Tech Brew Ride Home - Fri. 06/18 – Cell Networks Security Deliberately Nerfed?
Episode Date: June 18, 2021Were some of the base encryption algorithms on cell networks deliberately nerfed? The first ever mass arrest of a ransomware gang? Proof that Google is working on a FindMy network rival? And, of cours...e, the weekend longreads suggestions. Sponsors: Tovala.com/ride Cybereason.com Links: Bombshell Report Finds Phone Network Encryption Was Deliberately Weakened (Vice) Ukraine arrests ransomware gang in global cyber criminal crackdown (Financial Times) Google may be working on an Android version of Apple’s “Find My” network (XDA Developers) Gopuff to Buy Siemens-Backed RideOS in $100 Million-Plus Deal (Bloomberg) Weekend Longreads Suggestions: Ransomware claims are roiling an entire segment of the insurance industry (Washington Post) THE RISE AND FALL OF AN AMERICAN TECH GIANT (The Atlantic) Anatomy of a Seed Round During COVID-19 (Fresh Paint) Meet Wu Dao 2.0, the Chinese AI model making the West sweat (Politico) Tech Companies Are Training AI to Read Your Lips (Vice) How governments and spies text each other (Wired) Airbnb Is Spending Millions of Dollars to Make Nightmares Go Away (Bloomberg) Subscribe to the RideHome+ Feed at: tech.supercast.tech Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
On April 4th, 2023, around 2 in the morning, a man was found stabbed multiple times on a sidewalk in downtown San Francisco.
Hey, who did this to you?
What happened next turned the story into a political firestorm.
Reports have identified the victim as Bob Lee, the founder of Cash App.
From Bloomberg Podcasts, this is Foundering, the Killing of Bob Lee, beginning April 16.
Welcome to the TechMeme ride home for Friday, June 18th, 2021. I'm Brian McKellah. Today were some of the base
encryption algorithms on cell networks deliberately nerfed, the first ever mass arrest of a ransomware gang,
proof that Google is working on a Find My Network rival, and of course, the weekend long read
suggestions. Here's what you missed today in the world of tech. A bombshell new report says that
cell network encryption, underpinning a lot of phone network.
was deliberately weakened by its original designers, quoting motherboard.
A weakness in the algorithm used to encrypt cell phone data in the 1990s and 2000s allowed hackers
to spy on some internet traffic according to a new research paper.
The paper has sent shockwaves through the encryption community because of what it implies.
The researchers believe that the mathematical probability of the weakness being introduced
on accident is extremely low.
Thus, they speculate that a weakness was in terms.
intentionally put into the algorithm. After the paper was published, the group that designed the
algorithm confirmed, this was the case. Researchers from several universities in Europe found that
the encryption algorithm, GEA1, which was used in cell phones when the industry adopted GPRS standards
in 2G networks, was intentionally designed to include a weakness that at least one cryptography
expert sees as a back door. The researchers said they obtained two encryption algorithms,
G-EA-1 and G-EA-2, which are proprietary and thus not public from a source.
They then analyzed them and realized they were vulnerable to attacks that allowed for decryption
of all traffic.
When trying to reverse-engineer the algorithm, the researchers wrote that, to simplify,
they tried to design a similar encryption algorithm using a random number generator,
often used in cryptography, and never came close to creating an encryption scheme as weak
as the one actually used.
quote, in a million tries we never even got close to such a weak instance, they wrote.
This implies that the weakness in GEA1 is unlikely to occur by chance,
indicating that the security level of 40 bits is due to export regulations, end quote.
Researchers dubbed the attack divide and conquer and said it was rather straightforward.
In short, the attack allows someone who can intercept cell phone data traffic
to recover the key used to encrypt the data and then decrypt all traffic.
The weakness in GEA1, the oldest algorithm developed in 1998, is that it provides only 40-bit security.
That's what allows an attacker to get the key and decrypt all traffic, according to the researchers.
