Re: [projectvrm] Vendor entitlement run amok

[Doc Searls < >]

Thanks Judi.

I love how yhou bring together what T.Rob and Jennifer Stisa Granick said. 

So, leveraging those, I just added some text (and an image/metaphor) to my 
Advertising Wheat & Chaff piece <http://bit.ly/wheatchaff>, and tweeted that 
too, with a HT to @idcoach: 
<https://twitter.com/dsearls/status/634374330030264320>.

In the meantime I’ve also had some conversations with browser and ad blocking 
people, and I think what I propose is do-able.

Just scroll down to the subhead “An easy solution” and see what you think. 
And what we can do together.

Enough with the complaining and thrashing through the weeds. Let’s fix this 
thing.

Doc


> On Aug 19, 2015, at 8:58 PM, Id Coach 
> <
 >
>  wrote:
> 
> Thanks T.Rob, blogged this in response:
> http://digitalidcoach.com/2015/08/tracking-and-profiling-run-amok/
> 
> Included some stats from Pew study on attitudes about privacy and
> surveillance, also a link to Jennifer Granick's keynote at Black Hat.
> 
>  j.
> 
> On 8/19/15 9:02 AM, T.Rob wrote:
>> My main issue with vendors turning us into instrumented data sources isn't
>> the data so much as the lack of consent. My Fitbit knows a lot about me but
>> it's an add-on that I self-selected and it provides value to me. The
>> tracking in my browser is not something I can easily avoid since the 
>> browser
>> is now an integral part of my life. Between those extremes there are lots 
>> of
>> IoT devices that you can currently choose a private version but where that
>> choice is rapidly disappearing. You can still buy a dumb light switch but
>> not a dumb car, for example. Your shiny new GT phones home.
>> 
>> Among the vendors who seem to feel an entitlement to our data is Microsoft,
>> whose Windows 10 is basically a box of spyware disguised as a
>> user-productivity-gaming-and-cat-video-watching platform. I've already
>> written about the issues there, how to mitigate them, and the disheartening
>> number of those "features" that can't be disabled. Yet as bad as all that
>> is, this latest revelation still managed to surprise me across several
>> metrics: the lack of consent, the extent of the invasion, the degree of
>> exposure, the fact that it's already been exploited to infect user devices,
>> the fact that the entity who exploited it is a "legitimate" vendor, and the
>> fact that said "legitimate" vendor egregiously exposed the exploit to the
>> Internet.
>> 
>> Ars Technica is reporting that Microsoft has included in Windows 8 and 
>> above
>> the ability to load executables from the device firmware. This means that
>> even a clean install of Windows on wiped hard drives will run the
>> executables from the firmware. This is intended for anti-theft protection
>> which is generally exposed to the user in the BIOS and can be disabled.
>> However, Lenovo used it to load software that reports information about the
>> device, downloads executables over the Internet and installs them into
>> Windows, overlays some of Microsoft's system files, is riddled with bugs
>> such as buffer overflow, updates itself unsecurely, and does all this over
>> plaintext HTTP connections.
>> 
>> http://iopt.us/1LkR5D2 
>> http://arstechnica.com/information-technology/2015/08/lenovo-used-windows-an
>> t
>> i-theft-feature-to-install-persistent-crapware/
>> 
>> The design of the firmware executable injection features to support
>> anti-theft has always been a compromise. We give up some security in the OS
>> and firmware to get the ability to retrieve/wipe the PC if it is stolen or
>> lost. However, it opens the possibility of malware taking up residence in
>> the hardware and there are examples of this being exploited. The delta in
>> difficulty between stealing a laptop versus exploiting the firmware
>> bootloader injection results in this feature being a net security benefit
>> but not by a very big margin. Should it become easier to exploit the
>> firmware bootloader injection, this could turn very bad, very fast.
>> 
>> Microsoft and Lenovo, in stunning examples of the pervasive attitude of
>> vendor entitlement, significantly reduced the degree of difficulty for
>> exploiting firmware bootloader injection to where any script kiddie can 
>> root
>> the device. Worse, it was done without the ability for the user to disable
>> it. The patch released by Lenovo reportedly disabled the function but even
>> people comfortable using the BIOS setup will have difficulty disabling it.
>> 
>> Microsoft has effectively weaponized firmware bootloader injection.
>> 
>> Lenovo has not only exploited it, but their code is so incompetent as to
>> make a new class of vulnerability available remotely, anonymously, and with
>> almost no skill requirement whatsoever.
>> 
>> In terms of privacy invasion, this is not a difference in degree. It's a
>> difference in kind. It's a new line that has been crossed and which, due to
>> the technical complexity of explaining the risk to regular folks, will fly
>> completely under the radar. It's custom-designed to root your device 
>> without
>> knowledge, consent, or recourse, so functional that "legitimate" vendors
>> apparently find malicious uses irresistible, and impossible to constrain to
>> "legitimate" vendors. If you have a Lenovo PC today and haven't disabled
>> this "feature", all sorts of uninvited guests can come camping out in your
>> firmware and you won't be able to kick them out. If you have any other 
>> brand
>> of device running Windows, well it's just a matter of time now.
>> 
>> But try telling any vendor - or your representative - that just because we
>> can doesn't mean we should. Nobody treats this as a privilege. Access to 
>> our
>> data and the internals of our devices is assumed to be an entitlement, even
>> when the implementations are clearly incompetent and capable of causing
>> significant emotional, financial, and even physical harm to the owner of 
>> the
>> device or user of the service.
>> 
>> So let's say there's a vendor with retail customers who wants to improve
>> their profitability. Do they consult with the merry band of VRM minstrels?
>> Why should any vendor treat unlimited and intimate access to us as a
>> privilege when the competition sees it as a right, capably exploits it, and
>> the current regulatory regime fully supports that approach? VRM doesn't
>> become mainstream until there's a line imposed by the market such that
>> vendors need a way to remain competitive without crossing it. Not only are
>> vendors crossing that line today, they are having long jump competitions to
>> see who can go the furthest, and then advancing the line while we aren't
>> looking.
>> 
>> 
>> Blogged here: 
>> http://iopt.us/1NuI0Y2
>> https://ioptconsulting.com/vendor-entitlement-run-amok/
>> 
>> Kind regards,
>> -- T.Rob
>> 
>> T.Robert Wyatt, Managing partner
>> IoPT Consulting, LLC
>> +1 704-443-TROB (8762) Voice/Text
>> https://ioptconsulting.com
>> https://twitter.com/tdotrob
>> 
>> 
>