
Tag: Frozen

New processors are now blocked from receiving updates on old Windows

The promised update block is now in effect.

25% off HotLogic Mini Personal Portable Oven – Deal Alert

Hot Logic Mini averages 4.8 out of 5 stars on Amazon from over 1,800 people (87% rate a full 5 stars: read recent reviews).  A cross between a lunch bag and an oven, this personal, portable cooker is great for the office, job site, the campsite, the car, or anywhere you have an outlet.

The Hot Logic Mini will prepare fresh-cooked hot meals, reheated meals or perfectly cooked prepackaged meals without overcooked edges or frozen centers. Whether you're cooking uncooked, frozen chicken breasts with fresh beans on top or reheating last night's pizza, HotLogic will cook it and hold its temperature until you're ready to eat.
Its typical list price of $39.95 has been reduced, for now, to $29.95.
See this deal now on Amazon.

Elite: Dangerous crowdfunding campaign reinstated after copyright flap

Spidermind Games’ crowdfunding campaign back in business, closes Wednesday morning.

IBM’s Watson proves useful at fighting cancer—except in Texas

Despite early success, MD Anderson ignored IT, broke protocols, spent millions.

White House Announces Retaliatory Measures For Russian Election-Related Hacking

35 Russian intelligence operatives ejected from the US, and two of the "Cyber Most Wanted" are frozen out by Treasury Department. UPDATED 4:00 PM E.T.

THURSDAY -- The US, today, formally ejected 35 Russian intelligence operatives from the United States and imposed sanctions on nine entities and individuals: Russia's two leading intelligence services (the G.R.U. and the F.S.B.), four individual GRU officers, and three other organizations.

The actions are the Obama administration's response to a Russian hacking and disinformation campaign used to interfere in the American election process. The FBI and the Department of Homeland Security also released new declassified technical information on Russian civilian and military intelligence service cyber activity, in an effort to help network defenders protect against these threats. Further, the State Department is shutting down two Russian compounds, in Maryland and New York, used by Russian personnel for intelligence-related purposes. Plus, the US Department of Treasury sanctioned two members of the FBI's Cyber Most Wanted List, Evgeniy Mikhailovich Bogachev and Aleksey Alekseyevich Belan.
Infosec pros will recognize Bogachev especially as the alleged head of the GameOver Zeus botnet.

A $3 million reward for info leading to his arrest has been available for some time. Treasury sanctioned Bogachev and Belan "for their activities related to the significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for private financial gain. As a result of today’s action, any property or interests in property of [Bogachev and Belan] within U.S. jurisdiction must be blocked and U.S. persons are generally prohibited from engaging in transactions with them." This is the first time sanctions are being issued under an Executive Order first signed by President Obama in April 2015, and expanded today.

The original Executive Order gives the president authorization to impose some sort of retribution or response to cyberattacks, and also allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. That includes freezing the assets of attackers.

The sanctions announced today are not expected to be the Obama administration's complete response to the Russian operations. In a statement, the president said "These actions are not the sum total of our response to Russia’s aggressive activities. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized." The moves will put pressure on president-elect Donald Trump to either support or attempt to lift the sanctions on Russian officials and entities.

Trump has expressed skepticism at the validity of American intelligence agencies' assertions that such a campaign occurred at all. When asked by reporters Wednesday night about the fact that these sanctions were set to be announced, Trump said, “I think we ought to get on with our lives. I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on.”

The NY Times reported today that immediate sanctions are being imposed on four Russian intelligence officials: Igor Valentinovich Korobov, the current chief of the G.R.U., as well as three deputies: Sergey Aleksandrovich Gizunov, the deputy chief of the G.R.U.; Igor Olegovich Kostyukov, a first deputy chief; and Vladimir Stepanovich Alekseyev, also a first deputy chief of the G.R.U. From the Times:

The administration also put sanctions on three companies and organizations that it said supported the hacking operations: the Special Technologies Center, a signals intelligence operation in St. Petersburg; a firm called Zor Security that is also known as Esage Lab; and the Autonomous Non-commercial Organization Professional Association of Designers of Data Processing Systems, whose lengthy name, American officials said, was cover for a group that provided special training for the hacking.

