Thursday, October 29, 2015

U.S. Plans to Sell Down Strategic Oil Reserve to Raise Cash (BusinessWeek)

  • White House to sell 58 million barrels from 2018 to 2025
  • Sale comes as China and India build their strategic reserves

The U.S. plans to sell millions of barrels of crude oil from its Strategic Petroleum Reserve from 2018 until 2025 under a budget deal reached on Monday night by the White House and top lawmakers from both parties.

The proposed sale, included in a bill posted on the White House website, equates to more than 8 percent of the 695 million barrels of reserves, held in four sites along the Gulf of Mexico coast. Sales are due to start in 2018 at an annual rate of 5 million barrels, rising to 10 million by 2023 and totaling 58 million barrels by the end of the period. The proceeds will be “deposited into the general fund of the Treasury,” according to the bill.

The sale is the second time the U.S. has raised cash from the reserve, created as a counter-balance to the power of Arab producers after the first oil crisis of 1973-74. The U.S. may also sell additional barrels to cover a $2 billion program from 2017 to 2020 to modernize the strategic reserve, including building new pipelines.

The White House on Tuesday urged lawmakers to support the budget deal, including the proposed partial sale of the SPR, saying it was “a responsible agreement that is paid for in a balanced way.”

Average Prices

Supporters of the sale argue the U.S. doesn’t require such a big emergency reserve as rising domestic production on the back of the shale boom offsets the need for imports. Critics, including oil analysts and former U.S. energy officials, say using the underground reserve as a piggy bank makes it less effective in meeting its intended purpose: combating a “severe energy disruption.” What’s more, the government would be selling at a time when oil is unlikely to have recovered from its slump over the past 18 months.

The Energy Department, which oversees the reserve, says on average the U.S. paid about $29.70 a barrel for the oil. But after adjusting for inflation and other items, the average cost rises to $74 a barrel, according to ClearView Energy Partners, a Washington-based energy research firm. On Tuesday, West Texas Intermediate, the U.S. oil benchmark, traded at less than $44 a barrel.

At current prices, the extra sales to fund the modernization of the strategic reserve would be equal to 45 million barrels and bring the draw-down to almost 15 percent of the total.

China Reserves

The draft bill states that “the age and condition” of the reserve “have diminished its value” as an energy-security asset, requiring its modernization. “Global oil markets and the location and amount of United States oil production and refining capacity have dramatically changed in the 40 years since the establishment of the Strategic Petroleum Reserve,” it said.

The sale comes as countries including China and India build their own reserves, buying crude in the market to fill up huge tank facilities. The International Energy Agency estimates that China has already stockpiled 200 million barrels and will add nearly 20 million more this year. Beijing plans to increase the size of its reserve to 500 million by 2020. Germany, Japan, South Korea, France, Spain, Italy and other big importers also have their own strategic oil reserves. 

Washington has released crude from the strategic reserve three times in supply emergencies: in 1991 during the Gulf War to liberate Kuwait from Iraq, in 2005 after hurricane Katrina crippled Gulf of Mexico production, and in 2011 after the war in Libya cut supplies. Between 1996 and 1997, Washington also sold 28 million barrels to reduce the federal deficit.

The U.S. imported 9.5 million barrels of crude a day in July -- the latest monthly data available -- down 35 percent from a record of 14.7 million in August 2006.

The Bipartisan Budget Act of 2015 will extend the government’s borrowing authority until March 2017 and also include a two-year deal on spending, party aides said.

Monday, October 26, 2015

US fears Russia could sever undersea internet cables

Officials are concerned over increased activity along major fiber-optic routes, according to The New York Times

US officials are growing concerned over the activity of Russian submarines and spy ships near undersea internet cables, The New York Times reports, fearing that they could be used to cut vital lines of communication. There is currently no evidence that Russia has severed any fiber-optic lines, which underpin most global communications, though military and intelligence officials tell the Times that they've observed increased Russian activity along cables in the North Sea, northeast Asia, and near American shores.

It's not uncommon for undersea cables to be damaged by ship anchors or natural disasters, and they're usually easy to repair. But the fear is that Russia may be targeting the cables at greater depths, where they're harder to monitor and fix, and that it may seek to disrupt them during times of conflict. Moscow may also be looking for secret cables that the US installed for military purposes.


Russia's activity has become a point of concern at the Pentagon, adding to already mounting tensions between Moscow and the West. A senior European diplomat tells the Times: "The level of activity is comparable to what we saw in the Cold War."

Last month, the US tracked the Yantar, a Russian spy ship, as it travelled off the east coast toward Cuba. The ship carried two deep-sea submersible vehicles, which US officials say can be used to cut cables, according to the Times. One major cable lands near the US military base at Guantanamo Bay. Russia has said that the Yantar is an oceanographic ship used for scientific research.

Undersea cables have long been targeted for intelligence gathering; the US has a nuclear submarine dedicated to tapping them. They've also become vital to the global economy. According to the Times, the fiber-optic cables facilitate $10 trillion in daily global business, and carry more than 95 percent of global communications.

Friday, October 23, 2015

Russian Hackers of Dow Jones Said to Have Sought Trading Tips (BusinessWeek)

A group of Russian hackers infiltrated the servers of Dow Jones & Co., owner of the Wall Street Journal and several other news publications, and stole information to trade on before it became public, according to four people familiar with the matter.

The Federal Bureau of Investigation, Secret Service and the Securities and Exchange Commission are leading an investigation of the infiltration, according to the people. The probe began at least a year ago, one of them said.

Dow Jones, in a statement, said: “Since Bloomberg published its article, we have worked hard to establish whether the allegations it contains are correct. To date, we have been unable to find evidence of any such investigation.”

