The “complete collapse of Bluetooth security”

One day, we will have good security, but that day is not today.

So I’m behind on security. Bluetooth pairing flaw exposes devices to BIAS attacks.

Bluetooth-enabled devices including smartphones, laptops, tablets and Internet of Things (IoT) devices are vulnerable to attack due to fundamental flaws in the Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) configuration.

It is a specification-level vulnerability. That means EVERY Bluetooth device is vulnerable. Some will eventually be patched; many will not. The updated specification will be available “in the future.” (That’s the best info we have.)

But how often does the software in your car’s entertainment system get updated? Are there low-energy Bluetooth devices sprinkled around that won’t get updated? Of course there are.

The title of the post comes from the Show Notes for Security Now, episode 768. The notes are at this link. The video can be found at this link. The relative part of the video starts at about 1 hour, 4 minutes and a couple of seconds in. The quote of the day…

Our attacks are “standards compliant.”

Bluetooth is in literally billions of devices.

From the researchers…

To confirm that the BIAS attacks are practical, we successfully conducted them against 31Bluetooth devices (incorporating 28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.

Every Bluetooth front door lock is currently vulnerable. Many, will probably remain vulnerable for all time.

Another County Struggles to Deal with 1990s Tech

A couple of weeks old, but still worth a look. Wright County Receives Grant To Get Closer To Completion Of Next Generation 911.

And by “Next Generation” they mean those newfangled cellular telephones that everyone is using now.

For almost a decade, Minnesota has been in the process of creating an enhanced Next Generation 911 emergency calling system. Catching up with the challenges created with technological advancements that don’t use the traditional means of accessing the 911 system – computers and wireless devices – the need was identified to get past the antiquated landline phone system used to identify callers when the 911 system was created and those advanced technologies didn’t exist

“I’m gonna party like it’s 1999” is running thru my head right now.

Hey, points for trying. You would have gotten more points if you hadn’t waited 30 years to see if this technology was going to catch on.

For those not paying close attention, 2 things happened in 1991. The 2G specification (GSM) was written and released, and Sony introduced the lithium-ion battery. Nokia introduced their 1st cellular/GSM phone in 1992, and Motorola introduced the first cellular phone that was a Flip Phone (the Startac) in 1996.

This is the technology, together with GPS data, that cities and counties are struggling to deal with.

Anyone Have a Decent Alternative to WP?

WordPress is about to force their “New and Improved” block editor on everyone. Whether we want it or not. Because blocks are better, if you are selling soap.

I gave up on Blogger all those years ago, because Google is annoying. On so many levels. And at the time WordPress was much less annoying.

But as someone said, change is the only constant in the universe, and WP is changing into a completely annoying organization.

I think they would be less annoying if I paid the $48/year they want for their entry-level premium service. (What’s the net-present-value of a string of payments that lasts the rest of your life?) But I think they would still be annoying even then. Developers who build things that violate CSS. Developers who know what people want, so why should they bother to ask? And don’t get me started on what passes for support. They can’t be bothered to read the question/statement of a problem you have because they are sooo much smarter than you, they know what you meant to ask.

Keystone Added to I-74 Arch Bridge

I am usually writing about failed or rotting infrastructure. But not all stories are doom and gloom. Crowds come out to watch crews complete first I-74 bridge arch. The piece was installed May 5th.

The I-74 bridge across the Mississippi River between Illinois and Iowa is old, and in bad shape. To fix that 2 new spans are under construction. True-arch, basket-handle bridges are being built just upstream of the existing bridges. They will carry 4 lanes in each direction.

The bridge joins Bettendorf, Iowa and Moline, Illinois, and is pretty much right in the middle of The Quad Cities region. The other 2 cities are Rock Island, Illinois and Davenport, Iowa. The first span of the existing bridge was built in 1935. A second bridge built to the same design was added in 1961. It is handling almost twice the number of vehicles the design called for, and it is NOT up to interstate highway standards.

While on a tour at the base of the bridge in Bettendorf in May 2012, U.S. Transportation Secretary Ray LaHood said that, in comparison with other bridges that he has seen in other states, the current I-74 Bridge is one of the worst he’s seen.

The keystone, or center piece of the arch, of the first span was put in place during the first week in May. A 100,000 pound chunk of steel. raised about 200 feet in the air. The video at the news story linked at the top of this post is about 2 minutes long, and is not too annoying. Other videos will play after the first video if you take no action.

