CDMaST Phase 2 is going to change naval warfare

I’m constantly amazed at the level of tech we are achieving in a relatively short period of time. The “future” is coming fast, and sometimes in ways that even the best of science fiction didn’t anticipate.

Case in point – the CDMaST Phase 2 project from DARPA. Long story short, the idea behind this project “revolves around real-time secure networks of manned and unmanned aircraft, surface ships, and submarines able to attack and defend vast areas of the world’s oceans to hold enemy ships and submarines at risk over wide contested areas.”

The CDMaST project wouldn’t be the only line of defense. The project “would augment aircraft carrier battle groups and manned submarines with networked manned and unmanned systems of systems (SoS) that work collaboratively to control the seas.”

Imagine hundreds or thousands of drone-based ships in the ocean, playing basic defense and surveillance “over ocean areas as large as a million square kilometers”. This 24/7 armada would “hold the line” so to speak, and keep the Navy’s “12 aircraft carriers, 52 attack submarines, and 18 ballistic- and cruise-missile submarines” on a more focused and as-needed basis.

It’s brilliant.

Of course CDMaST is going to be target #A1 for hacking, and CDMaST is probably going to be the focus of some terrible movies when the mainstream media gets wind of this, but the idea that technology has reached the point of 24/7 global defense is astounding.

The article is on the Military and Aerospace website here.

DJI drones and tech banned from US Army for “operational risks”

In an article on Military and Aerospace Electronics, the US Army recently ordered all Army personnel “to cease all use of Chinese-made Dajiang Innovation drone products, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction.”

“This guidance applies to all DJI UAS and any system that employs DJI electrical components or software including, but not limited to, flight computers, cameras, radios, batteries, speed controllers, GPS units, handheld control stations, or devices with DJI software applications installed.”

According to a sUAS article, this full stop shutdown might have something to do with DJI drones collecting “audio, visual and telemetry data on all flights across the globe. The details shared here are perhaps known to a limited number of the worldwide owners and users of the DJI technology.”

In other words, it looks like every DJI flght was copied to DJI / China’s HQ.

The actual Army memo and breakdown is on a sUAS news site, the sharing / data collection of DJI drones is on another sUAS page, and the ban is cross-confirmed on the UPI news site and the Military and Aerospace page.

The new bank heist – hacking Apple’s biometric datbases

Today Apple announced their new shiny shiny – the iPhone X.

<Nicholson Joker Voice> You thought the celebrity photo leak was bad? The Equifax hack terrorized? Wait until you get a load of the biometric hack. </Nicholson Joker Voice>

Apple swears “the detailed biometric data points that Face ID will use to identify individuals will stay local, stored on the phone and not remotely” BUT “face ID will work with third-party apps.

The gold mine of biometric data won’t be held in Apple’s Fort Knox, but shared “on the open road” with third parties?

Never mind Apple. Forget about trying to get into their billion dollar systems. If I was an evil mastermind, this would be by four-step plan…

  1. Wait and see what new app requiring the iPhone X facial recognition takes off in popularity
  2. Hack their low-secure angel-funded 20-people-in-the-whole-company database
  3. Sell the users’ biometric data on the dark web
  4. Profit

If I was an government employee evil mastermind, this would be by four-step plan…

  1. Create multiple new apps requiring iPhone X’s facial recognition (match the celebrity funny face, make your own emojis, group party chat, who’s the hottest, etc)
  2. Keep a master database of all faces using the app AND constantly scan everything the camera “sees” while running in the background
  3. Keep the users’ biometric data in my master database – create cross references of who the user associates with through matching biometric facial scans, their GPS locations, and who they have in their contact list (Apple already allows app access to GPS position and contact lists BTW)
  4. Profit in a very serious long-term way

Read Apple’s statement again. The biometric data points are not generated and deleted with every use. They are stored. On the local phone.

That stored information will be shared with third-party apps.

Biometric scans are a mathematical algorithm. Your facial patterns create an identifier unique to you. There’s no changing it. Once your unique biological mathematical algorithm is out in the open, there’s absolutely no way to put that genie back in the bottle. The last cornerstone of individual security will turn to dust.

I expect the first public-aware hack in two years.

Ask Mondelez how much a successful cyber attack costs

I’m that IT guy. No you can’t have Facebook at your work PC. No you can’t access the company Wi-Fi network with your personal device. No you can’t remote access the work servers from any PC you want to. No you can’t skip this month’s security training.

Know why I’m such a pain? Because one slip up on my part will bring the company crashing down.

Ask Mondelez, the snack maker that owns Oreos and Cadbury, what the cost of a successful cyber attack is. According to an article on Food Business News, it was an immediate $7.1 million loss, another $150 million in lost sales, and an ongoing “to be determined” repair cost.

Back in June, Mondelez got hit with the ransomware strain “Petya”. The effects were immediate and brutal. Production came to a complete stop, and the company scrambled for weeks trying to remove the ransomware infection from their company servers.

According to Food Business News, “The malware affected a significant portion of the company’s global Windows-based applications and its sales, distribution and financial networks across the company.”

