Hacking 911 systems: an update

It isn’t often that there is a very short trajectory from an academic research paper to reality, but when it comes to hacking the 911 emergency phone network this is indeed the case. The paper was written earlier this year and first given to the Department of Homeland Security before being published online this fall.

The researchers from Ben Gurion University in Israel describe how an attacker could knock a 911 service offline by launching a distributed denial of service (DDoS) attack using a collection of just 6000 smartphones. While that is a lot of phones to gather in one place, it is a relatively small number when this is compared to computer-based attacks. And you don’t really need to gather them together physically: you can infect these phones with some malware and control them all remotely.

As in other DDoS attacks, the attacking devices (phones rather than computers) make repeated calls to 911, thereby blocking the system from taking legitimate emergency calls. It is a chilling concept, because unlike other DDoS attacks, the hackers aren’t just bringing down a website with large bursts of traffic: they could prevent someone from getting life-saving assistance.

In the paper, the researchers simulated a cellular network modeled after the 911 network in North Carolina and then showed how attackers could exploit it.

Now 911 attacks aren’t new: indeed, the DHS issued this alert three years ago and mentioned that more than 600 such attacks have been observed over the years. What is new is how easily the attacks could be launched, with just a few thousand phones and some malware to make it all work. Also, these previous attacks were launched against the administrative phone numbers of the alternate 911 call center, not to the actual 911 emergency lines themselves. If you are interested in how the 911 center operates, I posted a piece many years ago about this here.

There are other stories about hospitals and other businesses that have had their phone systems flooded with calls, blocking any business calls from being connected. And where there is fire, there is at least one security vendor to put it out or protect an enterprise network from being exploited by telephone-based DDoS attacks.

The problem is in the design of the 911 call centers. These centers have no built-in way of blacklisting or blocking callers: they want to be able to answer any call from anyone who has an emergency. Therefore, in the face of a large attack, they would have no choice but to answer each and every call. But let’s say we could implement such a blacklisting service: it would prevent the unwitting owner of an infected and blacklisted phone from making a legitimate emergency call.

Well, that was the theory behind the paper. It didn’t take long before someone actually did it “in the wild,” as they say when an actual attack has been observed. Last month a teen was arrested for allegedly doing such an attack and is facing three felony counts. The teen, Meetkumar Hiteshbhai Desai, discovered an iOS vulnerability that was used for launching the attack and flooding a call center in Arizona. Now his phone supposedly was the only one used and it made just 100 calls in a matter of minutes. But that was enough to get the cops on his case.

It is distressing to be sure. But whether these attacks are done by script kiddies or by professional criminals, certainly the opportunity is there and very real indeed.


This campaign isn’t like high school

This week I had a chance to talk to some high school kids in the area. They are part of a business class called Spark that is designed to teach kids how to start their own businesses. The class is taught in a storefront in a local shopping mall, deliberately to give the students a more non-school milieu. I came to talk about using Twitter and other social media tools. I had given this presentation to previous classes for the past several years, so I wasn’t really focused on the events of the presidential campaign and how current they would be in this context. And I found our discussions quite interesting, but not in the way you might think.

I was actually surprised by the mature responses from the kids. Many of the students thought that some of the things being said on social media and on TV about the campaigns were certainly entertaining, but they thought the candidates weren’t acting appropriately. I made the comment that many of the students seemed more mature in their reactions compared to what the candidates Tweeted and posted, and there were nods all around the room.

Xanthe Meyer, the Spark teacher, was also surprised by their responses. “Maybe the kids are more interested in the presidential election this year, because it is racier. But I am also shocked that both candidates’ PR teams allow these kinds and levels of responses. I think this election will be in many studies as an example of what NOT to do,” said Meyer. “I wonder what would have happened if we had social media during the Watergate scandal?”

The class is pretty tech savvy: the kids use Twitter, Slack, Instagram and LinkedIn to communicate with each other and with their teachers, and are encouraged to do so. “It is expected that we use social media more,” said their teacher. I was surprised that many of the kids weren’t really facile with Twitter, and I guess that was one of the reasons why I was there, to help them understand how to use it more effectively.

Meyer has been teaching for decades, and recalls what happened during class when 9/11 happened. “We watched the event live during class on TV. Later, our principal was getting phone calls from parents complaining about my decision. And this was from parents of 17 and 18 year olds. That was crazy. These kids could be drafted!”

I mentioned that during the last couple of debates, parents were posting thoughts about not letting younger kids watch the debates. “In our community, parents do shelter their kids from the news. We are definitely living in a different world politically, and I think this campaign amounts to one big negative political ad that is running continuously. It is like a long version of a TMZ episode that is embarrassing to our nation. Not sure if I know what the true issues are anymore.”

One issue for this and other teachers: using social media is a tricky situation. Last year, a local special ed teacher was suspended for several days after her profanity-laced tweets got her into trouble with the school district. And there are numerous other examples of other teachers who have gotten in trouble over their tweets, which seem tame now compared to what the candidates say about each other lately. Teaching is a tough enough job already – my mother was a special ed teacher for decades – but having to navigate these waters now has to be done with care.

Still, I thought it instructive with all the “locker room talk” and “boys being boys” – at least when it came to this high school class – the kids took the higher road. Maybe there is something we can learn from this to improve our supposedly “adult” discourse.

The different worlds of digital and analog entertainment options

What do the TV series House of Cards, Moneyball pitcher Chad Bradford, women’s erotica purchases, You Tube Spaces and Harrah’s casinos have in common? I will explain in a moment, as you mull over each of these situations.

In a new book entitled, Streaming, Sharing, Stealing: Big Data and the future of entertainment, two Carnegie Mellon professors present years of researching the book publishing, movie-making, television and music industries and how they treat their customers, their artists, and their data. Their conclusions will both surprise and delight you, and I would urge you to buy this book and read it carefully.

Let’s go back to our intro. In February 2011, the producers of the show House of Cards approached several cable TV executives to get their show green-lighted. Political dramas weren’t popular, and the execs passed. As you all know, Netflix acquired the rights to the series, but what you may not know is that they paid the production company $100 million for a two-year commitment for the series, rather than buying a single pilot episode.

Why did they do this? Because they knew exactly what the viewing habits of their customers were. They created multiple trailers to promote the series:

  • one for Kevin Spacey fans,
  • one for customers that liked “strong female lead actors,” as they characterize those types of movies
  • one for fans of David Fincher’s movies,
  • and another for the people who had rented the original BBC series on DVDs.

Netflix knew exactly which people would want to watch the series, because it had all the data about their viewing habits. And we all know what happened: Cards became a hit, and is filming its next season.

The authors question the generally held belief that delaying the release of a movie via DVD rental or online stream hurts sales, or that selling a paperback or ebook hurts hardcover sales. What they found is that there are two separate audiences for content: those that have “crossed over” to the digital world aren’t coming back to the analog world. Delaying an ebook resulted in almost no change in hardcover book sales. Delaying a digital movie release after the physical DVD date could cut digital sales by half. Digital and analog are different products, and operate in different universes. “When digital customers couldn’t find the product they wanted to buy when they wanted to buy it, many of them simply left, and didn’t come back. They are either pirating their content or consuming other types of content on Netflix et al.”

The digital world grew out of a “perfect storm” coincidence of three megatrends: the Internet and better broadband, the rise of digital content such as MP3s and downloadable apps and movies, and lower-cost PCs that were usable and affordable. This created so much turmoil that the existing entertainment industries couldn’t cope.

Take women’s erotica, and other specialty genres in the book-publishing world. These books used to be difficult to find, with only a few stores carrying more than a couple of titles, often hidden on selected shelves. But with Kindles and other ereaders, people can buy what they want without having to show the world their tastes. When the first 50 Shades book was written, it was self-published. Fans through online communities promoted it before it became a blockbuster hit.

What about You Tube Spaces? These are video production facilities that anyone who has a sufficiently large audience can book and use. Think of it as WeWork with a soundstage and digital editing bay, but for free. There are classes on all sorts of production techniques. They are located in major cities around the globe: all with the goal of improving the quality of You Tube videos. (Here is a tour that The Next Web took a few years ago of their LA studio.) Such a thing wouldn’t be conceivable just five or ten years ago.

And then there is Moneyball and the pitcher Chad Bradford. He had a quirky pitching style but incredible power as a pitcher. However, the stats normally used by most baseball scouts didn’t capture his performance, and he was overlooked by most of the teams. Eventually, he was signed by Oakland and delivered for a couple of years. Later, though, the other baseball teams got their Big Data act together and Oakland’s advantage evaporated.

Moneyball illustrates another issue: the culture in tech firms differs from those of the entertainment firms such as major studios or book publishers. “Companies such as Google, Amazon and Apple don’t make gut feel decisions – they make quantitative decisions based on what their data tells them.” Once the digital platforms have learned their customers’ preferences, they can market products directly to them, based on what they watch, read, and listen to. They can design specific promotional campaigns to speak to specific groups, and even target new customers.

One final example is Harrah’s casinos. Back in 2000, the company was doing well. It operated in more markets than its rivals, and was very profitable. But the gambling landscape was changing: more casinos were being built across the country, often as destination resorts that included show rooms, luxury-themed shopping malls and five-star restaurants. Harrah’s had to pivot from operating independent casinos to integrating them in a single business that looked closely at its customers’ data and who did what where on its properties. It had to focus on extracting value from that data, and in a way that built customer loyalty countrywide. Contrary to the provincial assumptions of its local property managers, using this central data repository and analytics the company was able to increase revenues, promote cross-market players, and design new loyalty programs to increase its overall customer base.

The overall moral of this book: entertainment companies are going to have to take control over the customer interface and their customers’ data if they are going to be successful. It should be required reading for any digital marketer.

The current state of online ad blockers (plus podcast)

The online advertising world is undergoing a massive transition right now, trying to cope with an increasing technology war between the advertisers and us, the people that view their advertising. It is messy, it is contentious, and no one really knows what is going to happen in the coming months and years.

Recently, Facebook made changes to the way it works with displaying online ads. They say in that linked post, “We’ve all experienced a lot of bad ads: ads that obscure the content we’re trying to read, ads that slow down load times or ads that try to sell us things we have no interest in buying. Bad ads are disruptive and a waste of our time.”

Here is the problem: one person’s “bad” ad is another person’s opportunity to sell you something that maybe you might want. So they have attempted to clarify the issue, and give users more control over their ad experience. So far, it hasn’t been good.

How many of you Facebook users know about this page to control your ad preferences? I don’t see many hands being electronically raised. Take a moment, click on the above link, and spend a few minutes browsing around to see what they have done. You will be surprised.


The page is full of confusing controls and has a really poor user experience. For example, as you can see from the screen shot, I have given my personal information to three different advertisers, two of which I didn’t recognize. When I deleted these two – because I don’t want to hear from them ever again – they first faded, and only disappeared from view once I returned to the page.

Andrew Bosworth, a VP at Facebook, says, “Some ad blocking companies accept money in exchange for showing ads that they previously blocked — a practice that is at best confusing to people and that reduces the funding needed to support the journalism and other free services that we enjoy on the web.” (my emphasis added) That is a lofty thought.

But let’s not just blame Facebook. At least they are trying to take control over the situation and make improvements, so that users will click on more relevant ads and they will be able to charge more for them. How about the traditional news generators, like newspapers and other media companies? What are they doing about online ads?

The short answer is that they are selling every square pixel they can and finding new ways to pop-up, pre-roll, roll over, mix sponsored and editorial content, and in general pollute the overall browsing experience of their online properties. Just about every publication that I want to read places some obstacle (and that is what I think about them) in my way when I try to click on an article that I want to read. Their home pages automatically start playing noisy videos that have me using the mute button on my PC as a default setting, just so I can have some peace and quiet when I am reading in the mornings.

I know, they have to make money. Print advertisers are leaving in droves, subscribers are few and far between, and newsrooms are ghost towns.

So a few years ago, technology comes to the rescue and creates browser plug-ins called ad blockers. These sense pop-ups and other devious methods, and prevent them from displaying ads. It is a great idea, and most modern browsers have incorporated some of their features too.

However, the problem is the blockers worked too well. So Facebook and other major sites who benefit from advertising revenue have decided to block the blockers. Now we have a cat-and-mouse game, where as one side adds new features, the other side figures out a way around them. Malware authors have been doing this for decades.

“More publishers will have to look to more innovative ways to incorporate their commerce with their content.” So says TechCrunch, who ran this story not too long ago. They proposed a sensible argument for how ad blockers can improve the overall experience and at least eliminate the cheesy online ads. But what is happening is that innovation has turned into just using as many ways as possible to put up online ads.

The pre-eminent ad blocking company is called Ad Block Plus. On their blog, they announced a new version of their software that is used by hundreds of millions of users. It is called “Acceptable Ads Platform.” Basically, they get to choose which ads are “good” and which aren’t. They will continue to block the bad ads, but allow good ads by default. You can change this setting and not allow any ads whatsoever.

The New York Times has said, “instead of blocking bad ads, AdBlock allowed ads it deemed acceptable to be seen, often for a price.” This strikes me as something we used to call “bait and switch.” The Ad Block Plus company now wants to be known as a “web customizing” company. This seems a bit naïve, or misleading, or both. It also puts this company in the hot seat to decide what is acceptable and what is not. They claim to be putting together a panel of judges. We’ll see how well that will work.

As I said, this is all early days for what will come. While the web has been with us for decades, and online advertising too, it seems we need to work together to figure out how to best serve up ads that won’t block the editorial content that we were trying to view and still allow the publishers and media companies to make money from our interests. So far, it is sub-optimal for nearly everyone involved.

To hear more about this matter, listen to our latest podcast from Paul Gillin and me where we discuss this issue. Or leave your comments here.


‘I have nothing to hide’ doesn’t mean you are anonymous

In my post from last week, I addressed some of the concerns in the growing conflict between security and privacy. One of the issues that I didn’t talk about, as several readers reminded me, is the difference between privacy and anonymity. This is often summarized by saying, “I don’t care if someone tracks me, I have nothing to hide.” Well, consider the following scenarios.

Scene 1. You are hiking on a remote trail. As you are enjoying the view, someone is taking pictures with their smartphone and pointing their camera in your direction. So essentially your image is being taken without your consent. At first, you think this is fine: after all, you are anonymous, just some random hiker. But when the photographer posts your image on their social feed, your face is recognized thanks to the site’s software. And now, not only are you identified, but your location is also specified. So you have been tagged without your consent. One way around this is to wear specialized clothing that defeats flash photographs, as shown here.

Scene 2. You maintain a very active Pinterest account and post numerous pictures when you are at various events, or when you travel to distant cities. One consequence of this is that anyone who spent time looking at your account could see where you have been and what you have done.

Scene 3. Beginning in 2007, employees of the UK-based News Corp. regularly hack into celebrities’ voicemail accounts. They are sued and eventually pay various fines. Things come to a boil in 2011 when others are charged, and one staffer is actually jailed. Testimony reveals that thousands of phones were involved and dozens of staffers had access to the collected information.

Scene 4. In the neighborhood where I live in St. Louis, the community monitors nearly 100 cameras that continuously capture video imagery to aid in solving crimes. Several dozen people have been arrested as a result of investigations using these images, which are available to law enforcement personnel. While they don’t have facial recognition software yet, it is only a matter of time. But what if anyone could access the video feeds online and monitor what is going on?

Scene 5. Your online activities are being tracked. One of the stories that I wrote about tracking online fraud recently was how security researchers were able to use machine learning to predict when an endpoint device could be considered compromised. They found a series of common characteristics that were easy to discover, without any sophisticated software. These included freshly made cookies (fraudsters clear their cookies often while regular users almost never do), erased browser histories, 32-bit Windows running on 64-bit CPUs and using few browser plug-ins. While any of these factors taken alone might be from a legit user, combined together they almost always indicated a machine used by an attacker.
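As an added illustration of the combined-signal idea in Scene 5 (this is not the researchers’ model and not code from the post), here is a rule-based scorer: each of the four characteristics alone is worth one point, and only a device that shows several of them together is flagged for review. The thresholds and the sample fingerprints are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed thresholds for illustration; the researchers' actual cut-offs are not given in the post.
FRESH_COOKIE_MAX_AGE_S = 300   # cookie jar created within the last five minutes
FEW_PLUGINS_MAX = 1            # one plug-in or none counts as "few"
FLAG_THRESHOLD = 3             # three or more of the four signals together flags the device


@dataclass
class Endpoint:
    """One browser session's fingerprint as a fraud-detection service might record it."""
    session_id: str
    cookie_age_s: int        # age of the oldest cookie this site has set on the browser
    history_cleared: bool    # browser reports an empty or just-erased history
    os_bits: int             # 32 or 64
    cpu_bits: int            # 32 or 64
    plugin_count: int        # number of installed browser plug-ins


def indicators(ep: Endpoint) -> Dict[str, bool]:
    """Evaluate the four signals the post lists; each is weak on its own."""
    return {
        "fresh_cookies": ep.cookie_age_s <= FRESH_COOKIE_MAX_AGE_S,
        "history_cleared": ep.history_cleared,
        "os_cpu_mismatch": ep.os_bits == 32 and ep.cpu_bits == 64,
        "few_plugins": ep.plugin_count <= FEW_PLUGINS_MAX,
    }


def risk_score(ep: Endpoint) -> int:
    """Number of signals present (0..4)."""
    return sum(1 for present in indicators(ep).values() if present)


def is_suspect(ep: Endpoint) -> bool:
    """Only the combination of signals, not any single one, marks a device as suspect."""
    return risk_score(ep) >= FLAG_THRESHOLD


def triage(endpoints: List[Endpoint]) -> List[str]:
    """Return the session ids that should be routed to manual review."""
    return [ep.session_id for ep in endpoints if is_suspect(ep)]


# Constructed sample sessions (not real telemetry).
SAMPLE_ENDPOINTS = [
    # Typical user: old cookies, intact history, 64-bit OS on 64-bit CPU, several plug-ins.
    Endpoint("s-regular", cookie_age_s=86_400 * 30, history_cleared=False,
             os_bits=64, cpu_bits=64, plugin_count=5),
    # Privacy-minded user who just cleared cookies and history: two signals, still legitimate.
    Endpoint("s-privacy", cookie_age_s=10, history_cleared=True,
             os_bits=64, cpu_bits=64, plugin_count=4),
    # Attacker-like profile: all four signals at once.
    Endpoint("s-suspect", cookie_age_s=5, history_cleared=True,
             os_bits=32, cpu_bits=64, plugin_count=0),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(ep.session_id, risk_score(ep), indicators(ep))
    print("flagged:", triage(SAMPLE_ENDPOINTS))
```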

Still think you have nothing to hide? Maybe so, but it is a bit creepy to know that your digital footprints are so obvious, and show up in so many places.

Some vendors, such as email encryption software Mailpile, have gone to great lengths to document how they address their users’ privacy. Given their market focus, it isn’t surprising. But still the level of detail in that document is impressive. “People should be able to communicate privately,” as they state in their document. That means no eavesdropping on email content, supporting authentic messages and privacy when it comes to the message metadata and storage too. What I liked about the Mailpile manifesto was their non-goals: “Mailpile is not attempting to enable anonymous communication. Most people consider e-mail from anonymous strangers to be spam, and we have no particular interest in making it easier to send spam.”

So as you can see, there is a difference between being anonymous online and maintaining your privacy. Like anything else, it is a balance and everyone has their own trade-offs as to what is acceptable, what isn’t, and what is just creepy. And expect new technologies to upset this balance and make these choices more difficult in the future.

iBoss blog: Beware of wearables!

As more of our users start literally wearing their own gear to work, the number of threats from these devices, such as Fitbits and Apple Watches, increases. After all, they are just another remote wireless computer that can be compromised to gain access to your enterprise network. I talk about the potential threats and ways to mitigate them, along with other factors. You can read my post here on iBoss’ blog.

Why Uber might win

Last week I took my first couple of Uber rides when I was in Los Angeles. I had resisted the temptation for some time, for several reasons. First, I wasn’t happy with their corporate culture and saw my one-man boycott as something personally meaningful, if a bit useless. Second, ride hailing is illegal here in St. Louis, where we have a Neanderthal taxi commission that has laid a nice featherbed for its own drivers. Finally, I don’t take all that many taxis for the most part, other than to and from the airport, and again, see point #2.

The Uber trips in LA were very enlightening. Both drivers appeared within minutes of my clicking the request on the Uber mobile app. In one case, I was at LAX airport and got to see how efficient the Uber pickups were: in the short time that I was waiting for my driver, about a dozen millennials had met their drivers and zoomed off. Before they got into their cars, I could tell they were Uber customers. They were staring at their screens, watching their cars approach the airport. LAX, unlike St. Louis’ Lambert airport, allows Uber to pick up passengers in certain spots in between the terminals. There is no need to queue up like at a “normal” cabstand, because you have already been assigned a driver.

Watching your car approach – or indeed, any nearby Uber car available at that moment – is the real genius idea behind the service. Often I have waited for a taxi pickup, not knowing where the cab is. With Uber, this uncertainty is removed. You have a countdown clock that tells you, quite accurately, when your car is to arrive. You see the name of the driver, the license plate, make and model of the car, and you can directly contact the driver to confirm exactly where you will be. With one ride, for some reason the app displayed a nonsense address for my location, but the driver called me and we clarified where I was actually standing.

Most of the cars that morning at LAX were Priuses and both my rides were Priuses, too. (Cnet has a funny story about how people just assume that all Priuses are Ubers here.) One driver walked me through the economics of operating a Prius, showing me how much more profitable a fuel-efficient hybrid can be. The cars were clean, relatively new models. One had a charging cable for my phone, a nice touch. The rides were about 20% less than what a typical cab fare would be too. On my return to the airport, I was told by the Uber app that because of congestion at that moment, if I wanted a ride I would have to pay 30% more for it, or I could wait a few minutes for the price to drop. I waited, and was notified by the app when this happened so I could book my ride. That is another nice touch.

A final benefit is that when you get to your destination, you just get out of the car. There is no need to go through the payment process: that is handled automatically by the app. The driver doesn’t carry any cash: my fare is deducted from my credit card and the driver’s fee is added to his or her bank account. You then get an email receipt within seconds.

Both of my drivers shared that they were making decent livings with Uber, more than $50,000 a year and about $30 an hour. That is more than they would make driving a regular yellow cab in LA. One of my drivers was a former cabbie and told me that he never made as much as he does now with Uber. Both drivers also mentioned to me that they can drive when they want to: one gets up early and covers the morning rush, then takes a few hours off and returns for the afternoon and evenings. Many cabbies don’t have that flexibility because they aren’t working for themselves; they have to make the most of their employer’s cabs.

Granted, my data is just incidental. What about overall trends? Fortunately, the New York City taxi commission data is available for anyone to download and Todd Schneider has done just that. His latest post shows that there are more Uber cars in the city, and not surprisingly that yellow cabs are losing market share in terms of the number of daily riders, even though they take more fares per cab.

Schneider also shows that the market for Uber is becoming more competitive, as the number of cars on the road has rapidly increased. (Lyft, Uber’s main competitor, has a smaller market share.) This could be one reason why Uber is dropping its prices in NYC. Schneider estimates that Uber made about $220 million during all of 2015 in NYC. Given their commission rate, that means they have added about a billion dollars to the city’s economy last year.

I know I am late to the ride hailing party, but these services are certainly changing the economics and the process of taking taxis to be sure. I think they have a lot of benefits, and I certainly will use them more frequently in the future. I hope they can win their legal battles here in St. Louis and elsewhere around the world.