
GoGo in-flight WiFi creates man-in-the-middle diddle

Join the mile-high club by getting screwed with fake certs


In-flight wifi service GoGo, once accused of facilitating excessive interception access for US law enforcement, has now been spotted using fake Google SSL certificates to spy on net traffic and prevent passengers from accessing video streaming services.

Google engineer Adrienne Porter Felt (@__apf__) noticed the fake SSL certificate, which masqueraded as originating from her employer, and publicly called on the company to explain its actions.

Chief technology officer Anand Chari said only that it used the certificates to block streaming services while it upgraded network capacity and did not collect user data.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don't support various streaming video sites and utilise several techniques to limit or block video streaming," Chari said in a statement.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.

"Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic."

But there were, as Felt said, "better ways to do it" than creating a man-in-the-middle attack against users.

The company's willingness to exceed the mandatory requirements for the provision of telecommunications interception, discovered by American Civil Liberties Union technologist Chris Soghoian and detailed by Wired, extended the concerns beyond a debate on the legitimate use of bogus SSL certificates.


In September last year the company revealed in a letter (pdf) submitted to the Federal Communications Commission that it exceeded the requirements of the Communications Assistance for Law Enforcement (CALEA).

Gogo said at the time that an additional capability, seemingly the use of CAPTCHA to prevent remote access, was an apparent lone function that was not related to traffic monitoring.

The news should serve as a warning to onboard users wishing to keep their data out of government hands. ®
