Author: Shawn K. Quinn

Rootkits in a keyboard? Really?

A recent ZDNet blog entry mentions probably the most bizarre type of exploit I have ever run across in about a quarter-century of computer use. Apparently, a firmware update for an Apple keyboard can be infected with such things as keystroke loggers and nearly undetectable rootkits.

From the post:

Chen, from the Georgia Institute of Technology, said malicious code embedded into the firmware would be immune to the typical rootkit detection methods which examine the integrity of the filesystem, check for hooks or direct kernel object manipulation, or detect hardware and/or timing discrepancies due to virtualization in the case of a virtual-machine based rootkit.

Now, this may sound pretty damned scary to those of you who usually glaze over the technology-related articles I write and happened to land on this, and yes, it’s pretty scary stuff. What I really find scary about this whole thing, is the question that goes completely unanswered in this article and the other articles I have read about this.

That question is: Why the hell does a keyboard need to have a software-updatable firmware capability to begin with?

The function of a keyboard is so simple that it barely needs to have a microcontroller. There has traditionally been no way for PC keyboards with PS/2 connectors to have their firmware updated. I don’t get why Apple would open up their customers to such a gaping security hole, either knowingly or recklessly.

This security exploit highlights the very real risk of having updatable firmware where it is not needed. If Apple’s engineers get firmware programming wrong to the point where keyboards have to be software updatable, I think a manager at Apple needs to start firing engineers and replacing them with people more capable of doing their jobs in a competent fashion. Unfortunately, I don’t see any revolving door installations happening in Cupertino any time soon, as badly as they may be needed.

FCC takes aim at Apple and AT&T re: Google Voice app rejection

Fred von Lohmann, writing for the EFF Deeplinks blog, reports on the FCC’s investigation regarding the highly dubious and potentially anti-competitive rejection of a Google Voice app for the iPhone.

And my not-so-humble opinion, of course, can be summed up thusly: About damn time. Hopefully, a decision on this will be at least useful as some kind of precedent so that Apple’s out-of-control rejections of iPhone apps are at least reined in a bit.

One of the more interesting quotes from the blog entry:

When a dominant hardware platform vendor teams up with a dominant network services provider, and then selectively blocks or hobbles software applications on the platform, consumers should smell an anticompetitive rat. After all, if Microsoft had a veto right over every app that ran under Windows, and used that power to selectively ban competitors who “duplicate” functionality offered by Microsoft’s own apps, we’d expect competition regulators to be up in arms.

Indeed, even Microsoft knows they would never be able to get away with locking down Windows to the extent Apple has locked down the iPhone platform. Of course, it’s much easier and nowhere near as risky (legally and otherwise) to install an alternative operating system on a PC compared to jailbreaking an iPhone.

Hopefully, the FCC will see Apple’s shenanigans for what they are: anticompetitive, unfair, and unacceptable.

The creepiest phone company

Recently, I read a Computer World blog entry on Google Voice, which is Google’s entry into the VoIP telephone service arena.

At the surface, it looks pretty innocuous: a free phone number complete with voicemail and free domestic long-distance dialing. Dig a little deeper, and the disturbing part sinks in. Quoting the article:

Google already has a profile about your interests and surfing habits. If you use Gmail, it examines the content of your mail as a way to target ads. With Google Voice, it will know who you’re talking to, and when you’re talking to them — and will have records of your voice mail, and possibly recordings of your actual calls themselves.

The traffic analysis (call records, i.e., who is calling whom, when, and for how long) is scary enough by itself. The “free” transcription of voicemails, offered by a company called Google, is probably the creepiest thing I have come across in my entire time in cyberspace. Quite possibly it exists to serve Google’s self-interest as much as that of Google Voice users.

An anonymous commenter opines:

Am I worried? No. Why? Because we have laws in place to protect us against the misuse of that information. Frankly, I’d much rather have Google know more about my habits. That way when someone does steal my identity and try to use it maliciously (something that is much more likely to happen then a company using my information maliciously) it’ll be a piece of cake to prove that they are not me.

My response to this is simple. We cannot rely entirely on the law to protect us against misuse of information. A company whose entire reason for existence revolves around indexing data and making it available is not a company I will easily trust with my telephone calling habits. It’s scary enough that Google has developed a mobile phone OS and has used the words “open source” enough in the description of that OS while still failing the criteria for free software as it relates to the SDK (software development kit).

There is a huge difference, now more than ever, with free as in freedom, and
free meaning zero monetary cost.