A spokesperson for the organization that designed the GEA1 algorithm, the European Telecommunications Standards
Institute, admitted that the algorithm contained a weakness but said it was introduced because
the export regulations at the time did not allow for stronger encryption.
We followed regulations. We followed export control regulations that limited the strength of GEA1,
a spokesperson for the Institute told Motherboard in an email. Havard Radom, one of the researchers who
worked on the paper, summed up the implications of this decision in an email to motherboard.
To meet political requirements, millions of users were apparently poorly protected while surfing
for years, he said, end quote.
Well, I guess this sort of news had to come sooner rather than later, and thankfully so,
I suppose. Ukrainian police have arrested members of ransomware gang Klopp, marking what we believe is
the first time that a national law enforcement agency has carried out mass arrests of such a gang,
quoting the Financial Times. The Ukraine National Police said in a statement on Wednesday that it
had worked with Interpol and the U.S. and South Korean authorities to charge six members of the
Ukraine-based Klop Hacker Group, which it claimed had inflicted half a billion dollars in damages
on victims based in the U.S. and South Korea.
The move marks the first time that a national law enforcement agency has carried out mass
arrests of a ransomware gang, adding to pressure on other countries to follow suit.
Russia, a hub for ransomware gangs, has been blamed for harboring cybercriminals
by failing to prosecute or extradite them.
Klopp is one of several ransomware cartels that seize a target's data,
demanding a ransom to release it.
The group has also increasingly threatened to leak sensitive information online
if a target refuses to pay, a tactic known as double extortion.
Recent targets have included oil company Shell and international law firm Jones Day,
as well as several U.S. universities, including Stanford and the University of California.
In most cases, the hackers wielded a vulnerability in a file transfer product run on
Acelion to compromise their victims. The arrests come as ransomware has been thrust into the spotlight
in recent weeks following a number of audacious attacks hitting critical infrastructure.
Last month, hackers disrupted the colonial pipeline supplying petroleum to much of the U.S. East Coast and attack the White House has attributed to a Russian-based group. As a result, governments are under increasing pressure to curb the activities of cybercriminals. This week, U.S. President Joe Biden attended a summit in Geneva with Russia's President Vladimir Putin, in which both parties were expected to discuss the threat of ransomware, end quote.
An APK teardown of a new version of Google Play Services suggests that Google is working to build an Android version of the device network like Apple's Find My Network, according to XDA developers.
Google Play Services version 21.24.13 rolled out today in the beta channel, and after we decoded it, we discovered the following strings were added, and well, click through to the piece to see the strings, which clearly suggests that Google is
working on a Find My Device network leveraging Google Play services to, quote, allow your phone to locate
your and other people's devices, end quote. Google already has an app called Find My Device
available on the Play Store, but it can only find devices that are signed into your Google account.
If this Find My Device network goes live, then you'll be able to help other Android users
locate their lost or stolen devices. Although Android can be found in many different types of
devices, it's likely that a large percentage of the over 3 billion devices running the OS worldwide
is made up of smartphones. The vast majority of Android smartphones sold outside of China have the
Play Services app pre-installed, which could mean they'll be eligible to participate in the
Find My Device Network. For background, Google Play Services is one of the key components of
Google Mobile Services, a suite of Google Made apps and services that the company distributes to
smartphone makers seeking to sell an Android device. GMS also bundles the Play Store, the largest
app store in the Android ecosystem. Device makers seeking to pre-install the Play Store on their
Android devices must also include many of the other components of Google Mobile Services,
including Google Play Services, among other apps, end quote. Delivery startup GoPuff, which,
frustratingly, I still can't try out yet here in Brooklyn, has bought RideOS, which builds
real-time routing and dispatch software for autonomous car fleets.
Sources say the deal was for $115 million in cash in stock.
RiteOS was valued at $180 million in its most recent funding round, quoting Bloomberg.
RideOS is one of the best mapping, dispatching, and technology firms, said Sherrod Sundaraisen,
GoPuff's Senior Vice President of Product and Growth in a statement.