The breach is described by the people familiar with it as far more serious than a lower-grade intrusion disclosed a week ago by Dow Jones, a unit of Rupert Murdoch’s News Corp. The company said last week that it is working with a cybersecurity firm and law enforcement after learning that hackers had sought contact and payment information of about 3,500 customers.

It’s unclear whether the incursions are related. It’s also unclear whether the company’s news-gathering operations were affected in the insider-trading matter. Two of the people familiar with the investigation said the hackers sought information including stories being prepared for publication.

Kelly Langmesser, a spokeswoman for the FBI New York office, confirmed the office is investigating a breach at Dow Jones but declined to comment further. Jim Margolin, a spokesman for the Manhattan U.S. Attorney’s Office, declined to comment. Peter Carr, a spokesman for the Justice Department’s criminal division, also declined to comment, as did spokesmen for the Secret Service and the SEC.

The White House was briefed on the investigation and the FBI and SEC have spent months trying to determine exactly how the hackers could profit from what they took, consulting financial and market experts among other specialists, the people said.

Information embargoed by companies and the government for release at a later time could be valuable to traders looking to gain an edge over other market participants, as could stories being prepared on topics like mergers and acquisitions that move stock prices.

Dow Jones publishes the Wall Street Journal and Barron’s and provides information through a number of services including Dow Jones Newswires. Bloomberg LP, the parent of Bloomberg News, competes with News Corp. in providing financial news and services.

New Front

The hack investigation shows how quickly law enforcers are shifting to a new front in insider trading: cyberspace. Market-moving, nonpublic information used to trade hands in secret meetings. Hackers are now stealing sensitive information and selling it to traders. This new vulnerability in the financial markets is challenging law-enforcement officials who are trying to keep pace with cyber-criminals’ rapidly evolving moneymaking schemes.

For would-be inside traders, business journalists and data providers are a rich target. Potentially market-moving scoops often develop in-house for days or weeks, promising intruders a long pre-publication window to mine information and execute trades. Data being held for public release at a specified time can also be a gold mine in markets where the profitability of a trade is determined in a fraction of a second.

Dow Jones says in its annual report that its Factiva service provides global business content to about 1.1 million active users. “More than 4,000 sources make information available via Factiva on or before the date of publication by the source,” according to the report. Dow Jones Newswires publishes more than 16,000 news items each day to financial professionals and investors.

Hacking for Tips

U.S. authorities are ramping up their pursuit of hackers after a series of high-profile attacks on corporations.

In August, federal authorities made several arrests in what they called a years-long scheme that fused insider trading and hacking. In that matter, Russian-speaking hackers working from Ukraine were indicted along with traders for siphoning more than 150,000 press releases, including corporate earnings containing data that could be used to anticipate stock market moves, prosecutors said.

Those hackers broke into the servers of PRNewswire Association LLC, Marketwired and Business Wire, a unit of Warren Buffett’s Berkshire Hathaway Inc., over a five-year period, according to prosecutors. The group allegedly made more than $100 million in trades using unreleased earnings releases of companies such as Panera Bread Co., Boeing Co., Caterpillar Inc. and Oracle Corp., through retail brokerage accounts.

Thursday, October 22, 2015

This Drag on U.S. Job Growth Isn't Going Away Anytime Soon (BusinessWeek)

Export industries may keep losing about 50,000 jobs a month into mid-2016

Employment is taking a dive in industries that sell a lot of U.S.-made goods abroad, and things could get worse before they get better.

The double whammy to exports from the stronger dollar and cooling overseas markets was bound to hit employment in the world's largest economy. JPMorgan Chase & Co. has put numbers to the damage.

Export-oriented industries have been losing about 50,000 jobs a month for most of this year, after adding 9,000 a month on average in 2014, according to JPMorgan economist Jesse Edgerton. Recent manufacturing surveys hint the impact could worsen, and the employment erosion may extend into the first half of 2016, he predicts.

In effect, that would mean private payrolls growth takes a step down to around 150,000 a month, from the booming 250,000-plus average of 2014.

"Employment is declining in industries exposed to exports, and we haven’t seen any sign the decline is slowing down," Edgerton said. "The drag from job losses in export industries will linger on for some time at least."

Considering export-oriented jobs are among the better paying ones, that's a pretty sobering forecast. U.S. jobs supported by goods exports, for example, pay as much as 18 percent more than the national average, according to government estimates.  At a time of increased concern that growth is losing momentum, a strong labor market backed by jobs that pay well is key to sustaining consumer spending, the biggest part of the economy.

Edgerton has pieced out the hit to employment, which isn't easy to gauge from the Labor Department's monthly payrolls report. He developed a way to measure the share of each industry's output that is exported, both directly and indirectly through sales to other industries that cater to overseas demand. Using that, he worked out how payrolls are faring in those businesses compared with counterparts that focus on the U.S. market.

Trends in the top four industries with the largest export share — transportation equipment excluding motor vehicles; machinery; computer and electronic products; and primary metals — offer another reason for concern, Edgerton said. Payrolls have been slowing for decades in capital-intensive manufacturing businesses that dominate exports. So there's little reason to expect export jobs will see a return to positive territory.

One consolation is the job losses are "pretty much confined" to exporters, while "plain vanilla" industries selling to U.S. consumers have been largely shielded, Edgerton said. He found payrolls at non-export employers, typically service providers, are currently posting an average monthly gain of 203,000. While that marks a downshift from 296,000 as recently as June, it's within the 150,000 to 300,000 range seen since 2013.

