Facial recognition without consent – should it be banned? – Naked Security




DOUG.  Cryptology, cops hacking back, Apple updates and… card counting!

All that, and more, on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everyone.

I’m Doug Aamoth; he’s Paul Ducklin.

Paul, how do you do today?


DUCK.  I’m very well, thank you, Douglas.

And I’m very excitedly looking forward to the card-counting bit, not least because it’s not just about counting, it’s also about card shuffling.


DOUG.  All right, very good, looking forward to that!

And in our Tech History segment, we’ll talk about something that was not random – it was very calculated.

This week, on 25 October 2001, Windows XP was released to retail.

It was built upon the Windows NT operating system, and XP replaced both Windows 2000 and Windows Millennium Edition as “XP Professional Edition” and “XP Home Edition” respectively.

XP Home was the first consumer version of Windows not to be based on MS-DOS or the Windows 95 kernel.

And, on a personal note, I loved it.

I may be remembering simpler times… I don’t know if it was actually as good as I remember it, but I remember it being better than what we had before.


DUCK.  I agree with that.

I think there are some rose-tinted spectacles you may be wearing there, Doug…


DOUG.  Umm-hmmm.


DUCK.  …but I would have to agree that it was an improvement.


DOUG.  Let us talk a bit about comeuppance, specifically, comeuppance for unwanted facial recognition in France:

Clearview AI image-scraping face recognition service hit with €20m fine in France


DUCK.  Indeed!

Regular listeners will know that we have spoken about a company called Clearview AI many times, because I think it’s fair to say that this company is controversial.

The French regulator very helpfully publishes its rulings, or has published at least its Clearview rulings, in both French and in English.

So, basically, here’s how they describe it:

Clearview AI collects photographs from many websites, including social media. It collects all the photographs that are directly accessible on these networks. Thus, the company has collected over 20 billion images worldwide.

Thanks to this collection, the company markets access to its image database in the form of a search engine in which a person can be found using a photograph. The company offers this service to law enforcement authorities.

And the French regulator’s objection, which was echoed last year by at least the UK and the Australian regulator as well, is: “We consider this unlawful in our country. You can’t go scraping people’s images for this commercial purpose without their consent. And you’re also not complying with GDPR rules, data destruction rules, making it easy for them to contact you and say, ‘I want to opt out’.”

So, firstly, it should be opt-in if you want to run this.

And having collected the stuff, you shouldn’t be hanging on to it even after people want to make sure that their data is removed.

And the issue in France, Doug, is that last December the regulator said, “Sorry, you can’t do this. Stop scraping data, and get rid of what you’ve got on everybody in France. Thank you very much.”

Apparently, according to the regulator, Clearview AI simply didn’t seem to want to comply.


DOUG.  Uh-oh!


DUCK.  So now the French have come back and said, “You don’t seem to want to listen. You don’t seem to understand that this is the law. Now, the same thing applies, but you also have to pay €20 million. Thanks for coming.”


DOUG.  We’ve got some comments brewing on the article… we’d love to hear what you think; you can comment anonymously.

Specifically, the questions we put forth are: “Is Clearview AI really providing a beneficial and socially acceptable service to law enforcement? Or is it casually trampling on our privacy by collecting biometric data unlawfully and commercialising it for investigative tracking purposes without consent?”

All right, let us stick with this theme of comeuppance, and talk about a bit of comeuppance for the DEADBOLT criminals.

This is an interesting story, involving law enforcement and hacking back!

When cops hack back: Dutch police fleece DEADBOLT criminals (legally!)


DUCK.  Hats off to the cops for doing this, although, as we’ll explain, it was sort-of a one-off thing.

Regular listeners will remember DEADBOLT – it’s come up a couple of times before.

DEADBOLT is the ransomware gang who basically find your Network Attached Storage [NAS] server if you’re a home user or small business…

…and if it isn’t patched against a vulnerability they know how to exploit, they’ll come in, and they just scramble your NAS box.

They figured that’s where all your backups are, that’s where all your big files are, that’s where all your important stuff is.

“Let’s not worry about having to write malware for Windows and malware for Mac, and worrying what version you’ve got. We’ll just go straight in, scramble your files, and then say, ‘Pay us $600’.”

That’s the current going rate: 0.03 bitcoins, if you don’t mind.