This is a short video, about 1 minute, from April showing the stage of construction just prior to the keystone being placed. You can see the temporary towers and cables supporting the arch as it is built, and get a feeling for the size and the design. It isn’t my favorite video, but at a minute, it seems to capture what is important. There are more videos, and they are easy enough to find, that are in the 5-6 minute range, taken anytime from January through Easter, if you’re interested in more detailed views of the construction.

You can find an artist’s rendering of the new design at this link.

There is a longer video of the process of getting the keystone in place, but it is 45 minutes, or more, and not particularly interesting. I can’t really recommend it, but I include if for completeness.

Infrastructure Problems

A number of infrastructure problems have come to light due to all the rain.

News Flash: Chicago’s Lower Waker Drive is close to the level of the river. (That’s one of the reasons there is an Upper Waker Drive.) Chicago Weather: Recent Storms Break May Record For Rainfall.

Flooding also overwhelmed Lower Wacker Drive, prompting Fire Department crews to use inflatable boats to help rescue at least six homeless people who were left stranded Sunday night.

The flooding on Lower Wacker Drive also has left Willis Tower without power since early Monday morning, after a ComEd substation was knocked out. Crews were still working to pump out floodwater from the basement of the iconic skyscraper on Tuesday. ComEd said they are not yet able to estimate when power will be restored.

Cars parked in the sub-streets have been destroyed by flooding.

Willis Tower (previously known as Sears Tower) is still without electricity, though it should be restored over the weekend.

Another dam is in danger of failing. This one in Virginia. More than a dozen homes in Roanoke being evacuated due to potential dam failure.

Roanoke City officials say that the Spring Valley Dam located near Lake Dr. is in danger of failing, which would cause flooding in the area surrounding the dam.

The video at the link seems to show the outflow from the spillway. Definitely a potential to cause erosion, and the level of the lake behind the dam is in danger of overtopping the weir. It may have overtopped the weir briefly, but there is no sign of erosion.

Joliet, IL has also had trouble with flooding. Joliet’s Route 53 Closed, Road Damaged From Floods.

That part of Route 53 through Joliet is actually the old Route 66 through that part of the country. So that infrastructure is probably as old as the photos make it look. And viaducts always have problems with flooding. It is easier to dig out a trench for the road, than to build a hill for the train. They always flood, and occasionally a semitrailer will get stuck under the railroad bridge. (Don’t rely on Google Maps to tell you where Route 66 is. They are confused, though you could search for Route 66 raceway in Joliet.)

There are other stories of drownings, and flooding, but not so much tied to infrastructure.

2nd Dam Breached

The Sanford Dam, downstream from Edenville, breached. 2 Michigan dams breached, thousands evacuated amid flooding.

The evacuations include the towns of Edenville, Sanford and parts of the city of Midland, which has 42,000 people, according to Selina Tisdale, spokeswoman for Midland County.

Water in Midland is expected to be about 9 feet deep.

The Sanford Dam, which was built in 1925, received a fair condition rating.

This story say the Edenville dam was built in 1924, which differs from what I say in the Wiki. Anyway the previous post on these dams is at this link.

Edenville Dam Collapse

It was apparently not a surprise to some people that the dam was in danger. Feds revoked failed Edenville dam’s license in 2018 over inability to handle big floods.

Federal regulators in 2018 revoked the hydro-power generating license for the collapsed Edenville Dam in Midland and Gladwin counties, citing years of failure by the dam’s owners to address safety problems — especially the dam’s ability to withstand a major flood.

The Edenville Dam ruptured Tuesday after heavy rains

There is a short video, 35 seconds or so, at the link above that shows the extent of the flooding.

The details on the dam…

The Edenville Dam is a 6,600-foot [1.25 miles or just over 2 kilometers] earthen embankment up to 54.5 feet in height, spanning both the Tittabawassee and Tobacco Rivers in Midland and Gladwin counties. The dam creates a 2,600-acre reservoir known as Wixom Lake, with a gross storage capacity of about 40,000 acre-feet [4.934×107 cubic meters] of water and a 49-mile-long shoreline when full. The dam was equipped with two, 2.4 megawatt turbine generators and was licensed for hydro-power generation in 1998.

According to the Wiki, the dam was completed in 1925. So probably there were both design and maintenance issues with a dam that old.

Apparently they had been trying for 14 years to get some safety concerns addressed, before they finally revoked the license.

