DOUG. Cryptology, cops hacking back, Apple updates and… card counting!
All that, and more, on the Naked Security podcast.
[MUSICAL MODEM]
Welcome to the podcast, everybody.
I’m Doug Aamoth; he is Paul Ducklin.
Paul, how do you do today?
DUCK. I’m very well, thanks, Douglas.
And I’m very excitedly looking forward to the card-counting bit, not least because it’s not just about counting, it’s also about card shuffling.
DOUG. All right, very good, looking forward to that!
And in our Tech History segment, we’ll talk about something that was not random – it was very calculated.
This week, on 25 October 2001, Windows XP was released to retail.
It was built upon the Windows NT operating system, and XP replaced both Windows 2000 and Windows Millennium Edition as “XP Professional Edition” and “XP Home Edition” respectively.
XP Home was the first consumer version of Windows to not be based on MS-DOS or the Windows 95 kernel.
And, on a personal note, I loved it.
I may be remembering simpler times… I don’t know if it was actually as good as I remember it, but I remember it being better than what we had before.
DUCK. I agree with that.
I think there are some rose-tinted spectacles you may be wearing there, Doug…
DOUG. Umm-hmmm.
DUCK. …but I would have to agree that it was an improvement.
DOUG. Let us talk a little bit about comeuppance, specifically, comeuppance for unwanted facial recognition in France:
Clearview AI image-scraping face recognition service hit with €20m fine in France
DUCK. Indeed!
Regular listeners will know that we have spoken about a company called Clearview AI many times, because I think it’s fair to say that this company is controversial.
The French regulator very helpfully publishes its rulings, or has published at least its Clearview rulings, in both French and in English.
So, basically, here’s how they describe it:
Clearview AI collects photographs from many websites, including social media. It collects all the photographs that are directly accessible on these networks. Thus, the company has collected over 20 billion images worldwide.
Thanks to this collection, the company markets access to its image database in the form of a search engine in which a person can be found using a photograph. The company offers this service to law enforcement authorities.
And the French regulator’s objection, which was echoed last year by at least the UK and the Australian regulator as well, is: “We consider this illegal in our country. You can’t go scraping people’s images for this commercial purpose without their consent. And you’re also not complying with GDPR rules, data destruction rules, making it easy for them to contact you and say, ‘I want to opt out’.”
So, firstly, it should be opt in if you want to run this.
And having collected the stuff, you shouldn’t be hanging on to it even after they want to make sure that their data is removed.
And the problem in France, Doug, is that last December the regulator said, “Sorry, you can’t do this. Stop scraping data, and get rid of what you’ve got on everybody in France. Thank you very much.”
Apparently, according to the regulator, Clearview AI just didn’t seem to want to comply.
DOUG. Uh-oh!
DUCK. So now the French have come back and said, “You don’t seem to want to listen. You don’t seem to understand that this is the law. Now, the same thing applies, but you also have to pay €20 million. Thanks for coming.”
DOUG. We’ve got some comments brewing on the article… we’d love to hear what you think; you can comment anonymously.
Specifically, the questions we put forth are: “Is Clearview AI really providing a beneficial and socially acceptable service to law enforcement? Or is it casually trampling on our privacy by collecting biometric data unlawfully and commercialising it for investigative tracking purposes without consent?”
All right, let us stick with this theme of comeuppance, and talk about a bit of comeuppance for the DEADBOLT criminals.
This is an interesting story, involving law enforcement and hacking back!
When cops hack back: Dutch police fleece DEADBOLT criminals (legally!)
DUCK. Hats off to the cops for doing this, although, as we’ll explain, it was sort-of a one-off thing.
Regular listeners will remember DEADBOLT – it’s come up a couple of times before.
DEADBOLT is the ransomware gang who basically find your Network Attached Storage [NAS] server if you’re a home user or small business…
…and if it isn’t patched against a vulnerability they know how to exploit, they’ll come in, and they just scramble your NAS box.
They figured that’s where all your backups are, that’s where all your big files are, that’s where all your important stuff is.
“Let’s not worry about having to write malware for Windows and malware for Mac, and worrying what version you’ve got. We’ll just go straight in, scramble your files, and then say, ‘Pay us $600’.”
That’s the current going rate: 0.03 bitcoins, if you don’t mind.