Thursday, October 15, 2015

All these devices potentially are spying on you...

These cloud-connected devices are totally spying on you (or just letting others do it)
Worried that one of your devices may be spying on you? You should be.

It sounds like a cool toy: a talking Barbie doll that uses voice-recognition software to "listen" to kids' conversations and respond appropriately.

The downside, critics say: It records children's conversations to the cloud, where they could be hacked — or the data could be exploited by the toy's maker.

Smart TVs, dumb data leaks

While you're watching TV, it's also watching you. Electronics maker LG admitted in 2013 to gathering info on customer viewing habits... and selling that data to advertisers.

Samsung is also one of several companies passing along such data. But Samsung took it a step further by recording and sharing your conversations, per their privacy policy: "Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."

Potentially deadly data

Hackable or insecure medical devices could spill not only your data, but also your blood.

Highlighting a fear from TV's Homeland, in which a terrorist assassinates a politician by remotely controlling his pacemaker, hacker Barnaby Jack demonstrated how easy it is to hijack medical devices like insulin pumps and pacemakers starting back in 2011.

Talking recipes with your smart oven

Your new high-tech stove might be able to chat it up with you... and also its manufacturer.

LG touts that "owners will be able to talk directly to smart ovens for the purpose of collecting recipe recommendations and discovering exactly which ingredients are needed." That's nice, but LG will also have all your data and probably hawk sponsored food products.

Who's talking to your oven?

Also, as a convenience feature, LG and other smart appliance companies offer remote monitoring and control of these machines through phones and tablets. Hacking caveat: They're not guaranteeing whose phones and tablets will be doing the controlling — and mobile device hijacking is always a concern.

Parents beware

Internet-connected child monitors seem to be leakier than a baby's diaper when it comes to data, with 8 out of 10 receiving a failing safety grade in a recent survey.

And it's not like it's all hypothetical. There are well-documented cases of creepy hackers talking to babies through compromised devices' speakers and following mothers around by swiveling the cameras.

Surprise! Home security systems may not be that secure

If even your oven can rat you out, we're not totally surprised that home security systems are vulnerable.

A study by HP showed that weak security system passwords, hackable phones, and tablet access to systems, as well as cloud video streaming, are among the many, many vulnerabilities.

You're the show, whether you want to be or not

Many newer TVs have built-in cameras and mics (just like your laptop) that are vulnerable to hackers who slither in through Wi-Fi or apps.

Samsung reportedly patched a flaw that allowed spyware to take over and record you, but who knows what other potential exploits are still out there? Sure, maybe you always wanted to be on TV, but not like this.

Gamers are fair game too

Microsoft admits it records Xbox One Kinect gameplay, voice, and video chat to use as they see fit. And Sony does pretty much the same thing, reserving the right to record all activity on PlayStation 4 for any reason at all.

Toasters and dryers and spycraft, oh my!

If it seems like everything except the kitchen sink is spying on you, it could be true. Toasters, coffee makers, dishwashers, and dryers are all internet capable these days, piping info to their manufacturers.

Indeed, former CIA chief David Petraeus says that with all these smart gadgets, Americans are effectively bugging their own homes.

Cable box peep show?

If the hackable cameras in your laptops, phones, and smart TVs have you worried, get ready for more nagging dread. Google and Verizon have considered putting cameras and mics in cable boxes to monitor who's watching. In 2011, Verizon even filed a patent for a system that would monitor the "ambient actions" of viewers and then deliver targeted advertising based on that behavior. From the patent, the cable box would detect "that two users are cuddling on a couch" and then show commercials "associated with cuddling (e.g., a commercial for a romantic getaway vacation, a commercial for a contraceptive, a commercial for flowers, a commercial including a trailer for an upcoming romantic comedy movie, etc.)."

But it's all for us. No. Really. To help us watch better.

Will you trust your car?

They're still down the road quite a ways, but self-driving cars are another potentially massive big-data spill. Will you own your car's data, or will it be mined and combined with other info by the car's manufacturer? Hello! Why do you think Google is interested?

Hackers just want to drive your car...into the ditch

When hackers can take control of vehicles remotely, as they recently demonstrated with Fiat Chrysler, it's easy to see that data leaks are potentially more dangerous than oil leaks. But it doesn't stop there.

Anyone who's watched a cop show knows your car's GPS can lead to the scene of the crime. In the real world, hackable data from GM's OnStar could also reveal how often you shop, pub hop, and (with the sensor-laden smart roads of the future) possibly even whether you drive erratically afterward.

Your fridge could spill your data

Your tattletale Wi-Fi-enabled fridge reports back to the appliance company (GE, Samsung, LG, etc.) about how often you open it and whether it's functioning properly.

This is good for them to track efficiency and heat-loss patterns, but it's also a potential way for hackers to locate prospects for their robber pals.

Your phone can't be trusted

Everyone knows that what goes in the cloud doesn't always stay in the cloud, and nowhere is that more obvious or omnipresent than with our phones.

It's not just breaches like "The Fappening" iCloud hack; it's also through the not-always-secure data that all your apps are leeching from you daily. FYI: You give 'em permission in the terms of service you never read.

Intelligent homes are vulnerable

The smart home of the future is right around the corner, which means the smart hackers are right behind them.

Even the reportedly secure internet-connected thermostat from Nest could be compromised if someone gains physical access to your system. Once they're in, hackers could control your Wi-Fi and, thereby, all your connected devices.