Wednesday, the Russian Ministry of Foreign Affairs' official representative, Maria Zakharova, said in a statement on the ministry's website: "If Washington really does take new hostile steps, they will be answered ... any action against Russian diplomatic missions in the US will immediately bounce back on US diplomats in Russia."

'Proportional' response

The news comes after President Obama stated in October that the US would issue a "proportional" response to Russian cyber attacks on the Democratic National Committee. The administration has used the word "proportional" when discussing cyber attacks before.
In December 2014, while officially naming North Korea as the culprit behind the attacks at Sony Pictures Entertainment, President Obama said the US would "respond proportionately." That attack was against one entertainment company, however, and not a nation's election system, so the proportions are surely different.

"We have never been here before," said security expert Cris Thomas, aka Space Rogue, in a Dark Reading interview in October. "No one really knows what is socially acceptable and what is not when it comes to cyber. We have no 'Geneva Convention' for cyber."

According to Reuters reports, "One decision that has been made, [officials] said, speaking on the condition of anonymity, is to avoid any moves that exceed the Russian election hacking and risk an escalating cyber conflict."

As Christopher Porter, manager of the Horizons team at FireEye, explained in a Dark Reading interview in October, Russian doctrine supports escalation as a way to de-escalate tensions or conflict. "If the US administration puts in place a proportional response, Moscow could do something even worse to stop a future response … I think that is very dangerous."

"The administration, fellow lawmakers and general public must understand the potentially catastrophic consequences of a digital cyber conflict escalating into a kinetic, conventional shooting-war," said Intel Security CTO Steve Grobman, in a statement. "While offensive cyber operations can be highly precise munitions, in that they can be directed to only impact specific targets, the global and interconnected nature of computing systems can lead to unintended consequences. Impacting digital infrastructure beyond the intended target opens the door to draw additional nation states into a conflict. This increases risk to civilian populations as countries see the need to retaliate or escalate."

ORIGINAL STORY:

Officials stated Wednesday that the White House will announce, as early as today, a series of measures the US will use to respond to Russian interference in the American election process.

The news comes after President Obama stated in October that the US would issue a "proportional" response to Russian cyber attacks on the Democratic National Committee. Not all the measures will be announced publicly. According to CNN, "The federal government plans some unannounced actions taken through covert means at a time of its choosing."

Wednesday, CNN reported that as part of the public response, the administration is expected to name names -- specifically, individuals associated with a Russian disinformation operation against the Hillary Clinton presidential campaign. The actions announced are expected to include expanded sanctions and diplomatic actions. Reuters reported Wednesday that "targeted economic sanctions, indictments, leaking information to embarrass Russian officials or oligarchs, and restrictions on Russian diplomats in the United States are among steps that have been discussed."

In April 2015, President Obama signed an Executive Order, which gives the president authorization to impose some sort of retribution or response to cyberattacks.

The EO has not yet been used. It allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. That includes freezing the assets of attackers.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Police kept inquiry of high school nude pics scheme quiet for...

Police in Mountain View, California, told Ars on Tuesday that they are set to formally present the results of their months-long investigation of an online nude photo exchange of high school girls. The presentation will go to county prosecutors before the end of the year.

“No arrests or charges filed yet in this case,” Katie Nelson, a spokeswoman for the Mountain View Police Department, told Ars by e-mail. “We are presenting the case to the [district attorney] by year's end, and they will ultimately decide what direction this goes.”

As has happened in similar cases in other parts of the country for years now, ringleaders could be prosecuted with child pornography, among other felony charges.

Over the weekend, the San Francisco Chronicle broke the story of the investigation. The newspaper reported that the investigation involves a “handful of individuals,” both male and female minors, who are believed to be at the “center of the investigation.” There were photos of at least two girls on a private Dropbox account that was circulated among some students at that school and others as well. The Dropbox account was immediately frozen by police, and no one has since been able to view, access, share, download, or upload anything.