So with no ability to generate power, were the turbines just closed off, and not able to help drain the lake? It doesn’t say anywhere that I can find. And in any event, the dam seems to have been designed only to handle about 50% of the “probable maximum flood.” Which is apparently what they got. Water in that quantity over the spillway caused erosion of the earthen structure, and we see the result.

And while politicians are busy doing all the things that are popular today, like art in the park, and funding cultural centers, or whatever, infrastructure is left to crumble.

A 2018 report card on Michigan dams by the state chapter of the American Society of Civil Engineers found that while the state had improved its D-grade from the society’s 2009 report card, it still had persistent issues.

“There are approximately 2,600 dams in Michigan, of which about two-thirds are older than their typical 50-year design life. In the next five years, about 80 percent of Michigan’s dams will be over 50 years old,” their report stated.

There were 19 high-hazard dams in unsatisfactory or poor condition in Michigan in 2018, ranking 20th among the 45 states and Puerto Rico for which The Associated Press obtained condition assessments.

This won’t be the last dam to fail, or even the last one in Michigan. And I doubt politicians even think about infrastructure.

Nothing lasts forever. And an earthen dam built in 1925 is going to need some maintenance, and maybe even some improvements, and eventually it will need to be replaced. The “What could go wrong?” attitude has got to stop.

There is fairly good video of the breached dam at this link. It is only 35 seconds or so, but part of the video is a clear view of the breach in the dam from an airplane. Not the best video. (People hold your phones horizontal, when taking videos!) but it is clear. There are a few seconds at the end that show the breach from the shore.

Bad Models Yield Bad Predictions

And this is about the model that has been used to predict the spread of COVID-19. Imperial College model Britain used to justify lockdown a ‘buggy mess’, ‘total unreliable’, experts claim.

Experts have derided the coding from Professor Neil Ferguson, warning that it is a “buggy mess that looks more like a bowl of angel hair pasta than a finely tuned piece of programming.”

“In our commercial reality, we would fire anyone for developing code like this and any business that relied on it to produce software for sale would likely go bust,” David Richards, co-founder of British data technology company WANdisco, told the Daily Telegraph.

The original article is at The London Telegraph, but like most of the Telegraph these days everything but the first few paragraphs are behind a pay wall. Neil Ferguson’s Imperial model could be the most devastating software mistake of all time.

Nanfang’ao Bridge Collapse

This bridge was constructed in 1996 in Taiwan. It was intended to last 50 years. On October 1st of last year, at 09:30, it collapsed killing 6 people and injuring 12 more.

Click on the image for a large view.

Rust never sleeps. Rust damage a potential factor in Nanfang’ao Bridge collapse: TTSB

An investigation into the collapse of Nanfang’ao Bridge in Yilan County last year found corrosion in several of the bridge’s steel cables, while the impact of other factors, including road construction projects and overloading, is still being studied

Five of 13 suspenders gave way, causing the arch to fall on one end, and the roadway to fracture.

This is not the first bridge failure in which overloading might be a factor. Bridges are not designed to hold infinite weight. And just because you need to drive across a bridge with your cargo, doesn’t mean that you should. And even if you make it across, doesn’t mean you haven’t damaged the structure so that it will fall tomorrow.

However, we can’t say definitively that was the cause.

The day before the bridge collapsed, the area was hit by Typhoon Mitag, and struck by a 3.8 magnitude earthquake at 13:54 in the early morning before the collapse.[3][19][20] However, MAA Consultants are not able to determine the actual cause as the crucial broken parts of the structure have yet to be recovered.

A typhoon, an earthquake, and a bridge collapse all in 2 days time.

Back to the article linked at the top…

Larger questions surrounding the bridge’s collapse, including the possibility of improper construction and the extent of the rust damage, require further investigation, the TTSB said.

A picture of the bridge before the collapse can be found at this link.

Say Goodbye to All Those GPS Applications

Facepalm X 2That may be an overstatement, and it may not be an overstatement of the issue. The FCC Secretly Approved the Ligado 5G Network Despite Pentagon’s Objections.

Ligado Networks formed after they bought out Lightsquare, a U.S. satellite communications company that had gone bankrupt. Their 5G plan, once established, will disrupt GPS signals that facilitate the U.S. military and U.S. economy by using bandwidth adjacent to what GPS uses. This will create interference that prevents GPS satellite signals from reaching their ground receivers.

Well done you insane bureaucrats. From the outside, it sure looks like there might have been a payoff somewhere.