The part I find scariest is that there is no way to tell a Google Voice number apart from a number whose usage is NOGDB (None Of Google’s Damn Business). At least the people that run, say, AT&T know how to maintain the privacy of a telephone network. I feel somewhat comfortable trusting AT&T with my telephone traffic. I don’t think I’ll ever be that comfortable placing that level of trust in Google. Here’s hoping the FCC, DOC, and equivalent agencies worldwide keep a close eye on them.

Apple demands silence from exploding iPod victims

Yet another censorship-related story: The London Times reported on the case of a father and daughter seeking a refund from Apple for an iPod which literally exploded after the father accidentally dropped it. The drop apparently set off an electrical and/or chemical reaction which caused the device to explode going several feet into the air.

After contacting both Apple and the UK electronics store Argos, Ken Stanborough finally got through to an executive from Apple. The company then sent a letter to the Stanboroughs, which offered a refund but did not accept liability. The disturbing part, however, are the strings attached to the refund. From the article:

The letter also stated that, in accepting the money, Mr Stanborough was to “agree that you will keep the terms and existence of this settlement agreement completely confidential”, and that any breach of confidentiality “may result in Apple seeking injunctive relief, damages and legal costs against the defaulting persons or parties”.

“I thought it was a very disturbing letter,” said Mr Stanborough, who is self-employed and works in electronic security. He refused to sign it.

This is purely shameful conduct on the part of Apple. It is one thing to not own up to a defective and dangerous product; it is another entirely to attempt to silence those who easily could have been injured or possibly even killed by the defect.

Mr. Stanborough did the honorable thing here, refusing the money and telling the story to the public, and he should be commended for that. However, he should not have to choose.

The intentional censorship of stories about a dangerous product is unfair, evil, and unacceptable in decent society.

Simply distasteful: censorship by mutual agreement

Since it looks like I’m on an anti-censorship kick, for better or worse, I offer the following story.

Glenn Greenwald writing for Salon reports on what was originally a New York Times story detailing a highly suspicious agreement between the corporate leadership of both GE and News Corporation, the parent companies of MSNBC and Fox News respectively.

In essence, the chairman of General Electric (which owns MSNBC), Jeffrey Immelt, and the chairman of News Corporation (which owns Fox News), Rupert Murdoch, were brought into a room at a “summit meeting” for CEOs in May, where Charlie Rose tried to engineer an end to the “feud” between MSNBC’s Keith Olbermann and Fox’s Bill O’Reilly. According to the NYT, both CEOs agreed that the dispute was bad for the interests of the corporate parents, and thus agreed to order their news employees to cease attacking each other’s news organizations and employees.

Most notably, the deal wasn’t engineered because of a perception that it was hurting either Olbermann or O’Reilly’s show, or even that it was hurting MSNBC. To the contrary, as Olbermann himself has acknowledged, his battles with O’Reilly have substantially boosted his ratings. The agreement of the corporate CEOs to cease criticizing each other was motivated by the belief that such criticism was hurting the unrelated corporate interests of GE and News Corp:

Note that it is not about ratings. The two companies are engaging in censorious collusion, gagging their respective personalities based purely on corporate interests.

This is corporate sleaziness at its worst. We know damn well MSNBC and other GE-owned networks will be hesitant to report negatively against its corporate parent, and the same for Fox News reporting negatively against its corporate parent.

Most nauseating, would be this quote from Charlie Rose in 2003. The context of this quote is Rose interviewing Amy Goodman, the well-known host of the independent news program Democracy Now! which airs nationwide on Pacifica, a non-profit radio network, and as a TV show on several local cable networks. Rose is responding to Goodman’s explanation of independent news:

ROSE: My point in response to that would be that we do need you… Having said that, I promise you, CBS News and ABC News and NBC News are not influenced by the corporations that may own those companies. Since I know one of them very well and worked for one of them.

Shame on you, Charlie Rose. My outrage at your hypocrisy is only equalled by my disgust at the fact you make absolutely no attempt to hide it.

Glenn Greenwald goes into further detail about GE’s control of NBC and MSNBC. Most of it is more of the same but one highlight of this second article is a quote from Gary Sheffer:

“We all recognize that a certain level of civility needed to be introduced into the public discussion,” Gary Sheffer, a spokesman for G.E., said this week. “We’re happy that has happened.”

Civility? There’s nothing civil about censorship for greed, censorship to keep the stockholders happy. At the end of the day, news organizations exist to report news to the people, not to make money for the shareholders of their corporate parents.

For the benefit of some new readers of the blog I may have picked up in the last couple of weeks: censorship is one of my pet peeves, and the archives speak for themselves. If you have not already, please take a look.