Show of 06-02-2018

Tech Talk

June 2, 2018

Email and Forum Questions

  • Email from Susan in Alexandria: Hi Dr. Shurtz! What’s the story behind the FBI advice to reboot all routers to “temporarily” thwart Russian hackers? I did the reboot, but now the latest advice seems to suggest doing a factory reset and changing the default password! My family thoroughly enjoys your entertaining and informative show. Thank you! Susan Church, Alexandria, VA
  • Tech Talk Responds: A new threat which targets a range of routers and network-attached storage (NAS) devices is capable of knocking out infected devices by rendering them unusable. The malware, known as VPNFilter, is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot. VPNFilter has a range of capabilities including spying on traffic being routed through the device. Its creators appear to have a particular interest in SCADA industrial control systems, creating a module which specifically intercepts Modbus SCADA communications.
  • According to new research from Cisco Talos, activity surrounding the malware has stepped up in recent weeks and the attackers appear to be particularly interested in targets in Ukraine. While VPNFilter has spread widely, data from Symantec’s honeypots and sensors indicate that unlike other IoT threats such as Mirai, it does not appear to be scanning and indiscriminately attempting to infect every vulnerable device globally.
  • To date, VPNFilter is known to be capable of infecting enterprise and small office/home office routers from Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. These include: Linksys E1200, Linksys E2500, Linksys WRVS4400N, MikroTik RouterOS for Cloud Core Routers (versions 1016, 1036, and 1072), Netgear DGN2200, Netgear R6400, Netgear R7000, Netgear R8000, Netgear WNR1000, Netgear WNR2000, QNAP TS251, QNAP TS439 Pro, other QNAP NAS devices running QTS software, and TP-Link R600VPN.
  • Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions. There is no indication at present that exploitation of zero-day vulnerabilities is involved in spreading the threat.
  • VPNFilter is a multi-staged piece of malware.
    • Stage 1 is installed first and is used to maintain a persistent presence on the infected device and will contact a command and control (C&C) server to download further modules.
    • Stage 2 contains the main payload and is capable of file collection, command execution, data exfiltration, and device management. It also has a destructive capability and can effectively “brick” the device if it receives a command from the attackers. It does this by overwriting a section of the device’s firmware and rebooting, rendering it unusable.
    • Stage 3 modules act as plugins for Stage 2. These include a packet sniffer for spying on traffic that is routed through the device, including theft of website credentials and monitoring of Modbus SCADA protocols. Another Stage 3 module allows Stage 2 to communicate using Tor.
  • Users of affected devices are advised to reboot them immediately. If the device is infected with VPNFilter, rebooting will remove Stage 2 and any Stage 3 elements present on the device. This will (temporarily at least) remove the destructive component of VPNFilter. However, if infected, the continuing presence of Stage 1 means that Stages 2 and 3 can be reinstalled by the attackers.
  • You should then apply the latest available patches to affected devices and ensure that none use default credentials.
  • Performing a hard reset of the device, which restores factory settings, should wipe it clean and remove Stage 1. With most devices this can be done by pressing and holding a small reset switch when power cycling the device. However, bear in mind that any configuration details or credentials stored on the router should be backed up as these will be wiped by a hard reset.
  • The FBI has announced that it has taken immediate action to disrupt VPNFilter, securing a court order authorizing it to seize a domain that is part of the malware’s C&C infrastructure.
  • Email from Tom Schum: Dear Tech Talk. I was listening this morning when you described 4K TV as having 4000 pixels in the vertical direction. I looked at specs for this TV and it has only half this many. The product description says, “UHD 3840 x 2160 OLED Panel.” This is only 2160 pixels in the vertical direction. Is this some sort of fraud?  On the other hand, are they right, that 4k TV is 2160 pixels in the vertical direction? Tom Schum
  • Tech Talk Responds: The current standard for HD is 1080p, measured by the number of vertical pixels. 4k measures the horizontal pixels instead, and any TV described as 4K will have a resolution of at least 3840 x 2160. The result is a picture with about 8.3 million pixels, or about four times as many as a standard HDTV.