So they’re taking that consumer-oriented approach of trying to hit a lot of people and asking for a somewhat affordable amount each time.
And I guess if everything you’ve got is backed up on there, then you might feel, “You know what? $600 is a lot of money, but I can just about afford it. I’ll pay up.”
To simplify things (and we’ve grudgingly said, this is a clever part, if you like, of this particular ransomware)… basically, what you do is you tell the crooks you’re interested in sending them a message via the Bitcoin blockchain.
Basically, you pay them the money to a specified, unique-to-you Bitcoin address.
When they get the payment message, they send back a payment of $0 that includes a comment that’s the decryption key.
So that’s the *only* interaction they need with you.
They don’t need to use email, and they don’t need to run any dark web servers.
However, the Dutch cops figured the crooks had made a protocol-related blunder!
As soon as your transaction hit the Bitcoin ecosystem, looking for someone to mine it, their script would send the decryption key.
And it turns out that although you cannot double-spend bitcoins (otherwise the system would fall apart), you can put in two transactions at the same time, one with a high transaction fee and one with a very low or a zero transaction fee.
And guess which one the bitcoin miners and ultimately the bitcoin blockchain will accept?
And that’s what the cops did…
DOUG. [LAUGHS] Very clever, I like it!
DUCK. They’d stick in a payment with a zero transaction fee, which could take days to get processed.
And then, as soon as they got the decryption key back from the crooks (they had, I think, 155 users that they sort of clubbed together)… as soon as they got the decryption key back, they did a double-spend transaction.
“I want to spend the same Bitcoin again, but this time we’re going to pay it back to ourselves. And now we’ll offer a sensible transaction fee.”
So that transaction was the one that ultimately actually got confirmed and locked into the blockchain…
…and the other one just got ignored and thrown away… [LAUGHS] as always, shouldn’t laugh!
DOUG. [LAUGHS]
DUCK. So, basically, the crooks paid out too soon.
And I guess it’s not *treachery* if you’re law enforcement, and you’re doing it in a legally warranted way… it’s basically a *trap*.
And the crooks walked into it.
As I mentioned at the start, this could only work once because, of course, the crooks figured, “Oh, dear, we shouldn’t do it that way. Let’s change the protocol. Let’s wait for the transaction to be confirmed onto the blockchain first, and then once we know that nobody can come along with a transaction that will trump it later, only then will we send out the decryption key.”
DUCK. But the crooks did get flat-footed to the tune of 155 decryption keys from victims in 13 different countries who called on the Dutch police for help.
So, chapeau [French cycling slang for a “hat doff”], as they say!
DOUG. That’s great… that’s two positive stories in a row.
And let’s keep the positive vibes rolling with this next story.
It’s about women in cryptology.
They’ve been honoured by the US Postal Service, which is celebrating World War 2 code breakers.
Tell us all about this – this is a very interesting story, Paul:
DUCK. Yes, it was one of those nice things to write about on Naked Security: Women in cryptology – United States Postal Service celebrates World War 2 codebreakers.
Now, we’ve covered Bletchley Park code breaking, which is the UK’s cryptographic efforts during the Second World War, mainly to try to crack Nazi ciphers such as the famous Enigma machine.
However, as you can imagine, the US faced a huge problem from the Pacific theatre of war, trying to deal with Japanese ciphers, and in particular, one cipher known as PURPLE.
Unlike the Nazi’s Enigma, this was not a commercial machine that could be bought.
It was actually a homegrown machine that came out of the military, based on telephone switching relays, which, if you think about it, are sort of like “base ten” switches.
So, in the same way that Bletchley Park in the UK secretly employed more than 10,000 people… I didn’t realise this, but it turned out that there were well over 10,000 women recruited into cryptology, into cryptographic cracking, in the US to try to deal with Japanese ciphers during the war.
By all accounts, they were extremely successful.
There was a cryptographic breakthrough made in the early 1940s by one of the US cryptologists called Genevieve Grotjan, and apparently this led to spectacular successes in reading Japanese secrets.
And I’ll just quote from the US Postal Service, from their stamp series:
They deciphered Japanese fleet communications, helped prevent German U-boats from sinking vital cargo ships, and worked to break the encryption systems that revealed Japanese shipping routes and diplomatic messages.