Software for logistics and delivery has become in demand as companies try to make their fleets more
energy efficient. Ford Motor Company on Thursday acquired a software startup that monitors and manages
vans, trucks and buses. Justin Ho, co-founder and CEO of RiteOS, said in a statement that GoPuff's
mission fits with the company's, quote, vision to build software that effectively and efficiently
moves people and things around the world, end quote. GoPuff delivers thousands of products from
ice cream to cleaning products for a flat fee. It's backed by firms including SoftBanks, Vision
Fund, D1 Capital Partners, Bally Gifford, Fidelity and
sell. It was last valued at $8.9 billion, end quote. Time for the weekend long read suggestions,
and first up, something that I had actually been wondering about. What with all the ransomware
attacks lately? Wither the cyber insurance industry? Well, quoting the Washington Post,
the recent surge of ransomware attacks is upending the cyber insurance industry, pushing up the
requirements and cost of coverage just as more companies need it. This is a tipping point this year,
said John Kearns, an executive managing director at insurance brokerage, Beecher Carlson,
a division of Brown and Brown, which sells cyber insurance. I've been in business for 32 years and
haven't seen a market quite like this, end quote. That is pushing insurance carriers to reevaluate
how much coverage they can afford to offer and how much they have to charge clients to do so.
Underwriters are demanding to see detailed proof of clients' cybersecurity measures in ways they
never have before. For example, not using multifactor authentication, which requires a user to
verify themselves in multiple ways might result in a rejection. The majority of insurance companies
are raising premiums for plans that cover damage from hacks, including ransomware attacks.
Prices for at least half of insurance buyers went up 10 to 30% in late 2020, according to a survey
cited by the U.S. Government Accountability Office. In some cases, annual premiums that companies
are expected to pay have increased by as much as 50%, said Joshua Mata, founder of
insurance tech company coalition, end quote. Next, I've read various versions of this story over the years,
but the Atlantic has a long, long read about the sad rise and fall of Kodak, which if you weren't aware,
if you think about it, was actually one of the premier U.S. tech companies of the 20th century,
along with the likes of, say, IBM, quote, founded in 1880, Kodak invented the first easy-to-use consumer
camera and thereby amateur photography. It achieved a near monopoly on the consumer.
film business capturing the imagination of the entire world. It was Hollywood, and it was New York,
and it was as grand as history. With a simple search, even a child can find images of Eastman,
hosting Thomas Edison nonchalantly in his backyard. The city where we stood was just another of his
accomplishments. Eastman funded Rochester's colleges and its hospital system, its cultural institutions,
its non-profits, its parks, its suburban housing developments. In 1920, his free pediatric
Dental Clinic removed the tonsils of 1,400 children in seven weeks. Even in 2003, when I made that
class trip, we were encouraged to believe we should feel lucky that he had chosen Rochester to lavish
his attention upon. Kodak was already past its prime when I visited the Eastman Mansion on my
field trip all those years ago, though it reported 4.3 billion in gross profits that year.
Since then, many of the buildings in the park have been rented out, sold off, or demolished.
The company filed for bankruptcy while I was in college and rebounded slowly in 12.
2019, Kodak reported just 182 million in profits. Still, I'd read a few news items about Kodak pivoting,
a funny word that makes spinning sound intentional to pharmaceuticals. And as a journalist and an adult now,
I had my chance. I emailed and asked to hear the story and was almost immediately told that
I could come for a quick visit during a pandemic, end quote. On the fresh paint blog,
an interesting bit of transparency from this Y Combinator alum.
They take you step by step through their $1.65 million seed round.
And by that, I mean, they literally take you through it day by day, introduction by
introduction, check by check.
Each startup, of course, is different and has different experiences.
But if you want to see the nuts and bolts of what actually goes into raising a seed round
and all the networks you need to tap, do check that out.
From Politico, meet Wu Dow 2.0, unveiled by the Beijing Academy of Artificial Intelligence
last week, a sophisticated AI language model claimed to be 10 times more powerful even than GPT3.
