NSA officials worried about the day its potent hacking tool would get loose. Then it did.

Washington Post:

When the National Security Agency began using a new hacking tool called EternalBlue, those entrusted with deploying it marveled at both its uncommon power and the widespread havoc it could wreak if it ever got loose.
Some officials even discussed whether the flaw was so dangerous they should reveal it to Microsoft, the company whose software the government was exploiting, according to former NSA employees who spoke on the condition of anonymity given the sensitivity of the issue.
But for more than five years, the NSA kept using it — through a time period that has seen several serious security breaches — and now the officials’ worst fears have been realized.


'Today at Apple' Launches

TechCrunch:

Last month, Apple announced its plans to offer an expanded set of educational sessions at its stores, which will now feature more in-depth training on how to use its devices and products, along with more community involvement ranging from having artists host talks on how they’re using Apple products to having customers venture outside for things like photo and sketch walks. This afternoon, this program is going live on a new, dedicated website called “Today at Apple,” where customers can now view the available courses and sign up for classes.
The launch kicking off this week includes 4,000 sessions per day across Apple’s stores.

Here's Apple's new website for the program. Note that this is for all stores, not just the flagship Apple stores.

Tuesday Morning Reads

Everything you need to know about the WannaCry ransomware

Troy Hunt does a great job of breaking down the chaos around WannaCry/WannaCrypt and why so many businesses have been affected. As I've told others, here's what it boils down to:

  1. If you keep your PCs and servers up to date on a monthly basis, you're OK.
  2. If you back up all your data automatically and test the backups from time to time, you'll be OK. It'll still be a pain if you get hit, but at least you won't go out of business.

If you own a business and you're not sure about either of these things, then you have reason to panic.

How to shoot on iPhone 7

I'm a photography novice, so Apple's new guides for shooting with your iPhone are a great resource.

The dual-camera system on the iPhone 7 Plus is a huge leap in quality and performance, and with Depth Effect it creates pretty incredible shots for a smartphone (these were taken with default settings, just point and shoot):

Thursday Morning Reads

Even Apple Can't Make the Internet of Things Tolerable

Perfect rundown of the dumpster fire known as the "smart home" product category, and Apple's feeble attempt to bring some sanity to it:

Things get weirder once you’re set up with all your devices in the Apple Home app. I was lured into HomeKit by the promise of one app to rule them all — which it is, to an extent — but the Home app gives all of your light bulbs, humidity sensors, temperature sensors, and whatever else you have connected the same amount of precedence in the interface. After you’ve added a thermostat, a lock, some light bulbs, a doorbell, sensors, and maybe a security camera, the Home app displays a bunch of buttons that are all the same size and shape, some of which are actionable and others which are simply informing you it’s 70 percent humidity right now. The default Home app, which comes preinstalled on every iPhone, ends up being a useless sea of icons that’s difficult to navigate or search — there’s no way to hide devices, and even useless items like the Philips Hue Bridge, which does nothing more than connect your widgets to the internet, shows up as a button. There are third-party app alternatives which can tap into the standard underneath, but they’re limited in what Apple allows them to do.

The @internetofshit Twitter account is great too.

Protecting Your Data at the U.S. Border

I wrote an article on LinkedIn about the rise in electronic searches at the US border for citizens and visitors, what it all means, and what you can do about it. Here's an excerpt:

The Trump administration, continuing a disturbing trend that started under the Obama administration, is moving ahead with its policy of "extreme vetting" of visitors and immigrants, including stepping up searches of mobile devices and online accounts at the border. Searches of mobile devices increased five-fold in 2016 vs. 2015, from 5,000 to 25,000, and February 2017 alone (just after Trump's inauguration) saw more searches than all of 2015 combined, per CBP stats released earlier this year.
While the number of searches is still a small fraction of total border traffic, policy changes, emboldened border agents who have significant leeway and discretion, and forensic technology that's getting faster and smarter will only drive these figures up. The writing is on the wall. Since search and seizure laws generally don't apply at the border, device searches are a convenient front door for governments to access your data; no need to serve a warrant to Facebook if you can just make someone give up their password.
To be clear, the searches have been happening to citizens and visitors alike. If you think this doesn't apply to you because you have a US passport, think again.

