Yottabytes: Storage and Disaster Recovery

October 13, 2019 12:23 PM

Interesting Insights from Video Game Archeology

Sharon Fisher
Storage, Video games

It’s amazing how much computer scientists of today are learning from the stored data in old video games.

As you may recall, a couple of years ago some British researchers went to all sorts of efforts – including baking old tapes in an oven – to read the data from a series of text-based adventure games called Magnetic Scrolls. Baking the tapes was required because, in the years since the tapes were made, they had absorbed moisture and become sticky, which meant they could no longer be played.

Now, there are people called “video game archeologists” who study old video games – not just to relive their childhoods, but to look at the programming techniques of the era. Because of the hardware and software limitations of the time, these programs often use remarkably imaginative techniques to work around them.

In this particular case, it was a game for the Atari console called Entombed. It was a pretty obscure game, but that was the point, explained John Aycock at the University of Calgary, in Alberta, Canada, in a 33-page paper explaining the project. He teaches a class in retro game programming, and he wanted to find a game that hadn’t already been extensively studied.

Of course, Aycock and his co-author, Tara Copplestone at the University of York, UK, left out one of the most intriguing aspects of it. “We began by manually reverse-engineering the relevant parts of Entombed’s binary code, via both static and dynamic analysis using the Stella Atari 2600 emulator.” Okay. But how did they get the binary code from the cartridge into the emulator in the first place? No clue. Argh.

Like many games of that era, Entombed used a maze, but not just any maze. “Although the blocky, two dimensional mazes from entombed might look simple by the standards of today’s computer graphics, in 1982 you couldn’t just design a set of mazes, store them in the game and later display them on-screen – there wasn’t enough memory on the game cartridges for something like that,” writes Chris Baraniuk for the BBC. “In many cases, mazes were generated ‘procedurally’ – in other words, the game created them randomly on the fly, so players never actually traversed the same maze twice.”

Anyway, as it turns out, the game has one of those sections of code that many of us remember, the kind that is basically commented “We don’t know how this section of code works, but don’t change it or it breaks the program.” The game uses a table to generate the maze, and neither today’s researchers nor the original writers – several of whom they tracked down and interviewed – know how the table works or how it came to be created. (Especially since, in this particular case, there weren’t even any comments, Aycock writes.)

“The best guess the pair have is that the programmer behind the maze algorithm must have manually fine-tuned the table values until the game worked as desired, but that still doesn’t really explain the logic behind it,” Baraniuk writes.

Alcohol may have been involved.

Aycock got two different stories about how the maze generation section of the code was created. “Regardless of which version of events is followed, it seems fair to say that some level of intoxication was involved in the development of the maze algorithm,” he writes.

Curious about video game archeology? As it happens, there’s a section of the Internet Archive called the Internet Arcade, which includes almost 2,000 arcade games, dating back to the 1970s, which have been emulated and can be run from a browser.

Good luck, Indiana Jones.

September 30, 2019 11:01 PM

Why You May Not Want to Sign Up for the ‘Storage for Life’ Deal

Sharon Fisher

The other day, everywhere I looked, I saw an article about the same product.

5 terabytes of cloud storage! For $99! 89% off! For life!

As an indication of how awesome that deal is, I pay $99 for 2 terabytes from Google now. And that’s per year, not for life.

Yet I didn’t jump all over this deal. Why not? What’s wrong with me?

“For life” is a long time. (Hopefully.) And I’ve been covering storage long enough to know that “unlimited” – whether it’s time or size – doesn’t last forever.

Back in the day, when personal cloud storage was just getting going, a number of major providers were offering unlimited data storage. And, one by one, they all quit, because they found out that, for some people, “unlimited” storage is like the buffet at Golden Corral, and they just hadn’t figured how much some people could eat.

And “forever” is worse.

I don’t want to pick on these people. The Polar Backup people – it’s called that presumably because it’s based in Finland – may be very nice and completely aboveboard. They may genuinely believe that they can promise to offer data storage for life.

But I wouldn’t want to bet on it. Because a lot of things can happen to a computer company.