Wednesday, October 14, 2015

VW’s U.S. Chief Tells Congress Car Retrofits May Take Years (BusinessWeek)

> Decision to cheat emissions tests wasn't made by the company
> Cars will be fixed instead of bought back, VW's Horn says

Volkswagen AG’s top U.S. executive said that the emissions cheating was carried out by a few engineers in Germany without any formal decision by the company and conceded it may take years to retrofit 430,000 diesel vehicles.

Testifying before a congressional committee in Washington, Michael Horn, the president and chief executive officer of Volkswagen of America, apologized and promised a full investigation of what he said was cheating carried out by a couple of software engineers in Germany.

“This was not a corporate decision,” Horn said.  When pressed by Representative Joe Barton, a Texas Republican, about whether senior management was aware, Horn said, “I agree it’s hard to believe.”

Responding to tough questioning from members of the House Energy and Commerce investigations subcommittee Thursday, a contrite Horn said most of the cars will need more than a software update to comply with U.S. requirements. Volkswagen is looking at adding hardware such as improved catalytic converters or urea tanks, he said. Engineers are still working on the options and will discuss with regulators when they’re ready, he said.

Volkswagen will compensate customers and address any impact on performance, Horn said. He said the fixes will maintain the car’s fuel efficiency. Losses to the company will depend on the fines and how much money it takes to fix the cars and compensate customers, he added.

First Hearing

The hearing was the first public questioning in the U.S. of a VW executive since the Environmental Protection Agency and the California Air Resources Board announced their investigation Sept. 18. The scandal has rocked the world’s second-largest automaker, leading to the resignation of its chief executive, Martin Winterkorn, and an announced charge of 6.5 billion euros ($7.3 billion) for recall repair costs. Under the Clean Air Act, Volkswagen may be liable for fines as high as $18 billion, based on maximum penalties per car involved.

The hearing was held the same day that state police and prosecutors raided Volkswagen facilities and some employees’ homes in Wolfsburg, Germany, where the carmaker is based, taking documents and electronic media.

Lower Saxony prosecutors opened a criminal probe last month after Volkswagen admitted it used software to cheat on U.S. diesel emissions tests for years. Volkswagen is facing lawsuits and government probes around the world after saying the rigged engines may have been installed in some 11 million vehicles worldwide.

Several lawmakers rejected Horn’s claims that the fraud was carried out by three engineers. Chris Collins, a New York Republican, said he didn’t believe Horn’s assertion that top management wasn’t aware and said that Volkswagen’s response so far has been lacking.

Horn said three people have been suspended but declined to share names because of restrictions in German law.

Lawmakers Incredulous

“I categorically reject everything that VW is saying about a couple of rogue engineers,” Collins said. Either Volkswagen management is incompetent or "they are complicit in a massive cover-up that is continuing today."

Horn reiterated that he didn’t know the carmaker had installed defeat devices until a few days before a Sept. 3 meeting with environmental regulators. Horn said it appeared that the technology was installed because the cars couldn’t otherwise meet U.S. emissions standards. The company doesn’t plan to buy back the affected cars, but aims to fix them, he said.

The executive said he couldn’t provide an exact time frame for when the fixes would be carried out. The software fix should begin early next year, while some hardware repairs could come in the middle of next year, or perhaps a bit later, he said.

“Volkswagen has betrayed a nation -- a nation of regulators, loyalists and innocent customers. It’s time to clean it up or get off the road,” said Representative Fred Upton, a Michigan Republican. “VW will inevitably pay a steep price for its dirty little secret. How it responds to this failure will go a long way to rebuilding or further eroding the public’s trust.”

“We are determined to make things right,” Horn told the committee. “This includes accepting the consequences of our acts, providing a remedy, and beginning to restore the trust of our customers, dealerships, employees, the regulators, and the American public.”

The automaker will ultimately face costs and lost revenue from its damaged image of more than 35 billion euros ($39 billion), according to an estimate by Warburg Research.

Emissions Cheating

Just how much money Volkswagen made by cheating on U.S. emissions tests will be a factor in the penalties that will be assessed, EPA officials said. The agency intends “to assess the economic benefit to VW of noncompliance and pursue appropriate penalties,” Christopher Grundler, director of EPA’s Office of Air and Radiation, and Phillip Brooks, director of civil enforcement for air, told the committee.

"The behavior to which VW admitted represents a fundamental violation of the public trust," said Representative Tim Murphy, the subcommittee chairman, a Pennsylvania Republican. "The reverberations of this violation can be seen across the United States and across the world as people grapple with the implications."

Horn learned in early 2014 that the carmaker might not be following emissions regulations on its diesel models, and the topic came up again later that year, when he was told VW’s technical teams had a plan for fixing the cars involved, he said.

Initial Disclosure

The company’s initial disclosure to the California Air Resources Board that it had a “second calibration” governing engines during emissions tests on three different diesel engines occurred on July 8, according to the committee. It wasn’t until Sept. 3 that the company came clean with the EPA and CARB that this alternative mode was a “defeat device,” shutting down pollution-control equipment as the cars drove in the real world.

Volkswagen has withdrawn applications with the EPA for certification of its vehicles for the 2016 model year.

The EPA has added on-road tests and is examining other automakers, trying to be “unpredictable” so the tests can’t be defeated, Grundler said.

“I don’t expect to find widespread problems, but we’re going to be taking a very close look,” Grundler said. “We’ve learned from this episode.”

Friday, October 9, 2015

Moore's Law may be dying, but there's still plenty of demand for faster chips

The demand for faster, more capable processors that use less power is driven by everything from self-driving cars to smartwatches. This week's Linley Processor Conference was all about how the industry plans to meet that demand with less help from Moore's Law.