The San Jose Mercury News reported Tuesday that the existence of the photos was a “relatively open secret among students” for months. It wasn’t until Monday that the Mountain View Los Altos school district formally acknowledged the investigation to families. In a joint letter by the district and the police, the agencies wrote:

MVLA first learned of this incident in August and immediately referred the matter to the Mountain View Police Department. The police department, which has been meticulously investigating this case over the past few months, immediately disabled the Dropbox account when they began their investigation to prevent any further access. Additionally, Mountain View detectives instructed MVLA administrators to maintain confidentiality in order to ensure that no evidence was compromised.

More than a year ago, a high school in nearby San Jose was hit with a similar scandal when a student was found to have been distributing nude photos of students via Instagram. As Ars reported previously, a 2014 Drexel University survey found that while the majority of teens sext with each other, an even higher percentage was unaware that engaging in such behavior could be prosecuted as child pornography. The National Conference of State Legislatures began tracking sexting legislation in 2009 and reported that at least 20 states and Guam have enacted bills to address youth sexting.

In the three years since IETF said pervasive monitoring is an...

IETF Security director Stephen Farrell offers a report card on evolving defences

FEATURE After three years of work on making the Internet more secure, the Internet Engineering Task Force (IETF) still faces bottlenecks: ordinary peoples' perception of risk, sysadmins worried about how to manage encrypted networks, and – more even than state snooping – an advertising-heavy 'net business model that relies on collecting as much information as possible.

In a wide-ranging 45-minute, 4,000-word interview (full transcript in this PDF), IETF Security Area Director Stephen Farrell gave a report card of what's happened since the Internet Architecture Board declared that “pervasive monitoring is an attack”, in RFC 7258. Much of the discussion used Farrell's presentation to the NORDUnet conference in September, and the slides are here.

Let's boil the ocean, so we can cook an elephant. And eat it.

Given the sheer scale of the effort involved – the IETF's list of RFCs passed the 8,000 mark in November – nobody expected the world to get a private Internet quickly, but Farrell told The Register some of the key in-IETF efforts have progressed well: its UTA (Using TLS in Applications), DPRIVE (DNS Privacy), and TCPINC (TCP INCreased security, which among other things is working to revive the tcpcrypt proposal rejected earlier in the decade).

UTA: The idea is to get rid of the nasty surprises that happen when someone realises a standard (and therefore code written to that standard) still references a “laggard” protocol – so, for example, nobody gets burned complying with a standard that happens to reference a deprecated SSL or TLS standard. “The UTA working group produced RFC 7525 (Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS), https://tools.ietf.org/html/rfc7525 here).

The last time I looked, there were something like 50 RFCs that are referencing that [The Register checked this list, provided by Farrell – it seems to be close to 70 already].”

The idea of UTA is that a protocol written 10 or 15 years ago should be updated so it no longer references the then-current version of TLS, he said. “That's being used in order to provide a common reference: as people update their implementations, they'll reference a more modern version of TLS, currently TLS 1.2, and as TLS 1.3 is finished, we have an automated-ish way of getting those updates percolating through to the documentation sets.

“That's quite successful, I think, because it normalises and updates and modernises a bunch of recommendations.”

DNSPRIV: Readers will recall that IETF 97 was the venue for the launch of Stubby, a demonstrator for securing DNS queries from the user to their DNS responder.

Stubby, a demonstrator of DNS privacy work

That, Farrell said, is a good example of where DNSPRIV is at – on the user side, it's ready for experimental code to go into service. “DNS privacy is something that is ready to experiment with. The current work in DPRIVE was how to [secure] the hop between [you] and the next DNS provider you talk to.

“That's an easy problem to tackle – you talk to that DNS resolver a lot, and you have some shared space, so the overhead of doing the crypto stuff is nowhere.”

