Parents sue Apple after Amber Alert "tore apart" son's eardrums

The rule of thumb is that if a law is named after a person it’s probably a bad law.

7 Likes

Brannigan’s Law is like Brannigan’s love: hard and fast

4 Likes

It’s the “white blond girl has been kidnapped” alert

6 Likes

This lines up with one of my pet peeves: that on an iPhone there is no way to adjust the sound level for something that isn’t actively being used. If you want to change the volume of, say, the Google Maps direction voice, you can only change it if it happens to be talking. Or a video will be buffering and I’m turning down the volume, but it will only affect the ringer at that point; then the moment the video starts it shifts to video volume, which might be at full blast. Real fun when you’re in a public place or your spouse is asleep in the next room and you just wanted to hear something quietly. And this also happens when you have headphones on.

And because it keeps the headphone level separate from the speaker level and only changeable when headphones are plugged in, multiple times I turn the volume down, plug in my headphones, and proceed to get blasted, hard. Of course I should change my habit to the other way 'round, but why should I have to?

There should be a global volume and global silencing. We shouldn’t have to figure out this mish-mash of a UI.

6 Likes

I believe what shows in the list is really up to the carrier/local/federal government so different areas will have different things in that list. Some classes of emergency alerts won’t show up in the list and can’t be turned off:

3 Likes

Things like Amber alerts, silver alerts, and their ilk are well intentioned. The problem is they are overused with guidelines often being ignored, and their efficacy is debatable.

1 Like

No, it isn’t.

To call them “custody dispute” alerts, however, would not be entirely inaccurate.

15 Likes

Your better half is spot on.

I attended a security conference last week where several presenters were discussing the risks of the “software supply chain” as it’s come to be called. Think of the software supply chain as not only the stack of blocks in the cartoon (or house of cards, if you want to be slightly more accurate), but it also includes the tools developers use to build the complex systems we all enjoy. These kinds of attacks have gone on for decades, but really came to the national forefront last year when the “Solarwinds” breach hit. (Solarwinds sells an email security product used by 18,000 large companies, including most U.S. government agencies. Turns out their product had been tampered with by hackers from a rival nation-state, allowing the attackers to sneak into the networks of anyone running Solarwinds Orion.)


True story time

[ By its nature this gets technical, but I’ll try to explain as I go. Trust me and read to the end – the payoff is worth it. ]

There have been a number of other software supply chain vulnerabilities where the attackers broke into a software producer’s network and subtly modified their tools or code to make their products vulnerable. The most fantastic story of all, hands down, comes from Juniper Networks. Juniper is well known in the computer industry for making big network firewall appliances. They’re analogous to the firewalls in your home routers, but these are the supercharged versions trusted by the biggest companies in the world to help keep attackers out of their networks.

Something to understand up front is that computers need unguessably random numbers to generate encryption keys. If someone can guess or predict the random number you’re using as a key, they can break into your communications. But as random number generation is a really hard problem for computers, the algorithms used to generate them are necessarily complex. These algorithms are known as Cryptographically Secure Pseudo Random Number Generators, or PRNGs.

Something else to know about PRNGs is that they depend upon “constants” (values that are specified up front, agreed to as part of the algorithm, and are never changed.) There’s long been a suspicion among cryptographers as to the source of any constants they see, because it’s nearly impossible to tell a carefully chosen booby-trapped number from a truly random number.

Anyway, the story’s roots start back in 1997, when a pair of clever mathematicians found a way to “booby trap” the Diffie Hellman (DH) key exchange protocol. DH is implemented in virtually every computer on the web, as it’s used to exchange the keys used to encrypt your web traffic (you see the little padlock in your browser). Adam L. Young and Moti Yung presented a paper at Eurocrypt detailing a “kleptographic” covert key generator that introduced a mathematical backdoor into Diffie Hellman key exchanges. By providing a specially crafted custom constant, they were able to monitor the key exchange and thus break the encryption.

In the early 2000s a random number algorithm called Dual EC DRBG was heavily promoted by a cryptographer associated with the NSA as a replacement PRNG. It was eventually included in cryptographic standards ANSI X9.82 and ISO/IEC 18031:2005, which are American and international standards, both of which are very important to industries everywhere. But this cryptographer really wanted the US Federal Government’s standards body, NIST, to adopt the new algorithm as their standard as well.

RSA (the company that makes the little number-changing security tokens of the kind you might find on your key ring) has long been a well-respected cryptography company, and they sold cryptographic libraries to large and small companies worldwide. And they adopted the Dual EC DRBG in their BSAFE library as their default PRNG. At one time it was estimated that one-third of all SSL traffic was using keys generated by the Dual EC DRBG [citation needed].

Despite the protests of mathematicians who had analyzed the algorithm and identified some flaws in it, it was eventually published in NIST SP 800-90A in 2006. The original “random” Dual EC constant proposed by the NSA was retained in the final standard.

Some of the mathematicians who studied the Dual EC DRBG algorithm noted a marked similarity between the new PRNG algorithm and the mathematics used in the DH booby trap postulated by Young and Yung back in 1997. Of course, there was no proof that the Dual EC DRBG was booby-trapped.

In 2007 a couple of Microsoft employees, Dan Shumow and Niels Ferguson, demonstrated an implementation of the Dual EC DRBG algorithm containing a backdoor they’d constructed by using their own Dual EC constant. http://rump2007.cr.yp.to/15-shumow.pdf This served as confirmation that the algorithm could be tampered with. But it still was not proof that the standard algorithm was tampered with.

In 2008 Juniper Networks implemented Dual EC DRBG as the PRNG used by their ScreenOS operating system, used in their enterprise class NetScreen Firewall systems. They used the original Dual EC constant as provided in the standard.

In 2012, NIST updated SP 800-90A, and despite the continued protests the Dual EC DRBG was still recommended as the preferred random number generator.

In 2013 Reuters published information from Edward Snowden’s leak asserting that the NSA had paid RSA $10 million to implement Dual EC DRBG as their default PRNG.

In 2015, NIST withdrew SP 800-90A, superseding it with SP 800-90A Rev. 1, which finally removed Dual_EC_DRBG from the federal standard as a recommended PRNG.

Removing it from the standards is one thing. Actually removing it from the millions of production systems where it’s already been implemented is something else.

In 2016 Juniper Networks removed Dual EC DRBG from ScreenOS. At that time they revealed that unknown hackers had infiltrated their systems for many years, and in 2012 the hackers had modified the source code to ScreenOS, replacing the NIST-specified Dual EC constant with a constant of unknown origin. Nobody at Juniper noticed the number had been changed.

So from 2008 through 2012, it’s highly probable that the NSA was able to backdoor its way through every corporate Juniper firewall in the world. But from 2012 through 2016, the NSA’s magical all-access pass was lost, while whoever tampered with the constant likely had that ability for themselves.

Epilogue

The deal with the NSA as documented by Snowden ended up delivering a nearly fatal impact to RSA’s business. In 2017 RSA abruptly announced the termination of their popular RSA Key Manager and Data Protection Manager products, which had approximately 70% of the market share for cryptographic key servers. Their key servers were used by web service providers, banks, financial institutions, and other very large companies to protect everything from web server keys, to inter-bank transfers, to the keys used to encrypt credit card PINs. Support for the Key Manager line was completely dropped, the BSAFE library was abandoned, no replacement products were ever released, and no official explanation was ever given. RSA went from a world leader in cryptography to essentially dead in the field – for 30 pieces of silver.

14 Likes
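The trapdoor that post describes, as an added toy example that is not from the thread, from Juniper, or from the NIST standard: a miniature Dual EC over a constructed 14-bit curve, where the party who chose the constants knows e with P = e*Q and can therefore turn one published output into every later one. The curve, prime, seed and the P = e*Q relation are all assumptions made for the demonstration.

```python
# Toy model of the Dual EC DRBG trapdoor described in the post above. Constructed
# for illustration only: a tiny curve over a 14-bit prime instead of P-256, no
# output truncation, and constants built so P = e*Q for a secret e (the assumption).
import random
MOD = 10007           # prime with MOD % 4 == 3, so a modular sqrt is one pow()
A, B = 2, 3           # curve y^2 = x^3 + A*x + B over GF(MOD), constructed
INF = None            # point at infinity

def add(p1, p2):                   # affine addition; handles INF and doubling
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, MOD)
    x3 = (lam * lam - x1 - x2) % MOD
    return x3, (lam * (x1 - x3) - y1) % MOD

def mul(k, pt):                    # double-and-add scalar multiplication
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x(x):                     # a point with this x, or None; sign is irrelevant
    rhs = (x ** 3 + A * x + B) % MOD
    y = pow(rhs, (MOD + 1) // 4, MOD)
    return (x, y) if y * y % MOD == rhs else None

def demo(seed=1, s0=7, steps=4):   # returns (real outputs r2..rn, attacker's predictions)
    Q = next(pt for pt in map(lift_x, range(1, MOD))      # base point of order > 63
             if pt and all(mul(k, pt) for k in range(1, 64)))
    e = random.Random(seed).randrange(2, MOD)   # the trapdoor value
    P = mul(e, Q)                               # the "unexplained" second constant
    s, outputs = s0, []
    for _ in range(steps):
        s = mul(s, P)[0]                        # state update: s <- x(s*P)
        outputs.append(mul(s, Q)[0])            # output r = x(s*Q)
    # Attacker knows e and sees only outputs[0]: x(e*R) = x(s*e*Q) = x(s*P) is the
    # next internal state, so every later output follows from it.
    s_att, predicted = mul(e, lift_x(outputs[0]))[0], []
    for _ in range(steps - 1):
        predicted.append(mul(s_att, Q)[0])
        s_att = mul(s_att, P)[0]
    return outputs[1:], predicted
```

The real generator drops the top 16 bits of each output, which only costs the trapdoor holder a search over 2^16 candidate points; the defensive lesson is that a constant whose derivation cannot be verified should not be trusted to be random.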

It’s all a veneer, and the xkcd captures it perfectly. For all the slick and fancy stuff at the front, it’s often barely held together by baling wire and duct tape.

4 Likes

It was established under Trump and he didn’t try to link it directly to his Twitter feed?

The plaintiffs make a good case that Amber Alerts shouldn’t start playing at an ear-blasting, nerve-jarring volume. Listeners should be given a chance to remove their earbuds before the volume reaches an ear-splitting level.

Why are headphones even capable of producing sound so loud it will literally destroy the ear hearing it? In what possible situation is that desirable?

6 Likes

Do you want government regulation? Don’t you know that leads to the government taking your guns away, putting everyone in FEMA camps and forcibly melding you with AI machines?!!!1?

/s

7 Likes

So it would appear you don’t follow the news.
It’s full of Amber Heard alerts.

1 Like

But “it just works” /s
:frowning:

Apple: this is why we can’t have nice things without nasty things. (I’m sure that’s their corporate motto.)

2 Likes

Well, he generally is… he married me, didn’t he? :grin:

But also, it’s the “height of civilization”…

You know that there are actual people actually saying that shit, too.

4 Likes

I’d say that the focus on Amber Alerts (while they are irksome) really misses the point: why should AirPods ever produce volumes capable of breaching an eardrum and damaging the cochlea?

This isn’t a case of a device that just has a headphone jack and doesn’t know whether you are driving earbuds rammed right into your ear canal, big, demanding, over-ear headphones, or a small set of unpowered speakers at the far side of the room, where there are some arguments in favor of being capable of power output that is dangerous in certain cases but required for others. The AirPods only have one intended operating location, and they generate the audio on their own initiative (ideally based on input from the connected BT device, but with full local control over how they choose to render the audio stream coming in).

It just seems like madness to have wireless earbuds that are capable of this sort of power in response to any input from the BT sound source.

2 Likes

Sadly, yes. Every one of those things is something lots of people say in all apparent belief that it is actually true.

2 Likes

Amen, here. I live in Austin, TX and get Amber alerts for things happening in El Paso. For anyone not familiar with Texas geography, El Paso is right about the halfway point from here to Los Angeles. I don’t mind getting an alert for something, but I’m not sure folks 8.5 hours away necessarily need to be woken up in the middle of the night when a kid or elderly person goes missing. Also, please don’t destroy my eardrums if I am wearing headphones!

Yeah, even just gradually increasing to full volume over a period of several seconds would go a long way to making the alerts safer, and not just for those wearing earbuds. I’ve often wondered how many car accidents the alert system has caused by sending a sudden startling and distracting noise to thousands of drivers all at the same time. And as noted above, it’s generally for things like Silver Alerts that you can’t do anything about when driving down the freeway anyway. It’s like they designed the system intending to make people disable it out of frustration.

The thinking here is that a lot of these are family members taking the kids and fleeing the location they’re in to elsewhere, so an 8-hour radius isn’t at all a stretch for a day’s drive.

2 Likes