Canadian Police: Vehicles Being Stolen Via Apple AirTag

Multiple incidents have led the police near Toronto to issue a warning about Apple AirTag being used to track and steal cars.

Since September 2021, officers have investigated five incidents where suspects have placed small tracking devices on high-end vehicles so they can later locate and steal them. Brand name ‘air tags’ are placed in out-of-sight areas of the target vehicles when they are parked in public places like malls or parking lots. Thieves then track the targeted vehicles to the victim’s residence, where they are stolen from the driveway.

Police say the cars’ electronic keys are being bypassed by simply reprogramming the vehicle to accept a new one.

Once inside, an electronic device, typically used by mechanics to reprogram the factory setting, is connected to the onboard diagnostics port below the dashboard and programs the vehicle to accept a key the thieves have brought with them. Once the new key is programmed, the vehicle will start and the thieves drive it away.

Police advise scanning regularly for the tiny devices, which can be hidden anywhere. They also recommend locking the “data port” to block reprogramming the key. And finally, they recommend keeping vehicles inside a locked container such as a garage.

Really, they should have said ride a bicycle: easy to notice anything added, no data port, easy to lock inside.

San Francisco Tenderloin Fentanyl Epidemic Kills 3X COVID19

Stunning reporting from San Francisco reveals the crisis situation:

The story that stuck with me most came from Greg Moore, director of safe programs for the Tenderloin Community Benefit District. Last month, he was walking at Turk and Hyde streets when he saw a driver in a sport utility vehicle waiting at a red light doze off. The passenger’s head began nodding, too. The driver’s head bounced, and his eyes rolled back. Moore knew both people in the running car were overdosing. Fortunately, the passenger was able to put the car in park before passing out. Two people injected the driver with Narcan, but it didn’t work. Somebody called 911, and paramedics revived the driver, Moore said. He said he doesn’t know whether the passenger made it.

Reportedly 712 city residents died in 2020 (about triple the number killed by COVID-19) from the drug epidemic.

That’s nearly two corpses, on average, taken to the medical examiner’s office every day.

This is not just about one city, however, but a national expansion westward as has been predicted since at least 2016.

Over 100,000 Americans (about 10,000 in California) were killed by drug overdose in the past year. It has reached a new record high, a massive 29% increase from prior year, with over 60% of deaths by the synthetic opioid fentanyl. Meth overdose deaths went up nearly 50% at the same time. For comparison, meth overdoses in 2020 recorded far more deaths in Fresno County, California than the total combined number of homicides and suicides, one and two-vehicle crashes, fire, falls and drowning.

It’s tempting to blame China, given the economics of American consumption, yet “a primer on fentanyl(s)” debunked that right away in 2018:

…there’s nothing magical about China. India also has skilled chemists and a huge flow of mail to the U.S. So, for that matter, does Canada. And so does the U.S.; if international sources dry up, the stuff will, once again, be made here.

San Francisco is now suffering from a wave that has swept across the whole country, so the real question is whether noise from the Tenderloin will catalyze the kind of change that needs to happen at a national level.

VPN Kill Switch Configuration Uncovers Fake Ubiquiti Whistleblower

Here’s a crime story with multiple interesting twists. Perhaps the biggest news is this part:

…former Ubiquiti developer, who has reportedly been charged with stealing data and trying to extort his employer while pretending to be a whistleblower.

Pretending to be a whistleblower in order to gain power or extort money is a very serious act, not least because it may undermine all legitimate whistleblowers.

Let me put that a different way, though. There seems to be a trend among staff attacking their employer while claiming protected status because they try to align their personal gain objectives with some greater interest.

I am reminded of people asking me about Tristan Harris’ real oppositional position to Google, as he suspiciously branded himself a whistleblower.

It seems to me he was most upset that he personally wasn’t profiting enough and given more power — to him the wrong people were getting all the money and fame. Thus Tristan charted a course for himself to get far more of that, and is primarily using his experience at Google to become famous and wealthy.

My favorite take-down of Tristan is from his not-very-ethical self-promotional movie pretending to be a documentary:

The film is really designed to showcase Tristan Harris, who probably takes up 1/3 of the screen time. Tristan made his name by being the internal “ethicist” at Google for a little while before setting out on his own to become the high prophet of “internet companies are trying to manipulate us!” But, as others have pointed out, Tristan has a habit of vastly exaggerating things, or being misleading himself. As just one example, highlighted by Antonio Garcia-Martinez in his must-read dismantling of the film, is that Harris argues that we didn’t have these same problems with earlier technologies — like the bicycle. But as Antonio points out, there was, in fact, quite a large moral panic about the bicycle…

Netflix failing to be in a Netflix film about companies like Netflix that do bad things comes across as a giant nail in Tristan’s attempted whistleblower status claim.

Shameless. But this also doesn’t change the fact that someone attacking their former employer may in fact expose them for serious mistakes.

Thus, the second notable point in the Ubiquiti crime story is a turnabout — how a supposed whistleblower has been exposed for making serious mistakes.

According to the indictment, after securing a job at another company, Sharp allegedly used his still functional privileged access to Ubiquiti’s systems at Amazon’s AWS cloud service to download large amounts of proprietary data. To cover his tracks, Sharp had used a SurfShark VPN connection to mask his real IP address. He then sent a ransom note to Ubiquiti using the same cover, demanding 25 bitcoin in exchange for a promise not to share the data. However, investigators were able to trace the downloads to Sharp because his flaky internet connection briefly failed multiple times, exposing his real IP address. And, he forgot to turn on the Kill Switch on his SurfShark VPN. By default, this is off.

As I said, you can see Ubiquiti exposed for using AWS infrastructure (infamous for insecure configurations) while leaving privileged access enabled for ex-staff, not to mention allowing massive extractions of data. That’s a lot of oops.
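As an added illustration (not code from the article, from Ubiquiti or from AWS), here is detection logic that would have flagged the three failures the quote describes: an offboarded account still active, one principal appearing from more than one source IP (what a dropped VPN looks like from the server side), and bulk downloads. The log records, user names and thresholds are constructed assumptions in a CloudTrail-like shape.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style S3 data events (not real Ubiquiti or AWS logs).
# additionalEventData.bytesTransferredOut is the field CloudTrail uses for
# S3 GetObject data events; the values and IPs here are made up.
SAMPLE_LOG = """
{"eventName":"GetObject","userIdentity":{"userName":"ex-dev"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"bytesTransferredOut":734003200}}
{"eventName":"GetObject","userIdentity":{"userName":"ex-dev"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"bytesTransferredOut":1258291200}}
{"eventName":"GetObject","userIdentity":{"userName":"ex-dev"},"sourceIPAddress":"203.0.113.42","additionalEventData":{"bytesTransferredOut":524288000}}
{"eventName":"ListBuckets","userIdentity":{"userName":"ops-bob"},"sourceIPAddress":"192.0.2.10","additionalEventData":{}}
{"eventName":"GetObject","userIdentity":{"userName":"ops-bob"},"sourceIPAddress":"192.0.2.10","additionalEventData":{"bytesTransferredOut":4096}}
"""

OFFBOARDED = {"ex-dev"}      # assumption: fed from the HR / identity-provider leaver list
BULK_BYTES = 1 * 1024 ** 3   # assumption: 1 GiB per user per review window

def parse_events(text):
    """Parse newline-delimited JSON records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def analyze(events, offboarded=OFFBOARDED, bulk_bytes=BULK_BYTES):
    """Return (finding, user, detail) tuples for the three failure modes."""
    per_user = defaultdict(lambda: {"ips": set(), "bytes": 0, "events": 0})
    for ev in events:
        rec = per_user[ev["userIdentity"]["userName"]]
        rec["ips"].add(ev["sourceIPAddress"])
        rec["events"] += 1
        rec["bytes"] += ev.get("additionalEventData", {}).get("bytesTransferredOut", 0)
    findings = []
    for user, rec in sorted(per_user.items()):
        if user in offboarded:              # access should have been revoked
            findings.append(("offboarded-user-active", user, rec["events"]))
        if len(rec["ips"]) > 1:             # e.g. VPN exit IP plus a leaked home IP
            findings.append(("multiple-source-ips", user, sorted(rec["ips"])))
        if rec["bytes"] >= bulk_bytes:      # mass extraction of data
            findings.append(("bulk-download", user, rec["bytes"]))
    return findings

if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_LOG)):
        print(*finding)
```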

However, far more interesting in this case is Sharp being not so sharp. (They say the only criminals are dumb ones because if they’re smart they never get charged with being criminal.)

He bungled the basics of VPN configuration (likely because he was impatient, if not just sloppy and incompetent) after he bungled the basics of VPN purchase.

…investigators were also able to link the attacker’s VPN connection to a SurfShark account purchased with Sharp’s PayPal account.

The cost of SurfShark is so minimal, it raises the question why Sharp didn’t think to pay anonymously.

In this case, perhaps we also should ask why SurfShark markets itself for safety online while lacking any warning that it will by default expose your personal information (IP address).

In fact SurfShark’s warnings go the opposite direction from safety: when you enable the “kill switch” it warns that protecting your connection this way may cause outages. It encourages you to operate less safely for the benefit of smooth connectivity.

“How to use Kill Switch” seems incredibly selfish and misleading of SurfShark (emphasizing better availability and thus fewer support calls, while failing at basic confidentiality — they had ONE job).

[Screenshots of SurfShark’s “How to use Kill Switch” instructions for Windows, OSX, Android and iOS. Source: SurfShark]

Easy Hacks on Telephone Entry Systems

Blast from the past. Here’s my Channel 2600 recording from the Next HOPE (2010):

Telephone entry systems are practically everywhere in the city. An investigation after a series of break-ins uncovered several shockingly simple bypass techniques currently used by criminals. This presentation explains how the common keypad box will grant full access to a building in under ten seconds using only basic tools. The presentation will also give details on a series of countermeasures that can significantly reduce the vulnerabilities.

How to abseil a 200 foot tree with 100 feet of rope

Get a longer rope.

Here is an amusing footnote from British special forces history. In short (pun not intended) there was a distinct shift from Orde Wingate’s 1940s self-reliant “long line” marches by “Chindits” into Burma, let alone F. Spencer Chapman’s work in Malaysia… to the British SAS getting slightly “hung up” when parachuting in the 1950s:

Equipped with 100 feet of rope, the paratroopers would tie the rope to the tree and abseil down to the ground. The technique was first instigated in 1953. However, it was found that many trees were taller than 100 feet, so the amount of rope carried was doubled to 200 feet.

Perhaps the rank incompetence of the Colonial Office (e.g. Sir Shenton Thomas’ retreat) was foreshadowing?

Whitehall bungling and incompetence leading directly to the fall of Singapore in 1942 has been disclosed for the first time by Whitehall officials. Papers relating to the wartime defence of Malaya and Singapore were considered so sensitive that they have been withheld from public inspection for 50 years – 20 years beyond the normal release date for official files. But the newly published government papers confirm that British efforts to scapegoat Australian forces and the Governor of the Straits Settlements for the most humiliating debacle in the history of the Empire could well have been motivated by a wish to deflect attention from Whitehall’s far greater dereliction of duty.

A need for better knowledge of the environment and risks seems like exactly what the British military should have taken from WWII; as Chapman himself published details in his 1949 public memoir…

1st Edition. Hardcover published 1949 in New York by W. W. Norton & Company

Yet somehow someone in the 1950s didn’t bother to check in with Chapman, let alone the height of trees before jumping into them, especially after at least a decade of prior military missions run beneath them?

This 97.58m tree is 120 feet too tall for a 200 foot rope
To be fair, a 300 foot tall Yellow Meranti stands out

Speaking of being bad at estimating environment/size, I’m reminded of a Delta memoir that made some obvious cultural errors.