Getting upstream to where DNS queries become recursive – your ISP can't answer, so they pass the query upwards – is much harder, he said. “Assuming that [the ISP] needs to find “where is theregister.co.uk?”, he'll eventually talk to the UK ccTLD, and then he'll go talk to .co.uk and then he'll go talk to theregister.co.uk – it's forking the communications a lot more, and it's a little harder to see how to efficiently amortise the crypto.

“The DPRIVE working group are now examining whether they think they can produce some technology that will work for that part of the problem.”

TCPINC: Some of the questions in this working group may never be seen by ordinary Internet users, but they're still important, Farrell said. “I think we're close to having some TCP-crypt-based RFCs issued, there's been code for that all along. Whether or not we'll get much deployment of that, we'll see.”

“I think there are a bunch of applications that maybe wouldn't be visible to the general public. Let's say you have an application server that has to run over a socket – an application that runs on top of the Linux kernel, say, where you have to use the kernel because of the interfaces involved, and you can't provide the security above the kernel because you need it inside.

“That's where TCPINC fits in. Storage – they have really complex interfaces between the network-available storage server and the kernel, and there's lots of complex distributed processing going on.”

That's important to “the likes of NetApp and EMC and so on”, he said: “For some of those folks, being able to slot in security inside the kernel, with TCPINC, is attractive. Some, I might expect, will adopt that sort of thing – but it may never be seen on the public Internet.”

Security and the end-to-end model

Farrell said more encryption is changing the Internet in ways the general public probably doesn't think about – but which they'll appreciate. The old end-to-end model – the “neutral Internet” – has been under both overt and covert attack for years: carriers want to be more than passive bit-pipes, so they look for ways that traffic management can become a revenue stream; while advertisers want access to traffic in transit so they can capture information and inject advertisements. Ubiquitous encryption changes both of these models, by re-empowering the endpoints.

Along the way, perhaps surprisingly, Farrell sees this as something that can make innovation on the Internet more democratic. He cited HTML2 and QUIC as important non-IETF examples: “there's a whole bunch of people motivated to use TLS almost ubiquitously, not only because they care about privacy, but because of performance: it moves the point of control back towards the endpoint, not the middle of the network.

“One of the interesting and fun things of trying to improve the security properties and privacy properties of the network is that it changes who controls what.

“If you encrypt a session, nobody in the middle can do something like inject advertising.

“It reasserts the end-to-end argument in a pretty strong way. If you do the crypto right, then the middlebox can't jump in and modify things – at least not without being detectable.”

He argues that the carrier's / network operators' “middleboxes” became an innovation roadblock. “The real downside of having middleboxes doing things is that they kind of freeze what you're doing, and prevent you innovating.

“One of the reasons people did HTTP2 implementations, that only ever talk ciphertext, is because they found a lot of middleboxes would break the connection if they saw anything that wasn't HTTP 1.1.

“In other words, the cleartext had the effect that the middleboxes, that were frozen in time, would prevent the edges from innovating. Once they encrypted the HTTP2 traffic, the middleboxes were willing to say 'it's TLS so I won't go near it', and the innovation can kick off again at the edges.”

Won't somebody think of the sysadmin?

Systems administrators – in enterprises as well as in carriers – are less in love with crypto. “Network management people have been used to managing cleartext networks,” he said. For more than 20 years, for perfectly legitimate reasons – and without betraying their users – sysadmins would look into packets, see what they contained, and when sensible do something about them.

“Not for nefarious reasons – in order to detect attacks, in order to optimise traffic, and so on. We're changing that, and that also means the technology they're using will be undergoing change, to deal with much more ciphertext than plaintext.

“We need to learn better ways of how to fulfil those same functions on the network,” he said. “If you had some security mechanism in your network for detecting some malware attack traffic, instead of being able to operate that from the middle of the network, it pushes a requirement on you to move that to the edge.”

Commercial services are starting to understand how this can work, he said: “If you look at some of the commercial instant messaging providers, that have introduced end-to-end encryption of their messaging – they have found they can move those functions in their networks to new places to do what they need to do.

“It means change, but it doesn't make network management impossible.”