Dam Inspections Do Not Equal Safety

The dam in question got good safety reviews right up until the day it failed. Toddbrook dam collapse | ‘Closing gap between compliance and safety’ must be priority.

First a review of what happened.

On 1 August 2019, a single slab of the dam’s spillway chute collapsed into a large void that had formed underneath, and a brown slurry could be seen discharging from under slabs (which had also failed and lifted) further down the spillway chute. During the day the void enlarged, and more slabs collapsed, risking the integrity of the dam. A full-scale emergency was declared, and, as a precaution, 1,500 people were evacuated from the town of Whaley Bridge immediately downstream of the 25,000m3 Toddbrook Reservoir.

I haven’t read the complete report, but the summary isn’t surprising. The design of the spillway, which was built 100 years ago, and redone in some way in the 1970s, wouldn’t meet design standards today. The concrete in the spillway was too thin, reinforcing was inadequate, there was no under-spillway drainage, etc.

But the problem – to my mind – is the maintenance. Even though they got good reports from the inspections, and had NEVER had a safety violation, it’s clear that something was wrong.

The reports adds: “Maintenance over the years had been intermittent with extensive plant growth in cracks and joints for prolonged periods, suggesting open passageways to the embankment beneath. Generally, the slab concrete remained sound but there was honeycombing and/or deterioration at some joints, some missing chute plums, some cracking and evidence of significant prior plant roots through joints and in some cases through slabs.”

For a more complete review of what happened, see It Isn’t Only The USA That Has Been Ignoring Infrastructure. There is a video from Blancoliro that covers details of the dam and the emergency response, which included a helicopter from the Royal Air Force.

Beware of Free VPNs

I know it has been said before, but it apparently needs repeating… You get what you pay for. This is especially true in the world of Virtual Private Networks. With so many people using the net to work from home or whatever, VPNs are a good idea, but not every VPN is a a good idea.

If it is free, you are paying for it in another way. 100+ VPN Logging Policies Debunked.

And it isn’t just the unknown players that you need to beware of.

For example, McAfee’s Safe Connect claims to encrypt your online activity and defend you against cybercriminals. On their homepage, they also claim to protect your privacy.

But their “privacy policy” says that they keep info about the apps you use, the websites you visit, in addition to aggregate statistics. That sounds like fairly detailed usage logs to me.

After the break find a table that details some of the VPNs and how they are not guarding your privacy.

Torrent Freak hasn’t updated its list of VPNs, so we still have last year’s list. It is good. The Good VPNs don’t change much year-to-year. Which VPN Services Keep You Anonymous

Continue reading

Third Payment Processor Has Security Breach This Year

Someday companies will take security seriously. But it won’t be in 2020. New York payments startup exposed millions of credit card numbers.

The processor is PAAY, a startup in New York left a database online with no password protection. You can click thru for the particulars.

The interesting thing is the attitude and the lies of one of the co-founders. He said they didn’t store credit card numbers.

TechCrunch reviewed a portion of the data. Each transaction contained the full plaintext credit card number, expiry date and the amount spent. The records also contained a partially masked copy of each credit card number. The data did not include cardholder names or card verification values, making it more difficult to use the credit card for fraud.

Mendlowitz disputed the findings. “We don’t store card numbers, as we have no use for them.” TechCrunch sent him a portion of the data showing card numbers in plaintext, but he did not respond to our follow-up.

So perhaps not a total nightmare, but it is still a screw-up of monumental stature. To put a database online without security and leave it there for 3 weeks, is just plain stupid. Or it shows you don’t care in the least about security. Which they don’t.

Anti Semitic Attacks Were Taking Place While You Were Distracted With Quarantine

First up the University isn’t a safe space. Yale University Rabbi Abused and Beaten in Antisemitic Robbery Praises Swift Police Response.

Rosenstein had been making a call on his cellphone while standing outside the Yale Chabad House when he was approached by two teenage boys, one of whom told him, “Give us everything you have, you f__ Jew.”

Then there is the vandalism in Alabama. Huntsville Synagogue vandalized with swastikas.

A Huntsville synagogue has been vandalized with swastikas and other anti-Semitic graffiti at the start of Passover. News outlets report that Huntsville police are investigating after the Etz Chayim temple was desecrated Wednesday night.

And with everyone using Zoom, the haters are also using it. Zoombombing: New Frontier of Anti-Semitism?

