What Could Go Wrong?

A popular electric scooter is vulnerable to hacking, and that includes its acceleration and braking controls. Xiaomi electric scooter reportedly vulnerable to hijacking hack.

Because apparently the idea is that a system controlling the actual operation of a vehicle doesn’t need any security. Especially if it is a scooter used by some of the big scooter rental companies. And no security is what they have.

The Xiaomi M365 is an electric scooter used by some scooter rental companies that contains a flaw that could allow a hacker to take full remote control over the vehicle, including causing the scooter to suddenly accelerate or brake, according to information released Tuesday by security research group Zimperium. The firm blames the scooter’s password authentication process, which is done via Bluetooth communications.

It is apparently very similar to a bug in Segway’s hoverboard that was found in 2017.
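One common way a password authentication scheme like this fails is when the check runs only in the phone app and the device executes whatever arrives over the radio. The model below is an added example, not code from the linked article, from Zimperium, or from Xiaomi, and it is not the M365’s real Bluetooth protocol: the command names, the per-device secret and the HMAC challenge/response handshake are all assumptions chosen to show what device-side enforcement looks like next to the naive version.

```python
"""Added illustration: app-side versus device-side command authorization.

Constructed model, not the M365 protocol or Zimperium's proof of concept.  The
command names, the shared secret and the HMAC challenge/response are assumptions
for the example.  The point: a client that speaks to the device directly never
runs the app's password check, so the device itself has to enforce it.
"""
import hashlib
import hmac
import os


class NaiveScooter:
    """Device that assumes the app already verified the password."""

    def __init__(self):
        self.speed = 0

    def handle(self, command: str) -> str:
        # No session state and no authentication: whatever arrives is executed.
        if command == "ACCELERATE":
            self.speed += 10
            return "ok"
        if command == "BRAKE":
            self.speed = 0
            return "ok"
        return "unknown"


class AuthenticatingScooter:
    """Device that runs a challenge/response itself before obeying any command."""

    def __init__(self, shared_secret: bytes):
        self.speed = 0
        self._secret = shared_secret   # assumed provisioned per device at pairing
        self._nonce = None
        self._authenticated = False

    def challenge(self) -> bytes:
        # Fresh random nonce per session, so a captured response cannot be replayed.
        self._nonce = os.urandom(16)
        self._authenticated = False
        return self._nonce

    def respond(self, tag: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = hmac.new(self._secret, self._nonce, hashlib.sha256).digest()
        self._authenticated = hmac.compare_digest(expected, tag)
        self._nonce = None             # one attempt per challenge
        return self._authenticated

    def handle(self, command: str) -> str:
        if not self._authenticated:
            return "unauthorized"      # enforced here, not in the app
        if command == "ACCELERATE":
            self.speed += 10
            return "ok"
        if command == "BRAKE":
            self.speed = 0
            return "ok"
        return "unknown"


def official_app(device, secret: bytes, command: str) -> str:
    """Vendor app (hypothetical): answers the challenge if the device issues one."""
    if hasattr(device, "challenge"):
        nonce = device.challenge()
        device.respond(hmac.new(secret, nonce, hashlib.sha256).digest())
    return device.handle(command)


def rogue_client(device, command: str) -> str:
    """Attacker's own radio client: skips the app, and with it any app-side check."""
    return device.handle(command)


def replay_attack(secret: bytes) -> str:
    """Capture a valid response to one challenge and replay it against the next."""
    device = AuthenticatingScooter(secret)
    captured = hmac.new(secret, device.challenge(), hashlib.sha256).digest()
    device.respond(captured)           # legitimate session completes
    device.challenge()                 # new session, new nonce
    device.respond(captured)           # replayed tag no longer matches
    return device.handle("ACCELERATE")


def demo() -> dict:
    secret = b"per-device-secret-set-at-pairing"   # constructed sample value
    naive, hardened = NaiveScooter(), AuthenticatingScooter(secret)
    return {
        "naive_rogue": rogue_client(naive, "ACCELERATE"),
        "hardened_rogue": rogue_client(hardened, "ACCELERATE"),
        "hardened_app": official_app(hardened, secret, "ACCELERATE"),
        "hardened_wrong_secret": official_app(AuthenticatingScooter(secret), b"guess", "BRAKE"),
        "hardened_replay": replay_attack(secret),
        "naive_speed": naive.speed,
        "hardened_speed": hardened.speed,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The naive device accepts the rogue client’s ACCELERATE outright; the hardened one answers "unauthorized" to the rogue client, to a wrong secret and to a replayed response, and only obeys after a handshake keyed with the right secret. Secret provisioning at pairing is assumed here and is the harder half of the real problem: a default secret shared across every unit is no better than none.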

You can file this under “I for one, welcome our self-driving overlords,” or “Nobody does proper systems design anymore,” but I’ve used both of those already in the past 7 days.


I, for one, welcome our self-driving overlords

Ain’t technology wonderful. (The title to this post is stolen shamelessly from Small Dead Animals, a link can be found in the sidebar.) ‘Autopilot’-ed Tesla Crashes Off NJ Highway, Driver Reportedly Unable To Regain Control Of Vehicle.

Yet another example came to light on Monday when a driver in North Brunswick, New Jersey wrecked his Tesla on a highway while the vehicle was in Autopilot mode. According to a report published by News 12 New Jersey, the driver said that the vehicle “got confused due to the lane markings” at a point where the driver could have stayed on the highway or taken an exit. The driver claims that Autopilot split the difference and went down “the middle”, between the exit and staying on the highway.

The car then drove off the road and collided with several objects before coming to a stop. The driver claims that he tried to regain control of the vehicle but that “it would not let him”.

This crash reminds me of the one that happened in Mountain View, California in March of last year. (Hat tip to Borepatch.)

The Lie That Accompanies EVERY Data Security Breach

Corporate PR hacks need more original material. Stop saying, “We take your privacy and security seriously”.

About one-third of all 285 data breach notifications had some variation of the line.

It doesn’t show that companies care about your data. It shows that they don’t know what to do next.

Companies don’t care about your security. You have to care about your security. Companies collect data about you, and use that data to make money. Actually putting security in place, keeping systems up-to-date, removing old data, and in general being responsible doesn’t make them money and in fact costs a fair amount. They can’t be bothered.

So they get hacked. Then they deflect, defend and deny. Case in point: OkCupid.

Instead, OkCupid’s response was to deflect, defend, and deny, a common way for companies to get ahead of a negative story. It looked like this:

  • Deflect: “All websites constantly experience account takeover attempts,” the company said.
  • Defend: “There’s no story here,” the company later told another publication.
  • Deny: “No further comment,” when asked what the company will do about it.

And if they are really caught behind the eight-ball, they will pay for 1 year of credit monitoring. Thanks, but I already pay for that, it is a better service than they usually offer, and I need more than 1 year.

Who Will Manage the Managers?

I have really tried to cut down on the security-related posts the past few weeks, but there is so much going on right now that I find a little ironic.

First up, Managed Service Providers are the target of hacks, and the attackers are getting in through vulnerabilities in the MSPs’ remote-management software that were patched long ago. Ransomware Attacks Target MSPs to Mass-Infect Customers.

If you are going to hire someone to remotely manage your systems, they should probably not be using year-old software.

In a recent post on the MSP Reddit channel, a user reports that a local mid-sized MSP was hacked and used to distribute the GandCrab Ransomware to 80 of their clients’ endpoints.

It is such a big problem at this point that the Dept. of Homeland Security had to issue an advisory.

On a similar note, Google and Microsoft have, between them, managed to set cryptomining software loose on unsuspecting customers. Cryptojacking Coinhive Miners Land on the Microsoft Store For the First Time.

Coinhive is a JavaScript miner that, once loaded, commandeers most of a machine’s processor to mine the cryptocurrency Monero on behalf of whoever planted it. Monero is one of the principal alternatives to Bitcoin. In this case the miner was pulled into Microsoft Store apps through Google Tag Manager, a “system designed by Google to help developers inject JavaScript and HTML content within their apps for tracking and analytics purposes.”

You just have to love Google and their penchant for wanting to track everything everyone does anywhere on the web.

WordPress, Accessibility, and Legality

You can file this under “No one does proper systems design anymore.” And this is mostly so you can get a feeling for the pinball-like workings of my mind….

Earlier today, I was reading a posting entitled Short Circuit from the Institute for Justice. (How did I get there? Via The Volokh Conspiracy.) Anyway one of the stories was about a pizza company being sued, under the Americans With Disabilities Act, for not providing accessible websites or mobile apps. Which caused me to think immediately of the problems that WordPress is having with their Super-duper-new-and-improved-editor, Gutenberg.

I spent enough time with it to let me know I didn’t need any of its new and (not so much) improved features, but the folks who use accessibility software – like screen readers – can’t use it at all. (OK maybe they have improved it, but the next story makes me wonder.)

Rian Rietveld published the following article: I have resigned as the WordPress accessibility team lead. Here is why. In that article she quotes a former teammate, Andrea.

The main reason for this lack of overall accessibility is in the overall Gutenberg design, where accessibility hasn’t been incorporated in the design process.

Which threw me all the way back to my IBM database days. (How many people remember Information Management System, more generally known as IMS, or DB2?) There was a systems architect who gave a presentation at a bunch of the big conventions (IBM conventions = GUIDE and SHARE). His point was that if you screw up the architecture, it is impossible to fix the problems by coding small workarounds. If you built a 3 bedroom house and then discover you need a 4th bedroom, you may need a bigger furnace/air conditioner, a bigger septic system, etc. While all of this can be done, it can’t be done in a hurry, or on the cheap. And if you aren’t careful, the addition is always going to look wrong next to the rest of the house. The same thing applies in software. (Or why do you think that after a couple of DECADES of working on computer security, we still don’t have very much? If it were easy…)

There is much in Rian’s article about “We should have written the issues differently” in order to get the programmers to solve them. (Issues that were solved, were broken again in subsequent updates because of development chaos.)

I’m not sure how WordPress development is organized, but I have used it long enough, and dealt with their so-called support often enough, to believe that it isn’t very well organized. Requirements? Documentation? Locked code? Version control? Doesn’t sound like it exists in WordPress. And that’s before you get to issues of architecture, design, etc. (Programmers have to WANT to solve issues and fix bugs? I’m glad they aren’t in charge of supporting my brokerage house’s computer system.) For another perspective on things like User Interface (UI) and Application Programming Interface (API) chaos see the article from November of last year, titled, Pressbooks and Gutenberg.

The lack of clarity in Gutenberg’s development process has hindered us from integrating Gutenberg into our roadmap. We are now two weeks from its production release, and Gutenberg’s API freeze is not yet complete. We’ve been tracking blocking issues over the last year and a half and have tried to contribute where possible, but ongoing API and user interface changes have made it difficult for us to keep on top of things without neglecting Pressbooks core development, and have made us hesitant to invest our limited resources in building on a codebase that has not yet stabilized.

The UI should have been finalized in the design phase – or nearly so. And the API isn’t defined a few weeks before they are going to go live? That should have also, mostly, been defined in requirements and design, before coding started. (What functions exist? What functions do you want to expose via the API? Structure? Error handling? Security?) But then I never worked on systems where we just made it up as we went along.

Now I’m not using Gutenberg; I’m using the “Classic Editor” because it doesn’t suck and it does everything I need it to do, in a way I have been doing things since before there was WordPress. (I was using Generalized Markup Language long before it was extended/co-opted to become Hypertext Markup Language. And WYSIWYG is almost never what I want. Of course I can actually touch type, so that’s a help.) Gutenberg is actually their New, new-editor. Their old, new-editor (that didn’t have a fancy name) also didn’t offer me anything much, even though they tried for a couple of years to get me to use it. They are currently talking about “end of life” for the classic editor. Guess I need to start researching blogging software again.

Maybe the folks working on WordPress will get the accessibility issues ironed out. I hope they do, but I don’t really have much hope that it will get done the way things are going. Consider this: How is it, that in 2017 or 2018, when they started this project, that accessibility of the finished product was not a primary part of the design? It was not even a 2nd thought, but pretty much completely ignored, until they got a ton of bad press on the subject.

This all started because of legal problems a pizza company ran into over accessibility via the web. I’m no lawyer, but my guess is that WordPress and Co. won’t be in hot water as long as the Classic editor supports everything required. (Though making one class of customers go through the back door doesn’t look good in the 21st Century.) WordPress isn’t the first organization to ignore issues of accessibility, and the way programmers work on things, I doubt they will be the last.

Brave Browser: Not as Private as They Want You to Think

But then Facebook and Twitter are the elephants in the room. Facebook, Twitter Trackers Whitelisted by Brave Browser.

The Brave Browser promotes itself on being built from the ground up to provide enhanced privacy to its users. Yet, users voiced concern today after finding a section of the browser’s source code that shows tracking scripts for Facebook and Twitter are whitelisted so that they are not blocked by the browser.

Why? Because blocking them would cause some sites to break. (Firefox lets me decide how much privacy/breakage I want.)

They Love to Store Personal Info, They Just Can’t Be Bothered to Secure It

How many kids have credit monitoring? For their entire lives they are going to be troubled by possible identity theft. Report: K-12 Schools Experienced 122 Cyber Attacks in 2018.

For instance, in December, it was discovered that the personal data of more than 500,000 students and staff in the San Diego Unified School District were stolen over an 11-month period. The data included names, dates of birth, Social Security numbers, mailing and home addresses, phone numbers, health information and legal notices.

How much do you think the administrators worry about Security? “Oh, those IT folks, they always want to spend money on something.” So the bad guys have all that info. What do you think they are going to do with it?

Actually it looks like suburban districts are targeted more than inner city schools.