Advertising models will change

Companies collaborating to collect advertising data remains a big challenge, he said.

That's likely to change – “there's no reason why a particular business model has to last forever”, but in the meantime, “it's hard to see how we make a dramatic improvement in privacy.

“We can make some improvements, but how we make it dramatically better – it's hard. The incentives are aligned to make all the service providers want to be privacy-unfriendly, from the point of “me”, but not perhaps the point of view of 99 per cent of people who use the Internet, and seem happy enough with it.”

Breaches and leaks are frightening the service providers, which helps, because providers “realise that storing everything, forever, is toxic, and in the end they'll get caught by it.”

About the cough NSA cough

The Register also asked: what protects future standards against security organisations polluting standards, as they did with DUAL-EC?

“As an open organisation, we need to be open to technical contributions from anywhere,” Farrell said, “be that an employee of the NSA, or be that – as we've had in one case – a teenager from the Ukraine who was commenting on RFCs five or six years ago.”

It has to be handled socially, rather than by process, he argued, citing the IETF's creation of the Crypto Forum Research Group, chaired by Alexey Melnikov and Kenny Paterson and designed to bring together IETF standards authors and the academic crypto community. He described it as a “lightweight process” designed to assess crypto proposals – have they been reviewed? Is the proposal novel and maybe not ready for prime time?

“The number of NSA employees that attend IETF [meetings] – I don't think it's a useful metric at all. I think how well peoples' contributions are examined is a much more useful metric, and there, things like having the CFRG, having academic cryptographers interacting much more with the standards community – those are more effective ways of doing that.

“We've set up a thing called the Advanced Networking Research Prize, which is a prize for already-published academic work. It pays for the academic to come to an IETF meeting, give us a talk, get them involved” (Paterson first became involved in the CFRG as an invited academic who won the prize).

Spooks want to monitor everyone because they believe everyone might be guilty, he added, and that's a mistake. “We should not think people are guilty by association. That's a fallacy – if you believe that NSA employees are not allowed to contribute, you're making the same mistake they're making.”

Tesco Bank Stops Online Transactions After Money Missing from 20K Accounts

Tesco Bank, a U.K. retail bank, today put a halt to online transactions from current accounts after some customers reported over the weekend money missing from their accounts. The bank, which has more than seven million customers, told the BBC that 40,000 accounts were accessed and that half of those reported missing money.

“While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal,” chief executive Benny Higgins said in a statement this morning. “We are working hard to resume normal service on current accounts as soon as possible.”

Higgins said that law enforcement and regulators are investigating; no further details on the attack were released, though Higgins told the BBC he knew what the attack was. “We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible,” Higgins said.

Tesco Bank is co-owned by U.K.’s largest supermarket and the Royal Bank of Scotland. “We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers’ accounts,” Higgins said.

Customers, meanwhile, complained loudly on social media about the bank’s responsiveness to the situation.

@tescobankhelp why is money still being taken out of my account fraudulently ?? My supposedly FROZEN bank account that I can't access???? — Kirsty Brown (@kirstyktweet) November 6, 2016

This getting more and more farcical. Still no money still no way for my kids to eat in school tomorrow Tesco are beyond a joke — SamAllenAVFC (@samallen72) November 7, 2016

Bank halts online transactions after money stolen from 20,000 accounts

Tesco Bank has been forced to suspend its online transactions after fraudulent criminal activity was spotted on thousands of its customer accounts over the weekend. A total of 40,000 current accounts were hit by suspicious transactions. Money was pinched from 20,000 of the affected current accounts, Tesco Bank said on Monday morning.

"We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers’ accounts," said the bank's chief, Benny Higgins. He added that Tesco was taking "a precautionary measure" by temporarily taking current account transactions offline. Higgins said:

While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments, and direct debits will continue as normal. We are working hard to resume normal service on current accounts as soon as possible.

Tesco Bank has promised to refund any accounts affected by the fraud and added that it was working with police and regulators to help track down the malefactors behind the crime.