  • 4k and Ultra-HD are technically different things, but are sometimes used interchangeably. 4K is a standard for professional video production and cinema, while UHD is a standard for consumer displays and broadcast television. True 4k has a slightly different aspect ratio than most consumer displays, and runs at 4096 x 2160, whereas “ultra-HD” is the consumer term that technically refers to the aforementioned 3840 x 2160.
  • Email from Ken in Maryland: Shurtz. Nice job, in doing a prerecorded or broadcasting older show as a new one! I listened to lots of radio over the years and have never seen it done this way. Dead giveaway is not getting or taking an answer to the pop quiz. Last week I think I had the answer “chief lizard wrangler”. ken_in_md.
  • Tech Talk Responds: You are a very observant listener. You can credit Jim for this clever workaround.
  • Email from Tom Schum: Dear Tech Talk. If quantum computers can quickly break any encryption, and security on the cloud is completely dependent on encryption, it seems to me that the cloud is on its way out and we are headed back to secure air-gapped in-house computer rooms for data storage. Am I missing something here? Tom Schum
  • Tech Talk Responds: If quantum computers become a reality, internet security will be broken. In particular, the public-private key system will not be secure. These public-key systems rely on the fact that the hidden subgroup problem is too difficult to solve. Experts predict that once quantum computers are up and running, they will be able to solve hidden subgroup problems in no time. That is because while traditional computers manipulate every particle of information, or “bit”, as either a 0 or a 1, quantum bits or “qubits” can exist as 0, 1, and all points in between. That makes quantum computers millions of times more powerful than the computers that created those encryption algorithms. Nobody has created a quantum computer that can do anything of real importance yet, but it’s reasonable to assume they’ll be here sometime after 2025.
  • Our only hope is a research consortium on Post-Quantum Cryptography, which includes eleven universities and companies working to come up with new ways of encrypting data without the use of hidden subgroup problems. They haven’t solved the problem yet. Hopefully they will by 2025.
  • Email from Dave in Everett, Washington: Hello tech talk! I’m a big fan of your show and listen via your podcasts. I was very proud of myself for cutting the cord due to my very high cable television rates. I tried many of the alternative platforms to include Sling TV, Chromecast and others. Once I was comfortable with a new platform, my internet data provider hit me with a huge price increase due to my high use of data. Apparently, unlimited data was not really unlimited and they increased my internet rates for data $100 per month. This put me almost back to where I was paying for the entire Internet cable/TV package. I am hooked on high definition TV, so going to standard definition to decrease data usage would be quite a sacrifice for me. My question is now: What are my options for unlimited data to accommodate the use of these other platforms? I do use over the air broadcasts, but many of the networks are not available. Any advice for me? Is this data charge the Cable TV providers’ counterpunch to the growth of the cut the cord movement? Many thanks in advance, Dave in Everett, Washington
  • Tech Talk Responds: I checked: you have only two ISPs in your area. You have a distinct lack of competition. That is the only solution. In my case, we have many ISPs and competition has made this work for the consumer. I am using FiOS and have not had any data cap issues. FiOS has quite a high data cap, much higher than I would reach in my house. You might lobby for additional ISPs in your area. You might also try DirecTV, with DirecTV Now. They are currently not counting DirecTV Now data usage in their data cap and have appealed to the FCC that they are not violating net neutrality. If you use DirecTV and have AT&T cell phones, you get an even better deal on the package. With only two ISPs in the area, you might try to move to the other one and negotiate a better deal and then move back when that runs out. And, of course, use as much OTA TV as you can. I love my Tablo with an antenna in the attic. I purchased quite a large antenna and can get stations from both DC and Baltimore. You might try to add to your station mix with a larger antenna. You can check available TV stations with several apps on your cell phone. I use TV Towers, WatchFreeTV, and AntennaPoint to check our tower location and distance.