“Although the company believes it has now largely contained the disruption and restored a majority of its affected systems, the company anticipates additional work during the second half of 2017 as the company continues to recover and further enhance the security of its systems. For the second quarter, the company estimates that the malware incident had a negative impact of 2.3% on its net revenue growth and 2.4% on its organic revenue growth. The company also incurred incremental expenses of $7.1 million as a result of the incident.”

The worst part? “In an Aug. 2 conference call with investment analysts, Irene Rosenfeld, chairman and chief executive officer, said Mondelez was not yet “back to normal.”

June. July. August. And an untold number of months to go.

Yes, IT guys like me are a royal pain. It’s not because we want to be. It’s because we know what will happen if a cyber attack is actually successful.

Time Warner ended partnership with Dell’s Sonic Wall

In a big giant bit of ugly news today, our local Time Warner rep informed me that Time Warner corporate is no longer offering Dell Sonic Wall products or services.

If you are in a Time Warner corporate environment and are currently using a Dell Sonic Wall product provided by Time Warner, you should have grandfathered-in support for the time being. HOWEVER, if your existing Sonic Wall goes out or you need to add to your WAN/LAN, your only option now will be to switch to Time Warner’s new Cisco/AdTran services or buy and config your own Sonic Wall.

Nightmare scenario: the corporate Sonic Wall goes out. Time Warner has nothing to drop ship you as a replacement. You will either have to re-configure your entire network through their new Cisco/AdTran services or find an identical Sonic Wall online to clone your previous config to. How long will either scenario take?

If you’re in this boat, contact your Time Warner rep for more details.

New research shows 3D through-wall imaging using only two drones and Wi-Fi

This should get the tinfofil hat brigade nice and riled up. New research from the University of California Santa Barbara has shown it is possible to make a “high-resolution 3D through-wall imaging of completely unknown areas” using only basic Wi-Fi signals and two drones.

The concept is pretty straightforward but the tech behind it is fairly complex. One drone acts as the Wi-Fi broadcaster, and the other drone “reads” the signals and maps out the interior. Both drones follow multiple paths around the area until a satisfactory image is created.

The idea is to use this tech for “emergency response, archaeological discovery, and structural monitoring”.

The link to the video showing the drones in action, the tech involved, and article is on the TechTV site here

Notegraphy shutting down web services by June 30th

Notegraphy announced in a press release that as a result of “overhauling their technology platforms”, the web version of Notegraphy will be discontinued on June 30th.

If you have anything on Notegraphy you want to keep before the June 30th purge, you will need to…

  1. Login to www.notegraphy.com with your username and password
  2. Go to Settings
  3. Select Backup my notes
  4. Check your email for the link to download your notes to your PC or Mac

The company has a new app they are pushing (of course!), but to delete all of their user’s works in Notegraphy instead of automatically migrating them to the new app is a boneheaded executive decision. After all, if they are willing to eviscerate Notegraphy with one week’s notice and not offer a full migration path to its’ supposed successor, what’s to stop them from doing the same with any of their future products?

Congress’ basic guidelines for automated vehicles miss the potential problems

In a recent article on Government Tech’s website, Congress announced they have already come up with six basic guidelines to regulate the future of autonomous vehicles.

The six legislative principles that have been defined are…

  • Prioritize safety
  • Promote continued innovation and reduce existing roadblocks
  • Remain tech neutral
  • Reinforce separate federal and state roles
  • Strengthen cybersecurity
  • Educate the public to encourage responsible adoption of self-driving vehicles

While the government is starting off some very generic principles to regulate the industry and have some other concerns they are starting to look into, I see a few very significant problems that must be addressed before fully autonomous vehicles become the nationwide standard.

  1. Since non-automated vehicles as stated in the article are already responsible for “94 percent of crashes” due to “human error or decision”, ownership of a non-connected vehicle will eventually be vilified (if not seen as an outright criminal liability). This issue may play out through a heavy “tax” and/or insurance levy on those individuals who wish to retain their non-automated vehicles, or an outright ban on the manufacture of “human driven” vehicles after a certain date. Will automated vehicles and “human driven” vehicles be allowed to co-exist? Or will there be a mandatory phase-out period in the coming decade?
  2. Navigating any city using an outdated GPS system is already a problem with “human driven” vehicles. What will happen if an automated vehicle is allowed to operate with an outdated GPS system? To avoid a potentially lethal outcome, I expect the government to create an oversight agency to mandate all autonomous vehicles have the most recent firmware and software updates at specific intervals. This may play out through updates as infrequently as every “state inspection”, or be more strict via mandatory updates at every refueling (with the option to penalize or completely restrict owners who continue to use a vehicle with outdated software). This, by proxy, also brings up the issue of standardization of GPS systems. While the government has so far been hesitant to declare a standard for automated vehicles to use, this could soon be a pressing safety issue that will not wait for a consumer verdict.
  3. When automated vehicles can be sent home at any time, as stated in the article, “this could create significantly more vehicle-miles traveled, ultimately causing worse congestion. People could potentially send their car home rather than paying for expensive parking in an urban core.” Cities would lose income on previously reliable parking garage and meter fees and will also have to address the sudden glut of unused parking buildings across their downtown areas. I don’t expect any city to gracefully accept this loss of income, and will instead create toll lanes on previously “free” roads as well as a new universal “miles usage” tax for increased “wear and tear” on the roads. Will the federal government allow this?
  4. When automated vehicles become the majority, what is to stop overreach from non-traffic related issues once vehicles become fully interconnected? If you owe the IRS, a court judgement, have overdue child support payments, or even a late credit card payment, what is to stop a restriction from being placed on a connected vehicle’s use since it will be readily available online? Is driving still a privilege and not a right in the coming era of automated vehicles?
  5. Uber is already a nightmare for city taxi services. What is to stop Uber (or a similar company) from purchasing several automated buses that pick up and drop off passengers at designated areas defined by the users themselves? Instead of losing their bus/subway/transport base (IE: income), I expect a hard push back on Uber-style companies through city-based lawsuits and insurance bribes concerns on the safety of a peer-controlled company with no external oversight.