It is becoming harder and more expensive to scale chips, and Moore's Law--the engine that drives computing and electronics--seems to be winding down. But the demand for faster, more capable processors that use less power remains driven by everything from luxury sedans to smartwatches. At his eponymous processor conference this week, industry analyst Linley Gwennap talked about these conflicting trends and what they mean for the industry.

The conference traditionally focuses on embedded processors. These chips don't have the same name recognition as the Intel Core processor, but there are many more of them toiling away in everyday devices such as ATMs, networking and communications gear, cars and other vehicles, and of course the Internet of Things. Of the total processor IP market (15.3 billion chips shipped in 2014), mobile is the biggest at 6 billion, but embedded is nearly as large and growing faster, followed by enterprise (including PCs), consumer and flash storage. As these applications grow more complex (and demanding), the industry is shifting from general-purpose processors to highly application-specific processors packing more functions onto a system-on-chip (SoC).

Until recently chipmakers could rely on physical scaling to meet most of these challenges. By jumping to the next node, they got better performance, lower power and more transistors to work with in a given area to add new features. But Moore's Law is running out of steam and Gwennap said the cost per transistor increased at 20nm, and again at 14nm, because of additional lithography steps. "It used to be that everybody moved to the next node because it was cheaper, better and faster, and that was great," he said. "Now it is much more complicated."

These complex SoCs also require knowledge of the intended application, access to lots of intellectual property, and a complete platform including software. Many companies are also choosing to design their own custom cores, in particular on 64-bit ARMv8 because the ecosystem is very familiar to the engineers and programmers that are designing these systems. Examples include AppliedMicro's X-Gene, Cavium's ThunderX, Broadcom's "Vulcan" core, and according to Gwennap, a Marvell custom ARMv8 core. ARM SoCs are increasingly using APIs to offload tasks from the CPU to the GPU, DSP (Digital Signal Processor), or specialized image or vision processing engines that can handle them more efficiently. In some cases, they are using network-on-a-chip (NoC) IP from the likes of Arteris, NetSpeed and Sonics to stitch together all these various blocks.

Only the largest semiconductor companies can tackle all of these challenges, and the result has been a wave of consolidation. Intel, the leader in embedded because it leverages the PC hardware and software ecosystem, plans to buy Altera for $16.7 billion. The number two company, Freescale, is merging with NXP Semiconductors in a $40 billion deal. Avago, already a player in this space through its LSI deal, is in the process of acquiring Broadcom for $37 billion. Other players in this space such as Cavium, AMD, Marvell and AppliedMicro could also be acquisition targets as companies like Qualcomm and Intel, as well as consortiums in China, seek to expand into embedded growth areas. Skyworks also announced plans to acquire PMC-Sierra earlier this week.

Things have gotten especially confusing (and cutthroat) in networking and communications. Gwennap said that as the standards fall into place, data centers and service providers are starting to implement NFV (network functions virtualization), which makes it possible to use standard servers in place of proprietary hardware. Intel is moving beyond the control plane, and now has server and networking SoCs that extend into the data plane, the ARM guys are all going after servers and embedded, and speedy network processors are starting to look a lot more like general-purpose processors (EZchip's NPS-400, for example, runs Linux and uses standard programming languages and tools). Service providers are also using smart NICs from Cavium, EZchip/Tilera and Netronome to offload basic tasks from server CPUs and improve the efficiency of their networks. Finally, security is a big issue here and it requires specialized processing with a custom ASIC or a security engine integrated in an SoC. At the conference AMD even pitched its APUs with on-die Radeon graphics as a way to accelerate IPsec, a protocol for secure Internet communication.

It was interesting to see how another market--automotive--took over this year's conference. The semiconductor industry is clearly counting on it to be the "next big thing." Automotive is already a pretty big market--our cars are packed with microcontrollers that handle everything from the wiper blades to the Engine Control Unit--but more advanced applications such as ADAS (Advanced Driver Assistance Systems) and eventually autonomous vehicles require much more sophisticated technology. ADAS, which includes things like adaptive cruise control, blind spot monitoring, driver monitoring (drowsiness), lane departure and automatic emergency braking, requires either a GPU or a dedicated vision processor. One of the more interesting trends at the conference was the development of advanced vision DSP or processor IP from Cadence/Tensilica, Ceva and Synopsys that can deliver 10x to 100x better performance per watt than a CPU or GPU. These will compete with Mobileye, the market leader, and Nvidia's Drive PX. Eventually we'll get fully autonomous vehicles. These will clearly require a very sophisticated level of processing power. Gwennap also noted the progress on self-driving cars and said he expects to see them hit the road starting around 2022. Overall, automotive semiconductors is a $10 billion per year market and the Linley Group expects it to double over the next decade.

The Internet of Things story is more mixed. Gwennap noted that IoT is really just a new name for embedded systems with an Internet connection. The industrial IoT market is moving quickly. There are already 300 million smart meters deployed and intelligence is being added to everything from vending machines to harvesters. But ultimately industrial IoT is limited, Gwennap said, because "there just aren't that many factories or hospitals that need this technology." The consumer side is different. It has been slower to take off because the products are still relatively expensive, and they don't save consumers a lot of money. The smart home hasn't really happened yet, and while fitness trackers are doing well, smartwatch sales are still small. But as prices come down, and the apps get better, this market will begin to take off and ultimately it will be a bigger opportunity than industrial. The Linley Group has perhaps the most conservative IoT forecast because it only counts new applications and assumes real growth in consumer IoT doesn't begin until 2017. It expects to see 1.9 billion IoT device shipments per year--or roughly the size of the current mobile phone market--by 2020. That's a far cry from Cisco's 50 billion connected devices and objects by 2020.