The Financial Conduct Authority says it gives "higher priority to the protection of consumers as potential victims of fraud than to the protection of firms themselves as potential victims." Put another way, banks are expected to act swiftly when such fraudulent activity is detected.

Higgins told the BBC that the bank has around eight million customer accounts. He added that the number of customers hit by fraud was big but not huge. "It's 20,000 customers, we think it would be relatively small amounts that have come out but we're still working on that."

On Sunday, Tesco Bank said that it had "notified some customers that we have blocked their cards to protect their account." However, some customers complained on social media about access to their current accounts being frozen without them first being informed of the fraudulent activity.

@tescobankhelp this has left me unable to feed my kids in school tomorrow can't put money on their dinner accounts can't buy sandwich stuff — SamAllenAVFC (@samallen72) November 6, 2016

my account @tescobankhelp @TescoBankNews has been hacked over the W/E & you text me at 7:21am today, but I cant log on to check how much 😣 — 👀 (@iWaveBack) November 7, 2016

Tesco Bank said it was trying to quickly refund all of the affected accounts, but it didn't reveal when the service would return to normal following the attack.

This post originated on Ars Technica UK

Copperhead OS: The startup that wants to solve Android’s woeful security

Guardian Projectreader comments 40 Share this story A startup on a shoestring budget is working to clean up the Android security mess, and has even demonstrated results where other "secure" Android phones have failed, raising questions about Google's willingness to address the widespread vulnerabilities that exist in the world's most popular mobile operating system. "Copperhead is probably the most exciting thing happening in the world of Android security today," Chris Soghoian, principal technologist with the Speech, Privacy, and Technology Project at the American Civil Liberties Union, tells Ars. "But the enigma with Copperhead is why do they even exist? Why is it that a company as large as Google and with as much money as Google and with such a respected security team—why is it there's anything left for Copperhead to do?" Copperhead OS, a two-man team based in Toronto, ships a hardened version of Android that aims to integrate Grsecurity and PaX into their distribution.

Their OS also includes numerous security enhancements, including a port of OpenBSD’s malloc implementation, compiler hardening, enhanced SELinux policies, and function pointer protection in libc. Unfortunately for security nuts, Copperhead currently only supports Nexus devices. Google's Android security team have accepted many of Copperhead's patches into their upstream Android Open Source Project (AOSP) code base.

But a majority of Copperhead's security enhancements are unlikely ever to reach beyond its small but growing user base, because of performance trade-offs or compatibility issues. Dan Guido, CEO of Trail of Bits, has also puzzled over the vulnerability gap between the stock Android OS and Copperhead, and points out that the same could not be said for Apple's iOS. "If I had to imagine a world where there's a Copperhead for iOS, I don't even know what I'd change," he tells Ars. "The Apple team almost always picked the more secure path to go and has found a way to overcome all these performance and user experience issues." A billion people around the world rely on Android to secure their digital lives.

This number is only going to grow. How did we get here, and can Copperhead—or even Google—put out the garbage fire?

Image caption: A general outline of Copperhead's main features.

A deal with the devil

Google did a deal with the devil for market share, says Soghoian, who has described the current parlous state of Android security as a human rights issue.

By giving Original Equipment Manufacturers (OEMs) and wireless carriers control over the end-user experience, Google allowed handset manufacturers to find ways to differentiate their products, and wireless carriers to disable features they thought would threaten their business model. As a result, Google's power over OEMs—such as Samsung or Motorola, who manufacture and sell Android handsets—consists solely of the Android license and access to the Google Play Store.

The AOSP code base is licensed with Apache 2.0, and the kernel uses GPL2, which means there's nothing stopping OEMs from deploying stock Android under a different name.

But doing so would also mean losing access to the Play Store.

This gives Google significant leverage over OEMs, but by no means absolute control—a competitor willing to forgo the Android trademark and offer customers access to their own app store, as Amazon has done, can walk away from the negotiating table with little to no consequence. But Soghoian thinks Google isn't trying very hard.

The company could, he points out, demand that OEMs implement default full-disk encryption as part of the Android and Play Service licence terms.

