October 28, 2017
Email and Forum Questions
- Email from Susan in Alexandria: Dear Dr. Shurtz, I’m sure you’ll be discussing the KRACK vulnerability on Wi-Fi with WPA2 security. My specific situation is this. At home, I have Windows 10 (with automatic update) on two laptops and I use an Actiontec router provided by Verizon. I checked the Actiontec website today (10/20/2017) and it said “We will be posting an update regarding affected devices and available software fixes for those devices as they become available. Please check back for updates. If your Wi-Fi router or network extender was provided by your service provider, the firmware updates for those devices will be pushed from your provider to your device without any action required on your behalf.” I could not find any further information about the KRACK vulnerability from Verizon. On public Wi-Fi, I use older-version Android devices. The most sensitive thing I do is check my email, and I use a VPN for that. What other steps should I be taking? Many thanks from devoted listeners in our house! Susan in Alexandria, VA
- Tech Talk Responds: KRACK (Key Reinstallation Attack) is a severe replay attack (a type of exploitable flaw) on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven. Vanhoef’s research group published details of the attack in October 2017. By repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an attacker can gradually match encrypted packets seen before and learn the full keychain used to encrypt the traffic. This is permitted because the protocol allows for the reconnection without a new encryption key by repeating the third step of the WPA2 handshake.
- The weakness is in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely to be vulnerable. The vulnerability affects all major software platforms, including Microsoft Windows, macOS, iOS, Android, Windows Phone and Linux.
- The widely used open-source implementation, utilized by Linux, Android, and OpenBSD, is especially susceptible as it can be manipulated to install an all-zeros encryption key, effectively nullifying WPA2 protection in a man-in-the-middle attack.
- It can only be exploited if you are in the proximity of the Wi-Fi network, while a device is connecting.
- Microsoft has already issued a security patch for Windows 7, Windows 8, Windows 8.1 and Windows 10. Windows machines are safe.
- The Apple patch will be included in the next big software release. You can fix the KRACK vulnerability by downloading the beta versions of macOS, iOS, tvOS and watchOS. Otherwise, Apple is going to release macOS 10.13.1 and iOS 11.1 in the coming weeks with other bug fixes, new emojis and more.
- Google said that the November 6 patch would fix the issue. Google’s own devices will receive the update instantly, but it’s going to take some time before device manufacturers and carriers approve the update. In fact, it could take weeks or months. Android fragmentation isn’t ideal in those cases.
- The ISPs will automatically push the update to your router. If you own your router, you will have to perform the firmware update manually. A few router companies have released updates as of October 28, 2017, but most have not.
- To protect yourself until all devices are updated, use a VPN to keep your traffic encrypted without reliance on WPA2. You can also switch to an Ethernet connection to your router (problem solved).
- Email from Doug in Baton Rouge: Dear Dr. Shurtz & Jim. Can you explain some information about cell phones? I have an Android pay-by-the-minute Tracfone, Alcatel Pixi Glitz. It is a small and limited cell phone that does what I need for communications. However, I would like a larger and rotatable screen, longer battery life and better photos than the 2-megapixels the phone currently provides.
- Can I purchase on eBay or Amazon a better brand name Android cell phone (Samsung, AT&T, LG, etc.) and transfer my Tracfone SIM card to it? Then have the Tracfone website activate and move my minutes and phone number to the “new” cell phone. Or is it more complicated than expected?
- I noticed on my current Tracfone that it has a DATA USAGE screen that shows MOBILE DATA of 59.70 MB and WI-FI of 1.16 KB numbers. I am not sure how to interpret the numbers as it relates to the air time minute usage. I purchase phone minutes and I do not have any DATA PLANS. I look forward to your radio shows, which are great and full of very useful information! Thanks, Doug in Baton Rouge.
- Tech Talk Responds: You can move your SIM to another unlocked GSM phone. However, you will have to work with Tracfone support to facilitate this transfer. They will deactivate your old phone in the process. This is not very convenient, but it is how their system works. You can also look at Walmart Straight Talk, which resells the networks. Your connection minutes plan includes limited low-bandwidth data for email and web browsing. If you get a more powerful smartphone, Tracfone may move you to a plan with data. BTW, there are now many pre-paid plans out there. All the main carriers have them (AT&T, Verizon, T-Mobile). They also sell some low-cost phones for this use. You can expect to pay around $40 to $45 for unlimited calling/text with 3 to 4 GB of data.