Thursday, October 8, 2015

The dark side of wearables: How they're secretly jeopardizing your security and privacy

The seductive lure of activity and health wearables makes it easy to forget, or ignore, the inherent security and privacy risks involved.

The gentle buzz of a wearable device vibrates on your wrist at 7 am. You sync the device with your smartphone to see how well you slept. The result: poor. You feel groggy, so you drink extra coffee, which increases your heart rate, a data point also recorded by your wearable. You trudge through your morning routine more slowly than usual, so you skip that half hour on the elliptical and head for the office.

Along the way, you run into traffic, which boosts your stress level. You finally arrive, and head to your desk. You're crunched for time at lunch and you opt to have a submarine sandwich delivered. By the time you get home, the earlier hope of an evening workout is forgotten. All you want to do is crash on your couch with a cold beer and a takeout pizza. A few beers later, it's time for bed, and you turn out the light and hope for a better night's sleep.

Imagine the impact after a few weeks of this behavior. Your poor sleep quality is triggered by alcohol and lack of exercise. These, combined with a sleep deficit that slowly affects your overall health, lead to weight gain, increased blood pressure, and other problems. And all of this data is stored in your wearable device—or, more accurately, in its cloud software.

The fact that so much data is collected through a wearable device, such as an activity tracker, a smartwatch, or a pulse tracker, means that there are tangible risks involved, according to Conan Dooley, a senior security engineer with Box, and previously a senior security analyst with Bishop Fox.

If that data was carelessly stored, and then stolen through a data breach by a malicious third party and sold to unscrupulous organizations that want to use that data to assess your health risks, you could one day face steep increases in health insurance, or even a policy cancellation. The risk of this is so real that some companies are buying data breach insurance to protect themselves in the case of consumer information getting into the wrong hands.

If you've willingly shared this data with your health insurer, through discount options at work, you may already be facing rising insurance costs without any data breach necessary, since many employers offer "good health" discounts to employees who stay within regulation weight and exercise parameters to receive a significant savings on health insurance.

These are significant repercussions for simply wearing a device on your wrist to tell you how many steps you took a day and what your resting heart rate averages. It's up to the consumer to determine the level of risk they're willing to take versus the benefit they get from their wearable devices.

By the end of 2015, there will be an estimated 200 million wearable devices on the market according to ABI Research. By the end of 2018, there will be 780 million wearable devices on the market. This gives hackers plenty of opportunities to steal sensitive data and benefit financially from it.

What consumers need to know

As more consumers purchase wearable tech, they unknowingly expose themselves to both potential security breaches and ways that their data may be legally used by companies without the consumer ever knowing.

"There is an opaque bubble around all of this data and what we do with it. Until we give people more access to their data and, frankly, the option to delete it, this thing has grown more personal as a result," Dooley said. "As often as not, the complexity of infrastructure means that deleting data is often very difficult to do because of the interconnected nature of databases and the need for historic reference. Your website can't just break. If a person goes to a picture that's no longer available ... there is a complexity around the deletion of data."


Agreeing to share your data with one company, or the government, doesn't guarantee that the company will still be in business next year, and new laws could be passed that change who has access to the data you willingly gave up your privacy rights to share.

"Really we're entering this world where everything is cataloged and everything is documented and companies and governments will be making decisions about you as an individual based on your data trail. If you want to be considered an individual and not just a data point, then it's in your interest to protect your privacy," said Josh Lifton, MIT Media Lab Ph.D. and CEO of Crowd Supply.

And if a company files for bankruptcy, what does that mean for the data they've collected?

Consider the litigation involving RadioShack, said Tatiana Melnik, an attorney who works in healthcare IT and data security. "As part of their bankruptcy they were trying to sell all of the consumer data they had collected over the years. Apple stepped in and said you can't sell data that was collected in conjunction with an iPhone user," she said.

"Enforcement, aside from the actual data aggregation, is going to become a risk. How are you going to keep companies from redistributing that data? What rights do consumers have to their own information?" Melnik asked.

As reported previously on ZDNet, the mass collection of data on US citizens has spurred the Federal Trade Commission to send a report on data brokers to Congress in May 2014, asking for legislation to allow people to know what data is being collected about them and who is collecting it. Data brokers have collected an average of 3,000 data segments on nearly every US consumer, according to the FTC report. This is outside of the data being collected by wearable devices.

As wearable devices make their way into the workplace and corporate networks, they bring a host of security and privacy challenges for IT departments and increase the amount of data that data brokers have to sell about an individual.

Jeff Jenkins, chief operating officer and co-founder of APX Labs, talked about the security and privacy of wearables during a panel interview with Tech Pro Research at CES 2015. Because wearable devices are designed to be small and portable, Jenkins said, "you have to make sure you're thinking security first and you're thinking about the information that's being generated by them. You have situations where it's no longer just personal data that may be exposed or compromised, but also potentially operational data, that could be sensitive in nature."

The reason behind the security breaches is that personal data is extremely valuable. Gary Davis, chief consumer security evangelist at Intel Security, said, "The information that's contained on your wearable that's stored either on your smartphone or stored downstream on a cloud [service] is worth ten times that of a credit card on a black market."

"Credit card companies have gotten so good at being able to detect fraud and if there's another high profile retail breach, they typically say, 'Okay here is when the breach took place, let's cancel everything done during that breach.' Done. An extremely short life on the black market.

"But this information being stored on these wearable devices doesn't go away. You can't change your Social Security number, you can't change your date of birth. This is personally identifiable information that you can't change," Davis said.