In looking at the Polar Storage website – I had never heard of the company before – it turns out they’ve been around for all of two years. At least, that’s how long they’ve been developing this service.

And they’re promising forever?

If you read the FAQs and the terms and conditions and such – you know, the stuff that nobody ever reads – it starts sounding even more dicey. It’s not like it’s particularly out of the ordinary for cloud storage companies, but it doesn’t sound like forever.

“In the event of a change in ownership, or a direct merger or acquisition with another entity, we reserve the right to transfer all of Polar Backup User information, including Personal Data, to a separate entity. We will use commercially reasonable efforts to notify you (by posting on our website or an email to the email address you provide when you register) of any change in ownership, merger or acquisition of Polar Backup assets by a third party, and you may choose to modify any of your registration information at that time.”

“Polar Backup reserves the right in our sole discretion to revise, amend, or modify this policy and our other policies and agreements at any time and in any manner.”

“Polar Backup may (i) automatically update Polar Backup Products installed on your computer without your prior notice, (ii) upgrade, enhance, change and modify (collectively, the “Enhancements”) Polar Backup Products, or (iii) discontinue or retire Polar Backup Products or any aspect or feature of Polar Backup Products, including the types of files and data that are backed-up (not every file on your computer is backed-up) or the availability of Polar Backup Products on any particular device or communications service at any time and from time-to-time in its sole discretion.”

“Polar Backup will use reasonable efforts to provide notice of material changes to the Polar Backup Products or changes to these Terms by posting them to Product Agreement. It is your responsibility to periodically check Polar Backup website to inform yourself of any such modifications. Changes to these Terms, which may be made in Polar Backup sole and exclusive discretion, will be effective upon acceptance of these Terms (as described herein) for new subscriptions and effective for all existing users thirty (30) calendar days after the posting of the new Terms on Polar Backup website at Product Agreement. You agree to be bound to these Terms, as modified.”

So are you prepared to log into Polar Backup once a month, for life, just in case the company has changed its terms?

“These Terms, your license and your subscription to the Polar Backup Products will automatically terminate or expire upon the earlier of (i) non-renewal, cancellation, or expiration of your subscription or your failure to pay invoices when due, (ii) Polar Backup discontinuance of the Polar Backup Products, or (iii) failure to comply with these Terms. If any third party makes an intellectual property infringement claim relating to the Polar Backup Products,”

Yes, if they discontinue the products, they won’t work anymore.

“At any time during the term of a product’s life cycle, Polarbackup may increase or decrease its prices for any of its products without notice.”

About that price:

“Polar Backup’s cloud storage plans usually start at $390, but right now you can buy peace of mind and easy file management for 89% off.”

Now why in the world would a company do that? Either because it was trying to seize market share, or because it was in trouble. Otherwise it would be tough to cut its charges by 89% without ticking off all its existing users, because this deal is only good for new users.

And 89% is quite a discount. It’s going to have trouble raising prices ever, or people will start asking why they can’t get the discount anymore.

Sadly, none of the dozen or more websites that advertised this deal brought up any of this. It was all, hey! Look at this deal! Wow!

And they may be right.

But when something sounds too good to be true, it probably is. And I will be interested to see how long Polar Backup stays around.

September 29, 2019 12:06 AM

Baltimore Ransomware Attack Still Causing Problems

Sharon Fisher
government, Security

While a number of cities have been hit by ransomware in the past year, few have been hit as hard as Baltimore – but as time goes on, it’s starting to sound like the city has no one to blame but itself.

It all started in May when several city services went down and the city received a ransom note. Baltimore was then told it needed to pay 13 bitcoin – about $76,000 – to get its data back.

However, city officials refused to pay. That wasn’t to save it money, though. “City officials expect to spend about $10 million rebuilding and replacing affected systems, and take an additional $8 million hit from lost revenue,” writes Benjamin Freed in StateScoop.

Naturally, Baltimore has been trying to understand how this all happened – and it’s asking itself some pretty hard questions. Sadly, it mostly seems to be trying to come up with pretty good excuses.

