Law

Law and legislation

S. Korea Cyber Attack Crashes Navigation Devices. Time to fuzz your GPS?

South Korea suffered a major cyber attack yesterday. The origin of the attack seems to be China at the moment, but that is far from being definite.

I happened to be in one of the (several) cyber security operation centers, by pure coincidence. I had a chance to see events unravel in real time. Several banks have been hit (including the very large shinhan bank) and a few broadcasting channels.

The damage is hard to assess, since it’s now in everyone’s advantage to blame the cyber attack on anything from a system crash to the coffee machine running out of capsules. Budget and political moves will dominate most of the data that will be released in the next few days.
It’s clear, however, that the damage substantial. I reached out to a few friends in technical positions at various MSPs and most had a sleepless night. They’ve been hit hard.

The most interesting part of this incident, in my opinion, was a report on car GPS crashing while the attack was taking place. I haven’t seen a news report about that yet, and I couldn’t personally verify it (as I mentioned, I was stationary at the time, watching the frantic cyber-security team getting a handle on a difficult situation) but this is making rounds in security forums and a couple of friends confirmed to me that their car navigation system crashed and had to be restarted, at the exact time the attack was taking place.

The most likely explanation is that the broadcasting companies, who send TPEG data to the GPS devices (almost every car in Korea has a GPS device, almost all get real-time updates via TPEG), had sent malformed data which caused the devices to crash. This data could have been just a result of a domino effect from the networks crashing, or it could have been a very sophisticated proof-of-concept by the attacker to see if they can create a distruption. Traffic in Seoul is bad even on a normal day; without GPS devices it can be a nightmare.

Which brings up an interesting point about fuzzing network devices. TPEG fuzzers have been available for a while now (beSTORM has a TPEG module, and you can easily write your own TPEG fuzzer). The difficult part is getting the GPS device to communicate with the fuzzing generator; this is something the GPS developer can do (but probably won’t) but it is also possible for a government entity to do the necessary configuration to make that happen, given the proper resources or simply by forcing the vendors to cooperate.

The choice of the attacker to bring down the broadcasting networks might be deliberate: other than knocking TV and radio off the air (an obvious advantage in a pre-attack strike) the broadcasting networks control many devices who rely on their data. Forcing them to send malformed data to crash a variety of devices can have interesting implications. If I was a little more naive, I would predict that this will push governments around the world to focus more on fuzzing to discover these kind of vulnerabilities before they see their adversaries exploit them. But in the world we live in, they will instead throw around the phrase “APT” and buy more “APT detection products” (an oximoron if I’ve ever heard one). Thank god for APT, the greatest job saving invention since bloodletting.

An detailed analysis of the attack here:
http://training.nshc.net/KOR/Document/virus/20130321_320CyberTerrorIncidentResponseReportbyRedAlert(EN).pdf

Apple Now “Owns” the Page Turn

A blog posting at the New York Times:

“Yes, that’s right. Apple now owns the page turn. You know, as when you
turn a page with your hand. An “interface” that has been around for
hundreds of years in physical form. I swear I’ve seen similar
animation in Disney or Warner Brothers cartoons.  (This is where
readers are probably checking the URL of this article to make sure
it’s The New York Times and not The Onion.)”

Yet more proof that the US patent system, and possibly the whole concept of intellectual property law, is well and truly insane.

What’s even funnier is that, when I read the New York Times blog page that carries this story, I noticed that NYT may be in grave danger of having their pants sued off by Apple (which is, after all, a much larger and more litigious corporation).  At least two of the animated graphical ads on the page feature a little character that rolls down a corner of the ad, inviting you to “Click to see more.”  If you click or even mouseover the ad, then the little figure “turns a page” to let you see the rest of the ad.

(This interface appears to be a standard for either the NYT or Google Ads, since refreshing the page a few times gave me the same display for two different auto manufacturers and, somewhat ironically, for Microsoft.)

(In discussing this with Gloria, she mentioned an online magazine based in Australia which uses a graphical page turning interface for the electronic version of the magazine.  Prior art?  Or are they in danger of getting sued by Apple as well?)

