Thunderspy: A New Problem With a Simple Old Solution

Sleeping PCs will harm you! | 5/13/2020

Thunderspy, an attack that exploits weaknesses in the security controls of Thunderbolt hardware to obtain Direct Memory Access (DMA), can read and write all of your PC's memory. That is enough to take control of the machine, copy your data and, if the disk is unlocked, lift your disk encryption key straight out of RAM. Macs are also partially vulnerable. DMA attacks are not new: every time a computer designer grants a peripheral direct access to memory, there is a risk that the access will be abused. Some history can be found here: https://en.wikipedia.org/wiki/DMA_attack

Why should you care? This exploit can affect you even if you have never used Thunderbolt.

Like other DMA attacks, the Thunderspy attack requires physical access to the victim's computer, plus several minutes to open the case and reach internal components. Both PCs and Macs can be affected. This type of attack is classified as an "Evil Maid Attack", after the scenario of someone who enters a hotel room and finds a computer that is up and running, or merely sleeping, while its owner is out.

For anyone whose system has a Thunderbolt 1, 2 or 3 port, meaning essentially every Thunderbolt-equipped PC and Mac manufactured before 2019 (systems shipped since 2019 with Kernel DMA Protection are only partially affected), it is a hardware problem, and at this point it cannot be eliminated with a software update. The simplest way to determine whether your computer supports Thunderbolt, and which version, is to review your system documentation and specifications. You can also look for the Thunderbolt symbol printed next to the port(s) on the side of your computer, which resembles a lightning bolt.


During this time while we are all mostly working in isolation, the opportunities for this sort of attack are reduced. If you want to take steps to get ahead of the problem, the most effective mitigation is disabling Thunderbolt in the computer's firmware (BIOS/UEFI) settings, which removes the PCIe path a rogue device would use to reach memory. This may not be easy and will vary between computer models. There is also a risk if, for any reason, Thunderbolt is eventually re-enabled.

Anyone who must use Thunderbolt, or who does not use it but can't determine how to disable it, can follow two basic rules. First, do not leave your computer unattended and running: you are vulnerable even if you have logged out or locked the screen, because your data and encryption keys are still sitting in memory. Second, remove "sleep" as an option for shutting down your system. Sleep keeps the RAM powered, so everything in it, keys included, is waiting for the attacker. Hibernation writes memory to disk and cuts the power, and a full shutdown does the same, so choose hibernation, or better yet, disable both sleep and hibernation and shut down. Today's systems start up quite quickly, so you really don't need those settings.

And it's always in your best interest to enable device encryption. That means BitLocker on a PC and FileVault 2 on a Mac. With BitLocker, also require a PIN at startup (TPM + PIN) if you can: otherwise the volume key is loaded into memory as soon as the machine boots to the login screen, before anyone has authenticated, which is exactly where a DMA attacker wants it.
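As an added example, not code from the original post or from the Thunderspy researchers, here is a small Linux check for the two settings that decide how exposed a machine is to this kind of attack. Linux exposes, for each Thunderbolt domain, a `security` level and an `iommu_dma_protection` flag under /sys/bus/thunderbolt/devices/ (documented in the kernel's Documentation/admin-guide/thunderbolt.rst). The verdict logic is separated from the sysfs read so it can be exercised with constructed values on a machine that has no Thunderbolt controller; the sample values and the three verdict labels are my own.

```python
"""Linux Thunderbolt DMA exposure check (added example, not from the post).

Reads the per-domain `security` level and `iommu_dma_protection` flag that
the kernel publishes under /sys/bus/thunderbolt/devices/domainN/ and turns
them into a verdict. Verdict labels are this example's own convention.
"""
from pathlib import Path

# Kernel security levels that leave no PCIe (and therefore no DMA) path for
# a plugged-in device: only DisplayPort or USB is tunnelled.
NO_PCIE_LEVELS = {"dponly", "usbonly", "nopcie"}


def dma_verdict(level: str, iommu_dma_protection: bool) -> str:
    """Return 'protected', 'reduced' or 'exposed' for one Thunderbolt domain."""
    if iommu_dma_protection:
        # The IOMMU fences device DMA to memory the driver explicitly maps,
        # which removes the attacker's path to arbitrary RAM (this is what
        # Intel calls Kernel DMA Protection).
        return "protected"
    if level in NO_PCIE_LEVELS:
        return "protected"
    if level in {"user", "secure"}:
        # Thunderspy's point: the device-authorisation scheme these levels
        # rely on can be bypassed (cloning an authorised device's identity,
        # or rewriting the controller firmware), so without an IOMMU they
        # only raise the bar.
        return "reduced"
    # "none" (legacy mode) or anything unrecognised: any device gets DMA.
    return "exposed"


def read_domains(sysfs_root="/sys/bus/thunderbolt/devices"):
    """Return (domain name, security level, iommu flag) for each domain present."""
    root = Path(sysfs_root)
    results = []
    domains = sorted(root.glob("domain*")) if root.exists() else []
    for domain in domains:
        level = (domain / "security").read_text().strip()
        flag_file = domain / "iommu_dma_protection"
        iommu = flag_file.exists() and flag_file.read_text().strip() == "1"
        results.append((domain.name, level, iommu))
    return results


if __name__ == "__main__":
    found = read_domains()
    if not found:
        # Constructed sample so the script still shows its output on a
        # machine without a Thunderbolt controller.
        found = [("domain0 (constructed sample)", "user", False)]
    for name, level, iommu in found:
        print(f"{name}: security={level} iommu_dma_protection={int(iommu)}"
              f" -> {dma_verdict(level, iommu)}")
```

Any user can normally read those sysfs files. On Windows the equivalent check is the "Kernel DMA Protection" line in System Information (msinfo32). On either platform a Thunderbolt controller that has been disabled in firmware simply produces no domain at all, which is the outcome the mitigation above is aiming for.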

Want to read more? Look here!

Official statement from Intel

https://blogs.intel.com/technology/2020/05/more-information-on-thunderspy/#gs.6dt8j3 

Other sources 

https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/ 

https://en.wikipedia.org/wiki/Thunderspy_(security_vulnerability)

Note that the basis of the vulnerability, the Thunderclap research, was reported more than a year earlier, in February 2019...

https://www.theverge.com/2019/2/27/18243503/thunderclap-vulnerability-thunderbolt-computers-attack

Focus on the Mac

https://www.macworld.com/article/3542683/major-thunderbolt-security-flaw-found-in-macs-and-pcs-should-you-be-worried.html 

Apparently the discoverer has written a program to test for the vulnerability. That in itself is a bit worrying! The site was down when I checked. I would advise caution before using any tool that did not originate from an accountable source.


Is It You Stuttering? Or Your Internet Connection?

Watch Parties and other hungry events will kill your Internet | 4/15/2020

We have to congratulate the Internet Service Providers (ISPs)! The Internet is holding up pretty well during these difficult times. Backbone capacity is not the big issue. Your problem is the last mile, meaning the connection from your home to the ISP. If you are on a cheaper, low-bandwidth plan, you may not get what you hoped for.

The equipment is the same but the providers put throttles on your node so that you can't go at full speed. As I said in my separate paper about Telework, it's a good idea to pay for more than the minimum bandwidth. Give yourself enough to deal with kids and spouses, at work and at play. There are lots of sites that will help you estimate not only your real connection speeds, but also the estimated demands of your apps. 

As a case in point, let's consider Watch Parties. Someone plays host. You may be watching a stream relayed from their PC, or each of you may be pulling a synchronized copy of the stream from the service's own servers. Either way, you have a lot of demand going on. First there is the show that is streaming down to you. Then there is your own video and audio streaming up and out to the other participants. Then there are also streams coming down to you from each of the party participants. In no time at all you can eat up most or all of your last-mile bandwidth.

What to do? 

Take your own personal camera off of the HD setting. Run at 540p or 480p instead.

Mute your audio and video when you don't need them.

Lower the resolution of the movie as you receive it. A single 4K stream can easily use up an entire basic/cheap Internet connection!

Here are examples of the savings you can make on streaming movies:

4K (Ultra HD) movies need 15 to 25 Mbps or more.

1080p and 720p are more manageable at 4 to 5 Mbps.

480p needs as little as 0.5 Mbps on a PC, and up to 3 Mbps on a TV.

So unless you really feel the need to count the pores on the actor's face, give that 4K resolution a rest for now!

Stories to Keep You Happy During Isolation

It's about people, not tech. | 4/1/2020

This American Life is a weekly public radio program and podcast. Each week brings a new theme and amazing stories.

It's an entertaining kind of journalism that’s built around stories that have compelling people at the center of them, funny moments, big feelings, surprising plot twists, and interesting ideas. The producers characterize it as "little movies for radio."

Check it out here, and stay safe and sane!

Working Online at Home During the Covid-19 crisis?

Tips to Stay Safe, Sane & Productive | 3/27/2020

Remote work has suddenly been thrust upon many, at a massive scale. Whether you are skilled with remote work, or you just got tossed into the mix, the basic best practices to make work and home life easier are worth discussing, right now!

Read the Cyberimbiber's list of important guidelines for managers & teams. You can view it at this link!

I keep hearing that I need a VPN. What is the story with VPNs?

It's about making your network connection private, in a virtual way. | 3/12/2020

If you have never used a VPN, you may be wondering about all of those NordVPN TV and YouTube ads. If you have used one at your job, then you have some idea of how it works, and the effects are similar for consumers. Let's take a moment to review just what it means to have a VPN, and whether you need one.

VPN means Virtual Private Network. Taking that backwards: we all connect to things through networks, and the network that scares us all is the Internet, because there are so many bad people out there. We would like our activities to be private, which means we don't want anyone peeking at our business or tagging along for the ride. For the consumer VPNs in those ads, the "private" part is an encrypted tunnel between your computer and the VPN company's server, so that everything in between (your home router, the coffee shop Wi-Fi, your ISP) sees only scrambled traffic headed for that server. The "virtual" part is that this private link is built on top of whatever network you happen to be on, rather than on a wire of its own, so it is not tied to any one system, server or business. It also means you can have more than one.

If that makes sense then read on. Otherwise read it again 😊

Myths and facts about VPNs

VPNs are private, but strong security was not part of the original concept, and "private" did not always mean encrypted: older corporate VPN technologies such as MPLS and plain GRE tunnels only keep your traffic separate from other people's, and the old PPTP protocol's encryption has been broken for years. To be safe on the Internet you have to add encryption to scramble your messages, and authentication to prove who is at each end of the tunnel; the modern protocols (IPsec, OpenVPN, WireGuard) do both. When using a consumer VPN, you also need a strong, unique password that you do not reuse on other systems.

Your PC and Mac can connect to many network destinations at once: your home printer, thermostat and security camera, at the same time that you watch Netflix, do your banking and hook into your company. This is convenient and dangerous at the same time.

Some VPN companies will set you up with a closed VPN, also called a full tunnel. A full tunnel sends all of your traffic into the VPN, so none of it is visible on the local network. But full tunnels can cause connection problems: while you are connected, your system may be unable to see the local network, or the rest of the Internet outside the VPN, at all. That can make it hard to use your home printer, sign into hotel Wi-Fi captive portals and so on.

When a VPN is configured to let you see other places as well, this is called a split connection, or split tunnel. With a split tunnel you have secure communications with the systems that are routed through the VPN, and you still use the Internet and your home network directly for everything else. This is a sometimes confusing situation where you can still get attacked, and the VPN is incorrectly blamed. Why? How? Only the destinations that your routing table points at the tunnel go through it; everything else, including malware on your PC or Mac sending your secrets home, goes out on the public side of the split, in the clear. And malware running on your own machine can read your "VPN" traffic before it is ever encrypted. That's why you need to follow security best practices at all times.

Forget the paid services for a moment. When you connect to a secure website with your browser, you get something like a VPN for that one connection. You will know this is happening because the browser shows a lock symbol on the address line, and the address itself starts with https. What happened? Your browser checked the website's certificate to make sure it is really talking to that site, and the two negotiated an encrypted session (TLS). But only for that website, and only for the content: your ISP can still see which site you connected to. By default a browser behaves like a split tunnel, so you can have unsecured (http) connections and secured (https) connections open at the same time. That's the sort of problem I described in the preceding paragraph.

So will a VPN help me at all? What should I do?

You can be reasonably safe without a VPN. Follow best practices. For example:

  • Don’t use simple passwords and don’t use the same ones for different systems
  • Save your passwords in a secure vault system such as LastPass
  • Make sure your PC, Mac, phone etc. are completely up to date on security patches
  • For PCs and Macs, you really should run an anti-malware tool. Windows has its own (Defender) and there are many third party tools.
  • Back up your important files regularly in case something really does go wrong.
  • Think three times before accepting any changes that require Administrator permission!

How many of the practices above are improved by using a VPN?

  • None are guaranteed to be safer.  Sorry.

Repeating the question! As a consumer, should I use a VPN?

VPNs give you new privacy options that are desirable. But your privacy has limits.
Consider:

  • A VPN will prevent your Internet Service Provider from tracking your Internet activity, so long as you conduct your activity within the VPN. Your ISP still sees that you are connected to a VPN, and the VPN provider now sees what your ISP can't, so you are choosing whom to trust rather than removing the need to trust anyone.
  • It will not protect you from hackers, if the systems you connect to have already been compromised.
  • The systems you connect to through the VPN will know who you are if you have set up accounts on them. 
  • A VPN can help you to watch US-only programs from outside the USA (same for other countries)
  • It will not protect you from liability from rights management violations
  • A VPN will stop people from seeing your activity within the VPN if you are using a public shared network
  • It will not protect you if you access something outside of the VPN
  • It may interfere with your ability to use hotel, café and other networks that require you to be visible for registration and usage tracking.
  • The encryption itself (AES, or ChaCha20 in newer protocols) is rarely the weak point. The leaks around the tunnel are: DNS lookups that bypass it, traffic that keeps flowing after the tunnel drops (look for a "kill switch" setting), and the provider's own logging.
  • If you have a weak password or you get attacked with malware, hackers may still find you, but you have made it harder for them.
  • Read the VPN documentation so that you understand when a connection will go into the VPN and when it will not. 
  • In my previous job, I liked to demonstrate capturing Internet (VoIP) phone calls while a person was using a split VPN - because the phone call was not configured to go through the VPN.
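The split-tunnel discussion above, and the advice to understand when a connection goes into the VPN and when it does not, come down to one mechanism: the routing table. As an added example that is not part of the original post, the script below decides which destinations would leave through the VPN tunnel and which would go out in the clear, the same way the operating system decides it, by longest-prefix match. The two routing tables are constructed to look like `ip route` output on a Linux laptop; the interface names (tun0 for the VPN, wlan0 for home Wi-Fi), the addresses and the destinations are all assumptions.

```python
"""Which traffic really goes through the VPN? (added example, not from the post)

Parses ip-route-style lines and applies longest-prefix matching to a few
constructed destinations, for a split-tunnel and a full-tunnel table.
"""
import ipaddress

# Constructed split tunnel: only the company's 10.0.0.0/8 range goes via tun0.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0
10.0.0.0/8 dev tun0
192.168.1.0/24 dev wlan0
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed full ("closed") tunnel, OpenVPN style: two /1 routes out-rank
# the default route and swallow all Internet traffic, while the LAN and a
# host route to the VPN server itself (203.0.113.10) stay on wlan0.
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0
0.0.0.0/1 dev tun0
128.0.0.0/1 dev tun0
192.168.1.0/24 dev wlan0
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed destinations: company file server, VoIP provider, home printer,
# and the VPN server itself.
DESTINATIONS = ["10.20.30.40", "198.51.100.7", "192.168.1.20", "203.0.113.10"]


def parse_routes(text):
    """Turn ip-route-style lines into (network, interface) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        iface = parts[parts.index("dev") + 1]
        # strict=False lets a bare host address become a /32 route.
        routes.append((ipaddress.ip_network(prefix, strict=False), iface))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for net, iface in routes:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def classify(routes, dsts, tunnel_iface="tun0"):
    """Label each destination 'tunnel' or 'clear' for the given routing table."""
    return {d: ("tunnel" if egress_interface(routes, d) == tunnel_iface else "clear")
            for d in dsts}


if __name__ == "__main__":
    for name, table in (("split tunnel", SPLIT_TUNNEL_ROUTES),
                        ("full tunnel", FULL_TUNNEL_ROUTES)):
        print(name)
        for dst, where in classify(parse_routes(table), DESTINATIONS).items():
            print(f"  {dst:15} -> {where}")
```

Run the same logic against your real table (`ip route` on Linux, `route print` on Windows, `netstat -rn` on a Mac) and you have the answer to the question in the list above. The VoIP call in that story went out in the clear because its server was not covered by any route pointing at the tunnel. Note also that the host route to the VPN server stays outside the tunnel on purpose, in both tables: that is what lets the encrypted tunnel traffic reach the server at all.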

How many kinds of VPNs are there?

For consumers you have many choices including: NordVPN, AnchorFree, SurfShark, PrivateVPN, ProtonVPN, VyprVPN, ExpressVPN, SaferVPN and many more. Be aware that these services cost money.

Note that when you use a VPN you are diverting your traffic through another network, and it may slow you down. Performance depends on the provider's server capacity and on how far its server is from you, more than on the price alone. And if you are not a geek you will want tech support until you are comfortable.

Someone mentioned TOR…

Tor is a free, open-source anonymity network. It is not a VPN: your traffic is wrapped in layers of encryption and bounced through three volunteer-run relays, so that no single relay knows both who you are and where you are going. For ordinary web browsing it can serve a similar purpose to the paid services, although it is slower, and only traffic you send through the Tor Browser (or otherwise configure to use Tor) is protected. Note that Tor is also the gateway to the Dark Web (the so-called onion services), a dangerous place! But it does not automatically send you there. That's your choice.

* * * * * 

If you have a VPN story that you would like for me to log for others, just use the contact form to send me your thoughts.

Smithsonian Releases 2.8 Million Images Into Public Domain

Good news for everyone stung by copyrights of old images | 2/27/2020

For the first time in its 174-year history, the Smithsonian has released 2.8 million high-resolution two- and three-dimensional images from across its collections onto an open access online platform for patrons to peruse and download free of charge.  And more images are coming!

This is more than generous to the public. It also solves a long-running copyright problem. You see, even if an image is so old that no one owns it any more, the person who scanned it and put it up on the Internet may assert copyright over the scanned image. Some graphics companies have trapped us when we look for these older items: they index them for easy finding, and then charge a healthy price for downloads. And if you think you can just get away with it, beware that these same companies can hide watermarks in their scans that you are not expecting. Maybe it's unlikely that you will get stung, but it's nonetheless annoying. Your CyberImbiber loves images and looks forward to enjoying this wonderful gift from the Smithsonian!

Read the news release at this link.

March update! I complained because there were no true stereo images in the released collections. This was a result of search parameters and also, I was advised that their stereo collections are not all public domain. For you 3D enthusiasts I can provide two helpful links. I am pleased to write that the old stereo pairs can be easily viewed in cheap VR headsets via your phone!

Smithsonian Stereograms

University of California (some images are not stored in pairs, dig deeper into the list)

Engines of Our Ingenuity

A Thoughtful Technology Program You Should Know | 2/21/2020

I came across Engines of our Ingenuity accidentally on a local PBS station back in the 1990s. 

Operated from the University of Houston, it's not as exciting as Wait Wait, Don't Tell Me and other public radio shows. But that's ok. For a Cyber Imbiber, this is a gold mine of interesting historical collections. Browse the old shows and you may find some surprises. I like Professor Lienhard's comparison of Bill Gates and Windows to Henry Ford and the Model T.

He also has interesting stories like exploring the cultural differences between engineers and designers from different countries. For example, his work in the USA on heat transfer was largely ignored. But the Japanese loved it, and brought him out as an honored expert. Why so excited? While we worry about look and feel, those other engineers were taking seriously the problems of getting heat out of computing systems. Depending on your perception, that is the number one problem with making our tech reliable. 

The University of Houston keeps all of Professor Lienhard's recordings up and available for free. Go browsing and be inspired. Click on the picture to visit the site!


The Death of Cable TV - 2024 is the Tipping Point

Roku predicts this, and I agree. | 2/15/2020

I am truly sick of being forced to take packages of channels that I WILL NEVER WATCH. I don't want to offend anyone, so I won't mention that this includes every sports channel. Even the news channels have lost pretty much all value. Others have made predictions like this, but Roku's timing prompts me to repeat the death knell for Cable TV.

So how do you satisfy your appetite if you cut the cord? Many ways. And in my opinion they all start with Roku. Why not Amazon Fire, or Apple TV for example? It's easy. Those services lock you in and reduce your choices. Amazon and Apple TV are playing some of the same games that the Cable TV companies are doing!

Let's say that you want to subscribe to Acorn, or BritBox to get a path into British programming. If you want to have that on Amazon, you have to pay Amazon. However, what if you want to have that subscription be free and clear to use on any of your devices? Well then, Amazon and Apple may not honor your subscription, because you made it without them. The difference is that Roku is vendor neutral. They will give you access to any of your subscriptions on any of their devices, provided they have channel support for that service.  And they won't interfere with the original terms of service of your subscriptions.

As a further benefit, the Roku devices are reasonably priced and plentiful, and a lot of low to mid-range TVs have a Roku system built in. It's hard to go wrong with that!

You may still be wondering how to find the programming you want to watch that is not on the streams Roku offers. Well, if there really is something that you can't see there, then head over to YouTube. Many shows are available in their entirety and many are free. Still others are available as vignettes. You can watch Bill Maher, Rachel Maddow, news highlights and more quite easily. And some networks, such as NBC, will let you stream entire shows, and MSNBC, for free if you install their Roku app. You may even find that YouTube can be more interesting than regular programming.

If you have not cut the cord yet, you may be worrying about racking up a lot of streaming service fees. Look at it this way. I was paying XFinity $154 per month for Cable TV service that I mostly did not want. True, it was 100 Mbps service, but most of us really don't need that. I switched to pure Internet with Frontier at 50Mbps and I am only paying $40 per month.  1080p TV is good enough for me and the bandwidth (5Mbps) is modest. You want to look for whiteheads in the pores of an actor's face, sure, be my guest and move up to 4K.  I run three computers, two Rokus, a Roku TV and PhonePower VoIP. I have five stream subscriptions. Adding it all up:

Frontier:      $40/mo
NetFlix:       $13/mo
Amazon Prime:  $10/mo
BritBox:       $ 7/mo.
Acorn:         $ 4/mo.
PBS all access:$ 5/mo.
Total:         $79/mo. 

That total is just over half of my Xfinity bill.
Keep in mind that I had those streaming services while I paid for Xfinity, so my cost before was $193!

Beware Harbingers of Failure

Or should you instead pay attention to them? | 2/12/2020

Recently I became aware of validated research that labels groups of consumers as Harbingers of Failure. Wow, that seems dire, don't you think?

Harbingers of Failure are people who buy products that fail. And they buy enough of them to be noticed. The effect is said to be persistent, not only for individuals but also for certain communities.  Harbingers don't do it once, they do it over and over!

The examples given are mostly non-technical, such as Heinz's green ketchup (hmmm) and Jell-O color-changing pudding (yuck!). You can get an idea of such products by looking at supermarket clearance shelves, although what turns up there would still need to be checked against actual failed buying patterns.

It's harder for me to find the examples for high-tech. Some things listed as failures or dead ends were not fueled by Harbingers of Failure. They were either just bad ideas that never sold, such as the Atari E.T. cartridges that were buried in a landfill (and later dug up); ideas ahead of their time that are not gone, such as QR codes; or products that were out-competed in markets that otherwise still exist, such as the Pebble watch.

What do you think? If you have examples to nominate, please send me your suggestions and I will post them in updates to this story. Use this link

I will nominate the Sony Aibo. I am going to dismiss the comeback because the product really did "die" in more ways than one and stayed "dead" a long time.

Released in 1999 at a cost of $3000 in current money, it only sold 150,000 units in seven years. You might think that is a lot, but consider the cost of parts, and support. People who bought Aibos became very attached to them and had no intention of discarding them. The Aibos were the most realistic pet robot of the time, and for that matter, IMO they still are. Each had distinctive personality traits and could be trained. 

National Geographic reports: "So when Sony announced in 2014 that they would no longer support updates to the aging robots, some AIBO owners heard a much more somber message: Their pet robot dogs would die. The community of devoted owners began sharing tips on providing care for their pets in the absence of official support."

Aibo owners even trained as robodog veterinarians, and one of them founded an Aibo Cyberhospital.

And believe it or not, when Aibos finally die, people hold funeral services for them.  Yes, really.

The only harbinger validation I still need, to close the loop on the original market study, is to know whether Aibo owners treat other technologies the same way. Personally, I don't intend to ask.

You may be interested to know that the general market craze for little robots has motivated Sony to "reboot" the Aibo, and it's available again.

Interesting articles to read include a summary in the MIT technology review

A longer MIT article

Extended research that documents the existence of harbinger zip codes

Advanced Multi-Factor Authentication in the Animal World

A bird-brained innovation! | 2/2/2020

In Australia, the Cuckoo is a nasty sort of bird. Mother Cuckoos lay their eggs in other birds' nests to fob off the care and feeding of their young. The Cuckoo hatchlings emerge with murderous intent and will push the other eggs out of the nest if they get a chance.  Fairy-Wrens have developed an advanced defense mechanism. And no doubt they did so long before mankind was getting organized. 

The Fairy-Wren mother sings to her eggs!! That's right. She teaches her babies a unique song -- belonging only to her -- before they have even hatched. When she returns with food, only the babies who know the song will be fed. Instead of just making a general cheeping noise, these little critters start out knowing a full song. This test is especially critical because the nest can be dark inside. If the cuckoo does hatch first and destroys the real eggs, then the Fairy-Wrens abandon the nest and there's still one less Cuckoo that will grow up to cause mayhem to others. 


image source: Wikipedia