Today, I learned that lip reading technology is something that might be just around the corner,
quoting Vice. It seems like a simple interaction, and in some respects, SRAVI,
speech recognition app for the voice impaired, is still pretty simplistic. It can only
recognize a few dozen phrases, and it does that with about 90 percent accuracy.
But the app, which is made by the Irish startup Leopa, represents a massive breakthrough in the field of visual speech recognition or VSR, which involves training AI to read lips without any audio input.
It will likely be the first lip reading AI app available for public purchase.
Researchers have been working for decades to teach computers to lip read, but it's proven a challenging task even with the advances in deep learning systems that have helped crack other landmark problems.
The research has been driven by a wide array of possible.
commercial applications from surveillance tools to silent communication apps and improved virtual
assistant performance, end quote. And today, I learned about the open source matrix protocol,
which is increasingly the tech that governments and spies are turning to to communicate
securely with each other, which makes sense, as we've seen lately, that secure communication
platform that you have been relying on might turn out to have some government or other
behind it that you didn't know was responsible for the platform and was thus probably listening in
all along. This is from Wired UK. Its name was matrix.org, and conveniently, its core team was based
in London and Brittany in France. Quote, it's a rare instance of the French and the English managing
to work together, says Matrix co-founder Matthew Hodgson. He and fellow co-founder Amandine Lapepepe
started working on the project in 2014 as employees of Israeli technology company Amdox. They wanted
to create a messaging system that was decentralized rather than run by one company, was secure by
default, and able to potentially communicate with other chat platforms. We're probably the most
successful attempt to build an open standard for this kind of communication, La Pappy says. Everyone can
run the Matrix Protocol on their own servers and participate in conversations hosted on other
servers if they so wish. In France's case, the government designed a system centered on multiple
separate servers for each ministry, Hodgson says. And yet everybody can still talk to everybody else.
The decentralized architecture modeled after open source software Git reduces the repercussions
of technical incidents which remain confined to the specific affected servers while ensuring that
the conversation goes on. Quote, there is never a single point of control or failure, end quote.
Matrix's makeup has proved attractive for at least three more governments in addition to France,
security services and military organizations including the German army and tech corporations such as Mozilla.
As of early 2021, Matrix was used by over 28 million accounts worldwide.
And finally, as summer kicks off, and hopefully summer holidays and vacations finally return to our lives,
Bloomberg Business Week has a profile of the secret SWAT team at Airbnb that swoops in
to clean up nightmare Airbnb situations, Winston Wolf from Pulp Fiction style.
Quote, the way Airbnb has handled crimes such as the New York attack, which occurred during a bitter
regulatory fight shows how critical the safety team has been to the company's growth.
Airbnb's business model rests on the idea that strangers can trust one another.
If that premise is undermined, it can mean fewer users and more lawsuits, not to mention
tighter regulation.
For all its importance, the safety team remains shrouded in secrecy.
Insiders call it the black box.
But eight former members and 45 other current and former Airbnb employees familiar with the
team's role, most of whom spoke on condition of anonymity for fear of breaching confidentiality
agreements provided a rare glimpse into its operations and internal struggles.
The job, former team members say, is a nerve-wracking one, balancing the often-conflicting
interests of guests, hosts, and the company.
I had situations where I had to get off the phone and go cry, a former agent recalls,
that's all you can do, end quote.
Big, big day today.
My boy, Max, has a graduation from pre-K ceremony here in literally like 20 minutes, so I got to get this out in a hurry.
And of course, it's the old enemy, or the old enemy.
I'm not going to do the Scottish accent this time.
It's the England-Scottland game this afternoon, which I am very much hyped for,
almost the definition of a derby match.
Right Home Plus subscribers, this weekend you've got an interesting gadgets episode coming to you.
Actually, it should be up in a matter of hours.
It's a wild one.
Can I interest you in your own robot dog?
No.
How about a self-balancing electric bicycle?
tech.
comcast.
If you want to
subscribe to
Ride Home Plus,
so you don't
miss out on that.
Talk to you
on Monday.