Border (relative) difficulties

I have experienced all kinds of difficulties travelling down to the US to teach.

It used to be a lot easier, in the old days.
Border agent: “Business or pleasure?”
Me: “Business.”
BA: “What are you doing?”
Me: “Teaching.”
BA: “OK.”
Then The-Conservative-Government-Before-The-New-Harperite-Government-Of-Canada decided, in it’s infinite wisdom, to bring in something called the North American Free Trade Agreement, which had provisions to make it “easier” to trade and travel.  Now it’s a royal pain.

(I’ve travelled and taught elsewhere, of course.  Some places I’ve had to get visas.  Nigeria was a nusiance.  Australia was a $20 charge, online, no problem at all.  Last time I taught in Ireland it was “Business or pleasure?”  “Business.”  “Welcome to Ireland!”  Last time I taught in Norway there wasn’t even anyone at the immigration desk.)

Occasionally Americans have complained that they have had troubles coming to work in Canada.  So far I have never heard anything like what I’ve had to go
through.

At the moment I’ve been dealing with American lawyers again.  This has generally been OK, since I usually don’t have to travel for that.  However, this time the other side wants to depose me.  (I suspect they are just doing this for the nusiance value.  As usuall, I’m not doing this as an “expert” witness, just as the only guy who still has the materials.)  So, the origianl plan was for me to fly down to California, spend a day with the lawyers on one side “prepping” me, and spend an hour or two with the other side for the deposition.  They’d have to pay for my fare and travel expenses, as well as my time during prep.

During the call I mentioned that, since he was a lawyer, and presumably had access to other lawyers in their firm who knew something about immigration, they should check on that point, and see if they wanted/needed to do anything about a visa for me.  He didn’t think it was an issue.  I said that, according to the official rules he was right, but that I had seen plenty of cases where the border agents interpretted the rules in idiosyncratic ways, and maybe he should just check.

Today the plan has entirely changed.  At least three lawyers (possibly more), from at least two firms (and possibly more) are flying up from California, renting a boardroom here in Vancouver, renting a court reporter, and staying at least two days (more likely three) to do the prep and deposition.  With all the extra associated costs.  (And all this on behalf of a company that has very stringent travel cost policies: I had to sign off on them for the original contract.)

I think I’ve proved the point: it’s *way* harder to go to the US than to Canada.

Budget and the chain of evidence

Go Public, a consumer advocacy show on CBC, has produced a show on Budget Rent-A-Car overcharging customers for minor repairs.

This rang a bell with me.

In May of 2009, I rented a car from Budget, in order to travel to give a seminar.  Having had troubles with various car rental companies before, I did my own “walk around” and made sure I got a copy of the damage report before I left.  There were two marks on the driver’s door (a small dent, and a scratch), but the Budget employee refused to make two marks in that spot of the form: he said that the one tick covered both.

When I turned in the car, I was told that the tick was only good for the one scratch, and that I would be charged $400 for the dent.  I was also told that, since I had rented the car using my American Express card, I was automatically covered, by American Express, for minor damage, so I should get them to pay for it.

Since I was neither interested in paying myself, nor in assisting in defrauding Amex, I referred to the earlier statement by the employee who had checked the car.  (I had a witness to his statement, as well.)

Thus started a months-long series of phone calls from Budget.  They kept trying to get me to agree to pay the extra $400, and get Amex to reimburse me.  I wasn’t interested.

The phone calls finally stopped when, on one call, I informed the caller (by now identifying himself as someone in the provincial head office for Budget) that I had kept the copy of the original damage report form.  The caller told me that it clearly stated that there was a scratch on the door.  When I asked him how he interpreted the tick mark as a scratch, rather than a dent, he said that the word “scratch” was written on the form.

Well, of course, it hadn’t been written on the form originally.  I guess the caller must have been reasonable high up in the corporate food chain, because he knew what that meant.  I had the original, and it proved that they had messed with their copy.  That breaks the chain of evidence: they had no case at all.

(I still have a scan of that form.  Just in case …)