I agree with the industry response here. KRACK was the same thing. The author finds a vulnerability that is absolutely valid (no denying here), easy to exploit in a lab but very hard to exploit in practice. Back in the day, we did test our equipment for KRACK. We concluded that someone had to circumvent all our physical security barriers (challenging, but theoretically possible) to get close enough to an AP that would see sensitive stuff, had to know WHEN to do that, or at least plant a device that could easily be noticed, and they would still fail because we didn't have 802.11r enabled on those APs.
Is it a concern? It depends on what you're doing. It is absolutely a concern if your corporation is handling ultra-sensitive information. However, you should also question your physical barriers in that case and whether you should use Wi-Fi at all for some aspects of your operation. Is it a concern for the vast majority of office workers or someone at home? Probably not; there would be easier ways to find a valid credit card number that don't involve the time and effort for a hacker to travel to your place where they could be discovered. There's no need to replace all your APs with new hardware, although the Wi-Fi Alliance would love for you to do that.
Does this exploit warrant its own fancy name and domain name? As was the case for KRACK, I don't believe so. That should be reserved for vulnerabilities that have a severe impact AND are extremely trivial to exploit with no proximity requirements. If not, the fancy-name-vulns risk being deprived of their ability to get the attention that is required.
I don't. This sentence serves no purpose other than distraction and needs to stop being used: "there is presently no evidence of the vulnerabilities being used".
It's a standard sentence that is rolled out for any security event or breach usually to misdirect blame. It needs to go away.
I disagree: for defenders trying to establish veracity of flaws and prioritizing defense this is useful information. "Active exploits seen in wild" is a strong signal.
Picking two potentially high impact announcements from the last month or so:
1. There is a severe flaw in the RSA cryptosystem.
2. There is a remote code exec vulnerability in Microsoft Exchange.
One of these was a sketch of an incremental improvement to an attack that remains mostly of theoretical interest. The other was being actively exploited, was tragically simple for 3rd parties to replicate post-announcement and resulted in widespread pain.
There is some (non-linear) scale here (theoretical flaw/poc/weaponized poc/public poc/public weaponized poc/exploited, but limited actors or targets/widely exploited/HAVOC). MS for example uses just "less likely to be exploited", "more likely to be exploited" "being exploited". It's coarse and somewhat subjective but there is value even so.
"This flaw is being actively exploited in the wild" is the best line I can take upstairs. I don't want that to go away just because some parties might misuse it.
That assumes this statement is made out of some sort of particular knowledge. When a Google Zero researcher finds an exploit, then goes through Google crash logging to determine if it's been abused in the wild, there is a reasonable basis for speculation on their part to say if this is an active exploit in the wild or not.
When a sales busybody like the WiFi alliance makes that statement, it comes from ignorance and CYA.
>[KRACK] easy to exploit in a lab but very hard to exploit in practice
How so? Even I have done it (on my own AP). Unless you own a big property that the WiFi signal cannot reach outside, it's as easy as pressing GO in one of the hundreds of script kiddie tools.
Several of the implementation flaws allow an attacker to essentially inject plaintext frames in a Wi-Fi network. All that's needed is being within range of the network (with an extender you can still be far away). I agree that the design flaws aren't that serious! But that's also explicitly mentioned on the website so...
Edit: injection can be used to punch a hole in the router's NAT so someone can directly try to attack your devices. As always, the world isn't burning down. But I think it's interesting research :)
I agree, it absolutely is interesting research, and I appreciate the detailed explanation that was published.
Although the proximity requirement severely limits the possible impact, it does make us think again about the security of our Wi-Fi networks, and as a result we may identify areas to improve, which is a benefit.
WiFi exploits will always be subject to proximity though? For it to be remotely exploitable, you would be talking about a router or something else in the hardware stack.
In your mind, what kind of WiFi exploit is actually concerning?
After reading your reply, it seems you have ruled out all home networks and any exploit on a company not dealing with ultra-sensitive data. What's left?
>WiFi exploits will always be subject to proximity though?
Something as simple as a Pringles can will dramatically increase "proximity". If you are in (or are perceived as) a juicy enough target area, why wouldn't someone use something like this? Great way to monitor people, find out which houses are ripe to break in, etc.
If you do not trust the network, as you should not, the risk of these attacks is reduced to that of denial of service attacks.
Yes, it’s annoying if an attacker can manipulate your DNS responses. But it’s unavoidable on the internet and your local network should not be your only defense against it.
Oh, we can fulfill them. We'll resort to TLS inspection and force you to trust our CA on your device if you want to continue accessing our corporate network. And now we get to see (almost) everything again, like in the "good old days," not just your DNS queries.
Clear text DNS is the ultimate compromise, a gentleman's agreement if you want, that benefits everyone. We can see just enough to filter what we are required to by law on a best-effort basis, but we never see what you are actually doing thanks to the prevalence of TLS. DoH just broke that agreement.
It's a sad example of how a privacy solution like DoH will eventually result in less privacy, at least in some environments. And I'm not even considering how DoH will be the excuse for totalitarian regimes to up their surveillance antics.
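The comments above turn on one technical fact: a cleartext DNS query on port 53 carries the queried name in a trivially parseable wire format, while DoH (RFC 8484) carries the exact same bytes inside an HTTPS body, so an on-path filter sees nothing but a TLS session. The following Python is an added illustration written for this page, not code from any commenter: it builds and parses the DNS wire format, shows the name-based filter decision that cleartext DNS allows, and wraps the identical message the way a DoH POST would. The blocklist, the `dns.example` resolver host and the sample names are constructed for the example.

```python
"""Added example: DNS wire format as seen by an on-path filter, cleartext vs DoH."""
import struct

# Constructed sample policy (hypothetical): names a network filter must block.
BLOCKLIST = {"blocked.example.test"}

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (all 16-bit, network order)
HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000       # set in responses, clear in queries
RD_FLAG = 0x0100      # recursion desired, the usual stub-resolver flag
QTYPE_A, QCLASS_IN = 1, 1


def encode_qname(name: str) -> bytes:
    """Encode 'www.example.test' as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_qname(msg: bytes, offset: int):
    """Walk the labels at offset; returns (name, offset just past the terminator)."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            # Compression pointers never appear in the question of a query.
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, txn_id: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """A standard one-question recursive query, exactly what a stub resolver sends."""
    header = HEADER.pack(txn_id, RD_FLAG, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(msg: bytes) -> dict:
    """Parse the header and the single question; reject anything that is not a query."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than DNS header")
    txn_id, flags, qdcount, *_ = HEADER.unpack_from(msg, 0)
    if flags & QR_BIT:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_qname(msg, HEADER.size)
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    return {"id": txn_id, "name": name, "qtype": qtype, "qclass": qclass}


def is_blocked(name: str) -> bool:
    """Exact or subdomain match against the policy list."""
    name = name.lower().rstrip(".")
    return any(name == b or name.endswith("." + b) for b in BLOCKLIST)


def filter_cleartext(msg: bytes):
    """What a port-53 filter can do with cleartext DNS: read the name, decide."""
    q = parse_query(msg)
    return ("block" if is_blocked(q["name"]) else "allow", q["name"])


def doh_request(msg: bytes) -> bytes:
    """The same wire message as a DoH POST body (RFC 8484). In practice this
    text travels inside TLS, so an on-path filter sees only the encrypted
    session to the resolver, not the name."""
    return (b"POST /dns-query HTTP/1.1\r\n"
            b"Host: dns.example\r\n"            # hypothetical resolver
            b"Content-Type: application/dns-message\r\n"
            b"Content-Length: %d\r\n\r\n" % len(msg)) + msg


if __name__ == "__main__":
    for host in ("hn.example.test", "cdn.blocked.example.test"):
        q = build_query(host)
        print(filter_cleartext(q))          # cleartext: name visible, policy applies
        print(doh_request(q)[:60], "...")   # DoH: same bytes, but behind TLS
```

The filter only works because the QNAME sits at a fixed, parseable offset in an unencrypted UDP payload; the DoH body is byte-for-byte the same query, which is why the thread's network operators lose name visibility and reach for TLS inspection instead.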
Yeah. The pre-DoH world was good for both. I could say it's all filtered for the kids on the locked down machines, and the adults who knew something about technology could get on with their lives. Now, we are entering a world where we are going to end up locking down everyone. Good job.
I'm damn sure once I have to do the trusted CA path that someone is going to sell a deep packet inspection solution and present it at some conference where someone in charge will hear about it and then it will be off to the races.
I agree. For several years I have been looking on and off for a layman way to locate a source of a sound, but haven't found anything.
A solution like this could resolve many of the lingering "hum" cases. Often they are only heard by a few people, and those in charge of environmental control don't tend to take it seriously because "they don't hear it", or because they or the higher-ups are hiding something.
Acoustic consultants are extremely expensive, may require many hours if the sound is only apparent during random hours, and even then may come up with nothing.
An app that would at least be able to give a good estimate of the direction from where a sound is coming would be extremely helpful.
Here's hoping it also reduces the exorbitant amount of false positives we've been seeing with Stripe's fraud prevention services, which cost us a lot in lost legitimate sales.
I'm sorry to hear that! Feel free to email me (patrick@stripe.com) and I'll connect you with the team if you'd like us to do a deeper dive.
But, yes, part of the intent here is to enable us to achieve better ROC[1] in our models and to block more fraud while also encumbering fewer false positives. From our testing, it's very clear that these bot-detection techniques do substantially improve the accuracy when compared to other, coarser heuristics.
A user shouldn't have to email a cofounder to get in touch with a team member. The last time I integrated Stripe on a site, as a final test before it went live I had my cousin make a purchase and the site got flagged as potential money laundering because we had the same last name. At the time there was literally zero customer service. It took 8 years before Stripe started doing any customer support. Cool launch pages, but personally I'll never use Stripe again.
I've always launched with fraud turned down. The bots don't know you're there yet and Stripe can figure out your traffic. Then, you can turn it up once you get a few dozen or so sales under your belt.
We have the opposite problem. People with 50 carding attempts and radar scores of 30 or so. There is no value in Radar if so many of these cases pop up because you can’t really tell the truth from the false.
We use Sift as a backup, and that makes it easier; at the same time it is really showing how poorly Radar does in some cases.
Truth be told, it is really good with heavy “dumb” carders, but not when it gets complex. Hope this gets addressed at some point.
I had a Little Printer, and I believe the article is slightly over-romanticizing the device. It was slow, not only the printing itself but there would also be a considerable delay before it would start printing as everything had to go through the cloud.
The printing paper had very uncommon dimensions and was hard to find. You could buy them from Berg, but they charged a lot for the rolls. There would also be a lot of paper waste due to the "face" that needed to be printed after every job. Cute, but no practical use.
In the end, however, it did what it advertised, and it did so with remarkably few of the hiccups that were (and are still) common for the IoT devices of the time; it was a good "version 1" for an IoT device. It's unfortunate that they never got to make a second version.
After the project was shuttered I bought an Epson TM-T20II. It prints from the LAN, it prints extremely quickly, and the standard paper dimensions that it uses are easy to find on Amazon. It doesn't print a cute face after every job, though, but you can buy a buzzer add-on to make it beep after every job if you want.
Well, this is very reassuring! Weird that the face would print every time -- what a waste.
I had a thermal printer for a while for another purpose and loved it. It was so handy to have --- but ultimately, thermal paper isn't great for the ol' environment.
Do you still use the thermal printer for lists and stuff?
If the item you're ordering is out of stock or unavailable to ship immediately, the shipping method time starts when the item ships. For example, it will take two business days after an item ships to reach you with Two-Day Shipping.
Amazon could easily make the case that even though the item you ordered was "in stock," it was still unavailable to ship immediately due to warehouse backlog or other operational reasons.
I agree, demonizing the Chinese people is the worst thing anyone can do. They didn't want this virus either, but they taught us how we can contain it, and they paid the price with countless human lives.
The CCP is the one that needs to be made responsible. However, they will label any attempt from the west as racism towards the Chinese, to avoid having to take up that responsibility.
Change will only happen when it doesn't look like the CCP is losing face by listening to what the west is dictating. Economic sanctions are the alternative, but that would threaten the supply of cheap Chinese labor.
Not to mention all the leafy green recalls, such as E. Coli in the lettuce this January [1] and salmonella in the spinach last September [2]. This happens every few months, and has for as long as I can remember.
E. Coli comes from faecal contamination so someone's been pooping in America's leafy greens for years. Not sure there's a whole lot of moral high-ground there.
Let me think about it... Some people in the food industry fed dead sheep to cows and thus created a whole new form of transmissible, deadly disease. Hmmm... Yes, I think that falls into the same category.
Comparatively small. Estimates are that it cost about $5.7b USD over the course of 5 years[0]. Conservative estimates are that it's going to cost $2.7t USD, and that was from before it was labeled a pandemic. [1]
I am not sure how this is comparable. There is a concept called degree of risk. Bats are known for being a reservoir of zoonotic viruses, unlike common farm animals like chickens, cows etc. Moreover, eating bats is easier to give up provided that we already have lots of other, safer meat alternatives.
They did, but they also wasted a lot of time in January, allowing the virus to travel the world. But as you mentioned, other nations made similar mistakes, and they had the benefit of being warned.
However, when it comes to the question of responsibility for preventing a third SARS outbreak originating from China, the answer lies with the CCP.
I'm sorry, what? They only started to do the right thing once they realized a cover-up wouldn't be successful [1]. Even then, we're still hearing about attempts to silence scientists and destroy evidence.
> Nobody was going to switch to an entirely different mode of communication just for my sake
Please elaborate. No iPhone user has to switch from the "iMessage" app to the "SMS" app to reach an Android user or include an Android user in a group chat. While it does indeed involve a different mode of communication, it's all handled seamlessly in the background from the same app.
In fact, if it wasn't for the coloring, they wouldn't even have noticed, except if you exchanged other data than pure text, but I can't imagine this being a real deal-breaker for planning?
Note how the Twitter OP also explained how they were texting the Android student from iOS until they decided to abandon him and create a new group. Not because they had to switch to another app to reach him, but "because he was on Android and turned the thread green" (sic).
If you start an SMS (MMS?) group chat with >10 people, any AT&T customers (and possibly others—I'm not sure) attempting to reply will end up replying to 10 arbitrary members, leading to a huge pile of separate chats, each missing a few people. Even under 10 people, SMS/MMS group chats don't support features like adding/removing group members, among others. It's a substantially worse UX.
> In fact, if it wasn't for the coloring, they wouldn't even have noticed, except if you exchanged other data than pure text, but I can't imagine this being a real deal-breaker for planning?
People very frequently exchange data other than pure text when event planning: GIFs, map pins, tapbacks to express [dis]agreement, etc.
The likes being sent as separate message completely defeats the point of the tapback, which is to register a reaction without spamming the screen with extra messages.
>In fact, if it wasn't for the coloring, they wouldn't even have noticed
I have. MMS always has problems, and can result in extra charges from the mobile network if it’s an international number. iMessage or WhatsApp gives me confidence that it’s using data only and I won’t experience any charges, I can use it via WiFi without a mobile network, it’s not tied to my phone number for when I leave the country and change SIM, and delivery of messages is confirmed.
I also prefer iMessage due to Apple’s stances on privacy, and integration with macOS.
> In fact, if it wasn't for the coloring, they wouldn't even have noticed, except if you exchanged other data than pure text, but I can't imagine this being a real deal-breaker for planning?
There are a number of things that iMessage does that SMS doesn’t support.
83% of US teens have an iPhone according to Piper Jaffray in April 2019 [1].
That number is biased, however, as 1) it's solely based on a survey done in high schools, and not every teen will feel comfortable admitting they have something other than an iPhone, and 2) the surveys are performed by DECA Inc., which is more affiliated with private schools and public high schools in affluent neighborhoods.
Still, I estimate that about 3 in 4 teens (and increasing) have an iPhone, either new or a model that was previously used by a parent who bought a new one. That's huge, and iMessage plays a very big role in that.
I can't speak for anyone else, but my kids are likely to end up with iPhones at some point (the oldest is 9, so not anytime soon) because Apple's child/family controls for iOS, while far from perfect, are miles ahead of anything I can find on any Android devices. So now they have iPads, and the ecosystem just works for us so it will be natural for them to stay within it when they graduate to phones.
Purchase controls for TV, movies, apps, etc, which all actually work, screen time controls, time-of-day control, web site limits, etc. Along with reporting functionality and integration with parents' phones for ad hoc approvals and time extensions.
I haven't found anything on Android that allowed me age-appropriate fine-grain controls that didn't require exceptions like turning the entire rule off just to allow a single purchase, or having the same functionality controlled in two or three different overlapping spots, etc.
If you really want to see how bad it can possibly get, take a peek at Amazon's Fire Tablet parental controls. Those take the cake for opaque settings that sometimes do what they say, sometimes much more, sometimes nothing.
The most infuriating thing about Android/Google Play from this perspective is that there's no way to prevent a child from installing literally any and every free app which has the lowest rating.
On iOS you can disable installing apps, uninstalling apps, updating apps or disable the app store completely using Screen Time and before that you could (and still can) require a password/fingerprint/face ID for any app install including free.
It would take almost no effort from Google's part to replicate the last of these (add an option requiring a password to install any app, even free with lowest rating) but they seem to be unwilling to do so.
That only works if you set up a separate child account for a separate device and then manage it using Family Link.
If I want to hand my own phone over to a child for a while, there's no way (that I've found anyway) to prevent a child from installing all sorts of crapware on it.
On non-ancient Android versions you can have multiple user accounts. Create a new one and log it into your kid's family linked account. You can switch the user before giving it to them and they'll get the expected restrictions.
That's not how it works. These kids didn't create the stigma for the green bubble. Popular culture did, big-money TV, movie and music productions did, and teens are the most susceptible.
Try finding a recent US-produced music video or hit movie/TV series that shows a green bubble (or Android for that matter, as it still has a higher market share).
Plus, by ensuring your kids use SMS instead of iMessage, you can be assured of your own ‘inclusion’ in their text chat logs through the cell carrier’s parental log.