
Sunday, December 21, 2014

My Android Apps Privacy Policy

Some Android app repositories have changed their submission process to require a privacy policy.  This post is in response to those requests and to address concerns of some users.

I create Android games and other programs as a hobby.  As a result, I have no interest in collecting personal information and using it.  My interest is in game creation and development.  There is a great deal of responsibility involved in managing personal data.  

I use third-party libraries in my games to provide social interaction.  Google Play Services is currently used in most of my games, and Swarm is still used in at least one older game and thus examination of their respective privacy policies may be beneficial.  

Most of my games have location sensing flags set to support targeted advertising - this is a requirement by many advertisers.   To those that enjoy my software creations, thank you, and rest assured that I do not collect personal data and currently have no use for it.

Thursday, September 25, 2014

Bash Shellshock Vulnerability - What's the threat?

Below is a link on GitHub wherein the Bash Shellshock vulnerability is being discussed:

https://gist.github.com/anonymous/929d622f3b36b00c0be1

For the non-technical, what the posters are showing is that the vulnerability now termed Shellshock is already being used.  Attempts to use the vulnerability are being captured in log files.  Note in particular the User-Agent entries in the log files, as they illustrate the attempt to use the vulnerability.
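As an added example (not code from the linked gist or from this blog), here is one way to pull such attempts out of a web server access log. It assumes Apache/nginx combined log format and keys on the `() {` prefix that Bash treats as an imported function definition; the log lines, addresses and placeholder payloads are constructed.

```python
import re
from collections import Counter

# Bash imports a function from an environment variable whose value begins
# with "() {". CGI copies request headers into environment variables, so the
# same prefix inside a logged header field marks a Shellshock probe.
SHELLSHOCK_PREFIX = re.compile(r"\(\)\s*\{")

# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# Constructed sample lines (documentation IP ranges, placeholder payloads).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.0" 200 87 "-" "() { :;}; <placeholder-command>"
198.51.100.7 - - [25/Sep/2014:10:01:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 0 "() { ignored; }; <placeholder-command>" "-"
203.0.113.44 - - [25/Sep/2014:10:02:30 +0000] "GET /about HTTP/1.1" 200 900 "-" "curl/7.38.0"
"""

def find_probes(log_text):
    """Return one dict per line whose request, referer or agent carries the prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not combined format; a production tool would count these
        fields = [f for f in ("request", "referer", "agent")
                  if SHELLSHOCK_PREFIX.search(m.group(f))]
        if fields:
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "status": m.group("status"), "fields": fields})
    return hits

def probes_per_source(hits):
    """Count flagged requests per source address to surface scanners."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(probes_per_source(found))
```

A 200 status on a flagged request only says the server answered; whether Bash actually ran behind that URL has to be checked on the host itself.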

What is particularly alarming is just how easily this vulnerability can be used and also what appears to be an attempt in the log files to search for vulnerable machines.  The "grep" command on Linux is an advanced and complex search command that can be used to execute very specific searches.  Note the comments in the link where grep is mentioned.  A list of websites with the vulnerability would be valuable indeed.  However, so would a list that contains any type of machine with the vulnerability. 

This vulnerability affects much more than just websites - MythTV boxes and other entertainment boxes running Linux (Boxee?  TiVo?) could also be affected.  It could even affect security cameras or for that matter any device that has an available Bash shell.

This is a particularly scary vulnerability because of its ease of use and power.  Using the Shellshock vulnerability, it is possible to obtain files that were supposed to be limited to root access.  In other words, "Got Root?" isn't a question - it's an assumption.

Oh, and by the way, Mac OS X systems are also affected since they also have Bash available.

Imagine a SCADA running Unix at a steel mill and it is connected to the Internet for customer convenience.  Naturally, there is security in place to prevent anyone except customers from accessing the SCADA webpage data.  However, with the latest Bash vulnerability anyone that can type a simple script can access that SCADA.  Who cares, you may ask?  It's just production data.  Why would anyone want it?

The problem in this case isn't that data may be copied, as in credit card number theft.  The problem is what could be done if someone on an outside connection can control that machine.

Of course the attacker would need to be running the actual SCADA software to interact with equipment, or would he?  Could he just directly access the database that the SCADA uses to keep track of and issue equipment commands?  Could he access the database and change the product recipe? 

But who cares about a steel mill, right?  Well, the issue is that Unix and Linux based SCADA are used in a wide range of industries, including power generation, oil production, transportation, semiconductor fabs, and utilities.  All it takes is one machine connected to another machine connected to the Internet and the scenario depicted above can become very real.

There's no need to panic yet, unless you happen to be in IT and manage systems that run Unix, Linux, or Mac OS X.  On the other hand, security researcher Bruce Schneier is calling the flaw "catastrophic."

If important systems, besides just commerce and finance, do not get patched before a Shellshock worm is released, we could have serious problems that would make the finger vulnerability, the Morris worm, Heartbleed, and the Code Red virus, seem almost innocuous in comparison.

Friday, September 12, 2014

2007 Nissan Sentra accelerates by itself!

On August 22, 2012 I posted about our 2007 Nissan Sentra attempting to accelerate out of control in reverse. We had it checked by Nissan mechanics and they found nothing wrong or in their log. Yep your modern car has a log file in it.

I was even shown that slamming the brakes automatically overrides the accelerator even if your foot is on it. That's a good safety and so I figured if the problem ever resurfaced, we would still be safe - just slam the brakes.

Yesterday, 9/11/14, our 2007 Nissan Sentra accelerated all by itself! It went into runaway mode again but this time in drive!

We were in a McDonalds drive through and had just placed our order. The car was in park. The AC was on but not on Max AC. I put my foot on the brake and shifted to Drive. The car lurched forward but the brake held it. My wife Kelly exclaimed, "what are you doing?" 

This time I was ready except I had no camera or smartphone. Damn!

I said to Kelly, "Look! There it is! Look at my foot, it's not touching the gas at all - just the brake. Look at the tach. It's racing up to 2500 and coming back down. It's in drive." 

Kelly asked, "What do we do?"

I said, "Watch this!" I slammed the brake to the floor as hard as I could. Everything went back to normal. I said, "see that mechanic was right. Just slam it to the floor (the brake)."

"Are we safe," asked Kelly.

I answered, "I guess so. If anything happens we just slam the brakes. Nissan will never find this. It wouldn't do any good to take it in; they couldn't find it the last time."

"You sure we'll be okay", asked Kelly.

"I don't know but I'm putting it online so that it's at least documented somewhere if anything happens. At least we have a brake override to kill it?"

Kelly asked, "do you think Nissan knew about this?"

I answered, "I don't know but at least they planned for it. I wonder if they found it in testing and added the override because they couldn't find the bug causing it?"

-- end of story - 

I think it likely has to do with the air conditioning. The engine has to compensate when the air conditioner kicks on or stall. It is likely that the software has an endless loop that occurs when the AC kicks on under just the right circumstances. Or it could be an integrator problem.  When trying to regulate speed electronically, oftentimes a PID loop is used.

PID stands for Proportional Integral Derivative.  To put it simply, an equation would look at the speed command for the engine, see how far off it is which is basically the proportion, and then use integration to consider prior responses and use derivative to offset the integration and proportion.  That is an extremely simplified explanation of PID.  If you understand mathematics pretty well, look up PID equation on Wolfram Alpha to help understand the relationship between the P the I and the D.

The problem that can occur is called integral windup.  What happens is that each new addition to integral becomes progressively larger until derivative is no longer able to offset the integral.  To put it simply, it's like dividing one by zero.  Of course it is undefined but if you instead divide by a number as close to zero as you can possibly get, such as 10 raised to the minus one million, then the result of the equation is enormous.  Just imagine that number being applied to the accelerator of your car!

I used to always include a safety clamp in software for the PID result just in case of integral windup.  Some people frown on such practice and are of the opinion that if the PID loop is set up properly then there's no need for a clamp.  I strongly suspect that the software used in our 2007 Nissan Sentra and in many other cars is the result of such debates and probably lacks any software clamp for the PID loop.
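To make the windup and the clamp concrete, here is an added simulation (not code from any vehicle or from the original post). The first-order engine model, gains, rpm figures and the 0.4 command limit are all assumed values, and the clamped variant goes one step beyond limiting the PID result by also pausing integration while the command is out of range.

```python
GAIN = 3000.0     # rpm reached at full throttle (assumed toy plant)
TAU = 0.5         # engine time constant in seconds (assumed)
HELD_RPM = 500.0  # rpm while a load holds the engine below the setpoint

def simulate(limit=None, setpoint=800.0, kp=0.0005, ki=0.001, kd=0.00002,
             dt=0.05, hold_steps=200, steps=400):
    """Run a PID idle-speed loop; return (peak command, peak rpm after release).

    limit=None is the bare PID. A number clamps the command to [0, limit]
    and stops integrating while the command falls outside that range.
    """
    rpm, integral = HELD_RPM, 0.0
    prev_error = setpoint - rpm
    peak_cmd = peak_rpm = 0.0
    for step in range(steps):
        error = setpoint - rpm
        candidate = integral + error * dt          # integral if we accept this step
        derivative = (error - prev_error) / dt
        cmd = kp * error + ki * candidate + kd * derivative
        if limit is None:
            integral = candidate                   # integrates without bound
        else:
            if 0.0 <= cmd <= limit:
                integral = candidate               # integrate only when unsaturated
            cmd = min(max(cmd, 0.0), limit)        # the safety clamp on the result
        throttle = min(max(cmd, 0.0), 1.0)         # physical throttle range
        if step >= hold_steps:                     # load released: engine responds
            rpm += dt * (GAIN * throttle - rpm) / TAU
            peak_rpm = max(peak_rpm, rpm)
        peak_cmd = max(peak_cmd, cmd)
        prev_error = error
    return peak_cmd, peak_rpm

if __name__ == "__main__":
    print("bare PID    (peak command, peak rpm):", simulate())
    print("clamped PID (peak command, peak rpm):", simulate(limit=0.4))
```

In the bare run the integral built up during the ten simulated seconds of load keeps the throttle pinned after the load is gone, so the rpm races far past the setpoint before the integral unwinds; the clamped run never commands more than its limit.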

At least Nissan has an override, although scary. I wonder about the other car companies...