So they’re taking that consumer-oriented approach of trying to hit a lot of people and asking for a somewhat affordable amount each time.

And I guess if everything you’ve got is backed up on there, then you might feel, “You know what? $600 is a lot of money, but I can just about afford it. I’ll pay up.”

To simplify things (and we’ve grudgingly said, this is a clever part, if you like, of this particular ransomware)… basically, what you do is you tell the crooks you’re interested, by sending them a message via the Bitcoin blockchain.

Basically, you pay them the money to a specified, unique-to-you Bitcoin address.

When they get the payment message, they send back a payment of $0 that includes a comment that’s the decryption key.

So that’s the *only* interaction they need with you.

They don’t need to use email, and they don’t need to run any dark web servers.

However, the Dutch cops figured the crooks had made a protocol-related blunder!

As soon as your transaction hit the Bitcoin ecosystem, looking for someone to mine it, their script would send the decryption key.

And it turns out that although you cannot double-spend bitcoins (otherwise the system would fall apart), you can put in two transactions at the same time, one with a high transaction fee and one with a very low or a zero transaction fee.

And guess which one the bitcoin miners and ultimately the bitcoin blockchain will accept?

And that’s what the cops did…


DOUG.  [LAUGHS] Very clever, I like it!


DUCK.  They’d stick in a payment with a zero transaction fee, which could take days to get processed.

And then, as soon as they got the decryption key back from the crooks (they had, I think, 155 users that they sort of clubbed together)… as soon as they got the decryption key back, they did a double-spend transaction.

“I want to spend the same Bitcoin again, but this time we’re going to pay it back to ourselves. And now we’ll offer a sensible transaction fee.”

So that transaction was the one that ultimately actually got confirmed and locked into the blockchain…

…and the other one just got ignored and thrown away… [LAUGHS] as always, shouldn’t laugh!


DOUG.  [LAUGHS]


DUCK.  So, basically, the crooks paid out too early.

And I guess it’s not *treachery* if you’re law enforcement, and you’re doing it in a legally warranted way… it’s basically a *trap*.

And the crooks walked into it.

As I mentioned at the start, this could only work once because, of course, the crooks figured, “Oh, dear, we shouldn’t do it that way. Let’s change the protocol. Let’s wait for the transaction to be confirmed onto the blockchain first, and then once we know that nobody can come along with a transaction that will trump it later, only then will we send out the decryption key.”


DUCK.  But the crooks did get caught flat-footed to the tune of 155 decryption keys from victims in 13 different countries who called on the Dutch police for help.

So, chapeau [French cycling slang for a “hat doff”], as they say!


DOUG.  That’s great… that’s two positive stories in a row.

And let’s keep the positive vibes rolling with this next story.

It’s about women in cryptology.

They have been honoured by the US Postal Service, which is celebrating World War 2 code breakers.

Tell us all about this – this is a very interesting story, Paul:

Women in Cryptology – USPS celebrates WW2 codebreakers


DUCK.  Yes, it was one of those nice things to write about on Naked Security: Women in cryptology – United States Postal Service celebrates World War 2 codebreakers.

Now, we’ve covered Bletchley Park code breaking, which is the UK’s cryptographic efforts during the Second World War, primarily to try to crack Nazi ciphers such as the famous Enigma machine.

However, as you can imagine, the US faced a huge problem from the Pacific theatre of war, trying to deal with Japanese ciphers, and in particular, one cipher known as PURPLE.

Unlike the Nazis’ Enigma, this was not a commercial system that could be bought.

It was actually a homegrown machine that came out of the military, based on telephone switching relays, which, if you think about it, are sort of like “base ten” switches.

So, in the same way that Bletchley Park in the UK secretly employed more than 10,000 people… I didn’t realise this, but it turned out that there were well over 10,000 women recruited into cryptology, into cryptographic cracking, in the US to try to deal with Japanese ciphers during the war.

By all accounts, they were extremely successful.

There was a cryptographic breakthrough made in the early 1940s by one of the US cryptologists called Genevieve Grotjan, and apparently this led to spectacular successes in reading Japanese secrets.

And I’ll just quote from the US Postal Service, from their stamp series:

They deciphered Japanese fleet communications, helped prevent German U-boats from sinking vital cargo ships, and worked to break the encryption systems that revealed Japanese shipping routes and diplomatic messages.

