
+    <p>Bad security in some cars makes it possible to <a
+    href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14937";>
       remotely activate the airbags</a>.</p>
-</li>
-<li>
-  <p>A &ldquo;smart&rdquo; intravenous pump designed for
-    hospitals is connected to the internet. Naturally <a
-href="https://www.techdirt.com/articles/20170920/09450338247/smart-hospital-iv-pump-vulnerable-to-remote-hack-attack.shtml";>
+  </li>
+
+  <li id="M201709200">
+    <p>A &ldquo;smart&rdquo; intravenous pump
+    designed for hospitals is connected to the internet. Naturally <a
+    
href="https://www.techdirt.com/articles/20170920/09450338247/smart-hospital-iv-pump-vulnerable-to-remote-hack-attack.shtml";>
     its security has been cracked</a>.</p>
+  
   <p>Note that this article misuses the term <a
-href="/philosophy/words-to-avoid.html#Hacker">&ldquo;hackers&rdquo;</a>
+    href="/philosophy/words-to-avoid.html#Hacker">&ldquo;hackers&rdquo;</a>
      referring to crackers.</p>
-</li>
-<li>
-  <p>The bad security in many Internet of Stings devices
-    allows <a 
href="https://www.techdirt.com/articles/20170828/08152938092/iot-devices-provide-comcast-wonderful-new-opportunity-to-spy-you.shtml";>ISPs
+  </li>
+
+  <li id="M201708280">
+    <p>The bad security in many Internet of Stings devices allows <a
+    
href="https://www.techdirt.com/articles/20170828/08152938092/iot-devices-provide-comcast-wonderful-new-opportunity-to-spy-you.shtml";>ISPs
     to snoop on the people that use them</a>.</p>
+  
   <p>Don't be a sucker&mdash;reject all the stings.</p>
+  
   <p>It is unfortunate that the article uses the term <a
-     href="/philosophy/words-to-avoid.html#Monetize">
-     &ldquo;monetize&rdquo;</a>.</p>
-</li>
-<li>
-  <p>Siri, Alexa, and all the other voice-control systems can be
-  <a
-href="https://www.fastcodesign.com/90139019/a-simple-design-flaw-makes-it-astoundingly-easy-to-hack-siri-and-alexa";>
-  hijacked by programs that play commands in ultrasound that humans can't
-  hear</a>.</p>
-</li>
+    
href="/philosophy/words-to-avoid.html#Monetize">&ldquo;monetize&rdquo;</a>.</p>
+  </li>
        
-<li id="break-security-smarttv">
-  <p><a
-       
href="http://www.dailymail.co.uk/sciencetech/article-2249303/Hackers-penetrate-home-Crack-Samsungs-Smart-TV-allows-attacker-seize-control-microphone-cameras.html";>
-      Crackers found a way to break security on a &ldquo;smart&rdquo; TV</a> 
and use its camera
-      to watch the people who are watching TV.</p>
-</li>
-<li>
+  <li id="M201706201">
   <p>Many models of Internet-connected cameras <a
   href="/proprietary/proprietary-back-doors.html#InternetCameraBackDoor">
   have backdoors</a>.</p>
 
-  <p>That is a malicious functionality, but in addition it is a gross
-  insecurity since anyone, including malicious crackers, <a 
href="https://arstechnica.com/security/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/";>can
 find those accounts and use them to get into
-  users' cameras</a>.</p>
-
-</li>
-
-<li>
-  <p>
-    Conexant HD Audio Driver Package (version 1.0.0.46 and earlier)
-    pre-installed on 28 models of HP laptops logged the user's
-    keystroke to a file in the filesystem. Any process with access to
-    the filesystem or the MapViewOfFile API could gain access to the
-    log. Furthermore, <a 
href="https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt";>according
-    to modzero</a> the &ldquo;information-leak via Covert Storage
-    Channel enables malware authors to capture keystrokes without
-    taking the risk of being classified as malicious task by AV
-    heuristics&rdquo;.
-  </p>
-</li>
-<li>
-<p>The proprietary code that runs pacemakers, insulin pumps, and other
-medical devices is <a href="http://www.bbc.co.uk/news/technology-40042584";>
-full of gross security faults</a>.</p>
-</li>
-
-
-<li>
-  <p>Exploits of bugs in Windows, which were developed by the NSA
-       and then leaked by the Shadowbrokers group, are now being used to
-       <a 
href="https://theintercept.com/2017/05/12/the-nsas-lost-digital-weapon-is-helping-hijack-computers-around-the-world/";>attack
 a great number
-       of Windows computers with ransomware</a>.
-       </p>
-</li>
-
-<li  id="intel-me-10-year-vulnerability">
-  <p>Intel's CPU backdoor&mdash;the Intel Management Engine&mdash;had a
-       <a 
href="https://arstechnica.com/security/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years/";>major
 security
-       vulnerability for 10 years</a>.</p>
-
-  <p>The vulnerability allowed a cracker to access the computer's Intel Active
-      Management Technology
-      (AMT) <a 
href="https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/";>
+    <p>That is a malicious functionality, but in addition it
+    is a gross insecurity since anyone, including malicious crackers, <a
+    
href="https://arstechnica.com/security/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/";>can
+    find those accounts and use them to get into users' cameras</a>.</p>
+  </li>
+
+  <li id="M201706050">
+    <p id="intel-me-10-year-vulnerability">Intel's
+    CPU backdoor&mdash;the Intel Management Engine&mdash;had a <a
+    
href="https://arstechnica.com/security/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years/";>major
+    security vulnerability for 10 years</a>.</p>
+  
+    <p>The vulnerability allowed a cracker to access
+    the computer's Intel Active Management Technology (AMT) <a
+    
href="https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/";>
       web interface with an empty password and gave administrative
-      access</a> to access the computer's keyboard, mouse, monitor
-      among other privileges.</p>
+    access</a> to access the computer's keyboard, mouse, monitor among
+    other privileges.</p>
 
        <p>It does not help that in newer Intel processors, it is impossible
        to turn off the Intel Management Engine. Thus, even users who are 
        proactive about their security can do nothing to protect themselves 
        besides using machines that don't come with the backdoor.</p>
+  </li>
 
-</li>
+  <li id="M201705250">
+    <p>The proprietary code that runs pacemakers,
+    insulin pumps, and other medical devices is <a
+    href="http://www.bbc.co.uk/news/technology-40042584";> full of gross
+    security faults</a>.</p>
+  </li>
+
+  <li id="M201705160">
+    <p>Conexant HD Audio Driver Package (version 1.0.0.46 and earlier)
+    pre-installed on 28 models of HP laptops logged the user's keystroke
+    to a file in the filesystem. Any process with access to the filesystem
+    or the MapViewOfFile API could gain access to the log. Furthermore, <a
+    
href="https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt";>according
+    to modzero</a> the &ldquo;information-leak via Covert Storage Channel
+    enables malware authors to capture keystrokes without taking the risk
+    of being classified as malicious task by AV heuristics&rdquo;.</p>
+  </li>
 
-<li>
-  <p>Many Android devices <a 
href="https://arstechnica.com/security/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/";>
+  <li id="M201705120">
+    <p>Exploits of bugs in Windows, which were developed by the NSA
+    and then leaked by the Shadowbrokers group, are now being used to <a
+    
href="https://theintercept.com/2017/05/12/the-nsas-lost-digital-weapon-is-helping-hijack-computers-around-the-world/";>attack
+    a great number of Windows computers with ransomware</a>.</p>
+  </li>
+
+  <li id="M201704050">
+    <p>Many Android devices <a
+    
href="https://arstechnica.com/security/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/";>
        can be hijacked through their Wi-Fi chips</a> because of a bug in
        Broadcom's non-free firmware.</p>
-</li>
+  </li>
+
+  <li id="M201703270">
+    <p>When Miele's Internet of
+    Stings hospital disinfectant dishwasher is <a
+    
href="https://motherboard.vice.com/en_us/article/pg9qkv/a-hackable-dishwasher-is-connecting-hospitals-to-the-internet-of-shit";>
+    connected to the Internet, its security is crap</a>.</p>
+  
+    <p>For example, a cracker can gain access to the dishwasher's
+    filesystem, infect it with malware, and force the dishwasher to launch
+    attacks on other devices in the network. Since these dishwashers are
+    used in hospitals, such attacks could potentially put hundreds of
+    lives at risk.</p>
+  </li>
+
+  <li id="M201702200">
+    <p>If you buy a used &ldquo;smart&rdquo;
+    car, house, TV, refrigerator, etc., usually <a
+    
href="http://boingboing.net/2017/02/20/the-previous-owners-of-used.html";>the
+    previous owners can still remotely control it</a>.</p>
+  </li>
+
+  <li id="M201702170">
+    <p>The mobile apps for communicating <a
+    
href="https://www.bleepingcomputer.com/news/security/millions-of-smart-cars-vulnerable-due-to-insecure-android-apps/";>with
+    a smart but foolish car have very bad security</a>.</p>
+  
+    <p>This is in addition to the fact that the car contains a cellular
+    modem that tells big brother all the time where it is.  If you own
+    such a car, it would be wise to disconnect the modem so as to turn
+    off the tracking.</p>
+  </li>
+
+  <li id="M201701270">
+    <p>Samsung phones <a
+    
href="https://www.bleepingcomputer.com/news/security/sms-exploitable-bug-in-samsung-galaxy-phones-can-be-used-for-ransomware-attacks/";>have
+    a security hole that allows an SMS message to install
+    ransomware</a>.</p>
+  </li>
+
+  <li id="M201701130">
+    <p>WhatsApp has a feature that <a
+    
href="https://techcrunch.com/2017/01/13/encrypted-messaging-platform-whatsapp-denies-backdoor-claim/";>
+    has been described as a &ldquo;back door&rdquo;</a> because it would
+    enable governments to nullify its encryption.</p>
 
-<li>
-<p>When Miele's Internet of Stings hospital disinfectant dishwasher is <a
-href="https://motherboard.vice.com/en_us/article/pg9qkv/a-hackable-dishwasher-is-connecting-hospitals-to-the-internet-of-shit";>
-connected to the Internet, its security is crap</a>.</p>
-
-<p>For example, a cracker can gain access to the dishwasher's filesystem, 
-infect it with malware, and force the dishwasher to launch attacks on other
-devices in the network. Since these dishwashers are used in hospitals, such
-attacks could potentially put hundreds of lives at risk.</p>
-
-</li>
-<li><p>WhatsApp has a feature that 
-    <a 
href="https://techcrunch.com/2017/01/13/encrypted-messaging-platform-whatsapp-denies-backdoor-claim/";>
-      has been described as a &ldquo;back door&rdquo;</a>
-    because it would enable governments to nullify its encryption.</p>
   <p>The developers say that it wasn't intended as a back door, and that
     may well be true. But that leaves the crucial question of whether it
     functions as one. Because the program is nonfree, we cannot check by
-    studying it.</p></li>
+    studying it.</p>
+  </li>
 
-<li>
-<p>The &ldquo;smart&rdquo; toys My Friend Cayla and i-Que can be
-<a 
href="https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws";>remotely
 controlled with a mobile phone</a>; physical access
-is not necessary. This would enable crackers to listen in on a child's
-conversations, and even speak into the toys themselves.</p>
-
-<p>This means a burglar could speak into the toys and ask the child to
-unlock the front door while Mommy's not looking.</p>
-</li>
-
-<li>
-<p>The mobile apps for
-communicating <a 
href="https://www.bleepingcomputer.com/news/security/millions-of-smart-cars-vulnerable-due-to-insecure-android-apps/";>with
-a smart but foolish car have very bad security</a>.</p>
-
-<p>This is in addition to the fact that the car contains a cellular
-modem that tells big brother all the time where it is.  If you own
-such a car, it would be wise to disconnect the modem so as to turn off
-the tracking.</p>
-</li>
-
-<li>
-<p>If you buy a used &ldquo;smart&rdquo; car, house, TV, refrigerator,
-etc.,
-usually <a 
href="http://boingboing.net/2017/02/20/the-previous-owners-of-used.html";>the
-previous owners can still remotely control it</a>.</p>
-</li>
-
-<li>
-<p>Samsung
-phones <a 
href="https://www.bleepingcomputer.com/news/security/sms-exploitable-bug-in-samsung-galaxy-phones-can-be-used-for-ransomware-attacks/";>have
-a security hole that allows an SMS message to install
-ransomware</a>.</p>
-</li>
-
-<li>
-<p>4G LTE phone networks are drastically insecure. They can be
-<a 
href="https://web.archive.org/web/20161027223907/http://www.theregister.co.uk/2016/10/23/every_lte_call_text_can_be_intercepted_blacked_out_hacker_finds/";>
-taken
-over by third parties and used for man-in-the-middle attacks</a>.</p>
-</li>
-
-<li>
-<p>Due to weak security, <a 
href="http://jalopnik.com/almost-every-volkswagen-built-since-1995-is-vulnerable-1785159844";>it
-is easy to open the doors of 100 million cars built by Volkswagen</a>.</p>
-</li>
-
-<li>
-<p>Ransomware <a
-href="https://www.pentestpartners.com/security-blog/thermostat-ransomware-a-lesson-in-iot-security/";>
-has been developed for a thermostat that uses proprietary software</a>.</p>
-</li>
-
-<li>
-<p>A <a 
href="http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/";>flaw
 in
-Internet Explorer and Edge</a> allows an attacker to retrieve
-Microsoft account credentials, if the user is tricked into visiting a
-malicious link.</p>
-</li>
-
-<li>
-<p><a 
href="https://techcrunch.com/2016/07/29/research-shows-deleted-whatsapp-messages-arent-actually-deleted/";>&ldquo;Deleted&rdquo;
-WhatsApp messages are not entirely deleted</a>. They can be recovered
-in various ways.
-</p>
-</li>
+  <li id="M201612061">
+    <p>The &ldquo;smart&rdquo; toys My Friend Cayla and i-Que can be <a
+    
href="https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws";>remotely
+    controlled with a mobile phone</a>; physical access is not
+    necessary. This would enable crackers to listen in on a child's
+    conversations, and even speak into the toys themselves.</p>
+  
+    <p>This means a burglar could speak into the toys and ask the child
+    to unlock the front door while Mommy's not looking.</p>
+  </li>
+
+  <li id="M201610230">
+    <p>4G LTE phone networks are drastically insecure. They can be <a
+    
href="https://www.theregister.co.uk/2016/10/23/every_lte_call_text_can_be_intercepted_blacked_out_hacker_finds/";>
+    taken over by third parties and used for man-in-the-middle
+    attacks</a>.</p>
+  </li>
+
+  <li id="M201608110">
+    <p>Due to weak security, <a
+    
href="http://jalopnik.com/almost-every-volkswagen-built-since-1995-is-vulnerable-1785159844";>it
+    is easy to open the doors of 100 million cars built by
+    Volkswagen</a>.</p>
+  </li>
+
+  <li id="M201608080">
+    <p>Ransomware <a
+    
href="https://www.pentestpartners.com/security-blog/thermostat-ransomware-a-lesson-in-iot-security/";>
+    has been developed for a thermostat that uses proprietary
+    software</a>.</p>
+  </li>
+
+  <li id="M201608020">
+    <p>A <a
+    
href="http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/";>flaw
+    in Internet Explorer and Edge</a> allows an attacker to retrieve
+    Microsoft account credentials, if the user is tricked into visiting
+    a malicious link.</p>
+  </li>
 
-<li>
-<p>A vulnerability in Apple's Image I/O API allowed an attacker to
-<a 
href="https://www.theguardian.com/technology/2016/jul/22/stagefright-flaw-ios-iphone-imessage-apple";>execute
+  <li id="M201607290">
+    <p><a
+    
href="https://techcrunch.com/2016/07/29/research-shows-deleted-whatsapp-messages-arent-actually-deleted/";>&ldquo;Deleted&rdquo;
+    WhatsApp messages are not entirely deleted</a>. They can be recovered
+    in various ways.</p>
+  </li>
+
+  <li id="M201607220">
+    <p>A vulnerability in Apple's Image I/O API allowed an attacker to <a
+    
href="https://www.theguardian.com/technology/2016/jul/22/stagefright-flaw-ios-iphone-imessage-apple";>execute
   malicious code from any application which uses this API to render a
   certain kind of image file</a>.</p>
-</li>
-<li>
-<p>A bug in a proprietary ASN.1 library, used in cell phone towers as
-well as cell phones and
-routers, <a 
href="http://arstechnica.com/security/2016/07/software-flaw-puts-mobile-phones-and-networks-at-risk-of-complete-takeover";>allows
-taking control of those systems</a>.</p>
-</li>
-
-<li>
-<p>Antivirus programs have so many errors
-  that <a 
href="https://theconversation.com/as-more-vulnerabilities-are-discovered-is-it-time-to-uninstall-antivirus-software-61374";>they
-  may make security worse</a>.</p>
-<p>GNU/Linux does not need antivirus software.</p>
-</li>
-
-<li>
-<p>Over 70 brands of network-connected surveillance
-cameras <a 
href="http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html";>have
-security bugs that allow anyone to watch through them</a>.</p>
-</li>
-
-<li>
-<p>
-Samsung's &ldquo;Smart Home&rdquo; has a big security
-hole; <a 
href="http://arstechnica.com/security/2016/05/samsung-smart-home-flaws-lets-hackers-make-keys-to-front-door/";>unauthorized
-people can remotely control it</a>.</p>
-
-<p>Samsung claims that this is an &ldquo;open&rdquo; platform so the
-problem is partly the fault of app developers. That is clearly true if
-the apps are proprietary software.</p>
-
-<p>Anything whose name is &ldquo;Smart&rdquo; is most likely going to
-screw you.</p>
-</li>
-
-<li>
-<p>
-The Nissan Leaf has a built-in cell phone modem which allows
-effectively
-anyone <a 
href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/";>to
-access its computers remotely and make changes in various
-settings</a>.</p>
-
-<p>That's easy to do because the system has no authentication when
-accessed through the modem.  However, even if it asked for
-authentication, you couldn't be confident that Nissan has no
-access.  The software in the car is
-proprietary, <a href="/philosophy/free-software-even-more-important.html">which
-means it demands blind faith from its users</a>.</p>
-
-<p>Even if no one connects to the car remotely, the cell phone modem
-enables the phone company to track the car's movements all the time;
-it is possible to physically remove the cell phone modem though.</p>
-</li>
-
-<li>
-<p>
-Malware found
-on <a 
href="http://www.slate.com/blogs/future_tense/2016/04/11/security_cameras_sold_through_amazon_have_malware_according_to_security.html";>security
-cameras available through Amazon</a>.
-</p>
-
-<p>A camera that records locally on physical media, and has no network
-  connection, does not threaten people with surveillance&mdash;neither by
-  watching people through the camera, nor through malware in the camera.
-</p>
-</li>
-
-<li>
-<p>A bug in the iThings Messages
-app <a 
href="https://theintercept.com/2016/04/12/apple-bug-exposed-chat-history-with-a-single-click/";>allowed
-a malicious web site to extract all the user's messaging history</a>.
-</p>
-</li>
-
-<li>
-<p>Many proprietary payment apps <a
-href="http://www.bloomberg.com/news/articles/2016-03-10/many-mobile-payments-startups-aren-t-properly-securing-user-data";>
-transmit personal data in an insecure way</a>.
-However, the worse aspect of these apps is that
-<a href="/philosophy/surveillance-vs-democracy.html">payment is not 
anonymous</a>.
-</p>
-</li>
-
-<li>
-<p>
-FitBit fitness trackers <a 
href="http://www.tripwire.com/state-of-security/latest-security-news/10-second-hack-delivers-first-ever-malware-to-fitness-trackers/";>
-have a Bluetooth vulnerability</a> that allows
-attackers to send malware to the devices, which can subsequently spread
-to computers and other FitBit trackers that interact with them.
-</p>
-</li>
+  </li>
 
-<li>
-<p>
-&ldquo;Self-encrypting&rdquo; disk drives do the encryption with proprietary
-firmware so you can't trust it. Western Digital's &ldquo;My Passport&rdquo;
-drives
-<a 
href="https://motherboard.vice.com/en_us/article/mgbmma/some-popular-self-encrypting-hard-drives-have-really-bad-encryption";>have
 a back door</a>.
-</p>
-</li>
-
-<li>
-<p>
-Mac OS X had an
-<a 
href="https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/";>
-intentional local back door for 4 years</a>, which could be
-exploited by attackers to gain root privileges.
-</p>
-</li>
-
-<li>
-<p>Security researchers discovered a
-<a 
href="http://www.theguardian.com/technology/2015/aug/12/hack-car-brakes-sms-text";>
-vulnerability in diagnostic dongles used for vehicle tracking and
-insurance</a> that let them take remote control of a car or
-lorry using an SMS.
-</p>
-</li>
-
-<li>
-<p>
-Crackers were able to
-<a 
href="http://arstechnica.com/security/2015/07/fiat-chrysler-connected-car-bug-lets-hackers-take-over-jeep-remotely/";>take
 remote control of the Jeep</a>
-&ldquo;connected car&rdquo;.
-<br/>They could track the car, start or stop the engine, and
-activate or deactivate the brakes, and more.
-</p>
-<p>
-I expect that Chrysler and the NSA can do this too.
-</p>
-<p>
-If I ever own a car, and it contains a portable phone, I will
-deactivate that.
-</p>
-</li>
-
-<li>
-<p>
-Hospira infusion pumps, which are used to administer drugs to
-a patient, were rated
-&ldquo;<a
-href="https://securityledger.com/2015/05/researcher-drug-pump-the-least-secure-ip-device-ive-ever-seen/";>least
-secure IP device I've ever seen</a>&rdquo;
-by a security researcher.
-</p>
-<p>
-Depending on what drug is being infused, the insecurity could
-open the door to murder.
-</p>
-</li>
-
-<li>
-<p>
-Due to bad security in a drug pump, crackers could use it to
-<a 
href="http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/";>kill
 patients</a>.
-</p>
-</li>
-
-<li>
-<p>
-<a 
href="http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html";>
-The NSA can tap data in smart phones, including iPhones, Android, and
-BlackBerry</a>.  While there is not much detail here, it seems that
-this does not operate via the universal back door that we know nearly
-all portable phones have.  It may involve exploiting various bugs.
-There
-are <a 
href="http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone";>
-lots of bugs in the phones' radio software</a>.
-</p>
-</li>
-
-<li>
-<p><a 
href="http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/";>
-&ldquo;Smart homes&rdquo;</a> turn out to be stupidly vulnerable to
-intrusion.</p>
-</li>
-
-<li>
-<p>The
-<a 
href="http://arstechnica.com/security/2014/02/crypto-weaknesses-in-whatsapp-the-kind-of-stuff-the-nsa-would-love/";>insecurity
 of WhatsApp</a>
-makes eavesdropping a snap.</p>
-</li>
-
-<li>
-<p><a 
href="http://www.nytimes.com/2013/09/05/technology/ftc-says-webcams-flaw-put-users-lives-on-display.html";>
-The FTC punished a company for making webcams with bad security so
-that it was easy for anyone to watch them</a>.
-</p>
-</li>
+  <li id="M201607190">
+    <p>A bug in a proprietary ASN.1 library, used
+    in cell phone towers as well as cell phones and routers, <a
+    
href="http://arstechnica.com/security/2016/07/software-flaw-puts-mobile-phones-and-networks-at-risk-of-complete-takeover";>allows
+    taking control of those systems</a>.</p>
+  </li>
+
+  <li id="M201606290">
+    <p>Antivirus programs have so many errors that <a
+    
href="https://theconversation.com/as-more-vulnerabilities-are-discovered-is-it-time-to-uninstall-antivirus-software-61374";>they
+    may make security worse</a>.</p>
 
-<li>
-<p><a 
href="http://www.pcworld.idg.com.au/article/379477/hacking_music_can_take_control_your_car/";>
-It is possible to take control of some car computers through malware
-in music files</a>.
-Also <a href="http://www.nytimes.com/2011/03/10/business/10hack.html?_r=0";>by
-radio</a>.  Here is <a href="http://www.autosec.org/faq.html";>more
-information</a>.
-</p>
-</li>
+    <p>GNU/Linux does not need antivirus software.</p>
+  </li>
 
-<li>
-<p><a 
href="http://siliconangle.com/blog/2013/07/27/famed-hacker-barnaby-jack-dies-days-before-scheduled-black-hat-appearance/";>
-It is possible to kill people by taking control of medical implants by
-radio</a>.  Here
-is <a href="http://www.bbc.co.uk/news/technology-17631838";>more
-information</a>.  And <a
-href="https://web.archive.org/web/20180203130244/http://blog.ioactive.com/2013/02/broken-hearts-how-plausible-was.html";>here</a>.
-</p>
-</li>
+  <li id="M201605020">
+    <p>Samsung's &ldquo;Smart Home&rdquo; has a big security hole; <a
+    
href="http://arstechnica.com/security/2016/05/samsung-smart-home-flaws-lets-hackers-make-keys-to-front-door/";>
+    unauthorized people can remotely control it</a>.</p>
+  
+    <p>Samsung claims that this is an &ldquo;open&rdquo; platform so the
+    problem is partly the fault of app developers. That is clearly true
+    if the apps are proprietary software.</p>
+  
+    <p>Anything whose name is &ldquo;Smart&rdquo; is most likely going
+    to screw you.</p>
+  </li>
+
+  <li id="M201604120">
+    <p>A bug in the iThings Messages app <a
+    
href="https://theintercept.com/2016/04/12/apple-bug-exposed-chat-history-with-a-single-click/";>allowed
+    a malicious web site to extract all the user's messaging
+    history</a>.</p>
+  </li>
+
+  <li id="M201604110">
+    <p>Malware was found on <a
+    
href="http://www.slate.com/blogs/future_tense/2016/04/11/security_cameras_sold_through_amazon_have_malware_according_to_security.html";>
+    security cameras available through Amazon</a>.</p>
+  
+    <p>A camera that records locally on physical media, and has no network
+    connection, does not threaten people with surveillance&mdash;neither
+    by watching people through the camera, nor through malware in the
+    camera.</p>
+  </li>
+
+  <li id="M201603220">
+    <p>Over 70 brands of network-connected surveillance cameras have <a
+    
href="http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html";>
+    security bugs that allow anyone to watch through them</a>.</p>
+  </li>
+
+  <li id="M201603100">
+    <p>Many proprietary payment apps <a
+    
href="http://www.bloomberg.com/news/articles/2016-03-10/many-mobile-payments-startups-aren-t-properly-securing-user-data";>transmit
+    personal data in an insecure way</a>. However,
+    the worse aspect of these apps is that <a
+    href="/philosophy/surveillance-vs-democracy.html">payment is not
+    anonymous</a>.</p>
+  </li>
+
+  <li id="M201602240">
+    <p id="nissan-modem">The Nissan Leaf has a built-in
+    cell phone modem which allows effectively anyone <a
+    href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/";>to
+    access its computers remotely and make changes in various
+    settings</a>.</p>
+  
+    <p>That's easy to do because the system has no authentication
+    when accessed through the modem.  However, even if it asked
+    for authentication, you couldn't be confident that Nissan
+    has no access.  The software in the car is proprietary, <a
+    href="/philosophy/free-software-even-more-important.html">which means
+    it demands blind faith from its users</a>.</p>
+  
+    <p>Even if no one connects to the car remotely, the cell phone modem
+    enables the phone company to track the car's movements all the time;
+    it is possible to physically remove the cell phone modem, though.</p>
+  </li>
+
+  <li id="M201510210">
+    <p>FitBit fitness trackers have a <a
+    
href="http://www.tripwire.com/state-of-security/latest-security-news/10-second-hack-delivers-first-ever-malware-to-fitness-trackers/";>
+    Bluetooth vulnerability</a> that allows attackers to send malware
+    to the devices, which can subsequently spread to computers and other
+    FitBit trackers that interact with them.</p>
+  </li>
+
+  <li id="M201510200">
+    <p>&ldquo;Self-encrypting&rdquo; disk drives
+    do the encryption with proprietary firmware so you
+    can't trust it.  Western Digital's &ldquo;My Passport&rdquo; drives <a
+    
href="https://motherboard.vice.com/en_us/article/mgbmma/some-popular-self-encrypting-hard-drives-have-really-bad-encryption";>
+    have a back door</a>.</p>
+  </li>
+
+  <li id="M201508120">
+    <p>Security researchers discovered a <a
+    
href="http://www.theguardian.com/technology/2015/aug/12/hack-car-brakes-sms-text";>
+    vulnerability in diagnostic dongles used for vehicle tracking and
+    insurance</a> that let them take remote control of a car or lorry
+    using an SMS.</p>
+  </li>
+
+  <li id="M201507214">
+    <p>Crackers were able to <a
+    
href="http://arstechnica.com/security/2015/07/fiat-chrysler-connected-car-bug-lets-hackers-take-over-jeep-remotely/";>
+    take remote control of the Jeep</a> &ldquo;connected car&rdquo;. They
+    could track the car, start or stop the engine, and activate or
+    deactivate the brakes, and more.</p>
+  
+    <p>I expect that Chrysler and the NSA can do this too.</p>
+  
+    <p>If I ever own a car, and it contains a portable phone, I will
+    deactivate that.</p>
+  </li>
+
+  <li id="M201506080">
+    <p>Due to bad security in a drug pump, crackers could use it to <a
+    
href="http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/";>
+    kill patients</a>.</p>
+  </li>
 
-<li>
-<p>Lots of <a 
href="http://www.wired.com/2014/04/hospital-equipment-vulnerable/";>hospital 
equipment has lousy security</a>, and it can be fatal.
-</p>
-</li>
+  <li id="M201505294">
+    <p><a
+    
href="http://phys.org/news/2015-05-app-vulnerability-threatens-millions-users.html";>
+    Many smartphone apps use insecure authentication methods when storing
+    your personal data on remote servers</a>. This leaves personal
+    information like email addresses, passwords, and health information
+    vulnerable. Because many of these apps are proprietary it makes it
+    hard to impossible to know which apps are at risk.</p>
+  </li>
+
+  <li id="M201505050">
+    <p>Hospira infusion pumps, which are used
+    to administer drugs to a patient, were rated &ldquo;<a
+    
href="https://securityledger.com/2015/05/researcher-drug-pump-the-least-secure-ip-device-ive-ever-seen/";>least
+    secure IP device I've ever seen</a>&rdquo; by a security
+    researcher.</p>
+  
+    <p>Depending on what drug is being infused, the insecurity could open
+    the door to murder.</p>
+  </li>
+
+  <li id="M201504090">
+    <p>Mac OS X had an <a
+    
href="https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/";>
+    intentional local back door for 4 years</a>, which could be exploited
+    by attackers to gain root privileges.</p>
+  </li>
+
+  <li id="M201405190">
+    <p>An app to prevent &ldquo;identity theft&rdquo;
+    (access to personal data) by storing users' data on a special server <a
+    
href="http://arstechnica.com/tech-policy/2014/05/id-theft-protector-lifelock-deletes-user-data-over-concerns-that-app-isnt-safe/";>was
+    deactivated by its developer</a> which had discovered a security
+    flaw.</p>
+  
+    <p>That developer seems to be conscientious about protecting personal
+    data from third parties in general, but it can't protect that data
+    from the state.  Quite the contrary: confiding your data to someone
+    else's server, if not first encrypted by you with free software,
+    undermines your rights.</p>
+  </li>
+
+  <li id="M201404250">
+    <p>Lots of <a
+    href="http://www.wired.com/2014/04/hospital-equipment-vulnerable/";>
+    hospital equipment has lousy security</a>, and it can be fatal.</p>
+  </li>
+
+  <li id="M201402210">
+    <p>The <a
+    
href="http://arstechnica.com/security/2014/02/crypto-weaknesses-in-whatsapp-the-kind-of-stuff-the-nsa-would-love/";>insecurity
+    of WhatsApp</a> makes eavesdropping a snap.</p>
+  </li>
+
+  <li id="M201312290">
+    <p><a href="http://www.bunniestudios.com/blog/?p=3554";> Some flash
+    memories have modifiable software</a>, which makes them vulnerable
+    to viruses.</p>
+  
+    <p>We don't call this a &ldquo;back door&rdquo; because it is normal
+    that you can install a new system in a computer, given physical access
+    to it.  However, memory sticks and cards should not be modifiable in
+    this way.</p>
+  </li>
 
-<li>
-<p><a 
href="http://arstechnica.com/security/2013/12/credit-card-fraud-comes-of-age-with-first-known-point-of-sale-botnet/";>
-Point-of-sale terminals running Windows were taken over and turned
-into a botnet for the purpose of collecting customers' credit card
-numbers</a>.
-</p>
-</li>
+  <li id="M201312040">
+    <p><a
+    
href="http://arstechnica.com/security/2013/12/credit-card-fraud-comes-of-age-with-first-known-point-of-sale-botnet/";>
+    Point-of-sale terminals running Windows were taken over</a> and
+    turned into a botnet for the purpose of collecting customers' credit
+    card numbers.</p>
+  </li>
 
-<li>
-<p>An app to prevent &ldquo;identity theft&rdquo; (access to personal data)
-by storing users' data on a special server
-<a 
href="http://arstechnica.com/tech-policy/2014/05/id-theft-protector-lifelock-deletes-user-data-over-concerns-that-app-isnt-safe/";>was
-deactivated by its developer</a> which had discovered a security flaw.
-</p>
+  <li id="M201311120">
+    <p><a
+    
href="https://web.archive.org/web/20180816030205/http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html";>
+    The NSA can tap data in smart phones, including iPhones,
+    Android, and BlackBerry</a>.  While there is not much
+    detail here, it seems that this does not operate via
+    the universal back door that we know nearly all portable
+    phones have. It may involve exploiting various bugs.  There are <a
+    
href="http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone";>
+    lots of bugs in the phones' radio software</a>.</p>
+  </li>
 
-<p>
-That developer seems to be conscientious about protecting personal
-data from third parties in general, but it can't protect that data
-from the state.  Quite the contrary: confiding your data to someone
-else's server, if not first encrypted by you with free software,
-undermines your rights.
-</p>
-</li>
+  <li id="M201309054">
+    <p><a
+    
href="http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security";>The
+    NSA has put back doors into nonfree encryption software</a>. We don't
+    know which ones they are, but we can be sure they include some widely
+    used systems.  This reinforces the point that you can never trust
+    the security of nonfree software.</p>
+  </li>
+
+  <li id="M201309050">
+    <p>The FTC punished a company for making webcams with <a
+    
href="http://www.nytimes.com/2013/09/05/technology/ftc-says-webcams-flaw-put-users-lives-on-display.html";>
+    bad security so that it was easy for anyone to watch through
+    them</a>.</p>
+  </li>
+
+  <li id="M201308060">
+    <p><a href="http://spritesmods.com/?art=hddhack&amp;page=6";>
+    Replaceable nonfree software in disk drives can be written by a
+    nonfree program</a>. This makes any system vulnerable to persistent
+    attacks that normal forensics won't detect.</p>
+  </li>
+
+  <li id="M201307270">
+    <p> It is possible to <a
+    
href="http://siliconangle.com/blog/2013/07/27/famed-hacker-barnaby-jack-dies-days-before-scheduled-black-hat-appearance/";>
+    kill people by taking control of medical
+    implants by radio</a>.  More information in <a
+    href="http://www.bbc.co.uk/news/technology-17631838";>BBC
+    News</a> and <a
+    
href="https://blog.ioactive.com/2013/02/broken-hearts-how-plausible-was.html";>
+    IOActive Labs Research blog</a>.</p>
+  </li>
 
-<li>
-<p><a href="http://www.bunniestudios.com/blog/?p=3554";> Some flash
-memories have modifiable software</a>, which makes them vulnerable to
-viruses.</p>
-
-<p>We don't call this a &ldquo;back door&rdquo; because it is normal
-that you can install a new system in a computer given physical access
-to it.  However, memory sticks and cards should not be modifiable in
-this way.</p>
-</li>
-
-<li>
-<p><a href="http://spritesmods.com/?art=hddhack&amp;page=6";> Replaceable
-nonfree software in disk drives can be written by a nonfree
-program.</a>  This makes any system vulnerable to persistent attacks
-that normal forensics won't detect.</p>
-</li>
-
-<li>
-<p><a 
href="http://phys.org/news/2015-05-app-vulnerability-threatens-millions-users.html";>
-Many smartphone apps use insecure authentication methods when storing
-your personal data on remote servers.</a>
-This leaves personal information like email addresses, passwords, and health 
information vulnerable. Because many
-of these apps are proprietary it makes it hard to impossible to know which 
apps are at risk.</p>
-</li>
+  <li id="M201307260">
+    <p><a
+    
href="http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/";>
+    &ldquo;Smart homes&rdquo;</a> turn out to be stupidly vulnerable to
+    intrusion.</p>
+  </li>
 
+  <li id="M201212170">
+    <p id="break-security-smarttv"><a
+    
href="http://www.dailymail.co.uk/sciencetech/article-2249303/Hackers-penetrate-home-Crack-Samsungs-Smart-TV-allows-attacker-seize-control-microphone-cameras.html";>
+    Crackers found a way to break security on a &ldquo;smart&rdquo; TV</a>
+    and use its camera to watch the people who are watching TV.</p>
+  </li>
+
+  <li id="M201103110">
+    <p>It is possible to take control of some car computers through <a
+    
href="http://www.pcworld.idg.com.au/article/379477/hacking_music_can_take_control_your_car/";>
  
+    malware in music files</a>.  Also <a
+    href="http://www.nytimes.com/2011/03/10/business/10hack.html?_r=0";>
+    by radio</a>. Here is <a href="http://www.autosec.org/faq.html";>more
+    information</a>.</p>
+  </li>
 </ul>
 
+
 </div><!-- for id="content", starts in the include above -->
 <!--#include virtual="/server/footer.html" -->
 <div id="footer">
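Review bot: the M201307270 entry swaps the archived IOActive link (the web.archive.org/web/20180203130244/... copy removed at the top of this hunk) for the live https://blog.ioactive.com/2013/02/broken-hearts-how-plausible-was.html URL; an archive copy is usually kept because the live page had moved or gone, so please confirm the live URL still resolves before the archived one is dropped. Two smaller points in the same hunk: the M201510200 blurb says Western Digital's &ldquo;My Passport&rdquo; drives "have a back door", while the linked article's slug describes "really bad encryption"; if the article does not document a deliberate back door, wording such as "have badly broken encryption" would track the source more closely. And the paragraph separators inside the new `<li>` blocks are emitted as `+  ` (indent with trailing spaces on an otherwise blank line), and an extra blank line is added after `</ul>`; both are harmless in rendered HTML but worth trimming so later diffs stay clean.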
@@ -583,7 +622,7 @@
 
 <p class="unprintable">Updated:
 <!-- timestamp start -->
-$Date: 2018/09/18 17:12:37 $
+$Date: 2018/09/26 14:10:20 $
 <!-- timestamp end -->
 </p>
 </div>