With health information, it goes a step further. "This person had this injury, let's process a claim for a fraudulent pain prescription and go sell it on the black market. It's hard to clamp down on that because of HIPAA. There's a reason why you hear about all these mega breaches going after healthcare companies. Hackers realize this is high value stuff," Davis said.

What manufacturers need to know

Part of the problem with the security of these devices is that wearable makers are rushing to beat their competitors and get their product onto the market first.

"If my challenge is to get my device out there as soon as I can and make it as convenient as I can ... They're basically putting out these devices that are extremely vulnerable to attack. That's true for wearables," Davis said.

"It's all about land grabbing right now. They're all trying to be first to market. The challenge for security people is it's hard enough to get consumers to update their apps on their smartphones or update their operating system and making sure they're applying the right security patches, which is pretty straightforward by updating in the app store. Doing it on a wearable device is significantly more complex. It will be harder once you get these devices out in mass to apply security patches. Users won't go to the time or effort to make these devices more secure," Davis said.

Faster is not always better, even in the technology world.

Melnik said, "Getting a piece of technology out quick is costly. Not in terms of money, but you sacrifice privacy and security and other considerations in order to get technology out as quickly as possible because you want to be first on the market.

"Unfortunately for companies, that's shortsighted because if you build privacy and security as part of your development process you're actually long term saving money because when something happens with your technology, which is inevitable, fixing those errors and dealing with the investigation and dealing with regulators is significantly more costly than compared if you had done it right the first time."

To reduce the risk, companies need to build privacy and security into their existing development process, Melnik said.

John Dixon, director of marketing for Freescale Semiconductor, said that wearables have the same fundamental challenges as Internet of Things (IoT) devices. Wearables can provide a wealth of data on an individual, including information on their location.

There are things for people to consider before buying a wearable device. "A number of people will know all of your personal data. Do you care if people know your pulse and movement? There may be situations where that is really important. People like Apple and Samsung and these other bigger companies, I think for the phones [they design], they are big enough companies that they have huge teams looking at device security," Dixon said.

The problem is that this security isn't part of many IoT devices, he said. "The challenge with some of the IoT watches is that if you're paying $500 for a watch the manufacturer can afford to include it, but if you're buying a pulse or an activity tracker it does not include it, most likely. You're counting on the vendors like ourselves having security measures in place," Dixon said.

Wearables with "price points under $300 to $400 you're relying on the semiconductor," he said.

Freescale is focusing on off-the-shelf solutions for startups developing wearable devices. Freescale supports a startup incubator with security guidelines; up to 100 companies can be in one incubator, and they're given baseline security measures to implement in devices, Dixon said.

"We've created WaRP. The WaRP platform is an open source smartwatch which allows manufacturers to be able to add any individual functions. There are so many functions you can add to a wearable watch. You can write your own software ... to create whatever functionality you want. The i.MX 6 which is what it's based on is one of our most secure platforms.

"It's not just about the first product, it's about iterations of the product. Once they switch to a new product the cost is quite high. If they don't have security in the first product, they can put it in the second. This platform is field upgradable. If you have a smartwatch you can have the ability to do it remotely and add security," Dixon said.

Fitbit and inherent risks

One well-known manufacturer of wearable tech, Fitbit, is the first wearable tech-focused company to go public. Fitbit filed a successful IPO in June, with CNBC reporting the stock opening 52% above its IPO price at $30.40, and by August 5, 2015 it closed at a high of $51.64.

This shows the interest in wearable tech, but Fitbit's SEC filings also show some of the risks that manufacturers face. In the company's S-1 filing with the SEC on May 7, it outlined the risks, including the following:

"If we are unable to successfully develop and timely introduce new products and services or enhance existing products and services, our business may be adversely affected. We must continually develop and introduce new products and services and improve and enhance our existing products and services to maintain or increase our sales. The success of new or enhanced products and services may depend on a number of factors including, anticipating and effectively addressing consumer preferences and demand, the success of our sales and marketing efforts, timely and successful research and development, effective forecasting and management of product demand, purchase commitments, and inventory levels, effective management of manufacturing and supply costs, and the quality of or defects in our products. The development of our products and services is complex and costly, and we typically have several products and services in development at the same time."

Again, because there is so much competition, it's important to manufacturers to try to be the first to market. Some companies release user agreements that promise security and privacy practices that they cannot live up to. "Companies in the wearable space need to be sure that the things they are telling customers are actually true. If something is included in a company's user agreement that they don't actually do, then they are being 'risk negligent,'" Melnik said.

Data breach insurance

It's not directly related, but it's important to note that for several years, companies have been purchasing cyber liability insurance to deal with data breach risks and the potential for consumer litigation, Melnik said.

But the insurance companies are starting to fight back.

In May, Columbia Casualty became the first insurance company to challenge their liability after their client, Cottage Health System, had a data breach caused by a lack of encryption on their network servers that made confidential patient information accessible on the internet. The insurance company paid $4.125 million to settle the plaintiff's class action suit against the healthcare provider but the insurance company has now filed to recoup those funds. They say the company misrepresented their control.

The outcome of this case could make it even more urgent for companies to not only protect the data they are collecting via wearables, but make sure that everything they're promising to deliver security-wise in the end user licensing agreements [EULAs] is true, Melnik said.

The overreaching nature of the EULAs is a concern to Josh Waddell, vice president of mobile solution management at SAP.

"If there's ever a big problem, the EULAs are not enforceable. They can write all that stuff in there, 'We have the power to use your data. We're going to take your pulse every second and then we're going to send it to your health insurance company.' They can write that in a EULA but if that got out, no judge is going to say, 'You wrote that in your EULA so that's fine,'" Waddell said.