The company currently requires FDE when the hardware supports it, but extending that requirement to lower-end Android manufacturers might scare off a non-trivial fraction of OEMs—and that would hurt Google's bottom line as an advertising company. "The important thing to remember," he says, "is that if Google goes nuclear and cuts an OEM from the Google Play store, and Gmail, and Google Maps, and YouTube, Google isn't just hurting that OEM and its customers, it's also hurting itself." "Every phone that doesn't have YouTube and Google Mail and search is a phone that isn't making money for Google," he adds. Copperhead, for their part, are not in the business of surveilling users in order to display targeted advertising and so are free to optimise Android for security.

Their first challenge was to find a handset to support that offered regular security updates—no small ask.

Just the Nexus, thanks

Most OEMs, for instance Motorola, do not ship the monthly security updates available from the AOSP.

The business model for handset manufacturers ends with the sale to a consumer—at which point there are no financial incentives to maintain the devices for the next three years or so. Copperhead chooses to focus on optimising security for what they believe are the most secure handsets currently available: the Nexus devices whose software, if not hardware, Google controls directly, and which receive prompt monthly security updates.

"What we're doing is starting with the Nexus; a pretty good starting point," Copperhead's Daniel Micay explains. "And we're significantly improving the security of the operating system. We're making a lot of under-the-hood changes and exploit mitigation to make it harder to exploit the vulnerabilities that are there."

Micay's goal is to port the Grsecurity and PaX patches to the Android Linux kernel, which would dramatically improve the security of all Android handsets, but this goal has been stymied by hardware woes—some of which not even Google appears capable of resolving, at least not on its own.

Grsecurity for Android

Grsecurity and its subset PaX harden the Linux kernel by making whole classes of vulnerabilities difficult, if not impossible, to exploit. Micay got his start as the Arch Linux maintainer of the Grsecurity and PaX patches for that distribution, and embraces the same security vision as Brad Spengler, who founded the Grsecurity project, and who has famously clashed with Linus Torvalds over the years for the latter's reluctance to ship a more secure kernel.

But Copperhead's efforts to implement the Grsecurity patches for Android ran into a brick wall: Nexus devices, and indeed all newer mid- to high-end handsets, use the ARM64 architecture. While parts of Grsecurity have been ported to ARM32, little work has been done on ARM64, Micay says, leaving only a small subset of non-architecture-specific code for him to deploy.

Porting Grsecurity to ARM64 is not a trivial undertaking—Micay estimates months of work for an experienced engineer, and Spengler and his team are not inclined to help without getting paid. "Work on Grsecurity is still done in our free time," Spengler says. "We don't have any personal need for ARM64 support, so it's not a priority for us in our limited time. I do have a development board on order, however." "We would have to research how KERNEXEC/UDEREF functionality could be implemented best on ARM64," he adds. "Given our experience with that research and implementation on ARM, I'm not inclined to do more free work for the full-time funded upstream or multi-billion dollar corporations to rip off."

Given the dramatic security benefits porting Grsecurity to Android would bring, and the relatively low cost of such work, Soghoian wonders why no one is paying Spengler and Micay to do so.

Is Android critical infrastructure?

"In an ideal world, the US Department of Homeland Security would write a check to Spengler for $5 million and keep him busy," Soghoian says, pointing to the Core Infrastructure Initiative (CII), founded after Heartbleed to take better care of critical open source security software like OpenSSL. Because the Grsecurity project has the potential to positively benefit every Linux user on the planet—including servers, desktops, and more than a billion Android users—Soghoian argues that the project is the kind of thing the CII should be funding. "The White House announced they were going to put more money into the open source community a few months ago," he says. "It's a totally realistic scenario."

Soghoian also criticises Google for failing to step up to the plate. "Google could pay for the development of Grsecurity using the money found between the cushions of their sofa," he insists. "This is not a big-ticket item in the grand scheme of Google's budget." But even if ARM64 support were immediately available for the Android kernel, it would still be a year or two before Copperhead—or even Google—could deploy those patched kernels.