In the process of this introspection, city officials discovered that Baltimore didn’t have a disaster recovery plan, and that it would take nine months to develop one.

It didn’t have cyber insurance, either. Though hey! It’s considering it!

As it turns out, the city hadn’t been backing up employee hard disk drives anywhere, and data was stored only on individual PCs – which meant it got wiped out in the ransomware attack.

That also meant that the city had trouble during a recent audit.

“Baltimore’s IT agency could not prove that it was meeting certain performance metrics in a recent audit because the relevant data had been stored locally on employees’ computers that were corrupted by a ransomware attack that crippled the city’s municipal networks earlier this year,” Freed writes.

One member of the city council – who chaired the audit committee – was also a former federal IT auditor.

“Wow. That’s mind-boggling to me,” he said, Freed writes. “Do they really understand that’s an issue? Because they’re the agency tasked with educating people that that’s the problem.”

It’s especially mind-boggling because not only had Baltimore been hit by ransomware just the year before, but the city had been warned that it was vulnerable to such an attack a couple of years before that. “The risk assessment — which appears to be from before September 2017, when the Baltimore City Information & Technology office took its current name — focused on a pair of servers responsible for more than 100 applications operating on a version of Microsoft Windows that is no longer supported by the technology giant,” writes Freed in a different StateScoop article.

“Despite the two attacks, [IT Director Frank] Johnson said that the city’s computer systems have strong defenses,” wrote the Baltimore Sun in May.

Not surprisingly, Johnson – the highest-paid executive in Baltimore city government — was out of office on leave by September. The new IT director started as Johnson’s deputy one day before the May attack.

But things are better now, right?

Well, except for last week, when county computers went down, reportedly due to a storage issue.

September 25, 2019 9:10 AM

Western Digital 20-TB Hard Disk Drive Announced

Sharon Fisher
Storage, western digital

Five years ago this month, I wrote about Western Digital announcing a 10-terabyte (TB) hard disk drive. Which makes it appropriate that, this month, Western Digital has now announced a *20*-TB hard disk drive.

“Western Digital announced that it would ship 18 TB conventional magnetic recording (CMR) and 20 TB shingled magnetic recording (SMR) HDDs in the first half of 2020,” writes Tom Coughlin in Forbes. “This helium-sealed 9-disk HDD platform is said to have ‘…leveraged energy-assisted recording technology to deliver areal density leadership at the highest capacity available.’”

Well, at least until five years from now.

Incidentally, 10-TB hard disk drives are now considered to be “commodity” hard disk drives, at least according to Backblaze, which is now using 10-TB Seagate drives – as well as other hard disk drives up to 14 TB – in its storage pods. It doesn’t use the Western Digital ones because it has trouble getting them in quantity, director of compliance Andy Klein wrote earlier this year.

Western Digital said it will sample the 18TB Ultrastar DC HC550 CMR HDD and the 20TB Ultrastar DC HC650 SMR HDD to customers by the end of 2019, Coughlin said.

Like the 10-TB hard disk drive, the new 20-TB hard disk drive uses shingled magnetic recording technology, which puts more data in the same space, though it is slower. For the 10-TB hard disk drive, Western Digital came right out and said it was mainly intended for “cold storage” facilities, and that is presumably true of the new one as well.

That means “slow,” because you put stuff in cold storage that you don’t need all the time, and so you spin down the drives rather than keep them running all the time because it saves energy. So every time you retrieve something from cold storage, you have to go kick the drive to start it up again. It’s like keeping the beer in the fridge out in the garage. You can put a lot more beer out there, but you have to traipse out to the garage every time you want a beer.

Coughlin did cite Western Digital as saying that the drives are targeted at data center applications and that the company estimated that 50 percent of its hard disk drive exabytes shipped will be on SMR by 2023. The press release also quoted the vice president of engineering at Dropbox.

