[FY2024 JCJ Award acceptance speech] 'Tokyo Denryoku no Hensetsu' (TEPCO's Turnabout): exposing the collusion between TEPCO and Supreme Court justices = 橋詰雅博

3 weeks 3 days ago
Supreme Court justices are mostly conservatives on the side of power, but I think the prevailing image is that they are people of discernment who have a certain sense of justice and fairness. However, with this book, published last September, I shattered that image. Among the nuclear disaster victims who have read it, the reaction "So that's the kind of people they (the Supreme Court justices) were" has spread. The justices of the Second Petty Bench of the Supreme Court ruled on four civil suits over the Fukushima nuclear accident (Sendai, Chiba and others) that "the state bears responsibility". That was June 17, two years ago. Of the four justices, only one issued a dissenting opinion that "the state bears responsibility". The state's responsibility...
JCJ

[B] Report on the "nuclear waste" literature survey should be corrected: Citizens' Nuclear Information Center issues statement

3 weeks 4 days ago
Regarding the geological disposal of high-level radioactive waste generated by nuclear power, so-called "nuclear waste", the Nuclear Waste Management Organization of Japan (NUMO) on November 22 submitted the report on the "literature survey" it had been conducting in Suttsu Town and Kamoenai Village, Hokkaido, toward selecting a final disposal site, to Suttsu Mayor Haruo Kataoka, Kamoenai Mayor Masayuki Takahashi and Hokkaido Governor Naomichi Suzuki. (小栗俊也)
日刊ベリタ

One Down, Many to Go with Pre-Installed Malware on Android

3 weeks 4 days ago

Last year, we investigated a Dragon Touch children’s tablet (KidzPad Y88X 10) and confirmed that it was linked to a string of fully compromised Android TV Boxes that also had multiple reports of malware, adware, and a sketchy firmware update channel. Since then, Google has taken the (now former) tablet distributor off of their list of Play Protect certified phones and tablets. The burden of catching this type of threat should not be placed on the consumer. Due diligence by manufacturers, distributors, and resellers is the only way to tackle this issue of pre-installed compromised devices making their way into the hands of unknowing customers. But in order to mitigate this issue, regulation and transparency need to be a part of the strategy. 

As of October, Dragon Touch is not selling any tablets on their website anymore. However, there is lingering inventory still out there in places like Amazon and Newegg. There are storefronts that exist only on reseller sites for better customer reach, but considering Dragon Touch also wiped their blog of any mention of their tablets, we assume a little more than a strategy shift happened here.

We wrote a guide to help parents set up their kid’s Android devices safely, but it’s difficult to choose which device to purchase to begin with. Advising people to simply buy a more expensive iPad or Amazon Fire Tablet doesn’t change the fact that people are going to purchase low-budget devices. Lower budget devices could be just as reputable if the ecosystem provided a path for better accountability.

Who is Responsible?

There are some tools in development for consumer education, like the newly developed, voluntary Cyber Trust Mark by the FCC. This label would aim to inform consumers of the capabilities and guarantee that minimum security standards were met for an IoT device. However, the consumer holding the burden to check for pre-installed malware is absolutely ridiculous. Responsibility should fall to regulators, manufacturers, distributors, and resellers to check for this kind of threat.

More often than not, you can search for low budget Android devices on retailers like Amazon or Newegg, and find storefront pages with little transparency on who runs the store and whether or not they come from a reputable distributor. This is true for more than just Android devices, but considering how many products are created for and with the Android ecosystem, working on this problem could mean better security for thousands of products.

Yes, it is difficult to track hundreds to thousands of distributors and all of their products. It is hard to keep up with rapidly developing threats in the supply chain. You can’t possibly know of every threat out there.

With all due respect to giant resellers, especially the multi-billion dollar ones: tough luck. This is what you inherit when you want to “sell everything.” You also inherit the responsibility and risk of each market you encroach on or supplant.

Possible Remedy: Firmware Transparency

Thankfully, there is hope on the horizon and tools exist to monitor compromised firmware.

Last year, Google presented Android Binary Transparency in response to pre-installed malware. It would help track compromised firmware by means of two components:

  • An append-only log of firmware information that is immutable, globally observable, consistent, and auditable, with those properties assured cryptographically.
  • A network of participants that invest in witnesses, log health, and standardization.

Google is not the first to think of this concept; it largely applies the lessons learned from the success of Certificate Transparency. Still, better support for Android images directly from the Android ecosystem would definitely help. It would give manufacturers and developers who build on the Android Open Source Project (AOSP) a transparency ecosystem in which they could be just as respected as higher-priced brands.
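To make the first component concrete, here is an added example (not EFF's, Google's or Trillian's code) of a minimal RFC 6962-style append-only Merkle log over constructed firmware records, with the inclusion proof an auditor, reseller or device would check against the published log head; the OEM name, model, builds and image bytes are all made up.

```python
import hashlib

# RFC 6962 domain separation: leaves and interior nodes hash differently, so a
# node hash can never be passed off as a logged record.
def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def tree_root(leaves: list) -> bytes:
    """Merkle tree head; split at the largest power of two below len(leaves)."""
    if len(leaves) == 1:
        return leaves[0]
    k = 1 << ((len(leaves) - 1).bit_length() - 1)
    return hash_node(tree_root(leaves[:k]), tree_root(leaves[k:]))

def inclusion_proof(leaves: list, index: int) -> list:
    """Sibling hashes from the leaf up to the root (RFC 6962 PATH)."""
    if len(leaves) == 1:
        return []
    k = 1 << ((len(leaves) - 1).bit_length() - 1)
    if index < k:
        return inclusion_proof(leaves[:k], index) + [tree_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [tree_root(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, size: int, proof: list, root: bytes) -> bool:
    """Rebuild the head from a leaf hash and its proof (RFC 9162 section 2.1.3.2)."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = hash_node(p, r)
            while fn and not fn & 1:  # climb past levels where we were the right edge
                fn, sn = fn >> 1, sn >> 1
        else:
            r = hash_node(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

# Constructed log of five firmware records (OEM, model, builds and images made up).
LOG = [f"ExampleOEM;KidsTab;build-{i};sha256={hashlib.sha256(b'image-%d' % i).hexdigest()}".encode()
       for i in range(1, 6)]
LEAF_HASHES = [hash_leaf(r) for r in LOG]
ROOT = tree_root(LEAF_HASHES)  # the head a log operator publishes and witnesses co-sign
def check_firmware(claimed: bytes, index: int) -> bool:
    """Auditor's check: does the firmware a device reports match the logged record?"""
    return verify_inclusion(hash_leaf(claimed), index, len(LOG), inclusion_proof(LEAF_HASHES, index), ROOT)
```

A record that was never logged, or one presented under the wrong index, fails the check, which is what lets a third party catch firmware that an OEM or distributor did not publish.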

We love open source here at EFF and would like to continue to see innovation and availability in devices that aren’t necessarily created by bigger, more expensive names. But there needs to be an accountable ecosystem for these products so that pre-installed malware can be more easily detected and not land in consumer hands so easily. Right now you can verify your Pixel device if you have a little technical skill. We would like verification to be done by regulators and/or distributors instead of asking consumers to crack out their command lines to verify themselves.

It would be ideal to see existing programs like Android Play Protect certification run a log like this with open-source log implementations, like Trillian. This way, security researchers, resellers, and regulating bodies could begin to monitor and query information on different Android Original Equipment Manufacturers (OEMs).

There are tools that exist to verify firmware, but right now this ecosystem is a wishlist of sorts. At EFF, we like to imagine what could be better. While a hosted comprehensive log of Android OEMs doesn’t currently exist, the tools to create it do. Some early participants for accountability in the Android realm include F-Droid’s Android SDK Transparency Log and the Guardian Project’s (Tor) Binary Transparency Log.

Time would be better spent on solving this problem systemically than on researching whether every new electronic evil rectangle or IoT device has malware or not.

A complementary solution to binary transparency is the Software Bill of Materials (SBOM). Think of this as a “list of ingredients” that make up software. This is another idea that is not very new, but it has gathered more institutional and government support. The components listed in an SBOM could highlight issues or vulnerabilities that were reported for certain components of a piece of software. Without binary transparency, though, researchers, verifiers, auditors, etc. could still be left attempting to extract firmware from devices whose images haven’t been listed. If manufacturers readily provided these images, SBOMs could be generated more easily and help create a less opaque market of electronics. Low budget or not.

We are glad to see some movement from last year’s investigations. Right in time for Black Friday. More can be done and we hope to see not only devices taken down more swiftly when reported, especially with shady components, but better support for proactive detection. Regardless of how much someone can spend, everyone deserves a safe, secure device that doesn’t have malware crammed into it.

Alexis Hancock

[B] Arrest warrant sought for Myanmar's military chief: International Criminal Court cites alleged persecution of the Rohingya

3 weeks 4 days ago
Chief Prosecutor Khan of the International Criminal Court (ICC) announced on the 27th that he had requested an arrest warrant for Commander-in-Chief Min Aung Hlaing, head of Myanmar's State Administration Council (SAC), on charges of crimes against humanity for persecuting the Rohingya Muslim minority. In response, the SAC issued a statement saying, "Myanmar is not a member state of the ICC and has no particular reaction to the request for an arrest warrant."
日刊ベリタ