DOUG. Cryptology, cops hacking again, Apple updates and… card counting!
All that, and extra, on the Bare Safety podcast.
[MUSICAL MODEM]
Welcome to the podcast, everyone.
I’m Doug Aamoth; he’s Paul Ducklin.
Paul, how do you do at present?
DUCK. I’m very nicely, thanks, Douglas.
And I’m very excitedly trying ahead to the card-counting bit, not least as a result of it’s not nearly counting, it’s additionally about card shuffling.
DOUG. All proper, excellent, trying ahead to that!
And in our Tech Historical past phase, we’ll talk about one thing that was not random – it was very calculated.
This week, on 25 October 2001, Home windows XP was launched to retail.
It was constructed upon the Home windows NT working system, and XP changed each Home windows 2000 and Home windows Millennium Version as “XP Skilled Version” and “XP Dwelling Version” respectively.
XP Dwelling was the primary client model of Home windows to not be primarily based on MS-DOS or the Home windows 95 kernel.
And, on a private be aware, I beloved it.
I may be remembering easier occasions… I don’t know if it was really pretty much as good as I keep in mind it, however I keep in mind it being higher than what we had earlier than.
DUCK. I agree with that.
I feel there are some rose-tinted spectacles chances are you’ll be sporting there, Doug…
DOUG. Umm-hmmm.
DUCK. …however I must agree that it was an enchancment.
DOUG. Allow us to speak a bit about comeuppance, particularly, comeuppance for undesirable facial recognition in France:
Clearview AI image-scraping face recognition service hit with €20m high quality in France
DUCK. Certainly!
Common listeners will know that we’ve spoken about an organization known as Clearview AI many occasions, as a result of I feel it’s honest to say that this firm is controversial.
The French regulator very helpfully publishes its rulings, or has revealed at the very least its Clearview rulings, in each French and in English.
So, principally, right here’s how they describe it:
Clearview AI collects images from many web sites, together with social media. It collects all of the images which are straight accessible on these networks. Thus, the corporate has collected over 20 billion photographs worldwide.
Because of this assortment, the corporate markets entry to its picture database within the type of a search engine during which an individual may be discovered utilizing {a photograph}. The corporate provides this service to regulation enforcement authorities.
And the French regulator’s objection, which was echoed final 12 months by at the very least the UK and the Australian regulator as nicely, is: “We take into account this illegal in our nation. You may’t go scraping folks’s photographs for this business goal with out their consent. And also you’re additionally not complying with GDPR guidelines, information destruction guidelines, making it simple for them to contact you and say, ‘I wish to choose out’.”
So, firstly, it must be choose in if you wish to run this.
And having collected the stuff, you shouldn’t be hanging on to it even after they wish to ensure that their information is eliminated.
And the problem in France, Doug, is that final December the regulator stated, “Sorry, you may’t do that. Cease scraping information, and eliminate what you’ve bought on everyone in France. Thanks very a lot.”
Apparently, in line with the regulator, Clearview AI simply didn’t appear to wish to comply.
DOUG. Uh-oh!
DUCK. So now the French have come again and stated, “You don’t appear to wish to pay attention. You don’t appear to know that that is the regulation. Now, the identical factor applies, however you additionally need to pay €20 million. Thanks for coming.”
DOUG. We’ve bought some feedback brewing on the article… we’d love to listen to what you suppose; you may remark anonymously.
Particularly, the questions we put forth are: “Is Clearview AI actually offering a helpful and socially acceptable service to regulation enforcement? Or is it casually trampling on our privateness by gathering biometric information unlawfully and commercialising it for investigative monitoring functions with out consent?”
All proper, allow us to follow this theme of comeuppance, and discuss a little bit of comeuppance for the DEADBOLT criminals.
That is an fascinating story, involving regulation enforcement and hacking again!
When cops hack again: Dutch police fleece DEADBOLT criminals (legally!)
DUCK. Hats off to the cops for doing this, though, as we’ll clarify, it was sort-of a one-off factor.
Common listeners will keep in mind DEADBOLT – it’s come up a few occasions earlier than.
DEADBOLT is the ransomware gang who principally discover your Community Hooked up Storage [NAS] server in the event you’re a house person or small enterprise…
…and if it isn’t patched towards a vulnerability they know tips on how to exploit, they’ll are available in, and so they simply scramble your NAS field.
They figured that’s the place all of your backups are, that’s the place all of your huge recordsdata are, that’s the place all of your necessary stuff is.
“Let’s not fear about having to jot down malware for Home windows and malware for Mac, and worrying what model you’ve bought. We’ll simply go straight in, scramble your recordsdata, after which say, ‘Pay us $600’.”
That’s the present going price: 0.03 bitcoins, in the event you don’t thoughts.