You can imagine that gives you very, very, usable intelligence indeed… that you have to assume helped to shorten the war.
Fortunately, although the Japanese had been warned (apparently by the Nazis) that their cipher was either breakable or had already been broken, they refused to believe it, and they carried on using PURPLE throughout the war.
And the women cryptologists of the time definitely made hay secretly while the sun shone.
Sadly, just as happened in the UK with all the wartime heroes (again, most of them women) at Bletchley Park…
…after the war, they were sworn to secrecy.
So it was many decades until they got any recognition at all, let alone what you might call the hero’s welcome that they essentially deserved when peace broke out in 1945.
DOUG. Wow, that is a cool story.
And unfortunate that it took that long to get the recognition, but great that they finally got it.
And I urge anyone who is listening to this to head over to the site to read that.
It’s called: Women in cryptology – USPS celebrates World War 2 codebreakers.
Excellent piece!
DUCK. By the way, Doug, on the stamp series that you can buy (the commemorative series, where you get the stamps on a full sheet)… around the stamps, the USPS has actually put a little cryptographic puzzle, which we’ve repeated in the article.
It’s not as difficult as Enigma or PURPLE, so you can actually do it fairly easily with pen and paper, but it’s a bit of commemorative fun.
So come on over and have a try if you like.
We’ve also put a link to an article that we wrote a couple of years ago (What 2000 years of cryptography can teach us) in which you’ll find hints that will help you solve the USPS cryptographic puzzle.
Nice little bit of fun to go with your commemoration!
DOUG. All right, so let’s stick with randomness and cryptography a little bit, and ask a question that maybe some have wondered before.
How random are those automatic card shufflers you might see at a casino?
Serious Security: How randomly (or not) can you shuffle cards?
DUCK. Yes, another interesting story that I picked up thanks to cryptography guru Bruce Schneier, who wrote about it on his own blog, and he entitled his article On the randomness of automatic card shufflers.
The paper we’re talking about goes back, I think, to 2013, and the work that was done, I think, goes back to the early 2000s.
But what fascinated me about the story, and made me want to share it, is that it has incredible teachable moments for people who are currently involved in programming, whether or not in the field of cryptography.
And, even more importantly, in testing and quality assurance.
Because, unlike the Japanese, who refused to believe that their PURPLE cipher might not be working properly, this is a story about a company that made automatic card shuffling machines but figured, “Are they really good enough?”
Or could someone actually figure out how they work, and get an advantage from the fact that they aren’t random enough?
And so they went out of their way to hire a trio of mathematicians from California, one of whom is also an accomplished magician…
…and they said, “We built this machine. We think it’s random enough, with one shuffle of the cards.”
Their own engineers had gone out of their way to devise tests that they thought would show whether the machine was random enough for card shuffling purposes, but they wanted a second opinion, and so they actually went out and got one.
And these mathematicians looked at how the machine worked, and were able to come up, believe it or not, with what’s known as a closed system.
They analysed it completely: how the thing would behave, and therefore what statistical inferences they could make about how the cards would come out.
They discovered that although the shuffled cards would pass a significant battery of good randomness tests, there were still sufficiently many unbroken sequences in the cards after they’d been shuffled that allowed them to predict the next card twice as well as chance.
And they were able to show the reasoning by which they were able to come up with their mental algorithm for guessing the next card twice as well as they should…
…so not only did they do it reliably and repeatably, they actually had the mathematics to show formulaically why that was the case.
And the story is perhaps most famous for the earthy but entirely acceptable response from the president of the company that hired them.
He’s supposed to have said:
We’re not pleased with your conclusions, but we believe them, and that’s what we hired you for.
In other words, he’s saying, “I didn’t pay to be made happy. I paid to find out the facts and to act upon them.”
If only more people did that when it came to devising tests for their software!
Because it’s easy to create a set of tests that your product will pass and where if it fails, you know something has definitely gone wrong.
But it’s surprisingly difficult to come up with a set of tests that it’s *worth your product passing*.
And that’s what this company did, by hiring in the mathematicians to look into how the card shuffling machine worked.
Lots of life lessons in there, Doug!
DOUG. It’s a fun story and very interesting.
Now, every week we generally talk about some sort of Apple update, but not this week.