Privacy vs. security

Even the actual health information, without a breach, can pose a problem since there's so much personal data being gathered. This dips into privacy issues rather than security.

A safeguard to privacy is needed, said Ian Chen, marketing manager for Freescale Semiconductor's sensor solution division.

"Companies give you a discount on health insurance if you wear a device. Then you look at the data the wearable is giving you. Is it fair if they say if you don't go to the doctor in the next three months your insurance will go up? What if they can mine the data and find out you're an aggressive driver and raise your insurance rate?" Chen said.

But consider who has access to the data. "Everyone says Apple and Google has all the data. People forget that Verizon and AT&T have it, too," Chen said. "Verizon and AT&T can rent the data out."

To solve this problem, Chen said, "I think we should have a privacy protocol that device to device have to communicate and say that, 'I'm requesting this level of privacy and I'm instructed to protect it up to that level.'"

Privacy rules need to be instituted quickly, because the amount of data being collected is growing at an astronomical rate. "By 2025, there will be more data generated from sensors and devices than all of the data being generated today from every source," Chen said.

As for what consumers should do, the problem is that a lot of consumers aren't particularly knowledgeable about technology and they don't always pay attention to the devices in their house that are connected to the internet, nor are they aware of the things that can happen, Melnik said.

The key turning point will be the first big litigation on the subject, Melnik predicted. The FTC has litigation going on regarding privacy of data, but not of wearables.

Dooley also believes it will take a major lawsuit to spur manufacturers to better protect the privacy and security of the data they are collecting.

"I honestly don't know where we really go from here with that because I feel like unfortunately we're going to have to have that Ford Pinto moment. I think that's a particularly interesting event in retrospect because Ford Pintos were never significantly shown to be more dangerous in the long run than any other car on the road at the time. Any car with a rear mounted gas tank was as likely to cause a similar incident in a similar situation," Dooley said.

After the Ford Pintos were labeled a fire hazard, standards were set for the auto industry, Dooley said.

Insurance fraud and solving crime

Wearable devices can also be used to support cases where insurance companies are suing for fraudulent claims.

Karhrman Ziegenbein, CEO of Toonari Corp., said his company works with police and insurance companies to solve crime and fraud, using data from wearables and mining social media.

"There's a lot of insurance fraud out there. A lot of people are using wearable tech. If a person got hit by a car and says, 'I can't walk anymore,' but the person is using a device like that, then you can get the data from this device. Not everybody is planning these things really well out. If the person is wearing this device at the deposition, the attorney can see it. Or the attorney can ask under oath, 'Do you wear a Fitbit?'"

Once it's known that the defendant uses a wearable device, it's considered transactional data. "You can subpoena this data or get it through discovery."

Since distance walked and elevation are part of the data collected, it gives a good indication of someone's fitness level. It can prove fraud, and it can also benefit the user, if they're truthful, because it would show that they're not able to walk and they're not as active as they were before the accident, he said.

"The Android devices are much worse than the Apple device. There are much more things the Android apps have access to. For us it's not as regulated as you have it with Apple. That's why you have more challenges. It's nice because you can do more things with it," Ziegenbein said.

Regulation vs. compliance

Part of the debate involves whether the manufacturers should regulate themselves, or if the government should get involved.

Crowd Supply's Josh Lifton said, "Regulation can work, it can also be a complete failure so I wouldn't put all my eggs in that basket. Regulation is a reflection of public sentiment, or it should be. I think it may be effective without regulation. I would welcome regulation. I think privacy and security of data is a fundamental right. I think this is one of the most important topics to be discussed right now."

Too many people are willing to give up their data without measuring the cost.

Basil Hashem, senior director of end user computing strategy at VMware, said, "I think we're in a world I call the Uber-fication of our lives. You ask someone point blank for their location and credit card number and they say no. You say, 'sign up here and I'll pick you up and they give it to you.' In our lives, convenience seems to trump privacy every time."

To resolve this, Hashem said, "It's incumbent to the industry to police themselves. I think in certain cases it makes sense to have government regulations. There are a lot of things we can do to educate consumers and device manufacturers to show what data you collect."

Alan Dabbiere, chairman of AirWatch by VMware, said, "You don't want the government invasive but you don't want them late to react to this new world."

Fred Steube, senior director of emerging technology for Cox Target Media, said, "I think the privacy breaches will continue to increase but we'll need guarantees from these companies that they won't resell, reuse or otherwise share our data. Ultimately either on the hardware side or the marketing side they'll try to self impose best practices so it doesn't become creepy and weird and a negative experience for consumers.

"I think that will happen. I just see people getting upset and Congress leading the way in and being regulated by the government," Steube said.

Dooley said the solution would be a collective group of regulators, combining government and manufacturers. "There is a need to have a balance. Where that balance is struck depends a lot on individual's comfort with privacy in general. The fact is most folks aren't even ready to have that conversation yet."

Weighing the risks

Wearable devices will continue to grow in popularity, as consumers appreciate the immediate access to fitness tracking, health tracking and other convenient measurements. As of yet, there have been no well-publicized data breaches involving the data collected by health and fitness wearables and smartwatches, so there hasn't been a public outcry about the privacy and security risks.

But numerous experts say that will eventually happen, because the value of the data is worth much more than that of, say, stolen credit card numbers. Security options are being offered through some resources, such as Freescale, but they are few and far between at this point.

Until solid regulations are in place, either through the government or private industry, or a combination of both, there will be inherent security and privacy risks involved with wearable devices. Meanwhile, it will remain up to the consumer to determine if the risks of wearing that trendy Apple Watch or Misfit Shine are worth the gain.