Another big customer is likely to be DDN, which Western Digital recently announced would be buying the company’s IntelliFlash business as part of its plan to exit from storage systems. At the same time, though, the two companies agreed to a multi-year strategic sourcing agreement, under which DDN will increase its purchases of Western Digital’s HDD and SSD storage devices, according to a Western Digital press release.

According to Coughlin, Western Digital holds 37 percent of the hard disk drive market, while Seagate holds 40 percent and Toshiba holds 23 percent.

The company didn’t say how much the new hard disk drives would cost.

Disclaimer: I am a Backblaze customer.

September 8, 2019 9:11 PM

Government Wants User Download Data from Apple, Google

Sharon Fisher
Encryption, government, privacy, Security

We’ve written more than once about government efforts – in the name of fighting crime, of course – to track down everyone in a particular area where the crime was committed. But there’s a new wrinkle.

The Department of Justice and the Immigration and Customs Enforcement Department are now working to obtain a court order to force Apple and Google to give them the names, as well as phone numbers and IP addresses, of everyone who’s downloaded a particular application since August, 2017, plus whenever they’ve used it. The application in question is called Obsidian 4 and is put out by night-vision specialist American Technologies Network Corp. (ATN). Its purpose is to let gun owners get a live stream, take video and calibrate their gun scope from an Android or iPhone device, according to Thomas Brewster in Forbes, who broke the story.

While other governments have made similar requests in the past – Brewster describes one non-U.S. government that asked one global technology company for the names and addresses of 58 million users of a single app so it could trace a suspected terrorist cell plotting a suicide bomb attack – this is the first time the U.S. government has tried this, he writes.

The issue is illegal exports of ATN’s scope, which is controlled under the International Traffic in Arms Regulation (ITAR), though the company itself isn’t under investigation, Brewster writes.

Likely this would be considered a “third party” request because the government isn’t requesting the information from the users themselves, but from third parties to which the users had given their information. In the Carpenter case, the Supreme Court ruled that such requests about individuals required a warrant.

However, the Supreme Court also ruled that “tower dumps” – in other words, a download of information on all the devices that connected to a particular cell site during a particular interval — are okay. Or, at least, when ruling on Carpenter, they didn’t rule that they weren’t okay. It could be that the court will see these as similar situations, or will at least allow the Department of Justice access to some of the information, with the ability to issue a warrant to get the remaining data for any individual who looks particularly suspicious.

Needless to say, conservative websites are having kittens about this, because they see it as a back door to track down gun owners.

“Allowing this request to go through would create dangerous precedents,” writes Beth Baumann in Townhall, which describes itself as the leading source for conservative news and political commentary and analysis. “The most dangerous aspect though is the government being able to pinpoint every single person and every single firearm a person has. It’s a form of a gun registry…without calling it that.”

According to American Military News, ATN wasn’t contacted about the court order, and intends to protect its customer data to the extent it is allowable under law.

If the idea is actually to track down overseas users of the application, the government should do that, writes Jazz Shaw for HotAir, a sister publication of Townhall. “Why ask for the data for all users?” he writes. “Surely Google and Apple could provide the user data for just those users outside the United States, right? Why not just ask for that if there are no issues with people using the scopes or the app in America? Seems like a reasonable compromise that both the government and the tech giants could see eye to eye on.”

But the problem with this request is actually broader than that. Keep in mind that, at various times, the government has made certain computer things illegal, ranging from public-key encryption to online gambling. What would it be like if the government could then track down everyone who had downloaded such applications and bust them for owning them?

For example, if the FBI succeeds in outlawing encryption, will the government be able to track down everyone who’s ever downloaded WhatsApp, even if they don’t realize it uses encryption and didn’t download it for that purpose? Or, in a hypothetical oppressive U.S. government that outlawed social media or the use of the Internet altogether, what if the government could get the names and contact information for everyone who ever downloaded Twitter or a TCP/IP stack?

A security analyst quoted by Brewster also notes that people don’t necessarily download an app to use it, but could be checking it for security vulnerabilities and other uses. People could also be less willing to use Google and Apple app stores in response to this, the analyst added.