In order that they’re taking that consumer-oriented strategy of making an attempt to hit numerous folks and asking for a considerably reasonably priced quantity every time.
And I suppose if every part you’ve bought is backed up on there, you then would possibly really feel, “You understand what? $600 is some huge cash, however I can nearly afford it. I’ll pay up.”
To simplify issues (and we’ve grudgingly stated, this can be a intelligent half, in the event you like, of this specific ransomware)… principally, what you do is you inform the crooks you’re inquisitive about sending them a message by way of the Bitcoin blockchain.
Principally, you pay them the cash to a specified, unique-to-you Bitcoin tackle.
After they get the cost message, they ship again a cost of $0 that features a remark that’s the decryption key.
In order that’s the *solely* interplay they want with you.
They don’t want to make use of e mail, and so they don’t need to run any darkish internet servers.
Nonetheless, the Dutch cops figured the crooks had made a protocol-related blunder!
As quickly as your transaction hit the Bitcoin ecosystem, searching for somebody to mine it, their script would ship the decryption key.
And it seems that though you can’t double-spend bitcoins (in any other case the system would crumble), you may put in two transactions on the identical time, one with a excessive transaction charge and one with a really low or a zero transaction charge.
And guess which one the bitcoin miners and finally the bitcoin blockchain will settle for?
And that’s what the cops did…
DOUG. [LAUGHS] Very intelligent, I prefer it!
DUCK. They’d stick in a cost with a zero transaction charge, which might take days to get processed.
After which, as quickly as they bought the decryption key again from the crooks (they’d, I feel, 155 customers that they type of clubbed collectively)… as quickly as they bought the decryption key again, they did a double-spend transaction.
“I wish to spend the identical Bitcoin once more, however this time we’re going to pay it again to ourselves. And now we’ll supply a smart transaction charge.”
In order that transaction was the one which finally really bought confirmed and locked into the blockchain…
…and the opposite one simply bought ignored and thrown away… [LAUGHS] as at all times, shouldn’t snigger!
DOUG. [LAUGHS]
DUCK. So, principally, the crooks paid out too quickly.
And I suppose it’s not *treachery* in the event you’re regulation enforcement, and also you’re doing it in a legally warranted manner… it’s principally a *entice*.
And the crooks walked into it.
As I discussed at the start, this may solely work as soon as as a result of, after all, the crooks figured, “Oh, pricey, we shouldn’t do it that manner. Let’s change the protocol. Let’s await the transaction to be confirmed onto the blockchain first, after which as soon as we all know that no one can come together with a transaction that can trump it later, solely then will we ship out the decryption key.”
DUCK. However the crooks did get flat-footed to the tune of 155 decryption keys from victims in 13 completely different nations who known as on the Dutch police for assist.
So, chapeau [French cycling slang for a “hat doff”], as they are saying!
DOUG. That’s nice… that’s two constructive tales in a row.
And let’s maintain the constructive vibes rolling with this subsequent story.
It’s about ladies in cryptology.
They’ve been honoured by the US Postal Service, which is celebrating World Battle 2 code breakers.
Inform us all about this – this can be a very fascinating story, Paul:
Girls in Cryptology – USPS celebrates WW2 codebreakers
DUCK. Sure, it was a kind of good issues to jot down about on Bare Safety: Girls in cryptology – United States Postal Service celebrates World Battle 2 codebreakers.
Now, we’ve coated Bletchley Park code breaking, which is the UK’s cryptographic efforts in the course of the Second World Battle, primarily to attempt to crack Nazi ciphers comparable to the well-known Enigma machine.
Nonetheless, as you may think about, the US confronted an enormous drawback from the Pacific theatre of struggle, making an attempt to cope with Japanese ciphers, and particularly, one cipher often known as PURPLE.
In contrast to the Nazi’s Enigma, this was not a business machine that might be purchased.
It was really a homegrown machine that got here out of the army, primarily based on phone switching relays, which, if you consider it, are form of like “base ten” switches.
So, in the identical manner that Bletchley Park within the UK secretly employed greater than 10,000 folks… I didn’t realise this, however it turned out that there have been nicely over 10,000 ladies recruited into cryptology, into cryptographic cracking, within the US to attempt to cope with Japanese ciphers in the course of the struggle.
By all accounts, they had been extraordinarily profitable.
There was a cryptographic breakthrough made within the early Forties by one of many US cryptologists known as Genevieve Grotjan, and apparently this led to spectacular successes in studying Japanese secrets and techniques.
And I’ll simply quote from the US Postal Service, from their stamp collection:
They deciphered Japanese fleet communications, helped stop German U-boats from sinking very important cargo ships, and labored to interrupt the encryption methods that exposed Japanese delivery routes and diplomatic messages.
