Weekly Axis Of Easy #130
Last Week’s Quote, “I’ve learned that the monsters ain’t underneath the bed”, was Eric Church; nobody got it.
This Week’s Quote: “Life is a long lesson in humility” …by ????
THE RULES: No searching up the answer, must be posted to the blog
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
Listen to the podcast edition of #AxisOfEasy here:
AxisOfEasy 130: Apple dropped plan for encrypted backups after FBI complained from Mark Jeftovic on Vimeo.
In this issue:
London deploys facial recognition cams while Europe mulls ban
Google phasing out browser User-Agent string in Chrome
Google CEO calls for regulation of AI
Google’s ads now look a lot like search results
23andMe lays off 100
Apple dropped plan for encrypted backups after FBI complained
Hacker leaks passwords for more than half-million routers, IoT devices
DDoS mitigation company CEO admits to launching DDoS attacks
Jeff Bezos’s phone hacked by Saudis
Breach of the week: Microsoft exposes 250 million customer support records
Your net connected dildo may be hackable
HackerOne finds serious security failure in Paypal’s login system
US Defense Secretary says China is a 21st century surveillance state
London’s Metropolitan Police announced Friday that they plan to deploy live facial recognition cameras across the city. The cameras will be deployed in high-traffic, heavy-tourism areas and will actively scan faces for matches against “bespoke watch lists”.
The announcement came at roughly the same time as a leaked European Commission white paper suggesting the Commission may enact a temporary ban on facial recognition in public spaces, which would be the largest such ban in the world and affect most of the continent. The white paper suggests that deploying facial recognition cameras may be incompatible with the data protection rules of the GDPR.
Starting with Chrome version 81 (due out in mid-March), Google will begin phasing out the User-Agent string in Chrome, first deprecating it and then freezing its contents rather than removing the header outright. The UA string describes the browser to the web server, and a lot of server-side code keys on it to decide how to render the page about to be served. For example: whether to send the desktop or the mobile version of the requested document.
However, UA strings are easily spoofed, for myriad reasons, and they are also a major input to browser fingerprinting: a method of tracking end users even in the absence of cookies.
In its place, Google is introducing a mechanism called Client Hints (specifically User-Agent Client Hints), in which the web server explicitly requests the pieces of client information it needs, via an Accept-CH response header, and the browser answers in structured headers. The privacy gain is that detailed data is disclosed only on request, and only to sites that ask; the hints are still client-supplied, so they are just as spoofable as the UA string and no more suitable as a security control.
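To make the negotiation concrete, here is an added example of the server side of User-Agent Client Hints. It is my own illustration, not Google’s or Chromium’s code: a small Python module that parses the Sec-CH-UA and Sec-CH-UA-Mobile request headers, prefers them over the legacy User-Agent string when deciding which variant of a page to serve, and builds the Accept-CH opt-in response. The UA strings and hint values are constructed samples, and the function names (choose_variant, opt_in_headers) are my choice. Because both the hints and the UA string come from the client, the code treats the decision as content negotiation only.

```python
import re

# Constructed sample User-Agent strings (illustrative, not taken from the article).
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36")
MOBILE_UA = ("Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/80.0.3987.99 Mobile Safari/537.36")

# Hints this (hypothetical) server opts in to. High-entropy hints are only
# sent after the server has advertised them in Accept-CH.
REQUESTED_HINTS = ["Sec-CH-UA", "Sec-CH-UA-Mobile", "Sec-CH-UA-Platform"]

# One "brand";v="version" item of the Sec-CH-UA Structured Field list.
# Escaped quotes inside the strings are not handled; real brands do not use them.
_BRAND_ITEM = re.compile(r'"([^"]*)"\s*;\s*v\s*=\s*"([^"]*)"')


def parse_sec_ch_ua(value):
    """Return [(brand, major_version), ...] from a Sec-CH-UA header value."""
    return _BRAND_ITEM.findall(value)


def parse_sf_boolean(value):
    """Sec-CH-UA-Mobile is a Structured Field boolean: '?1' (true) or '?0' (false)."""
    token = value.strip()
    if token == "?1":
        return True
    if token == "?0":
        return False
    raise ValueError("not an sf-boolean: %r" % value)


def _get(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    wanted = name.lower()
    for key, val in headers.items():
        if key.lower() == wanted:
            return val
    return None


def choose_variant(headers):
    """Decide whether to serve the mobile or desktop document.

    Prefers the structured Sec-CH-UA-Mobile hint, falls back to the legacy
    'Mobile' token in the User-Agent string, and defaults to desktop. Both
    inputs are client-controlled, so this is content negotiation, never an
    access-control decision. Returns (variant, source-of-decision).
    """
    hint = _get(headers, "Sec-CH-UA-Mobile")
    if hint is not None:
        try:
            return ("mobile" if parse_sf_boolean(hint) else "desktop", "client-hints")
        except ValueError:
            pass  # malformed hint: ignore it rather than trust it
    ua = _get(headers, "User-Agent")
    if ua:
        return ("mobile" if " Mobile" in ua else "desktop", "user-agent")
    return ("desktop", "default")


def opt_in_headers():
    """Response headers a server sends so later requests carry the hints.

    Vary is required so shared caches keep the mobile and desktop variants apart.
    """
    return {
        "Accept-CH": ", ".join(REQUESTED_HINTS),
        "Vary": "Sec-CH-UA-Mobile, User-Agent",
    }


if __name__ == "__main__":
    sample = {"User-Agent": DESKTOP_UA,
              "Sec-CH-UA": '"Chromium";v="80", "Google Chrome";v="80", "Not A;Brand";v="99"',
              "Sec-CH-UA-Mobile": "?1"}
    print(parse_sec_ch_ua(sample["Sec-CH-UA"]))
    print(choose_variant(sample))                      # the hint wins over the UA string
    print(choose_variant({"User-Agent": MOBILE_UA}))   # legacy fallback
    print(opt_in_headers())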
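```

The sample deliberately pairs a desktop UA string with a Sec-CH-UA-Mobile: ?1 hint to show that, once a server has opted in, the structured hint rather than the free-text string drives the decision; a malformed hint is ignored instead of trusted.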
Sundar Pichai, in a reportedly long-winded editorial for the Financial Times, called for “sensible regulation” of Artificial Intelligence (AI), saying that “Artificial Intelligence is too important not to be regulated”.
Regulation raises costs on new entrants and challengers, and grants the incumbent players a wider moat against competition.
An Entrepreneur-in-Residence at a state-funded development bank once explained this to me in vivid detail, to wit: work with the regulators to impose new rules that crowd out the competition, then once you are in place you get to “turn around and pull the ladder up behind you”. He used those exact words. Big smile on his face.
When the CEO of a gigantic incumbent tech platform calls for regulation, what it really means is “regulation for thee / monopoly for me”.
AI is a red herring anyway. Now that my Unassailable book is about to drop, I can resume work on the one I was supposed to be writing since last summer. It’s called “The Singularity has been Canceled: The Perils of Techno-Utopian thinking”.
Last Google item for this week is an article observing how the latest look-and-feel of the search giant’s results page has the paid ads looking very similar to the organic search results.
Early data via Digiday indicate that the changes, barely over a week old, may already be resulting in higher ad clicks.
Last week we reported on 23andMe’s first licensing deal to develop a drug based on the DNA data supplied by the company’s customers. Despite that deal, and an earlier research deal with GlaxoSmithKline to share data (reported in #AxisOfEasy 79), the company has found it necessary to lay off 100 staff as consumer demand for DNA testing declines.
I will also take this opportunity to share some feedback from a reader on last week’s story. He politely objected to the way I tend to frame the 23andMe business model (you pay them to monetize your data). He pointed out that there is real value in getting these tests beyond what I said about learning your genetic heritage. In his case, had he been tested sooner, he would have known about a genetic marker he carries that foretold possible complications with a medication he had been prescribed. That’s an aspect I had not considered.
Two years ago Apple dropped plans to let customers end-to-end encrypt their iCloud backups after the FBI complained that doing so would hamper its investigations. The decision was not publicized until now, when Reuters broke the story. The point that matters: iCloud backups are already encrypted at rest, but with keys Apple holds, so Apple can decrypt them in response to a warrant; the abandoned plan would have left the keys with the user alone.
The article highlights the discrepancy between Apple’s public stance of being strong on security and privacy and its willingness to lend assistance to law enforcement.
Example: the time Apple publicly declined the US attorney general’s request to help unlock the iPhones of the Saudi Air Force officer who shot three people at Naval Air Station Pensacola in Pensacola, Florida; it turns out Apple had provided authorities with the shooter’s iCloud backups anyway.
A hacker has leaked the largest known “bot list”, a trove of data containing Telnet logins and passwords for over 500,000 internet routers, IoT devices and web cams. The list was published online by the operator of a DDoS-for-hire (“stresser”) service.
The list was compiled by finding internet-exposed devices with a specialized search engine such as Shodan or BinaryEdge, then trying the manufacturers’ known default passwords as well as the simple password combinations that turn out to get used a lot. (I once ran a test on some breach data that showed something like 2.7% of the passwords therein were “abc123”.)
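The defender’s side of that technique is that default-credential spraying over Telnet leaves a very recognizable trace: a burst of failed logins from one source, across several account names, often followed by a success. The following is an added example of mine, not code from the article or from any vendor: a Python detector that parses a constructed, simplified auth-log format (real device logs differ by vendor, and passwords are deliberately not logged), flags any source exceeding a failure threshold inside a time window, and marks the source as a likely compromise if it later logs in successfully. The log lines, IP addresses and the function name detect_sprays are all my own constructions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (real device logs vary by vendor):
#   <ISO-8601 time>Z telnet-auth src=<ip> user=<name> result=<ok|fail>
# Passwords are deliberately absent: the pattern of attempts is the signal.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z telnet-auth "
    r"src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample: one source sprays several default account names and
# gets in, one legitimate operator fat-fingers once, one lone failure, and
# one junk line that the parser must skip.
SAMPLE_LOG = """\
2020-01-20T03:14:01Z telnet-auth src=198.51.100.7 user=admin result=fail
2020-01-20T03:14:02Z telnet-auth src=198.51.100.7 user=root result=fail
2020-01-20T03:14:03Z telnet-auth src=198.51.100.7 user=admin result=fail
2020-01-20T03:14:04Z telnet-auth src=198.51.100.7 user=support result=fail
2020-01-20T03:14:05Z telnet-auth src=198.51.100.7 user=root result=ok
2020-01-20T03:20:00Z telnet-auth src=203.0.113.9 user=operator result=fail
2020-01-20T03:20:30Z telnet-auth src=203.0.113.9 user=operator result=ok
2020-01-20T09:00:00Z telnet-auth src=192.0.2.44 user=admin result=fail
this line is not an auth record and is skipped
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "src": m["src"], "user": m["user"], "ok": m["result"] == "ok"}


def detect_sprays(lines, window=timedelta(minutes=5), threshold=4):
    """Flag sources with at least `threshold` failed logins inside `window`.

    Returns {src: {"failures": n, "users": [...], "succeeded_after": bool}}.
    succeeded_after is True when a flagged source later logs in: the default
    credential guess most likely worked and that device should be treated as
    compromised, not merely probed.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)      # src -> [(ts, user)] failures still inside the window
    findings = {}
    for e in events:
        src = e["src"]
        if e["ok"]:
            if src in findings:
                findings[src]["succeeded_after"] = True
            continue
        fails = recent[src]
        fails.append((e["ts"], e["user"]))
        while fails and e["ts"] - fails[0][0] > window:
            fails.pop(0)             # drop failures older than the window
        if len(fails) >= threshold:
            f = findings.setdefault(
                src, {"failures": 0, "users": set(), "succeeded_after": False})
            f["failures"] = max(f["failures"], len(fails))
            f["users"].update(u for _, u in fails)
    for f in findings.values():
        f["users"] = sorted(f["users"])
    return findings


if __name__ == "__main__":
    for src, f in detect_sprays(SAMPLE_LOG).items():
        verdict = "COMPROMISED" if f["succeeded_after"] else "probed"
        print(src, f["failures"], "failures, users tried:", f["users"], "->", verdict)
```

On the sample, only 198.51.100.7 is flagged, and because it logs in as root after four failures the verdict is compromise rather than a mere probe; the single failed attempt from the operator at 203.0.113.9 stays below the threshold. The window matters as much as the threshold: slow sprays spread over hours need a longer window or a per-day count.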
A court filing in the state of New Jersey reveals that the CEO of a DDoS mitigation company has admitted to paying cybercriminals to launch DDoS attacks. Tucker Preston, of Macon, Georgia, the former CEO of BackConnect Security LLC, faces penalties of up to 10 years in prison and/or a fine of up to $250,000, or twice the amount gained or lost in the commission of the offence.
This is the same person who previously admitted to using BGP hijacking (announcing IP address space his company did not own) as a DDoS mitigation tactic.
In November 2018, Amazon CEO Jeff Bezos received a WhatsApp message from a number he had exchanged with the Saudi Arabian crown prince, Mohammed bin Salman (“MBS”). The message had an image file attached, a picture of Lauren Sanchez, the woman with whom he was having a then-undisclosed affair. Naturally, he opened the file.
That turned out to be a mistake, as it was revealed last week that the image carried malware, thus infecting the mobile phone of one of the wealthiest individuals in the world.
The incident has caused a bit of an international s**tstorm, with a UN investigation concluding that Bezos was targeted because of his ownership of the Washington Post: the same WaPo that published a series of articles critical of the Kingdom, and the same WaPo that employed the Saudi-born dissident journalist Jamal Khashoggi, who had been murdered in the Saudi consulate in Turkey a month earlier.
Oh those Saudis…
Bob Diachenko strikes again. The security researcher with a knack for finding unprotected data dumps on wide-open Elasticsearch instances found a trove of 250 million records of Microsoft customer support logs.
The records, exchanges between Microsoft support agents and customers spanning a 14-year period, were retrievable without authentication. The exposure began with a misconfiguration in early December and was closed within two days of Diachenko reporting it at the end of the month; Microsoft says most personal data in the logs had already been redacted by automated tooling, though some email addresses and IP addresses survived in plain text.
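The check that finds this class of exposure is simple and worth running against your own address space: an Elasticsearch node that answers its root endpoint and /_cat/indices without credentials is open to the world. Below is an added example of mine (not Diachenko’s tooling and not Microsoft’s code) in Python: the probe logic is separated from the HTTP call so it can be exercised offline against constructed responses shaped like the real endpoints. The cluster name, index names and document counts in the fake responses are invented, and the function names check_open_elasticsearch and make_fake_fetch are my own.

```python
import json
import urllib.error
import urllib.request

ES_ROOT = "/"
ES_INDICES = "/_cat/indices?format=json&h=index,docs.count"


def http_get(url, timeout=5):
    """Live fetcher: GET with no credentials, return (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_open_elasticsearch(base_url, fetch=http_get):
    """Report whether an Elasticsearch node serves data without authentication.

    Returns {"open": bool, "cluster": str|None, "version": str|None,
             "indices": [(name, doc_count), ...], "reason": str}.
    """
    base = base_url.rstrip("/")
    finding = {"open": False, "cluster": None, "version": None, "indices": []}
    status, body = fetch(base + ES_ROOT)
    if status == 401:
        finding["reason"] = "authentication required"
        return finding
    if status != 200:
        finding["reason"] = "HTTP %d from root endpoint" % status
        return finding
    try:
        root = json.loads(body)
    except ValueError:
        root = None
    # The root banner of a real node carries cluster_name and a version object.
    if not isinstance(root, dict) or "cluster_name" not in root \
            or not isinstance(root.get("version"), dict):
        finding["reason"] = "root endpoint is not an Elasticsearch banner"
        return finding
    finding["cluster"] = root["cluster_name"]
    finding["version"] = root["version"].get("number")
    # If the index listing is served too, the data itself is reachable.
    status, body = fetch(base + ES_INDICES)
    if status == 200:
        for row in json.loads(body):
            finding["indices"].append((row.get("index"), int(row.get("docs.count") or 0)))
    finding["open"] = True
    finding["reason"] = ("banner and index listing served without credentials"
                         if status == 200 else "banner served without credentials")
    return finding


def make_fake_fetch(responses):
    """Offline stand-in for http_get: answers from a {path: (status, body)} table."""
    def fetch(url, timeout=5):
        parts = url.split("/", 3)
        path = "/" + (parts[3] if len(parts) > 3 else "")
        return responses.get(path, (404, ""))
    return fetch


# Constructed responses modelled on the shape of the real endpoints; the
# cluster name, index names and counts are invented for this example.
OPEN_NODE = {
    ES_ROOT: (200, json.dumps({"name": "node-1", "cluster_name": "support-logs",
                               "version": {"number": "6.8.0"},
                               "tagline": "You Know, for Search"})),
    ES_INDICES: (200, json.dumps([
        {"index": "cases-2019", "docs.count": "1250000"},
        {"index": "cases-2018", "docs.count": "980000"}])),
}
LOCKED_NODE = {ES_ROOT: (401, json.dumps({"error": "security_exception"}))}


if __name__ == "__main__":
    print(check_open_elasticsearch("http://127.0.0.1:9200", fetch=make_fake_fetch(OPEN_NODE)))
    print(check_open_elasticsearch("http://127.0.0.1:9200", fetch=make_fake_fetch(LOCKED_NODE)))
    # Against a node you are authorized to test: check_open_elasticsearch("http://host:9200")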
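```

An open finding means the fix is on the server side, not in the scanner: bind network.host to a private interface, enable authentication (xpack.security.enabled: true in elasticsearch.yml on versions where it is off by default) and keep port 9200 behind a firewall or security group. The Microsoft case is the reminder that a single network-rule change can undo all three.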
This CNET piece, which I found to be deceptively headlined (“Your sex devices may be spying on you”), points out that in this era of Bluetooth- and network-connected everything, one must take care to avoid using such devices with weak security.
Networked sex toys, like anything else, seem to fall into a broad range across the security spectrum: some established companies have better security posture regarding these things, while others are lax and vulnerable.
As with our guidance on all smart agents within the home (don’t use them, or turn off the microphones), our advice is this:
don’t stick anything with a network interface into any bodily orifice (possibly excepting earbuds, into your ears), and
don’t stick any of your body appendages into anything with a network access point.
He reported the bug to PayPal and was paid a bounty of US$15,300. PayPal fixed the problem within two days of its being reported. It also turns out that the vulnerability could only be exploited if the victim followed a login link from a hostile source, such as a phishing site or a malicious email.
US Secretary of Defense Mark Esper, in a speech in Washington DC last week, called China a “21st Century Surveillance State”. He cited that country’s practice of using AI and ubiquitous surveillance to suppress minority groups, such as the Uyghur Muslims, as well as pro-democracy activists:
“In fact, the Chinese Communist Party has constructed a 21st century surveillance state with unprecedented abilities to censor speech and infringe upon basic human rights. George Orwell would be proud”.