Another concerning aspect is that the court order was supposed to have been sealed, and Forbes apparently managed to get a copy of it beforehand. One would assume future court orders won’t make that mistake, and people won’t even be able to find out about them.

Presumably the various civil liberties organizations, not to mention Google and Apple themselves, are lawyering up to stop this. Because the precedent, if this passes, is pretty scary.

August 31, 2019 10:59 PM

Concern Arises About Alexa-based Mental Health Checker

Sharon Fisher
privacy, Security, Storage

Over the past few years, there have been a number of incidents regarding law enforcement and attorneys wanting access to recordings made by smart devices such as the Amazon Alexa and copies of data from devices such as FitBits. Now, there’s some indication that the government may be asking for such data as well, in the name of preventing mass shootings.

“The proposal is part of a larger initiative to establish a new agency called the Health Advanced Research Projects Agency or HARPA, which would sit inside the Health and Human Services Department,” writes Jacqueline Alemany in the Washington Post. “Its director would be appointed by the president, and the agency would have a separate budget, according to three people with knowledge of conversations around the plan. HARPA would be modeled on DARPA, the highly successful Defense Advanced Research Projects Agency that serves as the research arm of the Pentagon and collaborates with other federal agencies, the private sector and academia.”

The lead scientist on the project emphasized that this would be a voluntary program, but nonetheless, people are having kittens about the concept. Because, seriously, how likely is it that someone who exhibits the tendencies of a person who goes on to become a mass shooter will allow the government to collect data about them?

“The idea is for the agency to develop a ‘sensor suite’ using advanced artificial intelligence to try to identify changes in mental status that could make an individual more prone to violent behavior,” Alemany writes. “The document goes on to list a number of widely used technologies it suggests could be employed to help collect data, including Apple Watches, Fitbits, Amazon Echo and Google Home. The document also mentions ‘powerful tools’ collected by health-care providers like fMRIs, tractography and image analysis.”

Opponents noted that mental illness isn’t necessarily a predictor of being a mass shooter, and expressed concern about what would happen to people who were identified by the system as potentially being violent and whether the consent would be buried in some multipage terms of service document.

In addition, governments may be able to collect this data on people whether they volunteer or not, using a policy known as “third party doctrine,” which the Supreme Court has been deciding in connection with what data government and law enforcement can retrieve from cellphone service providers. “The U.S. Supreme Court has long held that when private individuals surrender personal information to third parties and the government subpoenas that information from the third parties, there’s no Fourth Amendment violation,” writes Frank Camp in the Daily Wire, quoting a Cornell Law School professor.

Recall that in a number of legal cases involving smartphone data, the cases have had to do with crimes such as terrorism and child pornography – you know, things that are so heinous that no reasonable person wants to be associated with supporting them, and of course we all want to do whatever is possible to stop them. No doubt, wanting to prevent mass shootings could be seen as falling into that same category.

August 29, 2019 9:29 AM

E-discovery Acquisition on the March Again

Sharon Fisher

As you may recall, in January I wrote a blog post about the large number of small e-discovery company acquisitions in the legal space, and pointed out that this was likely to continue because there were still a lot of dinky e-discovery companies out there.

Indeed, that appears to be the case.

Legility has announced a deal to acquire Dallas-based e-discovery provider iControlESI, writes Frank Ready in Law.com. iControlESI will be rechristened as Legility Data Solutions, though its products will keep their names for the time being.

This isn’t the first Legility acquisition, Ready points out, noting that in September, 2017, the company also acquired DSIcovery. The company also changed its name last fall, he writes. “The company already offers e-discovery related platforms such as Relativity, Catalyst and Everlaw, and just last fall underwent a rebranding that saw it ditch its original name—Counsel on Call—in favor of the more streamlined moniker Legility.”

In addition, information governance and digital forensics provider KLDiscovery announced in July that it had acquired e-discovery providers Strategic Legal Solutions and Compiled, writes Victoria Hudgins in Law.com.