You may think about that provides you very, very, usable intelligence certainly… that you need to assume helped to shorten the struggle.
Luckily, though the Japanese had been warned (apparently by the Nazis) that their cipher was both breakable or had already been damaged, they refused to consider it, and so they carried on utilizing PURPLE all through the struggle.
And the ladies cryptologists of the time positively made hay secretly whereas the solar shone.
Sadly, simply as occurred within the UK with all of the wartime heroes (once more, most of them ladies) at Bletchley Park…
…after the struggle, they had been sworn to secrecy.
So it was many many years till they bought any recognition in any respect, not to mention what you would possibly name the hero’s welcome that they primarily deserved when peace broke out in 1945.
DOUG. Wow, that may be a cool story.
And unlucky that it took that lengthy to get the popularity, however nice that they lastly bought it.
And I urge anybody who’s listening to this to go over to the positioning to learn that.
It’s known as: Girls in cryptology – USPS celebrates World Battle 2 codebreakers.
Excellent piece!
DUCK. By the best way, Doug, on the stamp collection that you could purchase (the commemorative collection, the place you get the stamps on a full sheet)… across the stamps, the USPS has really put a little bit cryptographic puzzle, which we’ve repeated within the article.
It isn’t as troublesome as Enigma or PURPLE, so you may really do it pretty simply with pen and paper, however it’s a superb little bit of commemorative enjoyable.
So come on over and have a attempt in the event you like.
We’ve additionally put a hyperlink to an article that we wrote a few years in the past (What 2000 years of cryptography can train us) during which you can find hints that can show you how to remedy the USPS cryptographic puzzle.
Good little bit of enjoyable to go together with your commemoration!
DOUG. All proper, so let’s stick to randomness and cryptography a little bit bit, and ask a query that possibly some have puzzled earlier than.
How random are these computerized card shufflers you would possibly see at a on line casino?
Severe Safety: How randomly (or not) are you able to shuffle playing cards?
DUCK. Sure, one other fascinating story that I picked up due to cryptography guru Bruce Schneier, who wrote about it on his personal weblog, and he entitled his article On the randomness of computerized card shufflers.
The paper we’re speaking about goes again, I feel, to 2013, and the work that was executed, I feel, goes again to the early 2000s.
However what fascinated me concerning the story, and made me wish to share it, is that it has unbelievable teachable moments for people who find themselves presently concerned in programming, whether or not or not within the area of cryptography.
And, much more importantly, in testing and high quality assurance.
As a result of, in contrast to the Japanese, who refused to consider that their PURPLE cipher may not be working correctly, this can be a story about an organization that made computerized card shuffling machines however figured, “Are they actually adequate?”
Or might somebody really work out how they work, and get a bonus from the truth that they aren’t random sufficient?
And they also went out of their solution to rent a trio of mathematicians from California, considered one of whom can also be an achieved magician…
…and so they stated, “We constructed this machine. We predict it’s random sufficient, with one shuffle of the playing cards.”
Their very own engineers had gone out of their solution to devise assessments that they thought would present whether or not the machine was random sufficient for card shuffling functions, however they wished a second opinion, and they also really went out and bought one.
And these mathematicians checked out how the machine labored, and had been capable of come up, consider it or not, with what’s often known as a closed system.
They analysed it utterly: how the factor would behave, and subsequently what statistical inferences they may make about how the playing cards would come out.
They found that though the shuffled playing cards would go a major battery of excellent randomness assessments, there have been nonetheless sufficiently many unbroken sequences within the playing cards after they’d been shuffled that allowed them to foretell the following card twice in addition to probability.
They usually had been capable of present the reasoning by which they had been capable of give you their psychological algorithm for guessing the following card twice in addition to they need to…
…so not solely did they do it reliably and repeatably, they really had the arithmetic to indicate formulaically why that was the case.
And the story is probably most well-known for the earthy however solely applicable response from the president of the corporate that employed them.
He’s presupposed to have stated:
We aren’t happy together with your conclusions, however we consider them, and that’s what we employed you for.
In different phrases, he’s saying, “I didn’t pay to be made comfortable. I paid to seek out out the details and to behave upon them.”
If solely extra folks did that when it got here to devising assessments for his or her software program!
As a result of it’s simple to create a set of assessments that your product will go and the place if it fails, one thing has positively gone incorrect.
Nevertheless it’s surprisingly troublesome to give you a set of assessments that it’s *price your product passing*.
And that’s what this firm did, by hiring within the mathematicians to look into how the cardboard shuffling machine labored.
Various life classes in there, Doug!
DOUG. It’s a enjoyable story and really fascinating.
Now, each week we typically discuss some type of Apple replace, however not this week.
No, no!
This week we’ve bought for you… an Apple *megaupdate*:
Apple megaupdate: Ventura out, iOS and iPad kernel zero-day – act now!