You can imagine that gives you very, very usable intelligence indeed… that you have to assume helped to shorten the war.

Fortunately, although the Japanese were warned (apparently by the Nazis) that their cipher was either breakable or had already been broken, they refused to believe it, and they carried on using PURPLE throughout the war.

And the women cryptologists of the time definitely made hay secretly while the sun shone.

Unfortunately, just as happened in the UK with all the wartime heroes (again, most of them women) at Bletchley Park…

…after the war, they were sworn to secrecy.

So it was many decades until they got any recognition at all, let alone what you might call the hero’s welcome that they essentially deserved when peace broke out in 1945.


DOUG.  Wow, that is a cool story.

And unfortunate that it took that long to get the recognition, but great that they finally got it.

And I urge anyone who’s listening to this to go over to the site to read that.

It’s called: Women in cryptology – USPS celebrates World War 2 codebreakers.

Very good piece!


DUCK.  By the way, Doug, on the stamp series that you can buy (the commemorative series, where you get the stamps on a full sheet)… around the stamps, the USPS has actually put a little cryptographic puzzle, which we’ve repeated in the article.

It is not as difficult as Enigma or PURPLE, so you can actually do it fairly easily with pen and paper, but it’s a good bit of commemorative fun.

So come on over and have a try if you like.

We’ve also put a link to an article that we wrote a couple of years ago (What 2000 years of cryptography can teach us) in which you will find hints that will help you to solve the USPS cryptographic puzzle.

Good bit of fun to go with your commemoration!


DOUG.  All right, so let’s stick with randomness and cryptography a little bit, and ask a question that perhaps some have wondered before.

How random are those automated card shufflers you might see at a casino?

Serious Security: How randomly (or not) can you shuffle cards?


DUCK.  Yes, another interesting story that I picked up thanks to cryptography guru Bruce Schneier, who wrote about it on his own blog, and he entitled his article On the randomness of automated card shufflers.

The paper we’re talking about goes back, I think, to 2013, and the work that was done, I think, goes back to the early 2000s.

But what fascinated me about the story, and made me want to share it, is that it has incredible teachable moments for people who are currently involved in programming, whether or not in the field of cryptography.

And, even more importantly, in testing and quality assurance.

Because, unlike the Japanese, who refused to believe that their PURPLE cipher might not be working properly, this is a story about a company that made automated card shuffling machines but figured, “Are they really good enough?”

Or could someone actually figure out how they work, and get an advantage from the fact that they aren’t random enough?

And so they went out of their way to hire a trio of mathematicians from California, one of whom is also an accomplished magician…

…and they said, “We built this machine. We think it’s random enough, with one shuffle of the cards.”

Their own engineers had gone out of their way to devise tests that they thought would show whether the machine was random enough for card shuffling purposes, but they wanted a second opinion, and so they actually went out and got one.

And these mathematicians looked at how the machine worked, and were able to come up, believe it or not, with what’s known as a closed formula.

They analysed it completely: how the thing would behave, and therefore what statistical inferences they could make about how the cards would come out.

They found that although the shuffled cards would pass a significant battery of good randomness tests, there were still sufficiently many unbroken sequences in the cards after they’d been shuffled that allowed them to predict the next card twice as well as chance.

And they were able to present the reasoning by which they were able to come up with their mental algorithm for guessing the next card twice as well as they should…

…so not only did they do it reliably and repeatably, they actually had the mathematics to show formulaically why that was the case.

And the story is perhaps most famous for the earthy but entirely acceptable response from the president of the company that hired them.

He is supposed to have said:

We are not pleased with your conclusions, but we believe them, and that’s what we hired you for.

In other words, he’s saying, “I didn’t pay to be made happy. I paid to find out the facts and to act upon them.”

If only more people did that when it came to devising tests for their software!

Because it’s easy to create a set of tests that your product will pass and where if it fails, you know something has definitely gone wrong.

But it’s surprisingly difficult to come up with a set of tests that it’s *worth your product passing*.

And that’s what this company did, by hiring in the mathematicians to look into how the card shuffling machine worked.

Quite a few life lessons in there, Doug!


DOUG.  It’s a fun story and very interesting.