KLDiscovery itself was the product of other mergers, Hudgins writes. “To be sure, rebranding isn’t a new concept for KLDiscovery,” she writes. “Originally, the company operated as KrolLDiscovery after the 2016 merger of LDiscovery and Kroll Ontrack. By January 2018, the company decided to drop the ‘Kroll’ name altogether. Later in 2018, KLDiscovery announced it received a ‘significant’ investment from WestView Capital Partners, The Carlyle Group and Revolution Growth, according to a press release.”

Kroll Ontrack was actually one of the granddaddies of the e-discovery marketplace. It had been dropped from the Leaders to the Challengers quadrant in the 2015 Gartner E-discovery Magic Quadrant, due to what Gartner felt was a lack of vision.

Then, KLDiscovery (which ranked 1832 on the Inc. 5000 list of the fastest-growing companies) announced that it was going public, writes John Jannarone in IPO-Edge. “Meet KLDiscovery, an electronic discovery and data recovery provider which is going public through a merger with Pivotal Acquisition Corp., a special purpose acquisition company or SPAC,” he writes. “Pivotal raised money in an IPO to find a target and recently announced a deal with KLDiscovery that will result in a public company with an enterprise value of $800 million. The deal will be put to a shareholder vote later in the third quarter, after which Pivotal will change its name to KLDiscovery.”

(That’s not the same Pivotal that VMware recently announced it was acquiring. That was Pivotal Software. Hard to keep track of the players without a scorecard.)

There have been other e-discovery acquisitions in recent months, with Xact Data Discovery (XDD) acquiring fellow e-discovery provider QDiscovery in early July, Ready writes. In January, HaystackID acquired eTERA Consulting and legal services provider Driven Inc. acquired e-discovery company Omnivere, he writes in a different article. In addition, “only a mere two months after being sold, e-discovery company Litera absorbed document manager Workshare in early July,” Hudgins writes.

What’s behind all of this? Venture capital money, apparently. “The pace of acquisitions in that space continues to move at a steady clip, spurred in part by the interest of venture capitalists and a desire by companies operating in the market to bolster scale,” Ready writes.

“An influx of private capital may be behind XDD’s expansion,” agrees Zach Warren in Law.com. Private equity firm JLL Partners acquired XDD in early 2018, in a deal that represented JLL’s first venture into e-discovery, he writes.

Plus, both XDD and QDiscovery already had a history of acquisition, Warren continues. “XDD is certainly no stranger to M&A, having acquired QUiVX’s e-discovery service in early 2019,” as well as F1 Discovery and Orange Legal Technologies in 2016, while QDiscovery had acquired northeast U.S. e-discovery provider Evidox last November.

August 24, 2019 11:41 PM

‘Adversarial Fashion’ Helps Confuse Automated License Plate Readers

Sharon Fisher
privacy, Security

In the book Fail-Safe, which is a really scary 1960 book about nuclear war, six planes accidentally get sent to the USSR with atomic bombs in them. Except the sixth plane doesn’t have nuclear bombs; it carries a bunch of reflective material that it releases as the planes approach the USSR, which confuses radar systems by creating a whole lot of extraneous data. This is called “jamming” or “chaffing” (as in, chaff, not wheat).

Similarly, if you ever saw the movie Spartacus – also released in 1960, oddly enough — there’s a scene where the Romans threaten to kill all the slaves if Spartacus doesn’t give himself up, and so Spartacus stands and says “I am Spartacus.” But then all the other guys also stand up and say “I am Spartacus,” so the Romans can’t tell who the real Spartacus is. (Sadly, they kill all the slaves anyway. And yes, I just spoiled this movie for you.)

Now, people concerned with license plate surveillance are dealing with it with what’s called “adversarial fashion” – clothes intended to confuse license plate readers by overwhelming them with information.

“The patterns on the goods in this shop are designed to trigger Automated License Plate Readers, injecting junk data into the systems used by the State and its contractors to monitor and track civilians and their locations,” notes the website of one such company. The clothes are covered with pictures of license plates – and, in one especially poetic touch, the license plates spell out the text of the 4th Amendment. You know, the one about unreasonable search and seizure.