Profiles in IT: Bradford Parkinson

  • Bradford Parkinson, a United States Air Force colonel, is best known as one of the fathers of the Global Positioning System (along with Roger L. Easton and Ivan A. Getting).
  • Bradford Parkinson was born in Madison, Wisconsin on February 16, 1935.
  • Parkinson attended the Breck School, an all-boys prep school, graduating in 1952.
  • He then attended the Naval Academy, graduating in 1957 with a BS in Engineering.
  • Parkinson discovered he had a deep interest in controls engineering, which was not a research focus of the Navy at that time. He decided to transfer to the Air Force.
  • After graduating from the Naval Academy, he served two years as a chief Communications-Electronics officer at an early warning station in Southeast Asia.
  • Parkinson then attended MIT, studying controls engineering, inertial guidance, and electrical engineering. He received an MS in Aeronautics in 1961.
  • Parkinson was then assigned to work at the Central Inertial Guidance Test Facility at Holloman Air Force Base in Alamogordo, New Mexico.
  • There he continued to study inertial guidance and electrical and controls engineering, gaining a deep understanding of both theory and application in the battlefield.
  • After three years, Parkinson was assigned to a Ph.D. program at Stanford University.
  • He returned to combat duty in Vietnam in 1969 after finishing his PhD at Stanford.
  • His assignment was to improve the AC-130 Spectre gunship and to understand how the technology performed. He logged more than 170 hours of combat missions.
  • In 1973, Parkinson was assigned to an Air Force program called Project 621B.
  • This program was a navigation-focused collaboration between The Aerospace Corporation and the Air Force. He became the de facto manager and later the director.
  • When Parkinson first took over 621B, the program was in its early theoretical stages.
  • Parkinson’s responsibilities shifted to managing the program and ensuring funding.
  • The Pentagon was publicly skeptical of satellite-based navigation systems, as they believed the accuracy would always be too poor to be of substantial value.
  • In 1978 the first working prototype of a GPS system was launched. 621B transitioned to the larger NAVSTAR program and Parkinson decided to retire from the Air Force.
  • Parkinson spent a year teaching mechanical engineering at Colorado State University.
  • He then became VP of the Space Systems Group at Rockwell International, Inc., where he was involved in developing the space shuttle.
  • Parkinson joined Intermetrics as VP and helped take them public in 1982.
  • In 1984, Parkinson accepted a research position at Stanford University.
  • He is on the boards of Trimble Nav., EMS Tech, and Navigation Tech Ventures.
  • GPS has become a ubiquitous technology and is critical to military operations.
  • Most current cell phones include GPS receivers for navigation and location.
  • He is an avid skier, snowshoer, hiker, and sailor.

‘Impossible’ EM drive doesn’t seem to work after all

  • The so-called EM drive, a rocket engine powered by electromagnetic waves, has been touted as a way to eliminate fuel required for deep space exploration.
  • The idea is championed by inventor Roger Shawyer, whose EM drive uses microwaves trapped in a conical cavity to generate thrust. In previous tests by NASA, the microwaves bouncing off the walls of the engine seemed to produce enough force to push the cavity in one direction.
  • The idea has been criticized by physicists who maintain that an EM drive would break one of the most fundamental laws of physics, conservation of momentum.
  • The EM drive has been put to the test by a group from TU Dresden in Germany led by Martin Tajmar, who presented their results at the Aeronautics and Astronautics Association of France’s Space Propulsion conference on 16 May.
  • The team built their EM drive with the same dimensions as the one that NASA tested, and placed it in a vacuum chamber. Then, they piped microwaves into the cavity and measured its tiny movements using lasers. As in previous tests, they found it produced thrust, as measured by a spring.
  • But when positioned so that the microwaves could not possibly produce thrust in the direction of the spring, the drive seemed to push just as hard.
  • The researchers say the thrust may be produced by an interaction between Earth’s magnetic field and the cables that power the microwave amplifier.
  • Most of their setup was completely shielded from outside fields, but some of the cables did not fit inside the box and there may have been a few centimetres left unshielded, Tajmar says. The current running through those unprotected cables could interact with a magnetic field to push the EM drive forward. When they calculated the strength of this effect, they found that it could produce a few micro-Newtons of thrust. The thrust that they measured from the EM drive was 4 micro-Newtons.

Amazon banning shoppers who return items too often

  • Amazon’s flexible return policy may not be as risk free as you think.
  • The company bans shoppers for violations, which include returning items too often, and users aren’t told what they did wrong.
  • Amazon boasts free and easy returns for many of its items, which has pushed many brick-and-mortar stores to offer the same policies as they struggle to compete with the e-commerce giant.
  • Dozens of people have taken to Twitter and Facebook to complain about Amazon closing their accounts without warning or an explanation.
  • Amazon Prime members took to social media to share that their accounts had been closed without explanation, with some threatening a class-action lawsuit.
  • Amazon’s return policy doesn’t tell customers that returning too many items can get them kicked out, but its conditions of use say the company reserves the right to terminate accounts at its discretion.
  • Amazon responded, “If a customer believes we’ve made an error, we encourage them to contact us directly so we can review their account and take appropriate action.”

