Security

Gogo in-flight WiFi creates man-in-the-middle diddle

Join the mile-high club by getting screwed with fake certs


In-flight WiFi provider Gogo, once accused of giving US law enforcement more interception access than the law requires, has now been spotted presenting fake Google SSL certificates to passengers so that it can intercept their encrypted traffic and block video streaming services.

Google engineer Adrienne Porter Felt (@__apf__) noticed that the SSL certificate her browser was shown for a Google site had not been issued by Google at all, and publicly called on the company to explain itself.

Gogo's chief technology officer, Anand Chari, said only that the certificates were used to block streaming services while the company upgraded network capacity, and that no user data was collected.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don't support various streaming video sites and utilise several techniques to limit or block video streaming," Chari said in a statement.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.

"Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic."

But there were, as Felt put it, "better ways to do it" than mounting a man-in-the-middle attack on users. Blocking a streaming site does not require decrypting anything: the hostname a client is connecting to travels in the clear in the TLS handshake's Server Name Indication, so a middlebox can drop or reset those connections without touching the certificate. Forging the certificate instead means the proxy either presents one that browsers reject, or relies on passengers having been persuaded to install its CA, at which point every site they visit becomes readable to the operator.
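The failure mode behind Felt's screenshot, as an added example that is not part of this article and not Gogo's or anyone else's production code: a proxy that terminates TLS has to hand the client a certificate for the site it is impersonating, signed by a CA the proxy controls. The Go program below (all names are assumed; the CAs, the hostname www.example.com and the certificates are constructed fixtures) runs the two checks a careful client performs. Ordinary chain validation rejects the forged certificate as long as the proxy's CA is not in the trust store. If a passenger has been persuaded to install that CA, the chain validates, and only a public-key pin on the genuine issuer still catches the substitution. Chrome has shipped built-in pins for Google domains since 2011, which is one reason a certificate like this is noticed quickly on a Google engineer's laptop. The `must` helper uses generics, so Go 1.18 or later is assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrPinMismatch: the chain validated against the trust store, yet no certificate
// in it carries a pinned key. That is what an installed interception CA looks like.
var ErrPinMismatch = errors.New("chain validates but matches no pinned key")

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // a fixture failing to build is a programming error
	}
	return v
}

// template builds a CA or server-leaf template; everything issued here is a constructed fixture.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parent, or self-signs it when parent is nil, using a fresh P-256 key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the form HPKP and Chrome's static pins use.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPinned runs ordinary chain validation for host against roots, then also
// requires that some certificate in a valid chain matches one of the pins.
func VerifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins []string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	for _, chain := range chains {
		for _, c := range chain {
			for _, p := range pins {
				if SPKIPin(c) == p {
					return nil
				}
			}
		}
	}
	return ErrPinMismatch
}

// Result holds the outcome of the three scenarios RunScenarios constructs.
type Result struct {
	Genuine        error // leaf issued under the pinned root: nil
	RogueUntrusted error // leaf forged by a proxy CA the client does not trust: validation error
	RogueTrusted   error // same forged leaf after the proxy CA was installed as trusted: ErrPinMismatch
}

// RunScenarios builds a genuine root, a rogue interception CA and a leaf for the host from each.
func RunScenarios() Result {
	const host = "www.example.com" // hypothetical hostname, not a real Google domain
	realRoot, realKey := issue(template("Genuine Root CA", 1, true), nil, nil)
	rogueCA, rogueKey := issue(template("Inflight Proxy CA", 2, true), nil, nil)
	genuine, _ := issue(template(host, 3, false), realRoot, realKey)
	forged, _ := issue(template(host, 4, false), rogueCA, rogueKey)
	pins := []string{SPKIPin(realRoot)} // the client pins only the genuine root's key
	trusted := x509.NewCertPool()
	trusted.AddCert(realRoot)
	var r Result
	r.Genuine = VerifyPinned(genuine, trusted, host, pins)
	r.RogueUntrusted = VerifyPinned(forged, trusted, host, pins)
	trusted.AddCert(rogueCA) // the passenger was persuaded to install the proxy's CA
	r.RogueTrusted = VerifyPinned(forged, trusted, host, pins)
	return r
}

func main() {
	r := RunScenarios()
	fmt.Printf("genuine chain: %v\nforged, CA untrusted: %v\nforged, CA installed: %v\n",
		r.Genuine, r.RogueUntrusted, r.RogueTrusted)
}
```

Running it with `go run` prints `<nil>` for the genuine chain, an unknown-authority error for the forged chain while the proxy CA is untrusted, and the pin mismatch once that CA has been added to the pool. Pins are a blunt instrument for general-purpose clients (browser-side HPKP was withdrawn by Chrome in 2018, and Certificate Transparency now does the broad job of exposing mis-issued certificates), but for a client that knows exactly which issuer it expects, as a first-party app does, the pin check is still the cheapest way to turn a silently installed interception CA into a hard failure.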

Gogo's willingness to go beyond what the law requires of it for lawful interception, discovered by American Civil Liberties Union technologist Chris Soghoian and detailed by Wired, extends the concern beyond a debate about whether there is any legitimate use for bogus SSL certificates.


In September last year the company revealed, in a letter (PDF) submitted to the Federal Communications Commission, that its network exceeded the requirements of the Communications Assistance for Law Enforcement Act (CALEA).

Gogo said at the time that the one additional capability, apparently the use of a CAPTCHA to prevent remote access, was a lone function unrelated to traffic monitoring.

The news should serve as a warning to onboard users wishing to keep their data out of government hands. ®


LG intranet leaks suggest internal firesale of unsold, unreleased smartphones as biz exits the mobile market

Staff offered doomed handsets at knockdown prices in move reminiscent of HP's Palm episode

Following its decision to exit the smartphone biz, LG has reportedly started a fire sale of its unsold and unreleased assets, unloading them to staffers at a cut-down price.

Pics obtained from LG's intranet and leaked on Twitter show the company listing the LG Velvet 2 Pro (also referred to as the LG Rainbow) for the equivalent of ₩200,000, or roughly £125. The predecessor was sold carrier-locked for $599.

The bargain handset came with a few stipulations and caveats attached. For starters, would-be owners were warned the device would not receive any software updates, and would only have a six-month (later reportedly increased to 24 months) warranty. With only 3,000 units available, punters were limited to just two units per person, and were expressly forbidden to re-sell them.


Reports link Bill Gates' departure from Microsoft board in 2020 with probe into employee affair

Gates denies connection

The Microsoft board was conducting an investigation into Bill Gates' alleged "inappropriate" romantic relationship with a female Microsoft employee when he resigned in 2020, according to two investigative reports that appeared over the weekend.

The employee was not named and a Gates Ventures spokesperson denied the two incidents were linked, telling The Register that Gates' "decision to transition off the board was in no way related to this matter. In fact, he had expressed an interest in spending more time on his philanthropy starting several years earlier."

They also stated: "There was an affair almost 20 years ago which ended amicably."


Oracle sues Envisage claiming unauthorized database use amid licensing crackdown

Fiscal year end forecast: Cloudy with a chance of litigation

Oracle this month filed a lawsuit against Envisage Technologies, claiming the Bloomington, Indiana-based IT firm has been violating its copyrights by running Oracle Database on Amazon Web Services in an improper way.

The complaint [PDF], filed in a US federal district court in California, alleges Envisage has been operating its Acadis Readiness Suite – a collection of training and compliance software aimed at public-safety officials – in conjunction with a version of Oracle Database Standard Edition 1 (SE1) from 2006 hosted by Amazon in its cloud.

Envisage, Oracle claims, deploys its applications on Amazon Relational Database Service (Amazon RDS) without the appropriate license, serving more than 2m public safety professionals (police officers, firefighters, etc) and over 11,000 government agencies. That is to say, Envisage uses a version of Oracle Database hosted on Amazon RDS, and Oracle doesn't believe this is correctly licensed.


Space is hard: Rocket Lab's 20th Electron launch fails

Firm working with FAA to 'investigate the anomaly' after second stage sputters

What was supposed to have been a milestone in Rocket Lab's march toward reusability turned into a mishap over the weekend as a borked second stage sent the payload on the company's 20th Electron launch back to Earth considerably earlier than planned.

Delicately described as an "anomaly" by Rocket Lab, problems seemed to begin seconds after the second stage was ignited. Those watching the livestream of the event were treated to the sight of the stage shutting down prematurely after what appeared to be a tumble. Telemetry then showed the rocket slowing down before Rocket Lab pulled the plug.

The flight of the first stage looked to be nominal, having left the pad at launch complex 1A on New Zealand's Māhia Peninsula on 15 May at 11:11 UTC following a hold due to upper-level winds. There was a furore over the loss of the payload (two of BlackSky's satellites were destroyed), but somewhat lost in that was the fact that the first stage made a successful descent to the ocean under parachute and, according to Rocket Lab, the "recovery team is working to retrieve the stage from the ocean as planned."


Staying in the UK this summer? Good news: Temples of IT nerdery are reopening

Computer museums set to be unbolted again

As the UK enters the latest stage of lockdown easing, The Reg can confirm that The National Museum of Computing and the Centre for Computing History will be reopening imminently.

It is heady stuff, although both temples to computing nerdery are taking things slowly after lengthy enforced closures.

The Centre for Computing History is to be first off the mark and will be opening its doors for this coming weekend: 22 and 23 May. The following two weekends will also see punters invited in to prod at all manner of classic hardware. What happens after that, frankly, depends on how it all goes.


We'd love to report on the outcome of the CREST exam cheatsheet probe, but UK infosec body won't publish it

Why? It might reveal whistleblowers' names...

British infosec accreditation body CREST has declared that it will not be publishing its full report into last year's exam-cheating scandal after all, triggering anger from the cybersecurity community.

"The Report of the Independent Investigator contains information that was obtained in confidence and, therefore, in line with both the terms of the Process and CREST's Complaints and Resolution Measures, the Report is confidential and cannot be made public," said CREST in an update published on its website late on 10 May, right before the CyberUK conference began.

Multiple infosec people forwarded this statement to The Register and expressed concern that the scandal was being quietly buried by CREST.


Are you ready to take a stand? Flexispot E7 motorised desk should handle whatever you dump on it – but it's not cheap

Sitting is as bad for you as smoking, and doesn't look nearly as cool

Review: Sitting, we're told, is the new smoking. The catastrophic health consequences of hours spent hunched behind a desk are said to include heart disease, colon cancer, and muscle weaknesses.

Your dreary 9-to-5 IT job might as well be a 20-pack of Gauloises, for all the good it's doing you. Or you could get a standing desk.

Standing desks allow workers to use their IT kit from both standing and sitting positions, alternate their posture throughout the day, and thus potentially stave off a fearsome collection of maladies. But they ain't cheap.


Mammoth grab of GP patient data in the UK set to benefit private-sector market access as rules remain unchanged

No policy shakeup to deal with snatch of info from primary physicians

Evidence from NHS Digital's website suggests that patient data held by GPs in England will be available to private-sector companies to help them understand market opportunities in the UK's health service.

In response to government plans to start collecting patient data held by GPs into a central database, NHS Digital said it would "not approve requests for data where the purpose is for marketing... including promoting or selling products or services, market research or advertising."

It said requests for data would be assessed through the Data Access Request Service, part of NHS Digital. Independent oversight and scrutiny of applications would come from a Professional Advisory Group made up of representatives of the Royal College of GPs and doctors' union the British Medical Association, as well as the Independent Group Advising on the Release of Data (IGARD), also part of NHS Digital.


When the chips are down, Intel's biggest gamble isn't what to do – it's whom to do it with

Trade you architecture and production tricks for lithography and yield plans?

Political America likes to judge its presidents by their first 100 days. Corporate America thinks more in 90-day cycles, so as today is Pat Gelsinger's 90th day at the helm of Intel, it's an apt time to look at how he and the company are doing.

The market remains cool on Gelsinger, perhaps because he said that the $80bn of Intel cash spent on share buybacks this past decade may have been better invested in, y'know, making chips.

He has set about proving that by announcing $20bn for a couple of new fabs in Arizona last month, and he's up for more. A quick tour of Europe saw him ask for $10bn in subsidies to build new plants somewhere in the EU, expressing strong interest in Germany and Benelux (sorry, UK, you don't get to play). He also broke bread with BMW and had a neither-confirmed-nor-denied visit to Volkswagen.


Apple sent my data to the FBI, says boss of controversial research paper trove Sci-Hub

Former Sun boss Scott McNealy offers interesting response

Alexandra Elbakyan, the creator of controversial research trove Sci-Hub, has claimed that Apple informed her it has handed over information about her account to the FBI.

Elbakyan made the allegation in a week-old Tweet that went unremarked-upon for longer than you’d imagine, given that Apple and the FBI have a history of conflict over whether the Bureau should be allowed to peer into Apple customers’ devices.


The future is now, old man: Let the young guns show how to properly cock things up

Phoning it in?

Who, Me? This week's episode of Who, Me? straddles the worlds of IT and telephony, as a reader fails to consider the tinkering of someone too young to know better.

"Al", for that is not his name, was looking forward to a well-earned retirement after a career spent at an IT giant working on everything from compilers and operating systems to firmware and networking.

Faced with a future revolving around daytime television, Al decided to keep his hand in by taking on the role of a part-time IT manager at his local GP practice (usually the first port of call for Brits seeking healthcare).
