Technology + Common Sense + Dumb Aircraft, Spectre Returns, Mars, SEALs, Photo Detectives, China, Cargo Ships, and More! (May 2, 2021 FFI Roundup)
Franklin Faraday Insights
Welcome to Our Weekly Roundup of Actionable and Interesting Things!
In this issue:
— Sinking containers
— China targeting foreigners
— We might have another Spectre/Meltdown problem…
— Dumb aircraft designs
— Trapped on a cargo ship
— Even with COVID, Google wins
— Bellingcat’s latest amazing detective work
— Childcare is a business issue
— A new mission for the Ingenuity Mars helicopter
— Tenth anniversary of Operation Neptune Spear
— Another shocking credit reporting vulnerability
— The magic behind Daft Punk’s “One More Time”
Don’t forget to follow us on Twitter @FranklinFaraday!
Container (Overboard)
Bloomberg reported that losses from containers falling off ships are at a seven-year high due to a combination of factors including weather, larger ships with top-heavy loads, and a strong increase in shipping demand fueled by e-commerce during the pandemic.
When ships approach heavy weather, captains have the option to steer away from the danger. But the attitude is “don’t go around the storm, go through,” said Jonathan Ranger, head of marine Asia Pacific at American International Group Inc.
While the headline is concerning, most of the losses are due to single events:
After gale-force winds and large waves buffeted the 364-meter One Apus in November, causing the loss of more than 1,800 containers [FFG: more than half of the 3,000 containers lost in 2020], footage showed thousands of steel boxes strewn like Lego pieces onboard, some torn to metal shreds. The incident was the worst since 2013, when the MOL Comfort broke in two and sank with its entire cargo of 4,293 containers [FFG: most of the 5,578 lost in 2013] into the Indian Ocean.
Still, while the dollar amounts are high—on average $50,000 per container—overall losses are low given that 226 million containers are shipped each year. The statistics, however, don’t help if it’s YOUR business container or personal belongings that got lost or damaged. We’ve known people who lost everything in overseas moves due to water damage.
China
Surprising no one and playing into decades of western warnings, China passed new regulations this week requiring companies to increase monitoring of foreigners, according to Helen Davidson (@heldavidson) in The Guardian.
According to state media, state security will work with other government departments to “adjust” the list of groups susceptible to foreign espionage and to develop measures to safeguard against it, including Chinese Communist Party and state organs, social groups, enterprises and public institutions.
Once organisations are designated as having anti-espionage responsibility, state security will provide “guidance, supervision and inspection” of their efforts, including personnel vetting, and strict training, monitoring and debriefing for staff trips overseas. Identified organisations must report suspicions and incidents to authorities.
There are several high profile cases of China detaining foreign nationals from Australia and Canada, among other locations, following Canada’s detention of a Huawei executive in 2018.
While the number of incidents is very small compared to the number of (pre-COVID) foreign travelers, the risk is not zero. It’s important to remember not just what you are doing, but what a suspicious entity might think you are doing while observing from a distance.
Cybersecurity
We may have another Spectre problem, and not the kind that James Bond can solve.
Last week researchers at the University of Virginia announced the discovery of a computer attack method that potentially affects billions of computers and devices worldwide. This is a follow-on to the 2017-2018 Spectre/Meltdown vulnerability set, which caused great consternation because nearly every system was vulnerable and the fixes, when possible, significantly degraded performance.
As an analogy, think of someone operating a restaurant. The restaurant can wait to start cooking until a customer orders a dish, or the restaurant can try to guess what customers will order and start prepping those meals or parts of those meals. If the restaurant waits for each customer order, it will be much slower than if a customer orders something that the restaurant has guessed and already started (or completed cooking). Of course if the restaurant guesses wrong, they throw away food, but the tradeoff of speed versus waste may be worth it.
Modern computer processors operate the same way. In effect, the computer is executing a set of instructions for your program, but it’s also trying to guess what comes next and executing some instructions for that too.
The vulnerability comes if an attacker can trick the microprocessor into executing those predicted instructions to do something nefarious, usually accessing another part of memory that the program should not be able to access. Intel, Microsoft, and other computer industry leaders have invested significant effort into trying to mitigate this type of attack.
What the University of Virginia researchers found was a way to conduct the attack before the safety measures in place could mitigate it. The technical details deal with how the computer grabs instructions from something called a micro-op cache, which is a temporary storage area on the chip that is faster than other forms of memory (such as a hard drive or even RAM).
"Intel's suggested defense against Spectre, which is called LFENCE, places sensitive code in a waiting area until the security checks are executed, and only then is the sensitive code allowed to execute," [lead researcher Ashish Venkat] said. "But it turns out the walls of this waiting area have ears, which our attack exploits. We show how an attacker can smuggle secrets through the micro-op cache by using it as a covert channel."
How bad is this? We don’t know yet. It’s potentially really bad, though the original Spectre/Meltdown vulnerabilities were very difficult to exploit in practice.
"In the case of the previous Spectre attacks, developers have come up with a relatively easy way to prevent any sort of attack without a major performance penalty" for computing, [student Len Moody] said. "The difference with this attack is you take a much greater performance penalty than those previous attacks."
"Patches that disable the micro-op cache or halt speculative execution on legacy hardware would effectively roll back critical performance innovations in most modern Intel and AMD processors, and this just isn't feasible," [student Xida Ren], the lead student author, said.
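To make the LFENCE defense quoted above concrete, here is an added example (not code from the researchers or from Intel) of the classic bounds-check pattern with and without the barrier. The table contents are constructed sample data; on non-x86 builds the barrier macro is a labelled placeholder so the code still compiles.

```c
#include <stddef.h>
#include <stdint.h>

#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>          /* _mm_lfence(): the x86 LFENCE barrier */
#define SPEC_BARRIER() _mm_lfence()
#else
/* Placeholder for non-x86 builds: a compiler barrier only, not a
 * hardware speculation barrier. Real ports use the target's own fence. */
#define SPEC_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

/* Constructed sample table standing in for data the caller may read. */
static const uint8_t table[8] = {10, 20, 30, 40, 50, 60, 70, 80};
#define TABLE_LEN (sizeof table / sizeof table[0])

/* Classic Spectre-v1 shape: the branch predictor may guess the bounds
 * check passes and the processor may speculatively read table[idx]
 * before the comparison resolves, even for an out-of-range idx.
 * Architecturally the result is still correct, which is why the
 * problem is invisible to ordinary testing. */
int read_unguarded(size_t idx) {
    if (idx < TABLE_LEN)
        return table[idx];
    return -1;
}

/* LFENCE-guarded version, the "waiting area" in the quote: the fence
 * holds back later instructions until the bounds check has actually
 * resolved, so the dependent read is not performed speculatively. */
int read_guarded(size_t idx) {
    if (idx < TABLE_LEN) {
        SPEC_BARRIER();
        return table[idx];
    }
    return -1;
}
```

Both functions return identical values; the difference is only in what the processor may do transiently, which is exactly what the micro-op cache finding above shows can still leak around this barrier.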
Dangerous Machines
Our friend Carl Forsling (@CarlForsling) had a great article this week on “6 Dumb Aircraft That Should Have Died on the Drawing Board.”
Sometimes large budgets and grand ideas merge to create aircraft that seem like great ideas at a late-night brainstorming session. Occasionally those efforts lead to breakthroughs.
Other times, though, after the empty coffee cups and full ashtrays were cleaned out, someone should have also tossed the blueprints in the trash. There’s no such thing as a stupid question, but there is often such a thing as a stupid idea.
It takes more than just being too slow or not being maneuverable enough to make the pantheon of suckitude. It takes a fundamental misreading of the requirements and threats combined with enough determination to actually build such a ridiculous thing.
Of course Carl had some choice words about everyone’s favorite bad airplane design, the XF-85 Goblin:
The first thing one might ask upon seeing the Goblin might be “What the hell is that?” followed shortly thereafter with “Doesn’t it need bigger wings and more space for an engine, fuel, and weapons?”
Yes, it did need those things. It would have been annihilated by even the worst Soviet aircraft, at least any it encountered in the space of 30 minutes, because that’s the extent of time it could fly on the fuel it had.
#FAIL
The BBC reported on the curious case of Mohammed Aisha, who was stuck on the cargo ship MV Aman… for four years!
The Kafka-esque nightmare began when Egyptian authorities in Adabiya, near the Suez Canal, held the ship because of expired safety equipment and certificates. The ship’s Bahraini owners ran into financial difficulties, Lebanese contractors did not pay for fuel, and events continued to spiral. With the captain ashore, an Egyptian court declared Aisha the ship’s legal guardian. Thus he had to remain aboard the ship—unpaid—with no power.
[Aisha] said the ship was like a grave at night.
"You can't see anything. You can't hear anything," he said. "It's like you're in a coffin."
Aisha claimed he had been ignored by the ship’s owners, but they claimed otherwise:
The Aman's owners, Tylos Shipping and Marine Services, told the BBC they had tried to help Mohammed but that their hands were tied.
"I can't force a judge to remove the legal guardianship," a representative told us. "And I can't find a single person on this planet - and I've tried - to replace him."
Apparently it’s not that unusual for ship owners to abandon crews:
According to the International Labour Organization, there are more than 250 active cases around the world where crews are simply left to fend for themselves. It says 85 new cases were reported in 2020, which is twice as many as in the previous year.
Maybe that office commute isn’t so bad after all…
Future of Work
There was an interesting note in Alphabet’s recent quarterly report: the Google parent saved $268 million in the first quarter of 2021, or more than a billion dollars per year on an annualized basis, thanks to cost savings caused by COVID-19 and working from home. The savings came from reduced promotions, travel, and entertainment — including the notorious office perks such as massage tables, free food, and fancy company retreats. Alphabet’s 2020 annual report (fiscal year end December) reported savings of $1.4 billion in 2020 from reduced advertising and promotional expenses.
As the LA Times noted:
The savings offset many of the costs that came with hiring thousands more workers. And the pandemic prudence allowed the company to keep its marketing and administrative costs effectively flat for the first quarter, despite boosting revenue by 34%.
Win or lose for everyone else… Google always wins.
Investigations
The best detective story you’ll read this month is Bellingcat’s description of how they tracked the location of a photo while looking for a person of interest in a child exploitation case. It’s better than any Sherlock Holmes story.
This work was truly amazing and seemingly impossible. The story involves:
— examining a leaf to determine the type of plant and growing range
— a tiny flag in a shop window
— a specific type of trash can
— a lounge chair
— a 3D model of a pool area to check photograph angles
— tourist reviews and languages on TripAdvisor
Bellingcat is generally comprised of amateur investigators and journalists; yet they consistently produce incredible results!
Management
An article in the Harvard Business Review this week explained that “Childcare is a Business Issue,” citing a 2020 University of Chicago study that found 50 million workers in the United States—or one third of the workforce—had at least one child under 14 in their household.
The article provided some fascinating statistics from various sources, including their own earlier study published in summer 2020:
[In a 2020 survey of] 2,500 working parents we found that nearly 20% of working parents had to leave work or reduce their work hours solely due to a lack of childcare. Only 30% of all working parents had any form of back-up childcare, and there were significant disparities between low and high-income households.
Of those who lost a job or reduced hours due to childcare, 40% of parents said that the factors for deciding who would be responsible for taking care of the children came down to which parent worked more hours or had a less flexible schedule. Shockingly (but honestly), nearly one third said that deciding who would take care of the kids came down to “who was better at it.” In comparison, less than one quarter cited income as a factor in their decision — suggesting that gender roles still loom large in household decision-making.
In our survey, 26% of women who became unemployed during the pandemic said it was due to a lack of childcare.
Even before the pandemic, inadequate childcare was costing working parents $37 billion a year in lost income and employers $13 billion a year in lost productivity.
The authors also referenced a February 2021 analysis by the National Women’s Law Center, which reported that more than 2.3 million women had left the labor force since the start of the pandemic, which reduced the labor force participation rate to 57%, the lowest since 1988.
The HBR article suggested that solutions include additional support structures for women, flexible work schedules and remote work, childcare subsidies, and more employer-based childcare options.
Mars
As we predicted in our April 10th issue, now that the Ingenuity Mars helicopter has had four (as of this writing) successful flights, NASA has decided to extend the mission from a brief “technology demonstration” to an “operations demonstration phase.”
With short drives expected for Perseverance in the near term, Ingenuity may execute flights that land near the rover’s current location or its next anticipated parking spot. The helicopter can use these opportunities to perform aerial observations of rover science targets, potential rover routes, and inaccessible features while also capturing stereo images for digital elevation maps. The lessons learned from these efforts will provide significant benefit to future mission planners. These scouting flights are a bonus and not a requirement for Perseverance to complete its science mission.
NASA/JPL has brilliantly managed the Ingenuity mission: expectations were set so low that if the helicopter flew at all, then everyone would be happy (and perhaps surprised). Now that it can fly, NASA has the chance to make the case for future autonomous aerial exploration of Mars and perhaps other locations. This is the exact same playbook as the wildly successful Mars Pathfinder mission in 1997, which was also characterized as a technology demonstration (that more than a few people thought would fail).
It’s likely lost on no one at NASA that helicopter flights capture the popular imagination far more than studying rocks, at least until they discover evidence of life.
Neptune Spear
This weekend marks 10 years since the daring Navy SEAL raid into Abbottabad, Pakistan, that killed Osama bin Laden. To mark the anniversary, Garrett Graff conducted dozens of interviews to weave together a really interesting account of the secret operation.
ADM. WILLIAM MCRAVEN: I was sitting in my office at Fort Bragg and realized that this mission needed a name, a name that represented both the legacy of the SEALs and the legacy of the great Nightstalkers, the helicopter pilots that were going to fly us in there. I am sitting, thinking, “What do I want to name this? Because if this turns out to be bin Laden, the name will have some historical value.” In my office, I have this small statuette that I bought in Venice, a very stylized statue of Poseidon or Neptune on this fighting seahorse, trident in hand. The symbolism of the seahorse as our helicopter force and the trident—the emblem of the Navy SEALs—in his hand. As soon as I saw that, that’s what I need to call it: NEPTUNE’S SPEAR.
TOM DONILON: I left the Situation Room with the president. We went up to the Oval Office. I went over some other things, and he walked out of the Oval Office over to the colonnade, which separates the West Wing from the main White House mansion where president lives. My distinct memory is standing there watching the president walk in the colonnade all by himself and thinking: “We put these decisions solely on the shoulders of one person.”
And then there’s this:
BILL DALEY, White House chief of staff: We were invading an ally’s sovereign-ness, five miles from their West Point, 10 miles from a nuclear storage facility. This was a very, very big, a very powerful event, even beyond Osama bin Laden.
Perhaps in another 50 years we will learn how Osama bin Laden managed to hide in such a strategic location for so long…
Privacy
The always interesting Brian Krebs (@briankrebs) reported that the credit reporting bureau Experian had a weakness that allowed anyone to look up credit scores for tens of millions of people just with a name and mailing address!
How was this weakness discovered? Internal red team? Dark web data leak? Cybersecurity vendor with a billion dollar market cap?
Nope—a sophomore named Bill Demirkapi (@BillDemirkapi) at the Rochester Institute of Technology found it.
Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”
Demirkapi said that he alerted Experian, but he believed they just cut off the lender that Demirkapi found rather than fixing a potential systemic problem.
Krebs again strongly recommended putting a security freeze on your credit, adding:
Leaky and poorly-secured APIs like the one Demirkapi found are the source of much mischief in the hands of identity thieves. Earlier this month, auto insurance giant Geico disclosed that fraudsters abused a bug in its site to steal drivers license numbers from Americans.
Geico said the data was used by thieves involved in fraudulently applying for unemployment insurance benefits. Many states now require drivers license numbers as a way of verifying an applicant’s identity.
Random
Even if you don’t realize it, you’ve definitely heard the Daft Punk song “One More Time.” This amazing video shows how Daft Punk constructed the track by sampling Eddie Johns’ 1979 song “More Spell On You.” It’s very cool!
Enjoy what you just read? Please share this newsletter or leave a like or comment…
We replaced our lawyer with another ambush predator.
Technology + Common Sense™ is a trademark of Franklin Faraday Group LLC. Meow. All linked content is the property of the respective author(s). Meow. Commentary and non-linked content is Copyright © 2021 Franklin Faraday Group LLC. Feed me or the claws come out!
Oh hii : D
First time seeing my name on Substack is quite an experience! (I wrote that spectre paper!)
Loved the cat, and loved your summary of my paper (How bad is this? We don’t know yet.)
This touches a key point. A lot of security publications are motivated by the fear of the unknown - - and for something like bugs hiding under the bottom of the bottom of your stack of trust, you really don't want to find out how bad they are by actually experiencing a breach LoL