Samsung ordered to pay Apple nearly $539M

  • A California jury ordered Samsung to pay Apple nearly $539 million as financial damages for copying patented design and utility features on the original iPhone in its own phones.
  • Apple wanted about $1 billion. Samsung wanted to pay about $28 million.
  • Samsung must pay about $533.3 million for infringing on design patents. The jury said Samsung owes Apple an additional $5.3 million for infringing on utility patents.
  • That Apple was due financial damages from its South Korea rival was not at issue.
  • Both Apple and Samsung tried to persuade the jury how large the damages would be.
  • As part of the earlier verdict, it was determined that Samsung infringed on three of Apple’s iPhone design patents covering a rectangular front face with rounded edges and a grid of colorful icons on a black screen.
  • Samsung hasn’t sold the phones in question in more than five years.

DOJ Looks at Cryptocurrency Manipulation

  • The US Justice Department and Commodity Futures Trading Commission (CFTC) have together launched a criminal probe into cryptocurrency market manipulation.
  • The investigations are looking into all forms of illegal activities that can unfairly affect the market prices of cryptocurrencies, including pump-and-dump schemes, spoofing and wash trading.
  • In February this year, CFTC announced a rewards program for whistleblowing cryptocurrency pump-and-dump schemes.
  • The US federal agency asked users to submit tips about any suspicious activity related to cryptocurrency market manipulation, offering monetary rewards of between 10 and 30 percent for any catch above a million dollars.
  • Pump-and-dump schemes are rampant in the cryptocurrency community.
  • The schemes are often organized in private groups created especially for this purpose, using services such as Telegram. The admins of the Telegram groups, which have thousands of members, announce to their members specific times at which the ‘pump’ or ‘dump’ will take place. The users are then encouraged to buy and sell at that time to artificially affect the market price.

Three Skill Sets that will Always be in Demand

  • The greater adoption of artificial intelligence and automation will undoubtedly reshape the workforce and the skills people need to stay employed.
  • According to a report released by McKinsey Global Institute, there are three core skill groups workers need to hone as industries evolve.
  • McKinsey forecasts that AI and automation will kill physical-labor jobs and low-skilled roles such as assembly line workers as well as those in basic cognitive skills positions, such as cashiers and data-entry clerks.
  • But while some jobs may be lost, new ones will be created and they’re across three other skill set groups:
    • Higher cognitive skills include advanced literacy and writing, quantitative and statistical skills, critical thinking, and complex information processing. These skills are tapped by doctors, accountants, research analysts, and writers/editors.
    • Social and emotional skills are still incredibly important in the evolving world of work, says McKinsey. These include advanced communication and negotiation skills, empathy, continuous learning, the ability to manage others, and adaptability. Jobs such as business development, programming, emergency response, and counseling all draw on these kinds of skills.
    • Technological skills—everything from basic to advanced IT skills, data analysis, engineering, and research—will translate to finding yourself in the future’s most lucrative jobs. Think statistician, software developer, engineer, robotics expert, and scientific researcher.

Mining Malware Continues To Dominate Cybersecurity Threats

  • Mining malware may now be painfully familiar to anyone with even a passing awareness of cryptocurrency.
  • On May 14, Israeli cybersecurity firm Check Point released its latest Global Threat Index, and for the fifth consecutive month it found that the Coinhive crypto-miner is the “most prevalent malware” in the world, affecting 16 percent of organizations globally.
  • Not only does Coinhive – a JavaScript malware designed to mine Monero (XMR) – occupy the top spot on April’s list of the ten “most wanted” malware, but second place is taken by Cryptoloot, another stealthy, undetectable miner of XMR.
  • Coinhive and Cryptoloot are gaining footholds in IT systems. Hackers are using basic vulnerabilities, such as unpatched bugs in Microsoft Windows Server 2003 and in Oracle WebLogic.
  • 46 percent of the organizations Check Point surveyed had been attacked in April as a result of the Microsoft Windows Server 2003 vulnerability, while 40 percent had been hit because of the Oracle WebLogic flaw.
  • Mining consumes CPU and bandwidth. The malware should not harm the host machine, nor should it harm the data on the machine.
  • Infected machines tend to work slower and display higher than usual CPU, power and bandwidth consumption.
  • Given that mining malware generally poses little in the way of an urgent risk, it’s highly likely that its incidence will continue growing in the near future.
  • The prediction that ‘Internet-of-Things’ (IoT) devices will be increasingly targeted as hackers shift their strategies has been made by other experts.

