University of Washington DNA Sequencing Security Study | University of Washington

Frequently-Asked Questions (FAQ)
Computer Security and Privacy in DNA Sequencing
Paul G. Allen School of Computer Science & Engineering, University of Washington

tl;dr → it’s a bug report on fqzcomp, fqzcomp-4.6, wrapped in some lab work, wrapped in a scare piece wrapped in an academic paper. It mentions DNA, people are made of DNA, YOU are made of DNA.

  • In the future, everyone will be famous for fifteen minutes.
    • They did it for the lulz, and the whuffie.
    • They did it for the FUD.
  • They are frontrunning the presentation of the paper at the conference site in Vancouver, CA
  • But there is nothing to worry about.
    • Really.
    • No, Really.
    • And they’ve already contacted the project sponsors with their work product.
However

Today’s theoretical demonstrations are tomorrow’s practice.

Original Sources

Ney, Koscher, Organick, Creze, Kohno; Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More; In Proceedings of the USENIX Security Symposium; 2017-08-16; 15 pages.

Concept

  • They created DNA with particular patterns.
  • They used buffer overflows in C & C++ programs.
  • FASTQ, a data format.
  • /dev/tcp accessed via bash

Quotes

  • <quote>Although used broadly by biology researchers, many of these programs are written by small research groups and thus have likely not been subjected to serious adversarial pressure.</quote>
  • <quote><snip/> copied fqzcomp from SourceForge and inserted a vulnerability into version 4.6 of its source code; a function that processes and compresses DNA reads individually, using a fixed-size buffer to store the compressed data.</quote>
  • <quote>Our second exploit attempt uses an obscure feature of bash, which exposes virtual /dev/tcp devices that create TCP/IP connections. We use this feature to redirect stdin and stdout of /bin/sh to a TCP/IP socket, which connects back to our server.</quote>
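An added example, not code from the paper, from fqzcomp or from its authors: a bounds-checked FASTQ record parser in C, showing the length check that the fixed-size-buffer bug quoted above lacked. READ_MAX, the four-line record checks and the negative return codes are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define READ_MAX 16   /* constructed, deliberately small read-length limit */

typedef struct {
    char seq[READ_MAX + 1];   /* bases, NUL-terminated */
    char qual[READ_MAX + 1];  /* per-base quality characters */
    size_t len;
} fastq_read;

/* Copy the line at *p (up to '\n') into dst only if it fits in cap bytes.
 * Returns the line length, or -1 for an empty line or one that would not
 * fit: the length is checked before a single byte is written. */
static long take_line(const char **p, char *dst, size_t cap)
{
    const char *s = *p, *nl = strchr(s, '\n');
    size_t n = nl ? (size_t)(nl - s) : strlen(s);
    if (n == 0 || n > cap) return -1;
    memcpy(dst, s, n);
    dst[n] = '\0';
    *p = nl ? nl + 1 : s + n;
    return (long)n;
}

/* Parse one four-line FASTQ record (@id / bases / + / qualities). Returns 0
 * on success or a negative code for the first violation; the fixed-size
 * fields in *out are never written past their bounds. */
int parse_fastq_record(const char *rec, fastq_read *out)
{
    char hdr[256], sep[256];
    const char *p = rec;
    long n;
    if (take_line(&p, hdr, sizeof hdr - 1) < 0 || hdr[0] != '@') return -1;
    if ((n = take_line(&p, out->seq, READ_MAX)) < 0) return -2;  /* read too long */
    for (long i = 0; i < n; i++)
        if (!strchr("ACGTN", out->seq[i])) return -3;             /* not a base */
    if (take_line(&p, sep, sizeof sep - 1) < 0 || sep[0] != '+') return -4;
    if (take_line(&p, out->qual, READ_MAX) != n) return -5;       /* length mismatch */
    out->len = (size_t)n;
    return 0;
}

/* Validate a record without keeping the parsed read. */
int validate_fastq(const char *rec)
{
    fastq_read r;
    return parse_fastq_record(rec, &r);
}
```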

Moral

The “research” coders do not validate their inputs; they use whatever computer tools are handy for their purpose. Their purpose is to publish papers in their field of study. Their code works just well enough; it is MVP for an MPU. Those “researchers” who do validate their inputs, who do test their code, who do read CVE notices, who do remediate latent vulnerabilities aren’t researchers at all. They are drone coders in an on-time-under-budget, time & materials IT shop. “We” need such people and such skill is a valued trade craft by which to make an honorable living.  But such activity is Not New. It is not The Research.

Surprise, Echo Owners, You’re Now Part of Amazon’s Random Social Network | Gizmodo

Surprise, Echo Owners, You’re Now Part of Amazon’s Random Social Network; Kashmir Hill; In Gizmodo; 2017-07-19.

Mentions

  • Amazon Echo
  • Amazon Alexa
  • Google Search
  • Google Voice Search
  • Alexa & Echo becomes a 1980s-style answering machine.
  • Internet of [Consumer] Things
  • late-binding software updates can “change behavior”
  • something about ex-boyfriends.
  • <handwringing>context collapse</handwringing>
  • <handwringing>A hacker could find out…</handwringing>
  • Denegotiating (Opt Out) requires calling Amazon Customer Service.

Time Line

2014
first release 2014.
2017-05
  • force-placed software update
  • features
    • Drop In
    • Alexa Calling and Messaging

Referenced

In rough order of appearance

Roundup: Roomba selling indoor mapping data

In archaeological order, derivatives & summarizations on top, original work lower down.

Mentions

  • iRobot creates cloud sharing
  • data is stored in the cloud.
  • iRobot has independent use rights to the data produced by you.

Who

  • Colin Angle, CEO, iRobot.

Quoted

<quote>[We may share your personal information with] other parties in connection with any company transaction, such as a merger, sale of all or a portion of company assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business by another company or third party or in the event of bankruptcy or related or similar proceeding.</quote>
Via: privacy policy, iRobot

Original Sources

iRobot Roomba
Dyson

Previously

Can the Tech Giants Be Stopped? | WSJ

Can the Tech Giants Be Stopped?; Jonathan Taplin; In The Wall Street Journal (WSJ); 2017-07-14.
Teaser: Google, Facebook, Amazon and other tech behemoths are transforming the U.S. economy and labor market, with scant public debate or scrutiny. Changing course won’t be easy.

tl;dr → No, via Betteridge’s Law. Regulation is indicated. See book, nearby. 2200 words.

Jonathan Taplin is

  • the director emeritus, Annenberg Innovation Lab, University of Southern California
  • Move Fast and Break Things: How Facebook, Google and Amazon Cornered Culture and Undermined Democracy; Little, Brown and Company; 2017-04-18; 320 pages; Amazon:0316275778

Scope
  • Amazon
  • Apple
  • Facebook
  • Google
  • Microsoft

Mentions

  • The creative economy
  • Something about job loss unto the mid- hundreds-of-thousands.
  • Flying cars, self-driving cars.
  • <paraphrase>calm down</paraphrase>, attributed to Marc Andreessen at Code Conference, CA, WHEN?,
  • <trite>Who will win<snip/>only time will tell.</trite>
  • Claim: 2004-08 started the problem.
    Google raised $1.9 billion in its initial public offering.
    A tale of search market share increase for Google, decline for everyone else follows.
  • Recording Industry Association of America
  • News Media Alliance
    • newspapers
    • U.S. and Canada
    • 2017-07
    • wants an anti-trust exemption
  • Viewability.
  • Fake News
  • voice-activated “personal assistants”
  • Silicon Valley is considering the moral framework of the digital revolution.

Product Lines

Almost all of these aren’t even yet lines of business, not really. They are research or vanity hobbies of interest to the founders.

Fitbit

Still a going concern?

Facebook

  • Instagram
  • Messenger
  • “optical neuroimaging systems,” a brain-computer interface, type-by-thinking.
  • WhatsApp

Google Alphabet

  • AdSense
  • Android (Phone)
  • Android Wear
  • Assistant
  • Home
  • Mail (Gmail)
  • Verily (ex- Google Life Sciences)
  • Waymo

Nostrum

“There is a role for government here”
<quote>The astonishing technological revolution of the past half-century would never have occurred without the impetus of three seminal antitrust prosecutions. </quote>

1956 → AT&T, a consent decree compelling Bell Labs to license its patents
Licensees

  • Comsat,
  • Fairchild Semiconductor,
  • Intel,
  • Motorola,
  • Texas Instruments.
1970s → Justice Department versus IBM
The government did not prevail in 13 years. IBM consented to software portability. IBM created Microsoft.
1998 → Justice Department versus Microsoft
Question: must the Windows product design require consumers to use Internet Explorer?
Settlement: allowed Google to exist.

Who

  • Mike Allen, reporter, Axios, “thinkpieces”
  • Paul Allen
  • Marc Andreessen
  • Bill Gates
  • Robert Gorwa
    • staff, Project on Computational Propaganda, University of Oxford.
  • Philip N. Howard
    • staff, Internet Studies, Oxford Internet Institute
    • professor, Balliol College at the University of Oxford
  • Kevin Kelly,
    the founding editor, Wired
  • Kai-Fu Lee,
    attributed as “AI venture capitalist”
  • Steven Mnuchin,
    Secretary of the Treasury
  • Ayn Rand,
    theorist, libertarianism; a scrivener, the ghost of.

Referenced

In archaeological order…

Previously

In arbitrary order…

Related Reading

More Saturday Essays

Rarely Patched Software Bugs in Home Routers Cripple Security | WSJ

Rarely Patched Software Bugs in Home Routers Cripple Security; Jennifer Valentino-DeVries; In The Wall Street Journal (WSJ); 2016-01-18.
Teaser: Wi-Fi devices, vulnerable to hackers, show difficulty of updating software after release

Mentions

  • pro bono work
    “security research”
    • Rapid7
  • Perpetrators
    • Allegro Software Development Corp.
    • MediaTek, Inc.
    • Huawei Technologies Co.,
    • TP-Link Technologies Co.
  • Offenses
    • Misfortune Cookie, a vulnerability
    • The Moon, a worm

Targets

  • D-Link
    • a router
  • Google
    • Android
  • Linksys, of Cisco/Belkin International Inc.
    • Linksys E1200 N300
  • Mozilla
    • Firefox
  • Microsoft
    • Windows
    • Xbox
  • Netgear Inc.
    • some router
  • Sony
    • PlayStation

Quoted

  • Tod Beardsley, staff, Rapid7
  • Alastair Beresford, professor, Cambridge University.
  • Eric Kobrin, director of information security, Akamai Technologies Inc.
  • Alan Paller, founder, research director, SANS Institute.
  • Shahar Tal, ex-staff, Check Point Software Technologies Ltd.

Referenced

Previously

In The Wall Street Journal (WSJ)

The Future of Public Wi-Fi: What to Do Before Using Free, Fast Hot Spots | WSJ

The Future of Public Wi-Fi: What to Do Before Using Free, Fast Hot Spots; Joanna Stern; In The Wall Street Journal (WSJ); 2016-01-19.
Teaser: Like New York, cities all over are getting speedy public Wi-Fi, but proceed with caution

tl;dr → PassPoint, Gee Whiz!, blazing fast, dizzying fast; yet dangerous, use a VPN, use TLS/SSL.

Mentions

  • LinkNYC
  • CityBridge
  • Advertising-supported phone booths.
  • Similar systems
  • Technology
    • Passpoint
    • <quote>Passpoint, which is sometimes referred to as Hotspot 2.0.</quote>
    • <quote>When you first join a Passpoint network, you’re required to download a small file called a profile to your phone, tablet or laptop. The network will use it to ID you every time you’ve come back in range of the network. Most new operating systems support Passpoint.</quote>
    • Passpoint uses the same WPA2-encryption as your home or office’s network.

Quoted

For color, background & verisimilitude

  • Mark Wuergler, staff, Immunity.
  • Geoffrey A. Fowler, reporter, Wall Street Journal (WSJ)

Previously

In The Wall Street Journal (WSJ)

Covert Communication in Mobile Applications | Rubin, Gordon, Nguyen, Rinard

Julia Rubin, Michael I. Gordon, Nguyen Nguyen, Martin Rinard; Covert Communication in Mobile Applications; In Some Venue; 2015-11; 11 pages.

tl;dr → any communication, which when blocked, still allows the application to function is covert communication.

Abstract

This paper studies communication patterns in mobile applications. Our analysis shows that 63% of the external communication made by top-popular free Android applications from Google Play has no effect on the user-observable application functionality. To detect such covert communication in an efficient manner, we propose a highly precise and scalable static analysis technique: it achieves 93% precision and 61% recall compared to the empirically determined “ground truth”, and runs in a matter of a few minutes. Furthermore, according to human evaluators, in 42 out of 47 cases, disabling connections deemed covert by our analysis leaves the delivered application experience either completely intact or with only insignificant interference. We conclude that our technique is effective for identifying and disabling covert communication. We then use it to investigate communication patterns in the 500 top-popular applications from Google Play.

Mentions

  • Definitions
    • overt communications → if the app failed when this communication channel was blocked.
    • covert communications → if the app still worked when this channel was blocked
  • Advertising & Analytics (A&A)
  • Therefore this definition covers
    • advertising
    • analytics
    • crash reporting
    • tracking

Promotions

  • Android battery drain woes? Covert app chatter could be to blame; In ZDNet; 2015-11-20.
    Teaser: It’s not clear why Android apps do so much covert chatting with remote servers, especially as there’s nothing in it for the smartphone’s owner.
  • What are your apps hiding?; Larry Hardesty; press release; Massachusetts Institute of Technology (MIT); 2015-11-19.
    Teaser: Half of the communication connections established by the top 500 Android apps have no effect on user experience.

Your Phone Is Listening—Literally Listening—to Your TV | The Atlantic

Your Phone Is Listening—Literally Listening—to Your TV; Kaveh Waddell; In The Atlantic; 2015-11-19.
Teaser: All in the name of serving you more targeted ads

tl;dr → SilverPush scaremongered by CDT commentariat at the FTC Cross-Device workshop; harm not shown.

Original Sources

Comments for November 2015 Workshop on Cross-Device Tracking; Center for Democracy & Technology (CDT); 2015-10-16; 11 pages.

FTC Announces Final Agenda, Panelists for 2015-11-16 Cross-Device Tracking Workshop; press release; Federal Trade Commission (FTC); 2015-11-03; separately filed.

Mentions

  • SilverPush
  • audio beacons
    • ultrasonic (infrasonic) codes in broadcast TV
    • consumers’ always-on handheld device monitors
    • returns device identity to the mother ship via internet backhaul.
  • generalized vague speculation that “the government” might be using it for tracking; a hypothetical about the government of China.
  • Federal Trade Commission (FTC)
    • Workshop on Cross-Device Tracking

Unrelated (thrown in for filler)

  • Verizon “supercookies”
    refers to UIDH, but does not use the term
  • Vizio Smart TV

Quoted

For color, background & verisimilitude

  • Joseph Lorenzo Hall, chief technologist, Center for Democracy and Technology (CDT).
  • Piyush Bhatt, product manager, SilverPush

Referenced

Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps | Zang, Dummit, Graves, Lisker, Sweeney

Jinyan Zang, Krysta Dummit, James Graves, Paul Lisker, Latanya Sweeney; Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps; In Technology Science; 2015-10-30.

tl;dr → QA was performed; observations were noted: data was sent, data was received; not shown: (absence of) consent, harm.

Abstract

What types of user data are mobile apps sending to third parties? We chose 110 of the most popular free mobile apps as of June-July 2014 from the Google Play Store and Apple App Store, across 9 categories likely to handle potentially sensitive data about users including job information, medical data, and location. For each app, we used a man-in-the-middle proxy to record HTTP and HTTPS traffic that occurred while using the app and looked for transmissions that include personally identifiable information (PII), behavior data such as search terms, and location data, including geo-coordinates. An app that collects these data types may not need to notify the user in current permissions systems.

Mentions

  • Recipients
    • yahooapis.com
    • flurry.com

References

Ninety five (95) citations!!

Promotions

Nine Out of Ten of the Internet’s Top Websites Are Leaking Your Data | Motherboard

Nine Out of Ten of the Internet’s Top Websites Are Leaking Your Data; Brian Merchant; In Motherboard; 2015-11-02.

tl;dr → University guy runs PhantomJS on the Alexa 1,000,000; discovers that analytics & DMP beacons are EVERYWHERE! in online media.  Spying is alleged.  The alarum is sounded.

Original Sources

Tim Libert (U. Pennsylvania); Exposing the Hidden Web: An Analysis of Third-Party HTTP Requests on One Million Websites; In International Journal of Communication; 2015-10; 10 pages; landing.

Mentions

  • webXray
  • PhantomJS
  • Alexa
  • the Party System, Same Origin Policy (SOP)
    • First Party
    • Third Party
  • Do Not Track (DNT)
  • Google Analytics
  • Something about the NSA
    Something about the PRISM program

Implicated

  • Airbnb.com
  • Facebook
  • Google
  • Twitter
  • Yahoo