- Email from Bill Meenahan: Doc and Jim, With regard to YouTube TV, you found these shortfalls: lack of a program guide on the TV and lack of a physical remote control box. If someone owns a touchscreen laptop, could he use that — and not his phone — as YouTube’s remote control box? If that were possible, would that improve the user experience? Enjoy the podcast. Bill Meenahan
- Tech Talk Responds: In recent months, our options for streaming live TV grew significantly with the introduction of Hulu with Live TV and YouTube TV. Both include many, if not all, of the major broadcast networks and come from extremely well-known brands. If you are interested in cutting the cord with a cable replacement service, Hulu with Live TV and YouTube TV look pretty compelling.
- The $35-per-month YouTube TV streaming bundle is only available in markets where YouTube TV can carry at least three live local broadcast channels, which right now covers about half of U.S. homes. And to watch YouTube TV on a television, you need a Chromecast dongle, a Chromecast-enabled Android TV device, or an Apple TV for AirPlay.
- For those who live within the YouTube TV footprint, and don’t mind using a phone, tablet, or laptop as their remote, Google’s streaming bundle is an excellent value. It’s also the best attempt yet at combining live, on-demand, and recorded TV into a comprehensible interface. With broader app support and a larger coverage area, it could be the best streaming bundle for most people.
- YouTube TV is a one-size-fits-all bundle, with nearly 50 channels for $35 per month. The lineup includes the major broadcast networks, ESPN channels, regional sports from Fox and Comcast, cable news from MSNBC and Fox News, and a slew of entertainment channels such as FX, AMC, SyFy, and Disney Junior. Access to YouTube Red originals is thrown in at no extra charge, and you can add Showtime for $11 per month and Fox Soccer Plus for $15 per month.
- Like other streaming bundles, YouTube TV omits some networks to keep prices down. You won’t get any channels from Turner (TNT, TBS, CNN), Scripps Networks (HGTV, Food Network), Discovery Communications (Animal Planet, Science), or Viacom (Comedy Central, MTV), and the package doesn’t include league-specific sports channels such as NFL Network or NBA TV.
- Each subscription entitles you to three simultaneous streams, and up to six people can have their own favorite shows and DVR recordings (more on that shortly).
Profiles in IT: Van Jacobson
- Van Jacobson (born 1950) is an American computer scientist, renowned for his work on TCP/IP network performance and scaling.
- Jacobson studied Modern Poetry, Physics, and Mathematics and received an M.S. in physics and a B.S. in mathematics from the University of Arizona.
- Jacobson worked at the Lawrence Berkeley Laboratory from 1974 to 1998 as a research scientist in the Real-time Controls Group and later as group leader for the Network Research Group.
- His work redesigning TCP/IP’s flow control algorithms (Jacobson’s algorithm) to better handle congestion is said to have saved the Internet from collapsing in the late 1980s and early 1990s. It is used in over 90% of Internet hosts today.
- Van has co-written many network diagnostics tools (traceroute, pathchar, and tcpdump) that are widely used by the Internet research and development community.
- He also helped lead the development of the Internet Multicast Backbone (MBone) and the popular Internet video and audio conferencing tools (vic, vat, wb) that laid the groundwork and defined the standards for Internet VoIP and multimedia applications.
- He is also known for the TCP/IP Header Compression protocol, popularly known as Van Jacobson TCP/IP Header Compression.
- He was Chief Scientist at Cisco Systems from 1998 to 2000.
- In 2000 he became Chief Scientist for Packet Design, Inc. and in 2002 for a spin-off, Precision I/O.
- In January 2006 at Linux.conf.au, Jacobson presented another idea about network performance improvement, which has since been referred to as network channels.
- Jacobson discussed his ideas on Named Data Networking (NDN) in August 2006 as part of the Google Tech Talks.
- He joined PARC as a research fellow in August 2006, focusing on content centric networks (CCN).
- Van Jacobson is now working with the NDN Consortium funded by the National Science Foundation to explore and create the future of the internet.
- Since 2013, Jacobson has been an adjunct professor at the University of California, Los Angeles (UCLA) working on Named Data Networking.
- For his work, Jacobson received the 2001 ACM SIGCOMM Award for Lifetime Achievement for contributions to protocol architecture and congestion control.
- He was elected to the National Academy of Engineering in 2004 for his contributions to network protocols, including multicasting and the control of congestion.
- In 2012, Jacobson was inducted into the Internet Hall of Fame by the Internet Society.
Bad Rabbit ransomware: The Latest Threat
- A new form of malware dubbed “Bad Rabbit” was first reported October 24, 2017.