Kernel freeze

Linux device drivers have been the operating system's Achilles heel since day one, and the Android platform is no exception.

Android phones ship with kernels frozen to ensure driver compatibility—which usually means that a new Android device comes with a kernel that's already a year or two old. "It's like if you have a printer and the last printer driver made was for Windows 95, you can never upgrade your computer to a newer version," Soghoian explains. "Android is bigger than just Google, and when Google's partners drag their feet it undermines the security of the entire ecosystem." As an Android device ages, the kernel may get backported security patches, depending on the OEM’s willingness to push updates, but the handset will miss out on the latest security advances, since upgrading the kernel would break hardware compatibility with the drivers. This ties Copperhead's hands.

Given limited resources, Micay says he's focusing on implementing new security improvements to Android, rather than backporting a limited, non-architecture-specific subset of Grsecurity to the older kernels currently running on Nexus devices. "Nexus devices are stuck on Linux kernel 3.10, which is not supported by PaX and Grsecurity,” he says. “I've chosen to focus on long-term progress so there's no value in porting stuff back to 3.10 since future devices will use different newer kernels."

Google is playing up the security enhancements in Android 7.0, dubbed “Nougat”, which will ship later this year. How significant is the new release in terms of security?

“N” to the rescue?

The Android security team did not respond to requests for comment over the last couple of weeks. On July 27, they published a blog post touting the integration of a subset of Grsecurity patches in Android N. Micay dismisses this announcement, saying that Google has in reality implemented less than one percent of Grsecurity into Android. "Android N is making more progress on kernel exploit mitigations than past releases of Android, but it's basic stuff and doesn't change the fact that the kernel is a very soft target," he says. “They're taking baby steps forward for the kernel's security. Security elsewhere in Android is moving much faster though (the mediaserver hardening, multiprocess WebView, SELinux policies, hidepid=2, etc.)”

Google finally responded to our request for comment on Monday, August 1.
In a brief statement, Adrian Ludwig, Google's director of Android security, wrote: “Copperhead has been a valuable contributor to Android Open Source project. We appreciate their contributions, and hope that they continue to work on research and development that improves security of the entire Android ecosystem.”

Can Copperhead succeed where others failed?

The marketplace is littered with dead and dying Android security startups.
Silent Circle's Blackphone is going nowhere fast, and nor is backdoor-loving Blackberry’s Priv.

CyanogenMod OS, although by no means optimised for security, has also found competing with stock Android a far-from-profitable venture. Absent an unexpected cheque in the mail from Google or the US DHS, how will Copperhead fund its cutting-edge work on securing Android?

Image caption: The Blackphone 2, another attempt at improving mobile phone security.

The startup currently sells Nexus devices with Copperhead OS preinstalled, and Micay says they are in talks with a number of potential enterprise clients and resellers who would benefit from hardened Android devices customised to suit their users. "There are no doubt many organisations globally who want full control over the software stacks on their devices, who do not want the cloud services that are bound to the dominant mobile device operating systems, yet they want modern devices," says David Mirza Ahmad of Subgraph, a Copperhead-like effort to secure desktop Linux. "Copperhead could be the answer." Copperhead ships with F-Droid installed by default, but without Google Play. Nexus owners comfortable with re-flashing their own devices can, of course, download Copperhead OS and install it themselves.

The company also accepts donations and offers a Patreon subscription. For his part, Micay is in this for the long haul, whether Copperhead is financially successful or not: "Even if I have to get a full-time job I'm still going to be doing this because it matters." J.M. Porup is a freelance cybersecurity reporter who lives in Toronto. When he dies his epitaph will simply read "assume breach." You can find him on Twitter at @toholdaquill. This post originated on Ars Technica UK

Feds shut down tech support scammers, freeze assets

Federal authorities have shut down several alleged tech support scammers working out of Florida, Iowa, Nevada and Canada, freezing their assets and seizing control of their businesses. The action was one of the largest in the U.S. against scammers, who...