- From: Don Marti <>
- To: Patrick Devine <>
- Cc: Devon M T Loffreto <>, "T.Rob" <>, ProjectVRM list <>
- Subject: Re: [projectvrm] Vendor entitlement run amok
- Date: Wed, 19 Aug 2015 10:49:39 -0700

What Oracle strategy would look like if applied to a non-software business:
https://en.wikipedia.org/wiki/Amy%27s_Baking_Company
(Just blaming "Internet haters" for reported problems doesn't usually work.)
begin Patrick Devine quotation of Wed, Aug 19, 2015 at 04:52:42PM +0000:
>
> Oracle's CSO wrote a blog (since removed but saved for posterity, see link below) lamenting the fact that their customers took the time and effort to discover zero day security vulnerabilities in their software and embarrassed Oracle by publicizing the facts if Oracle did not respond to the information.
>
> Epic Fail
>
> http://seclists.org/isn/2015/Aug/4
>
> Patrick
>
> From: Devon M T Loffreto [mailto:]
> Sent: Wednesday, August 19, 2015 6:46 PM
> To: T.Rob
> Cc: ProjectVRM list
> Subject: Re: [projectvrm] Vendor entitlement run amok
>
> TRob,
>
> Agree with you in full. What can a little acronym do about it?
>
> VRM is not turning into anything... it's just a lightning rod.
>
> At the base are people...engineers in some cases... each with personal context and motivations...and increasingly, given the nature of participation in the "market", one must consider whether sharing specific strategies protecting Individual participation is smart.
>
> My question: when does the "market" begin?
>
> These abuses to some, capabilities to others, have their own origin story wired so deeply into the fabric of Society, how can any business pitch a fix with a straight face...knowing they are building solutions on a foundation that introduces the problem at a root much more deeply impactful than any business outcome can pursue?
>
> It's 2015... people are just waking up to the fact that they are leveraged data. In retrospect...that's not real positive... forward moving... the question revolves around what people do about it...meaningful or meaningless conversations may now ensue...
>
> Clue: when do you (human) first become data? What is your root structure?
>
> Devon
>
> On Wed, Aug 19, 2015 at 12:02 PM, T.Rob <> wrote:
>
> My main issue with vendors turning us into instrumented data sources isn't the data so much as the lack of consent. My Fitbit knows a lot about me but it's an add-on that I self-selected and it provides value to me. The tracking in my browser is not something I can easily avoid since the browser is now an integral part of my life. Between those extremes there are lots of IoT devices for which you can currently choose a private version but where that choice is rapidly disappearing. You can still buy a dumb light switch but not a dumb car, for example. Your shiny new GT phones home.
>
> Among the vendors who seem to feel an entitlement to our data is Microsoft, whose Windows 10 is basically a box of spyware disguised as a user-productivity-gaming-and-cat-video-watching platform. I've already written about the issues there, how to mitigate them, and the disheartening number of those "features" that can't be disabled. Yet as bad as all that is, this latest revelation still managed to surprise me across several metrics: the lack of consent, the extent of the invasion, the degree of exposure, the fact that it's already been exploited to infect user devices, the fact that the entity who exploited it is a "legitimate" vendor, and the fact that said "legitimate" vendor egregiously exposed the exploit to the Internet.
>
> Ars Technica is reporting that Microsoft has included in Windows 8 and above the ability to load executables from the device firmware. This means that even a clean install of Windows on wiped hard drives will run the executables from the firmware. This is intended for anti-theft protection which is generally exposed to the user in the BIOS and can be disabled. However, Lenovo used it to load software that reports information about the device, downloads executables over the Internet and installs them into Windows, overlays some of Microsoft's system files, is riddled with bugs such as buffer overflow, updates itself insecurely, and does all this over plaintext HTTP connections.
>
> http://iopt.us/1LkR5D2
> http://arstechnica.com/information-technology/2015/08/lenovo-used-windows-anti-theft-feature-to-install-persistent-crapware/
>
> The design of the firmware executable injection features to support anti-theft has always been a compromise. We give up some security in the OS and firmware to get the ability to retrieve/wipe the PC if it is stolen or lost. However, it opens the possibility of malware taking up residence in the hardware and there are examples of this being exploited. The delta in difficulty between stealing a laptop versus exploiting the firmware bootloader injection results in this feature being a net security benefit but not by a very big margin. Should it become easier to exploit the firmware bootloader injection, this could turn very bad, very fast.
>
> Microsoft and Lenovo, in stunning examples of the pervasive attitude of vendor entitlement, significantly reduced the degree of difficulty for exploiting firmware bootloader injection to where any script kiddie can root the device. Worse, it was done without the ability for the user to disable it. The patch released by Lenovo reportedly disabled the function but even people comfortable using the BIOS setup will have difficulty disabling it.
>
> Microsoft has effectively weaponized firmware bootloader injection.
>
> Lenovo has not only exploited it, but their code is so incompetent as to make a new class of vulnerability available remotely, anonymously, and with almost no skill requirement whatsoever.
>
> In terms of privacy invasion, this is not a difference in degree. It's a difference in kind. It's a new line that has been crossed and which, due to the technical complexity of explaining the risk to regular folks, will fly completely under the radar. It's custom-designed to root your device without knowledge, consent, or recourse, so functional that "legitimate" vendors apparently find malicious uses irresistible, and impossible to constrain to "legitimate" vendors. If you have a Lenovo PC today and haven't disabled this "feature", all sorts of uninvited guests can come camping out in your firmware and you won't be able to kick them out. If you have any other brand of device running Windows, well it's just a matter of time now.
>
> But try telling any vendor - or your representative - that just because we can doesn't mean we should. Nobody treats this as a privilege. Access to our data and the internals of our devices is assumed to be an entitlement, even when the implementations are clearly incompetent and capable of causing significant emotional, financial, and even physical harm to the owner of the device or user of the service.
>
> So let's say there's a vendor with retail customers who wants to improve their profitability. Do they consult with the merry band of VRM minstrels? Why should any vendor treat unlimited and intimate access to us as a privilege when the competition sees it as a right, capably exploits it, and the current regulatory regime fully supports that approach? VRM doesn't become mainstream until there's a line imposed by the market such that vendors need a way to remain competitive without crossing it. Not only are vendors crossing that line today, they are having long jump competitions to see who can go the furthest, and then advancing the line while we aren't looking.
>
> Blogged here:
> http://iopt.us/1NuI0Y2
> https://ioptconsulting.com/vendor-entitlement-run-amok/
>
> Kind regards,
> -- T.Rob
>
> T.Robert Wyatt, Managing partner
> IoPT Consulting, LLC
> +1 704-443-TROB (8762) Voice/Text
> https://ioptconsulting.com
> https://twitter.com/tdotrob
>
>
--
Don Marti <>
http://zgp.org/~dmarti/
Are you safe from 3rd-party web tracking?
http://www.aloodo.org/test/
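The firmware executable-loading mechanism T.Rob's quoted message describes, and which the linked Ars Technica article covers, is the ACPI Windows Platform Binary Table (WPBT); the thread itself never names it. The following is an added example, not code from any participant in the thread or from Microsoft or Lenovo: a parser for the WPBT structure that validates the ACPI header checksum and reports what binary the firmware hands to Windows, exercised on a constructed sample table. The field layout, the `read_wpbt_from_firmware` helper (which calls the real `kernel32!GetSystemFirmwareTable` on Windows and returns `None` elsewhere), and every sample value are assumptions of this example. A defender can use the parsed output to confirm whether a machine's firmware still provisions a boot-time binary after the BIOS setting T.Rob mentions has been changed, since the OS will execute whatever the table points at even on a freshly wiped disk.

```python
"""Parse an ACPI WPBT (Windows Platform Binary Table) and report what it provisions.

Added example. The layout below (standard ACPI header, then handoff size and
physical address, content layout, content type, optional UTF-16 argument string)
is an assumption of this example, not code or data from the mailing-list thread.
"""
import struct
import sys
from typing import Optional

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # 36-byte standard ACPI table header
WPBT_BODY = struct.Struct("<IQBB")             # handoff size, physical address, layout, type
ARGS_LEN = struct.Struct("<H")                 # byte length of the UTF-16 argument string


def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table must sum to zero modulo 256 over its full length."""
    return sum(table) % 256 == 0


def parse_wpbt(table: bytes) -> dict:
    """Validate and decode a WPBT blob; raises ValueError on a malformed table."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table shorter than the fixed WPBT fields")
    sig, length, rev, _chk, oem_id, oem_tbl, _orev, _cid, _crev = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError("header length does not match table size")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch")
    handoff_size, handoff_addr, layout, ctype = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    args = ""
    off = ACPI_HEADER.size + WPBT_BODY.size
    if ctype == 1 and len(table) >= off + ARGS_LEN.size:
        (nbytes,) = ARGS_LEN.unpack_from(table, off)
        raw = table[off + ARGS_LEN.size: off + ARGS_LEN.size + nbytes]
        args = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return {
        "revision": rev,
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_tbl.decode("ascii", "replace").strip(),
        "handoff_size": handoff_size,
        "handoff_addr": handoff_addr,
        "content_layout": layout,   # 1 = a single PE image at handoff_addr
        "content_type": ctype,      # 1 = native user-mode application
        "args": args,
    }


def assess(table: Optional[bytes]) -> list:
    """Defender-side summary of what the firmware would hand to Windows at boot."""
    if table is None:
        return ["no WPBT present: the firmware does not provision a startup binary"]
    info = parse_wpbt(table)
    lines = [
        f"WPBT present (OEM {info['oem_id']!r}): {info['handoff_size']} byte image "
        f"at physical 0x{info['handoff_addr']:x}"
    ]
    if info["content_type"] == 1:
        lines.append("content type 1: native application that Windows extracts and runs during boot")
    if info["args"]:
        lines.append(f"command-line arguments: {info['args']!r}")
    return lines


def build_sample_wpbt(image_addr: int = 0x7FF000000, image_size: int = 0x2000,
                      args: str = "/quiet") -> bytes:
    """Constructed sample table (not captured from any real machine) with a valid checksum."""
    arg_bytes = args.encode("utf-16-le") + b"\x00\x00"
    body = WPBT_BODY.pack(image_size, image_addr, 1, 1) + ARGS_LEN.pack(len(arg_bytes)) + arg_bytes
    length = ACPI_HEADER.size + len(body)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"EXAMPL", b"SAMPLE01", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF   # checksum byte sits at offset 9 of the ACPI header
    return bytes(table)


def read_wpbt_from_firmware() -> Optional[bytes]:
    """On Windows, fetch the live table via kernel32!GetSystemFirmwareTable; None elsewhere
    or if the firmware exposes no WPBT. Assumption of this example: the 'ACPI' provider
    signature is passed big-endian and the table ID in memory byte order."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    provider = int.from_bytes(b"ACPI", "big")
    table_id = int.from_bytes(b"WPBT", "little")
    size = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if size == 0:
        return None
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(provider, table_id, buf, size)
    return buf.raw


if __name__ == "__main__":
    live = read_wpbt_from_firmware()
    for line in assess(live if live is not None else build_sample_wpbt()):
        print(line)
```

Run on a non-Windows host the script falls back to the constructed sample; on Windows it reports the live table, and an empty result after the firmware setting has been disabled is the confirmation a defender wants. The checksum and length checks matter because a table the OS would reject is not a provisioning risk, while a valid one means a binary the user never installed will run on every boot.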
Archive powered by MHonArc 2.6.19.