
Google Play apps with 150 million installs contain aggressive adware


Researchers have identified a massive adware campaign that invaded the official Google Play market with more than 200 highly aggressive apps that were collectively downloaded almost 150 million times.

The 210 apps discovered by researchers from security firm Checkpoint Software bombarded users with ads, even when an app wasn’t open, according to a blog post published by the company on Wednesday. The apps also had the ability to carry out spearphishing attacks by causing a browser to open an attacker-chosen URL and open the apps for Google Play and third-party market 9Apps with a specific keyword search or a specific application’s page. The apps reported to a command-and-control server to receive instructions on which commands to carry out.

Once installed, the apps installed code that allowed them to perform actions as soon as the device finished booting or while the user was using the device. The apps also could remove their icon from the device launcher to make it harder for users to uninstall the nuisance apps. The apps all used a software development kit called RXDrioder, which Checkpoint researchers believe concealed its abusive capabilities from app developers. The researchers dubbed the campaign SimBad, because many of the participating apps are simulator games.

“With the capabilities of showing out-of-scope ads, exposing the user to other applications, and opening a URL in a browser, SimBad acts now as an Adware, but already has the infrastructure to evolve into a much larger threat,” Checkpoint researchers wrote.

The top 14 apps were collectively downloaded a whopping 75 million times, with the No. 1 app receiving 10 million installs and the next 13 getting 5 million downloads each. The next 53 each received 1 million downloads. They are:

| Package Name | App Name | # Installs |
|---|---|---|
| com.heavy.excavator.simulator.driveandtransport | Snow Heavy Excavator Simulator | 10,000,000 |
| com.hoverboard.racing.speed.simulator | Hoverboard Racing | 5,000,000 |
| com.zg.real.tractor.farming.simulator.game | Real Tractor Farming Simulator | 5,000,000 |
| com.ambulancerescue.driving.simulator | Ambulance Rescue Driving | 5,000,000 |
| com.heavymountain.bus2018simulator | Heavy Mountain Bus Simulator 2018 | 5,000,000 |
| com.firetruckemergency.driver | Fire Truck Emergency Driver | 5,000,000 |
| com.farming.tractor.realharvest.simulator | Farming Tractor Real Harvest Simulator | 5,000,000 |
| com.carparking.challenge.parksimulator | Car Parking Challenge | 5,000,000 |
| com.speedboat.jetski.racing.simulator | Speed Boat Jet Ski Racing | 5,000,000 |
| com.watersurfing.carstunt.racing.simulator | Water Surfing Car Stunt | 5,000,000 |
| com.offroad.woodtransport.truckdriver | Offroad Wood Transport Truck Driver 2018 | 5,000,000 |
| com.volumen.booster.equalizer | Volumen booster & Equalizer | 5,000,000 |
| com.ks.prado.Car.parking.race.drive.apps | Prado Parking Adventure | 5,000,000 |
| com.zg.offroad.Oil.tanker.transporter.truck.cargo.simulator | Oil Tanker Transport Truck Driver | 5,000,000 |
| com.monstertruck.demolition | Monster Truck Demolition | 1,000,000 |
| com.hummerlimotaxi.simulator.driving | Hummer taxi limo simulator | 1,000,000 |
| com.excavator.wreckingball.demolition.simulator | Excavator Wrecking Ball Demolition Simulator | 1,000,000 |
| com.offroad.gold.transport.truck | Offroad Gold Transport Truck Driver 2018 | 1,000,000 |
| com.sea.animals.trucktransport.simulator | Sea Animals Truck Transport Simulator | 1,000,000 |
| com.water.surfingrace.motorbike.stunt | Water Surfing Motorbike Stunt | 1,000,000 |
| com.policechase.thiefpersecution | Police Chase | 1,000,000 |
| com.police.plane.transporter.game | Police Plane Transporter | 1,000,000 |
| com.ambulance.driver.extreme.rescue.simulator | Ambulance Driver Extreme Rescue | 1,000,000 |
| com.hovercraftracer.speedracing.boat | Hovercraft Racer | 1,000,000 |
| com.cars.transport.truckdriver.simulator | Cars Transport Truck Driver 2018 | 1,000,000 |
| com.motorbike.pizza.delivery.drivesimulator | Motorbike Pizza Delivery | 1,000,000 |
| com.heavy.excavator.stonecutter.simulator | Heavy Excavator – Stone Cutter Simulator | 1,000,000 |
| com.bottle.shoot.archery.game | Bottle shoot archery | 1,000,000 |
| com.offroadbuggy.car.racingsimulator | Offroad buggy car racing | 1,000,000 |
| com.garbagetruck.city.trash.cleaningsimulator | Garbage Truck – City trash cleaning simulator | 1,000,000 |
| com.tanks.attack.simulator.war.attack | Tanks Attack | 1,000,000 |
| com.dinosaurpark.trainrescue | Dinosaur Park – Train Rescue | 1,000,000 |
| com.pirateshipboat.racing3d.simulator | Pirate Ship Boat Racing 3D | 1,000,000 |
| com.flyingtaxi.simulator.race | Flying taxi simulator | 1,000,000 |
| com.jetpackinwater.racersimualtor.danger | Jetpack Water | 1,000,000 |
| com.boostervolumen.amplifiersoundandvolumen | Volumen Booster | 1,000,000 |
| com.farmgames.animal.farming.simulator | Animal Farming Simulator | 1,000,000 |
| com.monstertruck.racing.competition.simulator | Monster Truck | 1,000,000 |
| com.simulator.offroadjeep.car.racing | Offroad jeep car racing | 1,000,000 |
| com.simulator.flyingcar.stunt.extremetracks.racing | Flying Car Stunts On Extreme Tracks | 1,000,000 |
| com.simulator.tractorfarming.driving | Tractor Farming 2018 | 1,000,000 |
| com.impossible.farming.transport.simulator | Impossible Farming Transport Simulator | 1,000,000 |
| com.volumenbooster.equalizerboost | Volumen Booster | 1,000,000 |
| com.mustang.rally.championship.racingsimulator | Mustang Rally Championship | 1,000,000 |
| com.deleted.photo.recovery | Deleted Photo Recovery | 1,000,000 |
| com.race.boat.speedy | Speed Boat Racing | 1,000,000 |
| com.cycle.bike.racing.game | Super Cycle Jungle Rider | 1,000,000 |
| com.write.name.live.wallpaper.hd | My name on Live Wallpaper | 1,000,000 |
| com.maginal.unicorn.game | Magical Unicorn Dash | 1,000,000 |
| com.grafton.cycle.jungle.rider.race | Super Cycle Jungle Rider | 1,000,000 |
| com.lovecallingapps.lovecaller.Screen | Love Caller Screen | 1,000,000 |
| com.city.car.funny.racing.stunt.game.pro | Racing Car Stunts On Impossible Tracks | 1,000,000 |
| com.citycar.funny.racinggame.stunt.simulator | Racing Car Stunts On Impossible Tracks 2 | 1,000,000 |
| com.urban.Limo.taxi.simulation.games | Urban Limo Taxi Simulator | 1,000,000 |
| com.cg.heavy.tractor.simulator.game | Tractor Farming Simulator | 1,000,000 |
| com.campervan.drivingsimulator.caravan | Camper Van Driving | 1,000,000 |
| com.bootleshoot.sniper | Bottle Shoot Sniper 3D | 1,000,000 |
| com.globalcoporation.fullscreenincomingcaller.app | Full Screen Incoming Call | 1,000,000 |
| com.mustache.beard.editor | Beard mustache hairstyle changer Editor | 1,000,000 |
| com.volumenbooster.increaservolumen | Volumen Booster | 1,000,000 |
| com.photoeditor.girlfriend.addgirlstophoto.pic | girlfriend photo editor | 1,000,000 |
| com.tracker.location.number.free.spy | Mobile Number Tracker & Locator | 1,000,000 |
| com.garden.editor.app | Garden Photo Editor | 1,000,000 |
| com.fortunewheel.game | Fortune Wheel | 1,000,000 |
| com.farming.transport.tractor.simulator | Farming Transport Simulator 2018 | 1,000,000 |
| com.offroad.tractor.transport.drivingsimulator | OffRoad Tractor Transport | 1,000,000 |
| com.customwallpaper.mynameonlivewallpaper | my name on live wallpaper | 1,000,000 |

The remainder received 500,000 or fewer downloads each. Checkpoint has a full list of all the apps here.

Web searches found that many apps with similar or identical names were still available in Google Play at the time this story was being reported. This will make it harder for users to determine if an installed app is benign or abusive. One possibly useful method for determining abuse is to use the package name to search a phone for abusive apps. While Google has removed all the reported apps from Play, it wasn’t immediately clear if those apps will automatically be uninstalled from infected devices or if users must do so manually. Company representatives didn’t immediately respond to emails seeking comment for this post.
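One way to run the package-name check suggested above, as an added example that is not part of the original article or of Checkpoint's report: it matches the output of `adb shell pm list packages` (with or without `-f`) against package names from the table, which works even when an app has hidden its launcher icon. The blocklist holds five names copied from the table, and the sample device output, including the look-alike `com.example.hoverboardracing`, is constructed.

```python
"""Match a device's installed packages against the SimBad package names."""

# Five package names copied from the table in this article; load the full
# list the same way for a real check.
SIMBAD_PACKAGES = {
    "com.heavy.excavator.simulator.driveandtransport": "Snow Heavy Excavator Simulator",
    "com.hoverboard.racing.speed.simulator": "Hoverboard Racing",
    "com.volumen.booster.equalizer": "Volumen booster & Equalizer",
    "com.deleted.photo.recovery": "Deleted Photo Recovery",
    "com.tracker.location.number.free.spy": "Mobile Number Tracker & Locator",
}

# Constructed sample of `adb shell pm list packages` output. It mixes the
# plain form with the `-f` form ("<apk path>=<package>") and CRLF endings.
SAMPLE_PM_OUTPUT = (
    "package:/data/app/~~Qx1z==/com.android.chrome-9fK2==/base.apk=com.android.chrome\r\n"
    "package:/data/app/~~aB3d==/com.hoverboard.racing.speed.simulator-Zz0==/base.apk"
    "=com.hoverboard.racing.speed.simulator\r\n"
    "package:com.deleted.photo.recovery\r\n"
    "package:com.example.hoverboardracing\r\n"  # similar name, different package
    "WARNING: linker: constructed noise line\r\n"
    "\r\n"
)


def installed_packages(pm_output):
    """Return the set of package names found in `pm list packages` output."""
    packages = set()
    for raw in pm_output.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue  # skip warnings and blank lines
        entry = line[len("package:"):]
        # With -f the entry is "<apk path>=<package>". The path itself can
        # contain "=", so split on the last one only.
        packages.add(entry.rsplit("=", 1)[-1])
    return packages


def find_simbad(pm_output, blocklist=SIMBAD_PACKAGES):
    """Return sorted (package, app name) pairs that are on the blocklist.

    Matching is exact and case-sensitive: app titles are reused by unrelated
    apps, so only the package name identifies a listed app.
    """
    hits = blocklist.keys() & installed_packages(pm_output)
    return sorted((pkg, blocklist[pkg]) for pkg in hits)


if __name__ == "__main__":
    for pkg, title in find_simbad(SAMPLE_PM_OUTPUT):
        print(f"{pkg}  ({title})  ->  adb uninstall {pkg}")
```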

Malicious and abusive apps in Google Play have been an ongoing problem for years. The company is quick to remove bad apps once they’re reported, but often, by that point, hundreds of millions of users have already been infected. While there’s no sure-fire way to know if a Google Play app is safe, reading user reviews, scrutinizing requested permissions, and avoiding apps from unknown developers or with fewer than 10,000 downloads can often help. When in doubt, or in cases where apps have minimal benefit, it’s best to steer clear.

The original Ghostbusters franchise is getting a new film in 2020

Who ya gonna call? Three of the four original Ghostbusters: Bill Murray, the late Harold Ramis, and Dan Aykroyd.

Fire up your proton packs, people, because there’s going to be another Ghostbusters movie from Sony Pictures, according to Entertainment Weekly. Jason Reitman (Juno, Thank You For Smoking) will direct the new film, which will be set in the same fictional universe as the 1984 original and its sequel—unlike Paul Feig’s 2016 all-female Ghostbusters.

Reitman is a fitting choice, seeing as how he’s the son of Ivan Reitman, director of the 1980s films. You may have glimpsed Jason, his mother, and his sister in the original Ghostbusters, as residents fleeing their haunted skyscraper. Jason even had a line in the 1989 sequel: he was the birthday boy who told the ‘Busters, “My dad says you guys are full of crap.”

Reitman resisted following in his father’s footsteps for years, but it seems he’s finally succumbing to the call. “I’ve always thought of myself as the first Ghostbusters fan, when I was a 6-year-old visiting the set. I wanted to make a movie for all the other fans,” Reitman told EW. “This is the next chapter in the original franchise. It is not a reboot. What happened in the ‘80s happened in the ‘80s, and this is set in the present day.”

Reitman co-wrote the script with Gil Kenan (Monster House), but declined to share any details with EW, preferring to let “the film unwrap like a present.” But there’s bound to be excited speculation about the possibility of original cast members returning. Harold Ramis died in 2014, but Dan Aykroyd, Ernie Hudson, and Bill Murray are still around. Murray had a small role in the 2016 reboot, along with cameos by Sigourney Weaver and Annie Potts (who played the shrill receptionist Vanessa in the original.)

Count me among those who genuinely loved Feig’s 2016 vision (especially the extended director’s cut, which was vastly superior to the theatrical release)—Kate McKinnon as Jillian Holtzmann was a sheer delight and practically stole every scene. I thought the controversy surrounding its all-female cast was ridiculous. Reitman is a fan too. “I have so much respect for what Paul created with those brilliant actresses and would love to see more stories from them,” he said.

Shooting should begin later this year, with a planned release in 2020. But do we really need another Ghostbusters movie, especially since Sony is also developing an animated Ghostbusters film? Reitman certainly thinks so. “The Ghostbusters universe is big enough to hold a lot of different stories,” he said.

Software patents poised to make a comeback under new patent office rules


A landmark 2014 ruling by the Supreme Court called into question the validity of many software patents. In the wake of that ruling, countless broad software patents became invalid, dealing a blow to litigation-happy patent trolls nationwide.

But this week the US Patent and Trademark Office (USPTO) proposed new rules that would make it easier to patent software. If those rules take effect, it could take us back to the bad old days when it was easy to get broad software patents—and to sue companies that accidentally infringe them.

The Federal Circuit Appeals Court is the nation’s highest patent court below the Supreme Court, and it is notoriously patent friendly. Ever since the Supreme Court’s 2014 ruling, known as Alice v. CLS Bank, the Federal Circuit has worked to blunt the ruling’s impact. In a 2016 ruling called Enfish, the Federal Circuit took a single sentence from the Supreme Court’s 2014 ruling and used it as the legal foundation for approving more software patents.

This legal theory, known as the “technical effects doctrine,” holds that software that improves the functioning of a computer should be eligible for a patent. A version of this rule has long held sway in Europe, but it has only recently started to have an impact in US law.

This week, the Patent Office published a new draft of the section on examining software and other potentially abstract ideas in its Manual of Patent Examination Procedure (MPEP). This is the official document that helps patent examiners understand and interpret relevant legal principles. The latest version, drawing on recent Federal Circuit rulings, includes far tighter restrictions on what may be excluded from patentability.

This matters because there’s significant evidence that the proliferation of software patents during the 1990s and 2000s had a detrimental impact on innovation—precisely the opposite of how patents are supposed to work.

In the decade before 2014, a growing army of patent trolls were acquiring broad, vague software patents and using them to demand big payments from companies producing actual products. One 2012 study estimated that this kind of thing cost the economy $29 billion per year.

Another researcher calculated that 60 percent of the patent troll revenue came from patents related to software and high tech, with the especially aggressive cases focused on pure software: 115 lawsuits against 435 defendants for a patent for “Associating online information with geographic areas,” 106 defendants threatened with a patent for a “Customer based product design module,” and 79 defendants in a case regarding a “digital fingerprinting” patent.

On the flip side, the argument that without software patents modern tech-based companies can’t thrive seems weaker every day. A 2015 article calculated that 30 percent of billion-dollar startups have zero patents.

How the courts legalized—then limited—software patents

You can't patent drawing blood, but you apparently can patent what might be done with the blood afterward.

The courts have long held that patents can’t claim abstract ideas or laws of nature. And until the 1990s, courts held that most software patents were attempts to claim mathematical algorithms—a kind of abstract idea. But a series of Federal Circuit rulings gradually watered down this rule. By the turn of the century, there were few meaningful limits to patenting software.

The result was a proliferation of patents that soon turned into a proliferation of software-related patent litigation. The Supreme Court had largely given the Federal Circuit a free hand to develop this area of the law in the 1990s and early 2000s. But then the high court started to check the lower court’s work—and it didn’t like what it found.

In 1996, a team at a teaching hospital in Montreal found that the correct dosage for a certain drug could be partially determined by measuring metabolites in the bloodstream and published the results of its research. While this scientific finding couldn’t be patented directly, a company called Prometheus Laboratories sought a patent on the concept of drawing a patient’s blood, measuring the level of the metabolites, and then providing a diagnosis based on the research. They argued that this was a patent on a process, not an abstract idea.

The Patent Office bought this argument, but the Supreme Court didn’t. In a 2012 ruling called Mayo v. Prometheus, the Supreme Court ruled that the patent was claiming the law of nature itself and adding nothing truly inventive.

From this emerged a two-part test for patentability. Here is the MPEP’s summary of what is often now referred to as the Mayo/Alice test:

The first part of the Mayo test is to determine whether the claims are directed to an abstract idea, a law of nature or a natural phenomenon (i.e., a judicial exception).

If the claims are directed to a judicial exception, the second part of the Mayo test is to determine whether the claim recites additional elements that amount to significantly more than the judicial exception. The Supreme Court has described the second part of the test as the search for an ‘inventive concept’.

Back to software: in 2014, the Supreme Court ruled on the case of Alice v CLS Bank regarding a stock computer on which is loaded software to facilitate trades with a third-party intermediary. Their opinion directly applied the Mayo test: like the research result with a blood test tacked on, the technical details of the Alice software patent were really just a fig leaf over a claim on an abstract concept:

Viewed as a whole, petitioner’s method claims simply recite the concept of intermediated settlement as performed by a generic computer. The method claims do not, for example, purport to improve the functioning of the computer itself or effect an improvement in any other technology or technical field. An instruction to apply the abstract idea of intermediated settlement using some unspecified, generic computer is not “enough” to transform the abstract idea into a patent-eligible invention.

This seemed to be a real blow against all those patent claims for taking a business and doing it on the Internet and possibly any claim for pure software without new hardware. Software patent supporters feared—and opponents hoped—that the Alice ruling could lead to wholesale invalidation of software patents. And these hopes and fears were partially realized: in the months after the Alice decision, a lot of software patents were declared invalid by lower courts. This had an immediate effect on the patent trolls’ favorite strategy, because their nastygrams to businesses of the form “we will win eventually in court so you might as well spare the effort and pay now” lost credibility.

But software patent owners had a powerful ally in the Federal Circuit, which is responsible for interpreting and fleshing out the Supreme Court’s rulings. The Federal Circuit is more favorable to software patents, and since 2014 it has interpreted the high court’s rulings in a way that limits the Alice decision’s impact on software patent holders.

Conservation of energy used to parallelize quantum key distribution


It has been a while since I wrote about quantum key distribution. Once a technology is commercially available, my interest starts to fade. But commercial availability in this case hasn’t meant widespread use. Quantum key distribution has ended up a niche market because creating shared keys with it for more than one connection using a single device is so difficult.

That may all change now with a very inventive solution that makes use of all the best things: lasers, nonlinear optics, and conservation of energy.

Quantum key distribution in less than 500 words

The goal of quantum key distribution is to generate a random number that is securely shared between two people, always termed Alice and Bob. The shared random number is then used to seed classical encryption algorithms.

The rules of quantum mechanics are what allow Alice and Bob to securely generate a shared random number. The process looks like the following: Alice generates a photon via two decisions made randomly. The first is the orientation of a measuring apparatus—vertical/horizontal or diagonal/anti-diagonal. The second is which axis the photon is polarized along—polarization is the spatial orientation of the electric field of the photon. That leaves the photon in one of four possible states, which we will call horizontal, vertical, diagonal, and anti-diagonal.

Bob does not know the settings that Alice has used and can only make a random choice for the orientation of his measurement apparatus: horizontal/vertical or diagonal/anti-diagonal. Bob ends up with a string of horizontal, vertical, diagonal, and anti-diagonal measurement results (one for each photon that Alice sends).

To understand how to make sense of these results, consider two cases: Alice sets her apparatus to horizontal/vertical and sends a vertically polarized photon. Bob sets his apparatus to horizontal/vertical and measures a vertically polarized photon. Everything is entirely predictable.

For the next photon, Alice sets her apparatus to horizontal/vertical and sends a horizontally polarized photon. But Bob has set his apparatus to diagonal/anti-diagonal. In this case, the photon sets off one of the detectors at random. Nothing is predictable.

To make sense of these results, Bob and Alice share the orientation settings of their apparatus but keep everything else secret. When they happen to have the same settings, Alice and Bob know that the measurements they made of the polarization of the photon will agree. All the other results are thrown out. The randomly generated polarization settings and measurements have generated a shared random number without the actual number being transmitted.
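The exchange described above, simulated as an added example (not code from the original article or from the researchers). It goes one step beyond the text by adding an intercept-and-resend eavesdropper, so the effect on the sifted key can be measured; the 5 percent abort threshold and the sample size are assumptions chosen for the demonstration.

```python
"""Toy simulation of the key exchange: random bases, sifting, error check."""
import random

BASES = ("+", "x")  # "+": horizontal/vertical, "x": diagonal/anti-diagonal


def measure(bit, photon_basis, detector_basis, rng):
    """Matching basis: the result is predictable. Otherwise it is random."""
    return bit if photon_basis == detector_basis else rng.randrange(2)


def exchange(n_photons, eavesdropper=False, seed=1):
    """Return (alice_key, bob_key) after sifting on matching bases."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        # Alice's two random decisions: apparatus orientation and polarization.
        a_basis, a_bit = rng.choice(BASES), rng.randrange(2)
        basis, bit = a_basis, a_bit
        if eavesdropper:
            # An eavesdropper must also guess a basis, and the photon she
            # passes on carries her basis, not Alice's.
            e_basis = rng.choice(BASES)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        b_basis = rng.choice(BASES)
        b_bit = measure(bit, basis, b_basis, rng)
        # Only the orientation settings are compared in public; results
        # from mismatched settings are thrown out.
        if a_basis == b_basis:
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    return alice_key, bob_key


def error_rate(alice_key, bob_key):
    """Fraction of sifted positions where Alice and Bob disagree."""
    if not alice_key:
        raise ValueError("no sifted bits to compare")
    return sum(a != b for a, b in zip(alice_key, bob_key)) / len(alice_key)


def verify_and_trim(alice_key, bob_key, sample_size, max_error=0.05, seed=2):
    """Publicly compare a random sample of the sifted key.

    Returns None (abort) if the sample shows too many errors, otherwise the
    remaining bits, which were never revealed. max_error is an assumed value.
    """
    if sample_size >= len(alice_key):
        raise ValueError("sample would reveal the whole key")
    rng = random.Random(seed)
    revealed = set(rng.sample(range(len(alice_key)), sample_size))
    errors = sum(alice_key[i] != bob_key[i] for i in revealed)
    if errors / sample_size > max_error:
        return None
    return [bit for i, bit in enumerate(alice_key) if i not in revealed]


if __name__ == "__main__":
    for eve in (False, True):
        a, b = exchange(4000, eavesdropper=eve)
        kept = verify_and_trim(a, b, sample_size=200)
        print(f"eavesdropper={eve}: sifted={len(a)} "
              f"error_rate={error_rate(a, b):.3f} accepted={kept is not None}")
```

Without an eavesdropper the sifted keys agree exactly; with one, about a quarter of the sifted bits disagree, because she picks the wrong orientation half the time and Bob's result is then random.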

Conservation of energy spreads your secret

One of the key points of the distribution system above is that there are only two parties: Alice and Bob. Adding a third would mean that both Alice and Bob have to have a separate connection to the third party and generate another key. The equipment overhead makes that undesirable. This is where the latest bit of research comes in.

Before we get to the key generation and distribution part, let’s talk about the physical network that connects the parties together. Let’s imagine we have four parties: Alice, Bob, Chloe, and Dave, all of whom wish to have pair-wise encrypted communication. Each receiver is fed by a single optical fiber, but each fiber carries multiple signals using different wavelength channels. Thanks to this capacity, any two of the above group (say, Dave and Chloe) have a pair of channels that are unique to them.

The channels are filled in a very clever way. Alice has a device that generates pairs of photons. These photons are generated by splitting an incoming photon from a laser. The splitting process pairs up the photon’s polarizations (the technical term is entangled). We can then use conservation of energy to divide up the photon pairs among the channels.

Maybe an example is easiest. If the incoming laser has a wavelength of 775 nanometers and the photon split produces a photon with a wavelength of 1,544.5 nanometers (in this system, that corresponds to channel 41), then the second photon must have a wavelength of 1,555.5 nanometers (which is channel 27). If Alice measures on channel 41 and Bob measures on channel 27, they are measuring a pair of photons that were created together. Given a clever assignment scheme, we can ensure that each pair of receivers in the network has a unique pair of channels and so is always measuring photons created together.

The rest of the process relies on the same method described above to create a secure random number. Critically, by keeping track of the channels used, it’s possible to have a single apparatus handle creating random numbers for multiple pairs of devices.
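The channel bookkeeping described above, as an added example (not the researchers' code). It assumes the channels are evenly spaced in frequency, so partner channel numbers always add up to the same constant (41 + 27 = 68 in the article's example); the descending assignment order and the function names are hypothetical.

```python
"""Pair-wise channel plan for a four-party network fed by one photon source."""
from itertools import combinations


def partner_wavelength_nm(pump_nm, photon_nm):
    """Energy conservation: 1/pump = 1/photon + 1/partner (energy ~ 1/wavelength)."""
    if photon_nm <= pump_nm:
        raise ValueError("a split photon must have a longer wavelength than the pump")
    return 1.0 / (1.0 / pump_nm - 1.0 / photon_nm)


def allocate_channels(users, channel_sum=68, first_high=41):
    """Give every pair of users its own pair of partner channels.

    Returns (plan, per_user): plan maps (user_a, user_b) to the two channels
    carrying photons created together; per_user lists the channels that are
    multiplexed onto each user's single fiber.
    """
    plan = {}
    per_user = {user: [] for user in users}
    for k, (u, v) in enumerate(combinations(users, 2)):
        high = first_high - k        # hypothetical numbering order
        low = channel_sum - high     # partner fixed by energy conservation
        if high <= low:
            raise ValueError("ran out of channel pairs for this many users")
        plan[(u, v)] = (high, low)
        per_user[u].append(high)
        per_user[v].append(low)
    return plan, per_user


def link_for_channels(plan, ch_a, ch_b):
    """Which pair of users owns detections on these two channels, if any."""
    for link, channels in plan.items():
        if {ch_a, ch_b} == set(channels):
            return link
    return None  # the two channels do not carry photons created together


if __name__ == "__main__":
    print(f"partner of 1544.5 nm: {partner_wavelength_nm(775, 1544.5):.1f} nm")
    plan, per_user = allocate_channels(["Alice", "Bob", "Chloe", "Dave"])
    for link, channels in plan.items():
        print(link, channels)
    print(per_user)
```

Four users need six links and therefore twelve distinct channels, three per fiber; no channel appears in more than one link, which is what keeps each key private to its pair.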

Open secrets

No one else inside or outside the network knows that number. Indeed, if someone on the network were to measure the photons in either of those channels, doing so would disrupt the measurement process and reveal the eavesdropper’s presence (in practice, the eavesdropper is revealed by errors in the key generation process).

Splitting off the channels at the receiver end is not even necessary. Each receiver is connected via a length of fiber that is, in general, unique. So, the photon pairs have unique arrival times. By synchronizing the detectors, the different channels can be separated. This makes the receiver setup identical to that for a simple pair-wise quantum key distribution link.

In addition to being slow, the researchers’ system has a serious disadvantage. In commercial systems, we cheat. Instead of a true single-photon source, we use very weak laser light: a mostly single-photon source. This weakens the key generation process a little but reduces the cost a lot. In this system, it is absolutely critical that pairs of entangled photons are generated, meaning that each network requires a highly stabilized laser and a delicate nonlinear optical device. As much as I love me some delicate nonlinear optical devices, I am not sure anyone else does.

Nature, 2018, DOI: 10.1038/s41586-018-0766-y

Microsoft adds Dark Mode support and more to Office 365 for Mac

Microsoft has released version 16.20.18120801 of Office 365 for the Mac platform, bringing support for a couple of key Mac features introduced in September’s macOS 10.14 Mojave release, as well as a number of small features and user experience improvements not related to Mojave.

The headline feature is, of course, dark mode support, which requires Mojave to work. Word, Excel, PowerPoint, and Outlook all support Mojave’s dark theme. Also related to Mojave, you can now use Apple’s Continuity Camera feature to insert a photo directly from your iPhone’s photos to a slide in PowerPoint.

The process for Continuity Camera is outlined in Microsoft’s support documents thusly:

  • Take a photo and then add it.
  • Open an editable document on your Mac in PowerPoint.
  • Select where you want to insert the photo by control-clicking in the document.
  • Under the name of the iOS device you’ll use to take the photo, select Take Photo.
  • On your iOS device, the camera app opens. Take a photo with it.
  • If you’re satisfied with the captured image, tap Use Photo. (Or, if you want to try again, tap Retake.)
  • After a moment, the photo is inserted in the document on your Mac. You may now style, move, or resize it in any way you like.

It still faces the same limitations that we noted in our macOS Mojave review. As Ars contributor Andrew Cunningham noted:

You can only take standard photos—no square mode, no video modes, no filters, no HDR or Live Photo options—images are always sent to your Mac as jpegs rather than HEIF files to maximize compatibility, and images are saved at a lower-than-native resolution with the phone’s EXIF data stripped out.

Most of the notable additions that don’t require Mojave are for Outlook. You can click on a meeting event in your calendar to see a list of attendees or disable forwarding of meeting invites by attendees to keep your meetings from ballooning to include people you don’t want. There’s also support for creating Microsoft Teams meetings directly from Outlook, the ability to share your calendar with other people, and a new multiple-time-zone view for the calendar for up to three time zones.

Microsoft also expanded the proofreading tools in PowerPoint with grammar suggestions. In Microsoft Word, you can now check a box labeled “Embed fonts in file” to make sure that your document looks as intended on the computers it’s viewed on, even if the target computer didn’t already have all the necessary fonts. This feature was already added to PowerPoint back in September.

Microsoft has updated Office 365 for Mac monthly for some time. Last month, the company added Web picture support directly in Word, Excel, and PowerPoint; new mail encryption features for Outlook; and a new view in PowerPoint, called “summary zoom.”

However, some major changes, like a total overhaul and redesign of Outlook, are still pending in future updates.


Testing the first commercial VPN provider to offer WireGuard connectivity

We don't recommend specific VPN solutions, but we sure like analyzing them.

Following our earlier WireGuard coverage, commercial VPN provider IVPN’s chief marketing officer reached out to me to let me know his company was adding WireGuard support to its offering and asked if I’d be interested in covering the launch. Honestly, I planned to brush him off—there are a million VPN providers out there, and at least 999,000 of them are pretty shady—so I answered with a quick, dirty trick question: what are you doing on the Windows side?

Viktor surprised me with a picture-perfect answer that ruined my plans to get rid of him fast:

Since there is no official support for Windows by WireGuard and they advise against any non-official implementation as per https://www.wireguard.com/install/, we are launching this beta without Windows support […] We are in contact with the author however and aim to integrate it first thing as they release a package for Windows (they are working on it).
Viktor Vecsei, IVPN CMO

The official Ars stance on VPN recommendations is that we can’t recommend anyone whose policies we can’t independently verify and whose log retention we can’t audit ourselves. This sounds like a cop-out from having to make a recommendation, but this is a service that readers will likely be putting a significant amount of trust in, and it would be irresponsible to give a recommendation that important without being able to provide assurances.

And to be very clear, we are still not recommending either IVPN or any other commercial VPN provider directly—but knowing and respecting the WireGuard project’s official guidelines, even when that meant minimizing the impact of its own product launch, made me a lot more interested in taking a look at what IVPN is doing.

Fantastic tunnels and where you can find them

IVPN isn’t the first commercial VPN provider to offer WireGuard connectivity. To the best of my knowledge, that would be a widely respected and unusually tech-friendly Swedish provider, Mullvad, which began offering WireGuard support almost a year ago. What makes IVPN’s WireGuard support launch news despite being a year behind Mullvad? Simplicity. While Mullvad (and another Swedish provider, AzireVPN) will offer you a working key that you can use with your own WireGuard client and config files, IVPN is offering you a dead-simple, user-friendly, tap-it-and-it-works application requiring no personal technical ability from the end user.

The sharper-eyed among you might notice something else IVPN is bringing to the table, and it’s a doozy: the first widely available iOS implementation of WireGuard. WireGuard’s Jason Donenfeld has had iOS client code in his Git repo for some time now, but for most of us, that’s been a purely academic curiosity—getting a non-Apple-approved app running on iOS is a non-trivial task, much more difficult than side-loading APKs on an Android device. Donenfeld made a TestFlight release for the stock WireGuard iOS app available in November. The release cut down the difficulty of getting the code working on an iPhone or iPad considerably, but IVPN’s effort is still the only WG client available in the App Store itself.

This brings the list of WireGuard-supported platforms out to, effectively, “everything but Windows.” IVPN itself offers support in its easy-mode app for macOS, Android, and iOS (all of which I directly tested). It also offers basic “here’s your key” support for Linux, BSD, or any other platform that you’ve got your own working WireGuard client running on.

I also tested IVPN’s WireGuard functionality on a Linux workstation—it worked fine, which wasn’t a surprise; what was a mild surprise was that IVPN’s framework still made the process a touch quicker and easier than rolling my own. In your own “clientarea” on IVPN’s website, you can feed it a public key you generated locally, and it’ll automatically set up everything necessary on the back end for you to connect to. The site will also provide you with a boilerplate WireGuard config file into which you can paste your private key and the IP address the site has given you.

Is it fast?

WireGuard itself has the potential to be faster than IPSec or OpenVPN, especially on slower devices. But in my experience, it isn’t really there yet. To realize the full potential, it’ll need to run in kernel mode instead of user mode. That isn’t the case so far on either of the major mobile platforms, whether you’re using Donenfeld’s stock WireGuard app or IVPN’s new easy-mode app.

However, as a pretty heavy VPN user, I’m happy to report that I am already seeing a significant decrease in battery usage. My Huawei MediaPad M5 Android tablet still likes to warn me that WireGuard wakes up the tablet more frequently than it prefers, but I don’t see any significant difference in experienced battery life whether the app is running or not. By contrast, with an OpenVPN tunnel active and significant Web-browsing use, battery life would go down from a couple of days to no more than four or five hours on either the MediaPad M5 or my Pixel 2XL.

Cutting connect times down from 8+ seconds to a tenth of a second feels downright amazing.

WireGuard also still offers near-magical connection times for those who have to make and break their VPN connections frequently. In my experience, OpenVPN and IPSec tunnels generally require somewhere between eight seconds and 30+ seconds to establish a tunnel, during which time the user must twiddle his or her thumbs and stare uncertainly at a very techy-looking dialog. WireGuard, by contrast, connects in 0.2 seconds or less, every time. No scary dialog talking about key exchanges and whether or not the perfect forward secrecy is perfect enough; just tap—connected—done.

Widely used D-Link modem/router under mass attack by potent IoT botnet

Malicious hackers are mass exploiting a critical vulnerability in D-Link DSL routers in an attempt to make them part of Satori, the potent Internet-of-things botnet that’s used to take down websites and mine digital coins, researchers said.

In a blow to e-voting critics, Brazil suspends use of all paper ballots

An electronic voting machine used in Brazil.

In a blow to electronic-voting critics, Brazil’s Supreme Court has suspended the use of all paper ballots in this year’s elections. The ruling means that only electronic ballot boxes will be used, and there will be no voter-verified paper trail that officials can use to check the accuracy of results.

In an 8-2 majority, justices on Wednesday sided with government arguments that the paper trails posed a risk to ballot secrecy, Brazil’s Folha De S.Paulo newspaper reported on Thursday. In so doing, the justices suspended a requirement that 5 percent of Brazil’s ballot boxes this year use paper. That requirement, by Brazil’s Supreme Electoral Court, already represented a major weakening of an election reform bill passed in 2015.

Speaking in support of Wednesday’s decision, Justice Gilmar Mendes equated proponents of voter-verified paper trails to conspiracy theorists.

“After the statements made here [by those who defend paper votes], we have to believe that perhaps we did not actually reach the moon,” Mendes was quoted as saying. “There are beliefs and even a religion around this theme.”

Brazil first introduced the limited use of Direct Recording Electronic voting machines in 1996, ironically in response to regular reports of fraud committed using paper ballots. By 2000, elections were fully electronic. Since then, Brazilian voters have received no paper trail that can be used to audit tallies. The 2015 reform law required, among other things, the use of paper ballots. Brazil’s Supreme Electoral Court had planned to begin phasing in that requirement starting with elections scheduled for October. This week’s Supreme Court decision suspends that deadline.

Computer scientists across the political spectrum have long argued that electronic voting is more susceptible to fraud or glitches than paper ballots. When computers are the sole means used to register a vote, there’s no physical record officials can review later if anomalies are found. That deficiency is largely not found when some form of paper is used. While voting by computer or paper is prone to deliberate tampering or accidents that affect accuracy, electronic voting critics say votes cast by paper, or those that at least leave some form of paper trail, can be verified in ways not possible with votes made solely with computers.

Wednesday’s decision came three months after a team of computer scientists published a research paper that reported a litany of serious technical flaws in Brazil’s current electronic voting system. The vulnerabilities included the hard-coding of cryptographic keys directly into the software, code libraries that were missing digital signatures verifying that they were authentic, and the ability of people with access to the machines to infect them with malicious code.

On Wednesday, one of the coauthors of that paper, Diego F. Aranha of Brazil’s University of Campinas, criticized the suspension.

“Today marks a sad ending to 6 years of hard work to prove our voting system is insecure,” he wrote on Twitter. “I decided to become a scientist with the firm belief that science can change and improve society and the world around us, but maybe I was too naive to think this was possible in Brazil.”

How to protect yourself from megabreaches like the one that hit Ticketfly

A recent hack of ticket-distribution website Ticketfly exposed more than 26 million email addresses, along with home addresses, phone numbers, and first and last names, according to the Have I Been Pwned breach notification service. The intrusion provides the latest reminder that users should provide incorrect or incomplete information to online services whenever possible. More about that later.

The breach was first reported last week by Motherboard, which said the breach was carried out by a hacker who had first offered to provide Ticketfly officials with details of the underlying vulnerability in exchange for one bitcoin, worth roughly $7,500. When the officials didn’t respond, the hacker defaced the site and published the user data online, Motherboard said.

Have I Been Pwned said over the weekend that the data included 26.1 million unique email addresses, names, physical addresses, and phone numbers. It didn’t include password or credit card data. In a blog post, Ticketfly officials said they were in the process of bringing the ticket service back online. Part of that effort involves working with forensic and security experts to investigate the hack and to better secure the new site against similar intrusions.

“We’re rolling out a secure website solution as an alternative to your Ticketfly-powered site to meet your immediate needs,” the post said. “We’ve built a secure, non-WordPress-based website solution with your existing domain, and your site will appear sometime today. We’ll be actively updating your site so that your events will populate and external ticketing links will work. There’s no action for you to take, and we’ll keep you informed as our longer-term website strategy evolves.”

The Ticketfly breach is a good reminder that people should avoid providing services with personal information whenever possible. Ticketfly requires that users provide a full name, billing address, and phone number when using a credit card to buy tickets. But like many services, Ticketfly didn’t check the validity or completeness of most of the information supplied. That made it possible for people to give incomplete addresses and names and list non-existent phone numbers such as 555-1212 and still order tickets.

Some sites are more lenient with incomplete or incorrect information than others. A surprising number of sites will accept completely fictitious addresses such as 123 Any Street. Others will accept a small portion of a correct billing address such as the number portion and the first three or four letters of the street name. Users typically must experiment when using a new site or service to see how many incorrect or incomplete details it will accept.

People should also consider using a separate email address for services they don’t particularly trust to prevent more sensitive email addresses from becoming widely known. Another measure users of Gmail and some other services can take is to append a unique string containing a plus sign and a domain to an existing email address. For instance: dan.goodin+ticketfly.com@arstechnica.com, dan.goodin+amazon.com@arstechnica.com, and so on. It’s never a bad idea to sign up with Have I Been Pwned to get a notification when one of your email addresses has been exposed.

Although the Ticketfly breach didn’t expose password data, many other breaches do, and in many cases weak protections make it trivial for hackers to obtain the underlying plain text. Users should always use a long, randomly generated password that’s unique for each site. Password managers are one of the easiest ways to accomplish this.

Police use of Amazon’s face-recognition service draws privacy warnings

Amazon is actively courting law-enforcement agencies to use a cloud-based facial-recognition service that can identify people in real time, the American Civil Liberties Union reported Tuesday, citing documents obtained from two US departments.

The service, which Amazon markets under the name Rekognition, can recognize as many as 100 people in a single image and can compare images against databases containing tens of millions of faces. Company executives describe deployment by law enforcement agencies as a common use case.

“Cameras all over the city”

Rekognition is already being used by the Orlando Police Department and the Washington County Sheriff’s Office in Oregon, according to documents the ACLU obtained under Freedom of Information requests. Both agencies became customers last year. The entire list of returned documents is here.

Emails and other documents show that Washington County has a database of more than 300,000 mugshots that is indexed by Rekognition. The county obtained a mobile app that allows deputies to query the database by submitting images.

Amazon, meanwhile, is offering free consulting services to build a proof-of-concept implementation of Rekognition for Orlando police. The city’s police chief has praised the arrangement as a “first of its kind public-private partnership.” The ACLU cited this presentation in which an Amazon executive said Orlando officials “have cameras all over the city” that submit images that Rekognition analyzes in real time to track “persons of interest.”

In a post published Tuesday, ACLU officials wrote:

With Rekognition, a government can now build a system to automate the identification and tracking of anyone. If police body cameras, for example, were outfitted with facial recognition, devices intended for officer transparency and accountability would further transform into surveillance machines aimed at the public. With this technology, police would be able to determine who attends protests. ICE could seek to continuously monitor immigrants as they embark on new lives. Cities might routinely track their own residents, whether they have reason to suspect criminal activity or not. As with other surveillance technologies, these systems are certain to be disproportionately aimed at minority communities.

The ACLU and more than two dozen other civil rights organizations called on Amazon CEO Jeff Bezos to stop selling face-recognition services to government agencies. “We demand that Amazon stop powering a government surveillance infrastructure that poses a grave threat to customers and communities across the country,” officials from the ACLU, Electronic Frontier Foundation, Freedom of the Press Foundation, and Human Rights Watch wrote in a letter. “Amazon should not be in the business of providing surveillance systems like Rekognition to the government.”

In a statement, Amazon officials wrote:

Amazon requires that customers comply with the law and be responsible when they use AWS services. When we find that AWS services are being abused by a customer, we suspend that customer’s right to use our services. Amazon Rekognition is a technology that helps automate recognizing people, objects, and activities in video and photos based on inputs provided by the customer. For example, if the customer provided images of a chair, Rekognition could help find other chair images in a library of photos uploaded by the customer. As a technology, Amazon Rekognition has many useful applications in the real world (e.g., various agencies have used Rekognition to find abducted people, amusement parks use Rekognition to find lost children, the royal wedding that just occurred this past weekend used Rekognition to identify wedding attendees, etc.). And the utility of AI services like this will only increase as more companies start using advanced technologies like Amazon Rekognition. Our quality of life would be much worse today if we outlawed new technology because some people could choose to abuse the technology. Imagine if customers couldn’t buy a computer because it was possible to use that computer for illegal purposes? Like any of our AWS services, we require our customers to comply with the law and be responsible when using Amazon Rekognition.

In an email, an Orlando Police Department representative described the department’s use of Rekognition as a “pilot” to see if the service works as Amazon describes. So far, the city has provided facial imaging for only a “handful” of officers who volunteered to participate in the test. Additionally, Rekognition has access to only eight city-owned cameras.

“We are always looking for new solutions to further our ability to keep the residents and visitors of Orlando safe,” Sergeant Eduardo J. Bernal wrote in the email. “Partnering with innovative companies—like Amazon—to test new technology is one of those innovative ways and how we will continue to ensure we offer the best in tools, training, and technology for the men and women who serve our community to do the best job they can, with the best resources available.”

Representatives for the Washington County Sheriff’s Office didn’t respond to a phone message seeking comment.