Contact Tracing Fail: Why is Google So Bad at Basic Security and Privacy?

Years ago I wrote about Google’s calculator absurdly requiring permission for network access.

A calculator requires network?

Looking back now, and based on recent headlines, perhaps the calculator story should have been front page news.

Someone just prompted me to answer why Google’s Authenticator app needs to track location and data, and the calculator immediately came to mind. I guess Google is giving me a reason to write analysis of 2FA privacy options better than theirs.

In related news, lately we’re all talking a lot about contact tracing safety and, surprise surprise, Google has screwed up that security as well.

Researchers say hundreds of preinstalled apps can access a log found on Android devices where sensitive contact tracing information is stored.

A calculator misstep seems comical, yet this kind of privacy failure can be catastrophic.

Let this forever be proof that “too big to fail” is a logical fallacy, not to mention an economic fantasy.

The Markup digs even deeper at Google, pointing out an apparent slow response and lack of concern about user safety.

The Markup has learned that not only does the Android version of the contact tracing tool contain a privacy flaw, but when researchers from the privacy analysis firm AppCensus alerted Google to the problem back in February of this year, Google failed to change it. […] “This fix is a one-line thing where you remove a line that logs sensitive information to the system log. It doesn’t impact the program, it doesn’t change how it works,” said Joel Reardon, co-founder and forensics lead of AppCensus. “It’s such an obvious fix, and I was flabbergasted that it wasn’t seen as that.”

The big rub seems to be between Google’s trust of Android apps and the security researcher who knows that’s a very broken model to rely upon.

Reardon also reached out to Giles Hogben, Android’s director of privacy engineering, on Feb. 19. In an email, Hogben noted, in response to Reardon’s concerns, that the system logs could only be accessed by certain apps.

“[System logs] have not been readable by unprivileged apps (only with READ_LOGS privileged permission) since way before Android 11 (can check exactly when but I think back as far as 4),” Hogben said in his Feb. 25 reply.

Reardon, however, said hundreds of preinstalled apps can still read those system logs. “They’re actually collecting information that would be devastating to the privacy of people who use contact tracing,” he said.

Reading the logs is reading the logs, as we used to say. Reardon is right that a preinstalled app that can read the logs means the data boundary is pierced and thus privacy expectations breached.
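
An added example, not from the original post or from AppCensus: a Python check for the question the disagreement above turns on, namely which packages on a device actually hold READ_LOGS and whether they are preinstalled. The sample text is constructed and assumes the layout of `adb shell dumpsys package` output; the package names and paths are invented.

```python
import re

# Constructed sample, modelled on `adb shell dumpsys package` output.
# Package names and paths are invented for illustration.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.oem.diagnostics] (1a2b3c):
    codePath=/system/priv-app/OemDiagnostics
    flags=[ SYSTEM HAS_CODE ]
    privateFlags=[ PRIVILEGED ]
    requested permissions:
      android.permission.READ_LOGS
      android.permission.INTERNET
    install permissions:
      android.permission.READ_LOGS: granted=true
      android.permission.INTERNET: granted=true
  Package [com.example.flashlight] (4d5e6f):
    codePath=/data/app/com.example.flashlight-1
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    requested permissions:
      android.permission.READ_LOGS
    install permissions:
      android.permission.CAMERA: granted=true
  Package [com.example.carrier.setup] (7a8b9c):
    codePath=/product/app/CarrierSetup
    flags=[ SYSTEM HAS_CODE ]
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
FLAGS_RE = re.compile(r"^\s*flags=\[(.*)\]")  # does not match privateFlags=
GRANT_RE = re.compile(r"^\s*android\.permission\.READ_LOGS: granted=true")

def log_readers(dumpsys_text):
    """Return {package: is_preinstalled} for packages granted READ_LOGS."""
    readers, current, system = {}, None, {}
    for line in dumpsys_text.splitlines():
        if m := PKG_RE.match(line):
            current = m.group(1)
            system[current] = False
        elif current and (m := FLAGS_RE.match(line)):
            system[current] = "SYSTEM" in m.group(1).split()
        elif current and GRANT_RE.match(line):
            readers[current] = system[current]
    return readers

if __name__ == "__main__":
    for pkg, preinstalled in log_readers(SAMPLE_DUMPSYS).items():
        print(pkg, "preinstalled" if preinstalled else "user-installed")
```

Requesting the permission is not the same as holding it: the constructed flashlight app asks for READ_LOGS but is not granted it, so only the preinstalled diagnostics package is reported.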

Pedestrian Kill Bills Are Racist

I’ve written for many years about the systemic racism of American transit policies; from disastrous “Urban Renewal” projects using highway construction that “balkanize” cities and destroy black neighborhoods, to the racial disparity in pedestrian deaths and disgusting history of jaywalking laws.

[Car manufacturers] staged safety campaigns in which actors dressed in 19th-century garb, or as clowns, were hired to cross the street illegally, signifying that the practice was outdated and foolish. In a 1924 New York safety campaign, a clown was marched in front of a slow-moving Model T and rammed repeatedly.

Perhaps Benjamin Bunn, a former Green Beret who served from 2000 to 2016 and deployed in support of the Global War on Terror to Iraq, Afghanistan, and the Baltic Region… put it best:

People are most vulnerable during travel.

The modern countermeasures for such domestic security threats should be pretty obvious to anyone engineering human-centric networks, as this before/after view illustrates:

Source: Makati, the Philippines by PGAA Creative Design

A new article tries to bring this all to light again, given the recent spate of “pedestrian kill bills”, yet it makes an awful error:

A few years ago, most people would have seen “politically motivated vehicle attacks” as a terrorist tactic pioneered by ISIS. Now American police regularly carry out these kinds of attacks, and Republican policymakers have officially endorsed the practice.

There was ample evidence by 2016 if not earlier that “run them over you won’t be convicted” was a coordinated hate campaign on social media by white nationalists.

Source: Twitter 2016

If anything, ISIS likely took the ideas from American domestic terrorists (although arguably there were foreign accounts stoking the message).

In January 2016, a police sergeant in St. Paul, Minnesota, was suspended after allegedly posting a comment on an article about a Martin Luther King Jr. Day march, instructing drivers: “Run them over. Keep traffic flowing and don’t slow down for any of these idiots who try and block the street.”

This February, Troy Baker, president of the police union in Santa Fe, New Mexico, shared an image from the “Prepare to Take America Back” Facebook page, a right-wing meme factory with links to conspiracy theories. “All lives splatter: Nobody cares about your protest,” it reads over an image of a jeep plowing through a crowd.

Way back in 2013 the problem was described in terms of authorized use and operator error.

Vehicles can do great damage, yet when people drive aggressively or vengefully, the destruction is often dismissed as “an accident.”

Speaking of 2013, a car plowed through protestors a year earlier at the University of California Santa Cruz.

He revved his engine, but the crowd briefly stopped him from entering. The driver then revved his engine again and drove through the crowd of demonstrators at the High Street entrance, striking several people and a bike. […] Samson [who was a passenger in the car] said they intend to press charges against those in the crowd. […] The demonstration had been peaceful until the incident with the motorist.

The driver of the car who revved his engine, paused, revved again and then tried to run over a crowd of protestors intended to press charges against his victims?

A very different tone that same year can be found in Cardiff, Wales, after a taxi driver hit eight pedestrians and was sentenced to 15 years in prison.

Sentencing Rehman, the judge said: “It was wholly unjust behaviour – intolerable behaviour in a civilised society. To use a motor vehicle as a weapon is an extremely serious crime.”

Back to a completely opposite perspective, here’s a story from a year before that in Brazil, where police said a car that drove over 12 people during a protest was the fault of the protestors because… they didn’t have a protest license.

According to the police chief, the demonstrators’ right to free expression could not impede the right of pedestrians and drivers to come and go. “This is not Libya. Here there is every freedom to hold a demonstration, as long as the authorities are notified. Hold your demonstration, but don’t block the flow of cars. If you block it, you get confusion, you get disorder, you get accidents. Consider this a warning,” he said. (Translated from the Portuguese.)

Roughly paraphrased this is “free expression and demonstration can’t be in the way of the right of car mobility since Brazil is not Libya — people are free to demonstrate as long as they warn authorities and do not prevent car flow”.

But let’s not stop there. In 2009 videos were posted to the Internet from Iran, which showed police vehicles plowing into demonstrators.

In the video — shot Sunday, according to the posting on the Web site YouTube — green-and-white police trucks rush into crowds of protesters in the capital, Tehran. Demonstrators scatter, but one truck drives into a crowd trapped in a narrow street with a wall on one side and parked cars on the other.

Speaking of 2009, eight people were killed in the Netherlands when a car was intentionally driven into a parade in a failed attempt to kill the Dutch royal family.

And three years before that a philosophy/psychology graduate of the University of North Carolina drove a car through crowds of students, injuring almost nobody. Allegedly it was his attempt to “avenge deaths or murders of Muslims”… before calling police to turn himself in.

There are so many examples, I’m unfortunately leaving out many important ones. There’s a very, very important reason why:

Manslaughter with a weapon statistics from the Florida Department of Law Enforcement, from 1996 to 2016, show the number of offenses with firearms and knives, but everything else falls under a category called “other.” There is no readily available breakdown of the number of times that prosecutors said a car was used as a weapon.

Let’s say that again, when we look at weapon statistics there’s NO BREAKDOWN OF TIMES A CAR WAS USED AS A WEAPON.

This seems particularly odd since, as the grieving mother of a murdered daughter explained, use of cars as weapons to kill pedestrians tends to be pretty obvious:

“He ran over my daughter three times,” she told the South Florida Sun Sentinel. “You’re not going to tell me the car’s not a weapon. He used it as a weapon. That’s all there is to it.”

And at least some judges seem to agree with her, making some obvious points of their own:

Just as an automobile’s primary purpose is for transportation, the primary purpose of a steak knife or baseball bat is for use as cutlery or sporting equipment. Yet no one could reasonably dispute that those items are also ‘commonly understood’ as ‘instrument[s] for combat against another person’ when used as such.

And on that note, you would think that the low frequency high impact of cars as weapons also would gather more attention from anyone trying to protect Americans from harm.

Vehicular attacks have caused 45 percent of all injuries and 37 percent of all deaths in Islamism-inspired plots since January 2014

So please allow me instead of trying to capture every incident to just skip back all the way to news from 1977 in Plains, Georgia — a white man drove his Jaguar XKE at 50 mph through a Klan “anti-Carter” rally sending 19 people already wearing white sheets to the hospital.

Source: Eugene Register-Guard, 1977

The NYT reported on motive.

Sheriff Howard said at a news conference that Mr. Cochran apparently stopped at the Klan rally last night out of curiosity but “didn’t like what was being said” by the speakers. […] Mr. Cochran said “he had a lot of black friends and he was going to get even with Wilkinson for what he was saying about the blacks,” the sheriff said.

He had black friends and wanted to get even sounds very…wrong. I expect the driver to say he did it to fight racism, and not to say “some of my friends are black”.

Ok, I know what you’re probably thinking here. Use of cars as weapons goes back as far as cars themselves go in history. But the 1977 incident, let alone other countries, seems to show the risk is to everyone, not linked to any one race.

Here’s the problem with that “race blind” argument to risk from cars in America. Given the wild and illogical fears being spread about AntiFa, wouldn’t we then see bills being written to criminalize use of cars as weapons against the KKK?

Kill bills are basically handing AntiFa the keys to drive cars through crowds of Nazis. Seems backwards for fascists to be giving anti-fascists license to a weapon, no?

Or as the Blues Brothers movie illustrated the concept back in 1980 (posted to YouTube in 2011):

A comment on that video follows it with this insight:

I’m all for free speech…but the free speech of a revved-up Dodge former cop car sounds even better.

Despite the movie reference, currently the belief is that no white nationalist crowds will be impacted by threat of cars (similar to how white crowds in America are statistically less subject to any police brutality).

Fundamentally (no pun intended) racist whites believe a blanket authorized use of force won’t put whites at any greater risk because blacks can’t target whites with violence in the same way that whites can target blacks (while at the same time claiming that authorization is required because blacks target whites with violence).

Indeed, we know that while the majority of pedestrian deaths in America are blacks, and that jaywalking laws are historically racist, so too the new pedestrian kill bills target non-whites — these laws essentially criminalize being black.

So here’s the real talk. International pressure has been mounting on American systemic white insecurity groups to stop killing black people with police brutality.

Police killings of Black Americans amount to crimes against humanity, international inquiry finds.

As a result, white insecurity surely realizes their racist strategy of police shootings may be over, and thus laws hastily are being pushed with new ways to oppress and terrorize black people en masse with systemic bias in transit and healthcare instead.

There are more than 60% more Black pedestrian fatalities than White, yet Black residents are more than five times more likely to depend on public transportation to access vital services and opportunities.

Kill Bills in America serve no purpose other than to remove protection against known domestic terror threats.

1990s Warnings About Cyber War That Nobody Heard

A “CyberWar 2.0” book published in 1998 had a chapter called “Information Peacekeeping: The Purest Form of War”.

Here’s the sort of cogent warning you will find, written by Robert D. Steele, which seems like it was written just yesterday.

…perhaps the most important aspect of Information Operations is the defensive aspect. Our highest priority, one we must undertake before attempting to influence others, is that of putting our own information commons in order. We must be able to assist and support our consumers with knowledge management concepts, doctrine, and capabilities, such that they can “make sense” of the information chaos surrounding them.

Also notable from Robert Steele was his keynote presentation called “Hackers as a National Resource” at Hackers on Planet Earth (HOPE), New York, 13-14 August 1994.

And perhaps to emphasize again how similar things sound in the 1990s and today, here’s Strassman’s position that a mono-culture of big tech (Microsoft at that time) was a threat to US national security.

Microsoft has projected a vision of a world that is inter-connected with Microsoft centers from where each computer receives not only its operating software but also a continuous stream of data and applications.

Recently I’ve been interviewed for podcasts, etc and people have started asking what it was like being involved in cyber war so “early”… to which I have to admit that to me my timing felt a bit late.

There already was at least a decade if not more of experts and hackers with established reputations, headlines had been alarmist since the early 1980s, and thus I started my professional work in 1994 with a sense of urgency — had a lot of catching up to do. Hope that helps put 2021 headlines in some perspective.

Is AI as Dangerous as Nuclear Tech?

Saying nuclear power is the safest energy seems inaccurate and misleading, yet often I see people make this claim.

It’s always based on wild assumptions about quality control, which end up forming a logical fallacy (tautology). If absolutely everything is done perfectly by nuclear then nuclear is safest, sure. Except that’s so unrealistic as to be fantasy talk — the many nuclear accidents are the obvious proof and counterpoint.

Whether you go high or low on the nuclear disaster casualty count (high being well over 1000X the low numbers) the point is these counts for nuclear tech are extremely messy and imprecise. You can’t claim to be safe because of absolutely precise methods and then generate wildly varying estimates of harm.

And harms are common because instead of one or fewer core damage events (based on nuclear industry projections) in reality there have been at least eleven. Three Mile Island and Chernobyl both were a function of human error and the risk models have failed spectacularly to account for human error. And that’s not even to speak of massive cleanup costs for nuclear harms that weren’t even accidental.

Perhaps it helps to consider that nearly as many Americans died from radiation and fallout of the Manhattan Project as were killed by the bombs it dropped. That’s not a story often told, but it helps put to rest these odd notions that nuclear is safest just because people aren’t being very scientific about risk, casualties and total harms.

So is AI as dangerous as that?