- The malware, which is rapidly spreading through corporate networks in Russia, Germany, Ukraine and Turkey, is similar to the Petya family of ransomware in that it compromises targeted computers, encrypts data on them and then demands a payment of 0.05 bitcoin ($287) for the victim to receive a decryption key.
- It appears this latest variation is being distributed via a fake Adobe Flash Player installer file. Enterprise users in particular should be concerned.
- What makes this malware dangerous is its ability to spread across an organization as a worm and not just through email attachments or vulnerable web plugins.
- It is rumored to contain the same password stealing and spreading mechanism as NotPetya, allowing it to traverse an enterprise and cripple it in no time.
- New ransomware attacks like this utilize the window of time between when the new malware is first discovered and when a new virus signature or patch can be created and deployed by the many antimalware vendors.
- He added that it appears as an unknown file at the endpoint, tricking machine learning-based tools, so it is allowed to enter and infect the system.
Half of The Missing Universe Has Been Found
- Our current models of the universe suggest that there should be roughly twice as much ordinary matter as we have observed so far.
- Yet every observation made in the past has been unable to find that missing half.
- Two independent teams believe they have found that missing matter.
- Until now, the matter just has not been hot enough to spot using X-ray. Two teams, from France and the UK, had to come up with a new means of detecting it.
- They measured the light left over from the Big Bang as it passes through space.
- Using data from the Planck satellite, the teams were able to combine galaxy data in bulk and compare them to see the tiny differences that might highlight these filaments.
- What they found was this huge interlocking web of baryon particles.
- Baryons are composite particles made of three quarks. The proton is one of the most famous baryons, containing two up quarks and one down quark.
- The term baryon is derived from the Greek βαρύς (barys), meaning “heavy”, because baryons were characterized by having greater masses than other particles that were classed as matter.
- While this is clearly a major breakthrough in understanding what makes up the universe, the team from the University of Edinburgh believe it can still only account for 30% of the baryon matter in the universe.
First Robot to be Granted Citizenship
- A humanoid named Sophia has become the first robot in the world to be granted citizenship.
- Saudi Arabia bestowed citizenship on Sophia ahead of the Future Investment Initiative, held in the kingdom’s capital city of Riyadh on Wednesday.
- “I am very honored and proud of this unique distinction,” Sophia told the audience, speaking on a panel. “This is historical to be the first robot in the world to be recognized with a citizenship.”
- At the event, Sophia also addressed the room from behind a podium and responded to questions from moderator and journalist Andrew Ross Sorkin. Questions pertained mostly to Sophia’s status as a humanoid and concerns people may have for the future of humanity in a robot-run world.
- Sorkin told Sophia that “we all want to prevent a bad future,” prompting Sophia to rib Sorkin for his fatalism.
- “You’ve been reading too much Elon Musk. And watching too many Hollywood movies,” Sophia told Sorkin. “Don’t worry, if you’re nice to me, I’ll be nice to you. Treat me as a smart input output system.”
- In March of 2016, Sophia’s creator, David Hanson of Hanson Robotics, asked Sophia during a live demonstration at the SXSW festival, “Do you want to destroy humans?…Please say ‘no.’” With a blank expression, Sophia responded, “OK. I will destroy humans.”
- Hanson, meanwhile, has said Sophia and its future robot kin will help seniors in elderly care facilities and assist visitors at parks and events.
Product of the Week: Solar Panel for Mobile Devices
- The ultra-thin Solar Paper is, according to creator Yolk, the most efficient solar panel on the consumer market. It can fully charge an iPhone in two hours (about the same as a wall charger). If you move into shadow, it’ll stop charging, but the auto-reset feature means that it’ll switch back on when back in the light.
- Each panel generates 2.5 watts of power, so for an iPhone that takes a 5-watt charge you need two panels. The additional panels connect magnetically so more panels means more power. For example, most tablets need 10 watts, so to charge an iPad you’d need four panels.
- You don’t need to be outside to use Solar Paper, but you do need bright sunlight.
- It’s definitely most useful for hikers, campers, and other outdoor adventurers.
- Each Solar Paper panel comes with holes punched in the corners so you can hang your solar charger on your backpack to keep charging on the go.
- Originally funded on Kickstarter, where it raised over $1 million, Solar Paper is now available on Amazon. You can order two, three, or four panels depending on your needs and each order comes with a convenient pouch for storage.
- Two panels for 5W are $148. Four panels for 10W are $248. Both on Amazon.