Now, every week we generally talk about some sort of Apple update, but not this week.

No, no!

This week we’ve got for you… an Apple *megaupdate*:

Apple megaupdate: Ventura out, iOS and iPad kernel zero-day – act now!


DUCK.  Unfortunately, if you have an iPhone or an iPad, the update covers a zero-day currently being actively exploited, which, as always, smells of jailbreak/full spyware takeover.

And as always, and perhaps understandably, Apple is very cagey about exactly what the zero-day is, what it’s being used for, and, just as interestingly, who’s using it.

So if you’ve got an iPhone or an iPad, this is *definitely* one for you.

And confusingly, Doug…

I’d better explain this, because it actually wasn’t obvious at first… and thanks to some reader help, thank you Stefaan from Belgium, who has been sending me screenshots and explaining exactly what happened to him when he updated his iPad!

The update for iPhones and iPads said, “Hey, you’ve got iOS 16.1, and iPadOS 16”. (Because iPadOS version 16 was delayed.)

And that’s what the security bulletin says.

When you install the update, the basic About screen just says “iPadOS 16”.

But if you zoom into the main version screen, then both versions actually come out as “iOS/iPadOS 16.1”.

So that’s the *upgrade* to version 16, plus this vital zero-day fix.

That’s the hard and confusing part… the rest is just that there are lots of fixes for other platforms as well.

Except that, because Ventura came out – macOS 13, with 112 CVE-numbered patches, although for most people, they won’t have had the beta, so this will be *upgrade* and *update* at the same time…

Because macOS 13 came out, that leaves macOS 10 Catalina three versions behind.

And it does indeed look as if Apple is only now supporting previous and pre-previous.

So there *are* updates for Big Sur and Monterey, that’s macOS 11 and macOS 12, but Catalina is notoriously absent, Doug.

And as annoyingly as always, what we can’t tell you…

Does that mean it simply was immune to all these fixes?

Does that mean it actually needs at least some of the fixes, but they just haven’t come out yet?

Or does that mean it’s fallen off the edge of the world and you’ll never get an update again, whether it needs one or not?

We don’t know.


DOUG.  I feel winded, and I didn’t even do any of the heavy lifting in that story, so thank you for that… that’s a lot.


DUCK.  And you don’t even have an iPhone.


DOUG.  Exactly!

I’ve got an iPad…


DUCK.  Oh, do you?


DOUG.  …so I’ve got to go and make sure I get it updated.

And that leads us into our reader question of the day, on the Apple story.

Anonymous Commenter asks:

Will the 15.7 update for iPads resolve this, or do I have to update to 16? I’m waiting until the minor nuisance bugs in 16 are resolved before updating.


DUCK.  That’s the second level of confusion, if you like, caused by this.

Now, my understanding is, when iPadOS 15.7 came out, that was exactly the same time as iOS 15.7.

And it was, what, just over a month ago, I think?

So that’s an old-time security update.

And what we now don’t know is…

Is there an iOS/iPadOS 15.7.1 still in the wings that hasn’t come out yet, fixing security holes that do exist in the previous version of operating systems for these platforms?

Or is your update path for security updates for iOS and iPadOS now to go down the version 16 route?

I just don’t know, and I don’t know how you tell.

So it’s looking as if (and I’m sorry if I sound confused, Doug, because I am!)…

…it’s looking as if the *update* and the *upgrade* path for users of iOS and iPadOS 15.7 is to shift to version flavour 16.

And at this current time, that means 16.1.

That would be my recommendation, because then at least you know that you have the latest and greatest build, with the latest and greatest security fixes.

So that’s the long answer.

The short answer is, Doug, “Don’t know.”


DOUG.  Clear as mud.


DUCK.  Yes.

Well, perhaps not that clear… [LAUGHTER]

If you leave mud long enough, eventually the bits settle to the bottom and there’s clear water on the top.

So maybe that’s what you have to do: wait and see, or just bite the bullet and go for 16.1.

They do make it easy, don’t they? [LAUGHS]


DOUG.  All right, we will keep an eye on that, because that could change a little bit between now and next time.

Thank you very much for sending that comment in, Anonymous Commenter.

If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, you can comment on any one of our articles, and you can hit us up on social @NakedSecurity.

That’s our show for today, thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…


BOTH.  Stay secure!