Stitch Fix Uses AI in Fashion Retail

  • The perfect shopping method for those who hate to shop!
  • Stitch Fix, established in 2011 in San Francisco, has disrupted the fashion retail industry.
  • With input from the customer and collaboration between artificial intelligence (AI) and human stylists, the online styling subscription service eliminates the need for their customers to go out and shop for clothing or even browse online.
  • The service delivers personalized recommendations on a regular schedule.
  • The customers can keep all of the products or return what they do not like or need.
  • That feedback gets input into the company’s data vaults to make the algorithms even better at determining the preferred style for each person and even identify trends.
  • In 2017, the company had $1 billion in revenue and 2.2 million active customers, but competitors such as Amazon and Trunk Club are lining up to mimic its style of retail.
  • Stitch Fix uses the insight of AI to analyze data on style trends, body measurements, customer feedback and preferences to arm the human stylists with possible recommendations. This helps the company provide its customers with personalized style recommendations that fit their lifestyle and budgets.
    • The better the Stitch Fix stylists are at providing their customers with products they will love, the better their business runs. They have fewer returns.
    • Using the data it collects, the company is designing its own styles known as Hybrid Designs. Stitch Fix is able to create new designs to share with its human designers to vet the final styles that make it into their inventory.
    • Stitch Fix not only asks customers to fill out a style profile to determine style, size and price preferences but records every touch point (starting a new job, having a special event, going through a life transition such as divorce).
    • When a shipment is requested, an algorithm determines and assigns it to a warehouse based on the location of the client and the inventory of the warehouse and its match to a customer’s style among other considerations.
    • As clients receive and keep merchandise, they need to restock their inventory to give stylists a large enough inventory to meet demand.

Jack Dorsey, Twitter CEO, Doesn’t Have a Laptop

  • Jack Dorsey does everything from his phone. The CEO of Twitter doesn’t have a laptop.
  • He turns off notifications and works on one app at a time. He can really focus on what’s in front of him instead of everything coming at him.
  • Instead of a keyboard, Dorsey said he uses dictating and voice typing tools. His lack of a laptop appears to be more for practicality and work-life balance than security.
  • He feels that devices can consume all of your time and that you can certainly go down a hole. So he has developed a lot of personal practices to limit that. He doesn’t check his phone in the morning until he is about to walk into work, and when he’s working on his phone he turns off notifications so he’s not constantly reacting to what’s coming at him.
  • When he conducts meetings, phones are down and laptops are closed so the team can actually focus and not just spend an hour together but make that time meaningful. Meetings are short and focused. If phones and laptops are open, the team gets distracted.
  • Dorsey believes in mindfulness and awareness.

GDPR is Here and It’s Forcing Companies to Act

  • The General Data Protection Regulation or GDPR has gone into effect and is threatening huge fines for businesses that abuse Europeans’ data.
  • From now on, companies everywhere must:
    • Get EU citizens’ consent to collect their personal data and explain what it will be used for
    • Let them see, correct, and delete it upon request
    • Make it easy for users to shift their data to other firms
  • Companies must not ignore regulators’ requests to fix GDPR failings, nor take more than 72 hours to report a security breach involving personal data.
  • Offenders can be fined up to 20 million euros ($23 million) or 4 percent of their revenue from the prior year, whichever is greater. There are smaller penalties for less serious transgressions.
  • Some American media groups have already blocked EU users from their sites rather than run the risk of fines.
  • The rules also have huge implications for social-media companies like Facebook, which has asked people to update their privacy settings. Privacy activists have already filed complaints against Facebook and Google.
  • Europe’s tough standards could influence how America and other countries shape their data protection regimes.