The vendor, Kate Rose – who presented the products at the DEFCON security conference in Las Vegas earlier this year – also released information about how to design such fabrics yourself.

“To an automatic license plate reader (ALPR) system, the shirt is a collection of license plates, and they will get added to the license plate reader’s database just like any others it sees,” writes Alex Hern in the Guardian. “The intention is to make deploying that sort of surveillance less effective, more expensive, and harder to use without human oversight, in order to slow down the transition to what Rose calls ‘visual personally identifying data collection.’”

Rose actually shows ALPRs interacting with the fabric and recording the various license plates into their systems on her website.

Hern also notes that in 2016, Berlin-based artist and technologist Adam Harvey worked with international interaction studio Hyphen-Labs to produce the Hyperface, a fabric printed with an abstract pattern intended to trigger facial recognition systems.

It’s similar to “dazzle ships,” a way of painting military vessels during the World Wars with zebra stripes to make them more difficult for radar to pick up.

In fact, one anti-surveillance technology is even called CV Dazzle, and is intended to defeat facial recognition systems, writes Courtney Linder in Popular Mechanics.

“It messes with the pattern of a face that an algorithm may be designed to look for while detecting people,” she writes. “Usually, those algorithms are scanning for the spatial relationship between features. You can block detection, then, by creating what Harvey calls an ‘anti-face.’”

Other techniques include wearing a picture of someone else’s face, or some other picture, to confuse facial recognition systems. Oddly, pictures of umbrellas seem to work, Linder writes. And, of course, there are always masks and such that block a person’s face from the facial recognition system.

In addition, some designers are using shiny materials to reflect such systems, writes Jane Hu in Slate.

Finally, if you’re upset that I spoiled a couple of 59-year-old movies and books for you, Rosebud is his sled.

August 18, 2019  9:47 PM

Hacked Biometric Database Could Cause Problems

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Biometrics, privacy, Security

About a year ago, it was discovered that a DNA database was hacked. At least, sort of. It was just email addresses of the users of the DNA database, not any of the DNA itself. And everyone heaved a huge sigh of relief at that, because losing data like that would be really bad.

Now, some data like that has been stolen.

“BioStar 2 is a web-based biometric security smart lock platform. A centralized application, it allows admins to control access to secure areas of facilities, manage user permissions, integrate with 3rd party security apps, and record activity logs,” writes vpnMentor, an organization that reviews VPNs, particularly their security. “Our team was able to access over 1 million fingerprint records, as well as facial recognition information. Combined with the personal details, usernames, and passwords, the potential for criminal activity and fraud is massive. Once stolen, fingerprint and facial recognition information cannot be retrieved. An individual will potentially be affected for the rest of their lives.”

Well, that’s a bummer.

The security software, produced by a company called Suprema, is used by a variety of companies worldwide, including UK Metropolitan police, defense contractors, and banks, according to Josh Taylor in the Guardian newspaper.

The problem with stealing biometrics, such as fingerprints and faces, as opposed to credit card numbers, is that while people can always get a new credit card if one gets compromised, they can’t get new fingerprints or faces. This is related to the problem of medical identity theft: It’s not something you can change.

The breach was discovered on August 5, reported on August 7, and closed on August 13, the organization writes. Altogether, the company said it was able to access more than 27.8 million records, a total of 23 gigabytes of data. It isn’t clear how long the vulnerability was there, according to Chris Baraniuk of the BBC.

As with many other breaches, this one happened because the security for the system was so bad, the organization writes. Some people had really poor passwords, and even the good passwords were stored in plain text in a database, meaning that anyone who hacked into the database could have access to the data.

“The unsecured manner in which BioStar 2 stores this information is worrying, considering its importance, and the fact that BioStar 2 is built by a security company,” the organization writes. For example, instead of saving a hash of the fingerprint (that can’t be reverse-engineered) the company saved people’s actual fingerprints, which could be copied for malicious purposes, it warns.

So what sorts of things could hackers do with the stolen data?