The hijacking and disruption of video teleconferencing on the popular platform Zoom, which has become known as Zoombombing, is a growing concern to those who fight crime and hate, including the FBI and the Anti-Defamation League. It’s especially troubling considering the ubiquitous use of the app for business, education and group meetings during the coronavirus.

There are things you can do to avoid Zoombombing. And you should, or you risk getting bombed with everything from porn to hate.

Because People Still Refuse to Use a Password Manager

Zoom has been in the news, but this really isn’t their fault. People use their pet’s name, or their birthday, or whatever as a PW, and then are victims of credential stuffing. Over 500,000 Zoom accounts sold on hacker forums, the dark web.

These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.

Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.

Free? Who says hackers don’t like to have fun.

If you use the same password on multiple sites, stop. Change them. I don’t want to say “especially if you use Zoom,” but that is the story of the day. Select and use a password manager. LastPass is very popular. I use KeePass. I know exactly 1 person who selected 1password. As always, you are responsible for your own choices. And, as Rush pointed out, not choosing is also a choice.

You can choose a ready guide in some celestial voice
If you choose not to decide, you still have made a choice
You can choose from phantom fears and kindness that can kill
I will choose a path that’s clear
I will choose freewill

Dams and Earthquakes

Not a winning combination. Feds Order Anderson Reservoir to be Emptied.

It should be no surprise that this dam is in California.

A 2009 study concluded the possibility that a 6.6M earthquake with an epicenter right at the dam or a 7.2M one up to a mile away, could cause dam failure due to liquefaction.

Here’s a short video of what soil liquefaction looks like after an earthquake. That isn’t something you want to happen to dam, that has the potential to flood a populated area.

Despite that study, the reservoir stayed full until another study, in 2019, showed what a wall of water would do if the dam collapsed with that much water behind it. The dam has been kept at 58% capacity since then, but now the feds want it drained.

Another result of the [2009] study was the inception of the Anderson Dam Seismic Retrofit Project costing about $550 million to strengthen the dam against a strong earthquake, however a “complicated and time consuming” process including securing a number of permits amidst changing state and federal regulations has delayed the project for over a decade.

So here’s a piece of infrastructure, that is somewhat critical to the water supply of the San Francisco Bay Area, that they have been trying to repair for nearly 20 years. Yet they can’t make any progress because of regulators. And they don’t say it, but I’m sure there are environmental suits involved over getting the dam removed.

There is a quote, which I won’t find, that compares our society with Italy in the dark ages. We are surrounded by all these things built by previous generations, and we’re unable to reproduce them, or even maintain them. Soon, we won’t even understand them.

They Were Told to Stay Off the Bridge

But that is hard so they ignore the signs and warnings. UPDATE: SDOT still working on solutions for both West Seattle Bridges.

When this bridge collapses, people will be shocked and appalled. And it will collapse, soon. The cracks are apparent. (Click the link above for a photo of the cracks.)

Low bridge seeing 15,000 cars a day despite signs restricting access

It is supposed to be limited to freight and buses. But that would be inconvenient.

“The West Seattle High-Rise Bridge was originally designed for 3 lanes of travel in each direction. As Seattle grew, the bridge grew to 3 westbound lanes and 4 eastbound lanes. This added traffic, combined with the increase in size and weight of commercial and transit vehicles, has only compounded the long-term maintenance challenges posed by the bridge. Further, 80 percent of the bridge load is dead load, meaning deterioration is possible even when all traffic is removed.”

As a side note, the average weight of cars and trucks grew by some 900 pounds per vehicle between 1987 and 2020.

High dead load. Increasing live load. Cracks that are visible in the structure. People ignoring the signs restricting access. I wonder if anyone is running a pool on when the bridge will collapse.

Another Dam Failed on Friday

Not much information, but there didn’t seem to be much danger of loss of life when the failure occurred. Flash flooding possible in Putnam, White Counties after dam failure.

Flash flooding is possible Friday evening in areas below Perdue Farms in southeast Putnam County and northeast White County after an [earthen] dam failed Friday afternoon.

As for the edit above, they said “earthing” which is apparently a quack medicine fad, and not a type of dam. But then professional journalists can’t be expected to know these kinds of things.

Tennessee would generally make me think TVA, but this doesn’t sound like that somehow. And I can’t find information to say, one way or another, but I would think that a TVA dam would be named.

There are 2 interesting photos of the breach at the article linked at the top of this post.

There are a lot of small dams all over the place holding back small lakes that were created for various purposes. If you search your county’s website, you might even find one or 2 near you. Probably under emergency management planning or something similar.