- From: Id Coach
- To:
- Subject: Re: [projectvrm] Vendor entitlement run amok
- Date: Wed, 19 Aug 2015 17:58:17 -0700
Thanks T.Rob, blogged this in response:
http://digitalidcoach.com/2015/08/tracking-and-profiling-run-amok/
Included some stats from Pew study on attitudes about privacy and
surveillance, also a link to Jennifer Granick's keynote at Black Hat.
j.
On 8/19/15 9:02 AM, T.Rob wrote:
> My main issue with vendors turning us into instrumented data sources isn't
> the data so much as the lack of consent. My Fitbit knows a lot about me but
> it's an add-on that I self-selected and it provides value to me. The
> tracking in my browser is not something I can easily avoid since the browser
> is now an integral part of my life. Between those extremes there are lots of
> IoT devices for which you can currently choose a private version but where that
> choice is rapidly disappearing. You can still buy a dumb light switch but
> not a dumb car, for example. Your shiny new GT phones home.
>
> Among the vendors who seem to feel an entitlement to our data is Microsoft,
> whose Windows 10 is basically a box of spyware disguised as a
> user-productivity-gaming-and-cat-video-watching platform. I've already
> written about the issues there, how to mitigate them, and the disheartening
> number of those "features" that can't be disabled. Yet as bad as all that
> is, this latest revelation still managed to surprise me across several
> metrics: the lack of consent, the extent of the invasion, the degree of
> exposure, the fact that it's already been exploited to infect user devices,
> the fact that the entity who exploited it is a "legitimate" vendor, and the
> fact that said "legitimate" vendor egregiously exposed the exploit to the
> Internet.
>
> Ars Technica is reporting that Microsoft has included in Windows 8 and above
> the ability to load executables from the device firmware. This means that
> even a clean install of Windows on wiped hard drives will run the
> executables from the firmware. This is intended for anti-theft protection
> which is generally exposed to the user in the BIOS and can be disabled.
> However, Lenovo used it to load software that reports information about the
> device, downloads executables over the Internet and installs them into
> Windows, overlays some of Microsoft's system files, is riddled with bugs
> such as buffer overflow, updates itself insecurely, and does all this over
> plaintext HTTP connections.
>
> http://iopt.us/1LkR5D2
> http://arstechnica.com/information-technology/2015/08/lenovo-used-windows-anti-theft-feature-to-install-persistent-crapware/
>
> The design of the firmware executable injection features to support
> anti-theft has always been a compromise. We give up some security in the OS
> and firmware to get the ability to retrieve/wipe the PC if it is stolen or
> lost. However, it opens the possibility of malware taking up residence in
> the hardware and there are examples of this being exploited. The delta in
> difficulty between stealing a laptop versus exploiting the firmware
> bootloader injection results in this feature being a net security benefit
> but not by a very big margin. Should it become easier to exploit the
> firmware bootloader injection, this could turn very bad, very fast.
>
> Microsoft and Lenovo, in stunning examples of the pervasive attitude of
> vendor entitlement, significantly reduced the degree of difficulty for
> exploiting firmware bootloader injection to where any script kiddie can root
> the device. Worse, it was done without the ability for the user to disable
> it. The patch released by Lenovo reportedly disabled the function but even
> people comfortable using the BIOS setup will have difficulty disabling it.
>
> Microsoft has effectively weaponized firmware bootloader injection.
>
> Lenovo has not only exploited it, but their code is so incompetent as to
> make a new class of vulnerability available remotely, anonymously, and with
> almost no skill requirement whatsoever.
>
> In terms of privacy invasion, this is not a difference in degree. It's a
> difference in kind. It's a new line that has been crossed and which, due to
> the technical complexity of explaining the risk to regular folks, will fly
> completely under the radar. It's custom-designed to root your device without
> knowledge, consent, or recourse, so functional that "legitimate" vendors
> apparently find malicious uses irresistible, and impossible to constrain to
> "legitimate" vendors. If you have a Lenovo PC today and haven't disabled
> this "feature", all sorts of uninvited guests can come camping out in your
> firmware and you won't be able to kick them out. If you have any other brand
> of device running Windows, well it's just a matter of time now.
>
> But try telling any vendor - or your representative - that just because we
> can doesn't mean we should. Nobody treats this as a privilege. Access to our
> data and the internals of our devices is assumed to be an entitlement, even
> when the implementations are clearly incompetent and capable of causing
> significant emotional, financial, and even physical harm to the owner of the
> device or user of the service.
>
> So let's say there's a vendor with retail customers who wants to improve
> their profitability. Do they consult with the merry band of VRM minstrels?
> Why should any vendor treat unlimited and intimate access to us as a
> privilege when the competition sees it as a right, capably exploits it, and
> the current regulatory regime fully supports that approach? VRM doesn't
> become mainstream until there's a line imposed by the market such that
> vendors need a way to remain competitive without crossing it. Not only are
> vendors crossing that line today, they are having long jump competitions to
> see who can go the furthest, and then advancing the line while we aren't
> looking.
>
> Blogged here:
> http://iopt.us/1NuI0Y2
> https://ioptconsulting.com/vendor-entitlement-run-amok/
>
> Kind regards,
> -- T.Rob
>
> T.Robert Wyatt, Managing partner
> IoPT Consulting, LLC
> +1 704-443-TROB (8762) Voice/Text
> https://ioptconsulting.com
> https://twitter.com/tdotrob