Affordable Care Act Drove Down Personal Bankruptcy

This is a fairly apolitical blog, but I thought this was an interesting take on the health care debate. From Consumer Reports:

As legislators and the executive branch renew their efforts to repeal and replace the Affordable Care Act this week, they might want to keep in mind a little-known financial consequence of the ACA: Since its adoption, far fewer Americans have taken the extreme step of filing for personal bankruptcy.
Filings have dropped about 50 percent, from 1,536,799 in 2010 to 770,846 in 2016. Those years also represent the time frame when the ACA took effect. Although courts never ask people to declare why they’re filing, many bankruptcy and legal experts agree that medical bills had been a leading cause of personal bankruptcy before public healthcare coverage expanded under the ACA. Unlike other causes of debt, medical bills are often unexpected, involuntary, and large. […]
“It’s absolutely remarkable,” says Jim Molleur, a Maine-based bankruptcy attorney with 20 years of experience. “We’re not getting people with big medical bills, chronically sick people who would hit those lifetime caps or be denied because of pre-existing conditions. They seemed to disappear almost overnight once ACA kicked in.”

Uber’s C.E.O. Plays With Fire

Uber's awful start to 2017 continues unabated. This time the NYT reveals even more shady activity, including violating Apple's App Store restrictions on 'fingerprinting' iOS devices:

The idea of fooling Apple, the main distributor of Uber’s app, began in 2014.
At the time, Uber was dealing with widespread account fraud in places like China, where tricksters bought stolen iPhones that were erased and resold. Some Uber drivers there would then create dozens of fake email addresses to sign up for new Uber rider accounts attached to each phone, and request rides from those phones, which they would then accept. Since Uber was handing out incentives to drivers to take more rides, the drivers could earn more money this way.
To halt the activity, Uber engineers assigned a persistent identity to iPhones with a small piece of code, a practice called “fingerprinting.” Uber could then identify an iPhone and prevent itself from being fooled even after the device was erased of its contents.
There was one problem: Fingerprinting iPhones broke Apple’s rules. Mr. Cook believed that wiping an iPhone should ensure that no trace of the owner’s identity remained on the device.

Warm Takes on Microsoft’s Surface Pro 4

Justin Searls gives his impressions after trying the Surface Pro 4:

I walked into this experiment with a strong and clear bias. I am currently, happily entrenched in Apple’s ecosystem and my recollection of being a Windows user is generally negative. Nothing, so far, has challenged that bias. It’s possible that—and this might be especially true for folks who’ve never strayed from the Microsoft ecosystem—things have been improving dramatically in Windows-land lately, and so the relativistic impression for longtime Windows users may well be that things are great, but I sadly can’t confirm that report.
To my (literally, due to strain) tired eyes, it feels like Microsoft is just barely treading water to stay current with the web, mobile, and touch revolutions that they successively missed the boat on. I don’t get the sense that Windows or the Surface represents an understanding of why its platforms faltered in the past nor does it seem to chart a bold direction towards a clear future. The best thing Windows 10 has going for it is that Microsoft has concluded its dominance is not vital to their financial success. If there is a creed among the Windows team, one can only assume it is, “be all things to all people.” A lofty goal, but one which also dooms it to mediocrity. Windows would only be my choice for a task barring a complete lack of alternatives.

AT&T Is Spying on Americans for Profit

Kenneth Lipp, for The Daily Beast:

Hemisphere isn’t a “partnership” but rather a product AT&T developed, marketed, and sold at a cost of millions of dollars per year to taxpayers. No warrant is required to make use of the company’s massive trove of data, according to AT&T documents, only a promise from law enforcement to not disclose Hemisphere if an investigation using it becomes public.

This is the same company that, until recently, spied on its customers' internet traffic for ad-targeting purposes, and charged an additional fee to opt out.

Hacked Cameras, DVRs Powered Today’s Massive Internet Outage

Brian Krebs:

According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use them in their own products.
“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn.

As Bruce Schneier noted a few weeks ago, government regulation is the only solution here. Horribly insecure hardware is being sold to other manufacturers and to end users, and no one has an incentive to change their ways.