No, no!
This week we’ve got for you… an Apple *megaupdate*:
Apple megaupdate: Ventura out, iOS and iPad kernel zero-day – act now!
DUCK. Unfortunately, if you have an iPhone or an iPad, the update covers a zero-day currently being actively exploited, which, as always, smells of jailbreak/full spyware takeover.
And as always, and perhaps understandably, Apple is very cagey about exactly what the zero-day is, what it’s being used for, and, just as interestingly, who’s using it.
So if you’ve got an iPhone or an iPad, this is *definitely* one for you.
And confusingly, Doug…
I’d better explain this, because it actually wasn’t obvious at first… and thanks to some reader help, thank you Stefaan from Belgium, who has been sending me screenshots and explaining exactly what happened to him when he updated his iPad!
The update for iPhones and iPads said, “Hey, you’ve got iOS 16.1, and iPadOS 16”. (Because iPad OS version 16 was delayed.)
And that’s what the security bulletin says.
When you install the update, the basic About screen just says “iPadOS 16”.
But if you zoom into the main version screen, then both versions actually come out as “iOS/iPadOS 16.1”.
So that’s the *upgrade* to version 16, plus this vital zero-day fix.
That’s the hard and confusing part… the rest is just that there are lots of fixes for other platforms as well.
Except that, because Ventura came out – macOS 13, with 112 CVE-numbered patches, although for most people, they won’t have had the beta, so this will be *upgrade* and *update* at the same time…
Because macOS 13 came out, that leaves macOS 10 Catalina three versions behind.
And it does indeed look as if Apple is only now supporting previous and pre-previous.
So there *are* updates for Big Sur and Monterey, that’s macOS 11 and macOS 12, but Catalina is notably absent, Doug.
And as annoyingly as always, what we cannot tell you…
Does that mean it simply was immune to all these fixes?
Does that mean it actually needs at least some of the fixes, but they just haven’t come out yet?
Or does that mean it’s fallen off the edge of the world and you’ll never get an update again, whether it needs one or not?
We don’t know.
DOUG. I feel winded, and I didn’t even do any of the heavy lifting in that story, so thank you for that… that’s a lot.
DUCK. And you don’t even have an iPhone.
DOUG. Precisely!
I’ve got an iPad…
DUCK. Oh, do you?
DOUG. …so I’ve got to go and make sure I get it updated.
And that leads us into our reader question of the day, on the Apple story.
Anonymous Commenter asks:
Will the 15.7 update for iPads solve this, or do I have to update to 16? I’m waiting until the minor nuisance bugs in 16 are resolved before updating.
DUCK. That’s the second level of confusion, if you like, caused by this.
Now, my understanding is, when iPadOS 15.7 came out, that was exactly the same time as iOS 15.7.
And it was, what, just over a month ago, I think?
So that’s an old-time security update.
And what we now don’t know is…
Is there an iOS/iPadOS 15.7.1 still in the wings that hasn’t come out yet, fixing security holes that do exist in the previous version of operating systems for those platforms?
Or is your update path for security updates for iOS and iPadOS now to go down the version 16 route?
I just don’t know, and I don’t know how you tell.
So it’s looking as if (and I’m sorry if I sound confused, Doug, because I am!)…
…it’s looking as if the *update* and the *upgrade* path for users of iOS and iPadOS 15.7 is to shift to version flavour 16.
And at this current time, that means 16.1.
That would be my recommendation, because then at least you know that you have the latest and greatest build, with the latest and greatest security fixes.
So that’s the long answer.
The short answer is, Doug, “Don’t know.”
DOUG. Clear as mud.
DUCK. Sure.
Well, perhaps not that clear… [LAUGHTER]
If you leave mud long enough, eventually the bits settle to the bottom and there’s clear water on the top.
So maybe that’s what you have to do: wait and see, or just bite the bullet and go for 16.1.
They do make it easy, don’t they? [LAUGHS]
DOUG. All right, we will keep an eye on that, because that could change a little bit between now and next time.
Thank you very much for sending that comment in, Anonymous Commenter.
If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.
You can email tips@sophos.com, you can comment on any one of our articles, and you can hit us up on social @NakedSecurity.
That’s our show for today, thanks very much for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…
BOTH. Stay secure!