  • Take over a high-level account, with user permissions and security clearances, and make changes to the security settings in a network
  • Change user permissions and lock people out of certain areas
  • Create new user accounts to give people access to secure areas
  • Change the fingerprints of existing accounts to their own and hijack a user account to access restricted areas undetected
  • Gain access to activity logs, so they can delete or alter the data to hide their activities

The one bit of good news, according to one security researcher on Twitter, is that perhaps the data was just test data and not actual data. But it isn’t clear yet, and, not surprisingly, Suprema isn’t talking; there’s been very little new information after the initial report.

July 26, 2019  8:23 PM

Federal Government Trying to Mandate Encryption Back Doors Again

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Encryption, privacy, Security

Here we go again. Federal governments are talking about encryption back doors.

Oh, excuse me. The latest term of art is “exceptional access,” which actually makes it sound sort of cool. But it’s a back door just the same.

As you may recall, governments have been concerned about encryption for as long as it’s been around. At one point in the U.S., it was actually classified as a munition. It came up again in the fall of 2014, when Google and Apple each released smartphones with encryption that even the respective vendors couldn’t break. Much handwringing on the part of law enforcement ensued, warning us of dire consequences such as pedophilia, terrorism, and so on.

Never mind the fact that plenty of bad guys, including terrorists in Brussels and France, don’t seem smart enough to use encryption in the first place.

Most recently, it came up in late July, when US Attorney General William Barr, followed the next day by US Attorneys Geoffrey Berman and Richard P. Donoghue, again called for government access to encrypted data.

“Although the cast of characters is new, Barr’s arguments echoed the same points Justice Department officials have been making for years: The government needs access to encrypted data, he says, or else devices are ‘law-free zones’ that hinder law enforcement officers,” writes Patrick Howell O’Neill in MIT Technology Review.

It’s not like this is a surprise. People have been expecting this since, oh, mid November 2016.

People with more sense, like German prosecutor Markus Hartmann, disagreed with his US counterparts, pointing out that criminals and terrorists will simply turn to different services if a country like the US passes a law to bypass encryption, noting that GitHub has plenty of examples, O’Neill writes.

Even former National Security Agency director Michael Hayden weighed in. “Not really,” he Tweeted in response to a Tweet quoting Barr as saying that Americans should accept the security risks of encryption back doors. According to Politico reporter Eric Geller, a number of three-letter government agencies have differing views of the proposal.

The U.S. isn’t alone. Countries such as Germany and Australia have also been looking at ways to outlaw encryption.

The most recent suggestion, from Ian Levy from the U.K.’s equivalent to the NSA, is that an encryption system between two people simply add a “ghost user” – that is, the government – to their conversation, which would give the government access to the conversation should they deem it necessary.

Security expert Jon Callas has a long (four part) series on the American Civil Liberties Union (ACLU) website explaining all the technical issues wrong with the proposal, while other security experts such as Bruce Schneier and Matthew Green have also weighed in on the proposal. The Electronic Frontier Foundation has issued at least three such rebuttals as well.

When the ACLU and Reason are both on the same side of an issue, you know it’s got to have problems.

Security experts such as Schneier have also pointed out that there’s no such thing as a back door that only good guys can use, and that any back door, no matter what you call it, is likely to be exploited by bad guys as well. That argument has worked in the past, and they are trying it on this technique as well, but it is unclear whether it will work this time.

Ironically, a number of government representatives, including President Donald Trump’s son-in-law Jared Kushner, Australian politicians, and members of Britain’s Parliament have all been said to use the encrypted messaging application WhatsApp to conduct government business. It is unclear whether they would continue to be able to do so if WhatsApp were made illegal or given a back door.

But people such as Matthew Green, who teaches cybersecurity at Johns Hopkins, pointed out that likely all we need is the cybersecurity equivalent of the Reichstag fire for legal encryption to go bye-bye. “But what they do have is time, and the inevitability that given enough of it, something terrible will happen to America on their watch,” he wrote on Twitter, which is apparently the place people make pronouncements these days. “And they’ll be able to push these proposals without the need for debate. That’s where we are, and it should scare you.”