DUCK. Sadly, you probably have an iPhone or an iPad, the replace covers a zero-day presently being actively exploited, which, as at all times, smells of jailbreak/full adware takeover.
And as at all times, and maybe understandably, Apple could be very cagey about precisely what the zero-day is, what it’s getting used for, and, simply as apparently, who’s utilizing it.
So in the event you’ve bought an iPhone or an iPad, that is *positively* one for you.
And confusingly, Doug…
I’d higher clarify this, as a result of it really wasn’t apparent at first… and because of some reader assist, thanks Stefaan from Belgium, who has been sending me screenshots and explaining precisely what occurred to him when he up to date his iPad!
The replace for iPhones and iPads stated, “Hey, you’ve bought iOS 16.1, and iPadOS 16”. (As a result of iPad OS model 16 was delayed.)
And that’s what the safety bulletin says.
Whenever you set up the replace, the essential About display simply says “iPadOS 16”.
However in the event you zoom into the principle model display, then each variations really come out as “iOS/iPadOS 16.1”.
In order that’s the *improve* to model 16, plus this very important zero-day repair.
That’s the exhausting and complicated half… the remainder is simply that there are many fixes for different platforms as nicely.
Besides that, as a result of Ventura got here out – macOS 13, with 112 CVE-numbered patches, although for most individuals, they received’t have had the beta, so this shall be *improve* and *replace* on the identical time…
As a result of macOS 13 got here out, that leaves macOS 10 Catalina three variations behind.
And it does certainly look as if Apple is simply now supporting earlier and pre-previous.
So there *are* updates for Large Sur and Monterey, that’s macOS 11 and macOS 12, however Catalina is notoriously absent, Doug.
And as annoyingly as at all times, what we can’t inform you…
Does that imply it merely was proof against all these fixes?
Does that imply it really wants at the very least among the fixes, however they only haven’t come out but?
Or does that imply it’s fallen off the sting of the world and you’ll by no means get an replace once more, whether or not it wants one or not?
We don’t know.
DOUG. I really feel winded, and I didn’t even do any of the heavy lifting in that story, so thanks for that… that’s loads.
DUCK. And also you don’t even have an iPhone.
DOUG. Precisely!
I’ve bought an iPad…
DUCK. Oh, do you?
DOUG. …so I’ve bought to go and ensure I get it updated.
And that leads us into our reader query of the day, on the Apple story.
Nameless Commenter asks:
Will the 15.7 replace for iPads resolve this, or do I’ve to replace to 16? I’m ready till the minor nuisance bugs in 16 are resolved earlier than updating.
DUCK. That’s the second stage of confusion, in the event you like, attributable to this.
Now, my understanding is, when iPadOS 15.7 got here out, that was precisely the identical time as iOS 15.7.
And it was, what, simply over a month in the past, I feel?
In order that’s an old-time safety replace.
And what we now don’t know is…
Is there an iOS/iPadOS 15.7.1 nonetheless within the wings that hasn’t come out but, fixing safety holes that do exist within the earlier model of working methods for these platforms?
Or is your replace path for safety updates for iOS and iPadOS now to go down the model 16 route?
I simply don’t know, and I don’t understand how you inform.
So it’s trying as if (and I’m sorry if I sound confused, Doug, as a result of I’m!)…
…it’s trying as if the *replace* and the *improve* path for customers of iOS and iPadOS 15.7 is to shift to model flavour 16.
And at this present time, which means 16.1.
That will be my advice, as a result of then at the very least that you’ve got the most recent and best construct, with the most recent and best safety fixes.
In order that’s the lengthy reply.
The brief reply is, Doug, “Don’t know.”
DOUG. Clear as mud.
DUCK. Sure.
Nicely, maybe not that clear… [LAUGHTER]
When you go away mud lengthy sufficient, finally the bits settle to the underside and there’s clear water on the highest.
So possibly that’s what you need to do: wait and see, or simply chunk the bullet and go for 16.1.
They do make it simple, don’t they? [LAUGHS]
DOUG. All proper, we’ll control that, as a result of that might change a little bit bit between now and subsequent time.
Thanks very a lot for sending that remark in, Nameless Commenter.
If in case you have an fascinating story, remark or query you’d wish to submit, we’d like to learn it on the podcast.
You may e mail ideas@sophos.com, you may touch upon any considered one of our articles, and you’ll hit us up on social @NakedSecurity.
That’s our present for at present, thanks very a lot for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you till subsequent time to…
BOTH. Keep safe!
/cdn.vox-cdn.com/uploads/chorus_asset/file/24145502/226378_Twitter_Risk_Elon_Musk_Spot_WJoel.png "Twitter’s employees await their fate under Elon Musk")