While self-driving cars sound like a futuristic utopia we might actually see in our lifetimes, once the industry makes it to the “real world”, I think the early winners won’t be the consumers, but the attorneys who will be litigating every step of the way.

How to make a “thread” (or “tweetstorm”) on Twitter

If you’ve been on Twitter recently, you might have noticed more and more people have a topic they want to discuss that takes far more than the 140 character limit per Tweet allowed. When they have a long topic to discuss, they create a “thread” on Twitter you can read all at once.

Here’s an example of a “thread” that was recently posted by Twitter…

Example of a Twitter thread

The way to create a “thread” like the one above was outlined in a recent Twitter Business post.

The process is very simple…

  1. Create a “first” tweet
  2. Reply to your own “first” Tweet
  3. If your @name appears in the Tweet compose field, delete it. The reply you type will nest under your first Tweet automatically.
  4. Continue replying to the newest / most recent Tweet in your thread until your narrative is complete.

That’s it!

For clarification, multiple posts in a row on the same topic are sometimes also referred to as “tweetstorms”, especially if they carry on for awhile.

If you want to create a “tweetstorm” with a numeric tally at the beginning of each tweet so your followers know how long the post will be (EX: A prefix of 1/12, then 2/12, then 3/12, etc…) there’s a freemium web service called WriteRack that will do that for you. You just paste your entire topic to their website (after you authorize WriteRack to access Twitter), and their service will break up your topic and post it for you with the appropriate sequence.

WriteRack’s free version limits you to 15 tweets in a “thread” and does not allow you to post images or space the postings out in a specified timeframe. Their premium service ($19.95 annually) allows for 100 tweets in a “thread” and removes the restrictions from the “free” version.

Be careful with all the other online apps that offer to post threads / tweetstorms for you. Some “need” to update your profile and add followers to your account as well as access your contacts. Choose another service if you see those requirements when connecting the app to Twitter.

FOSCAM cameras compromised. Affected models should be disconnected.

In a press release yesterday afternoon, Foscam officially announced their branded cameras manufactured by China-based Shenzhen Foscam have severe security vulnerabilities “which leave users vulnerable to hacks which allow attackers to remotely take-over cameras, live stream, download stored files and even compromise other devices located on the local network.”

Foscam recommends “disconnecting your current Foscam branded cameras from the internet until these issues have been resolved”

The models affected are:

  • Foscam R2
  • Foscam C1
  • Foscam C1 Lite
  • Foscam C2
  • Foscam FI9800
  • Foscam FI9826P
  • Foscam FI9828P
  • Foscam FI9851P
  • Foscam FI9853EP
  • Foscam FI9901EP
  • Foscam FI9903P
  • Foscam FI9928P

“The vulnerabilities affect “Foscam” branded cameras and cameras manufactured by China-based Shenzhen Foscam only. The vulnerabilities DO NOT affect Amcrest or FDT branded cameras which are produced by a separate factory and R&D team led by US-based Amcrest (formerly Foscam US and now Amcrest), which is totally unrelated to China-based Shenzhen Foscam.”

There is a damning report by FSecure [.pdf download] on the exact vulnerabilities found on the affected Foscam cameras. For starters, there’s hidden Telnet functionality, hidden hard-coded credentials for the web user interface, the FTP server account to the cameras have a hard-coded password, and the configuration back-up file is protected by hard-coded credentials. Any one of those is a very bad thing, but for all of those hard-coded backdoors to be on every camera system and on all models coming from one location? “Suspicious” would be a kind word.

Like I ranted about master passwords and again on master backdoors, hardware and software with embedded hard coded and/or universal master passwords are a big problem. Regardless of the original intent of having a master password and/or backdoor, once that “core” password gets out, that product is now fair game for anyone for any purpose anywhere anytime.

Good thing everyone on the internet is kind and rational. Oh, wait, that was just that one day back in 1989. Nevermind.