[Axis of Easy] Apple Dropped Plan For Encrypted Backups After FBI Complained


Weekly Axis Of Easy #130


Last Week’s Quote was “I’ve learned that the monsters ain’t underneath the bed”.  …was Eric Church, nobody got it. 

This Week’s Quote: “Life is a long lesson in humility” …by ????

THE RULES: No searching up the answer, must be posted to the blog

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.


We will be spinning out a stand-alone AxisOfEasy channel in the coming weeks. To get a head-start on a more frequent flow of items via that channel, subscribe to our updates via Mastodon or Twitter.

Listen to the podcast edition of #AxisOfEasy here:

  • London deploys facial recognition cams while Europe mulls ban
  • Google phasing out browser User-Agent string in Chrome 
  • Google CEO calls for regulation of AI
  • Google’s ads now look a lot like search results 
  • 23andMe lays off 100
  • Apple dropped plan for encrypted backups after FBI complained
  • Hacker leaks passwords for more than half-million routers, IoT devices
  • DDoS mitigation company CEO admits to launching DDoS attacks
  • Jeff Bezos’s phone hacked by Saudis 
  • Breach of the week: Microsoft exposes 250 million customer support records
  • Your net connected dildo may be hackable 
  • HackerOne finds serious security failure in Paypal’s login system
  • US Defense Secretary says China is a 21st century surveillance state

London deploys facial recognition cams while Europe mulls ban

The City of London’s Metropolitan police announced Friday that they plan to deploy an array of advanced, real-time facial recognition cameras across the city. The cameras will be deployed in high traffic, heavy tourism areas and actively scan faces for matches from “bespoke watch lists”.

The announcement took place at roughly the same time a leaked white paper emerged from Europe that the European Commission may be enacting the largest ban on facial recognition cameras in the world, affecting most of the continent. The white paper suggests that deploying facial recognition cameras may be incompatible with data privacy protections under the GDPR.

Read: https://www.techdirt.com/articles/20200119/09574843759/leaked-document-suggests-possible-facial-recognition-ban-europe.shtml

Google phasing out browser User-Agent string in Chrome 

Starting with Chrome version 81 (due out in mid-March), Google will commence the phase-out of the User-Agent string from the Chrome web browser. The UA string describes the browser type to the web server and a lot of processes key on it to decide how to render the pages they’re about to serve. For example: whether to send a desktop or a mobile version of the requested document.

However, UA strings can also be easily spoofed, for myriad reasons, and they can be used by servers in the creation of browser fingerprints: a method of tracking end users even in the absence of cookies.

In its place, Google is introducing a new mechanism called ClientHints, where the web server can request additional information from the client to better determine how to serve the document.

 

Google CEO calls for regulation of AI

Sundar Pichai, in a reportedly long-winded editorial for the Financial Times, called for “sensible regulation” of Artificial Intelligence (AI), saying that “Artificial Intelligence is too important not to be regulated”.

Regulation raises costs on new entrants and challengers, and grants the incumbent players a wider moat against competition.

An Entrepreneur-in-Residence to a state funded development bank once explained this to me in vivid detail, to whit: Work with the regulators to impose new rules that crowd out the competition, then when you are in place you get to “turn around and pull the ladder up behind you”. He used those exact words. Big smile on his face.

When the CEO of a gigantic incumbent tech platform calls for regulation, what it really means is “regulation for thee / monopoly for me”.

AI is a red herring anyway. Now that my Unassailable book is about to drop, I can resume work on the one I was supposed to be writing since last summer. It’s called “The Singularity has been Canceled: The Perils of Techno-Utopian thinking”.

Google’s ads now look a lot like search results 

Last Google item for this week is an article that observes how the latest look-and-feel of the search giants query results has the paid ads looking very similar to the organic search results.

Early data via Digiday indicate that the changes, barely over a week old, may already be resulting in higher ad clicks.

Read: https://digiday.com/marketing/googles-latest-search-results-change-blurs-whats-ad/

23andMe lays off 100

Last week we reported on the 23andMe’s first licensing deal to create drug based on the DNA data supplied by the company’s customers. Despite the deal, and a previous research deal with Glaxo Smith Kline to share data (reported in #AxisOfEasy 79), the company has found it necessary to lay off 100 staff as demand for DNA testing from consumers at large is decreasing.

I will also take this opportunity to share some feedback from a reader around last week’s story. He politely objected to the way I tend to frame the 23andMe business model (you pay them to monetize your data). He pointed out that there is real value derived from getting these tests, beyond what I said about finding out about your genetic heritage. In his case he had himself tested and had he done so sooner would have been aware of a genetic marker he possessed which foretold possible complications with a medication he had been prescribed. That’s an aspect I had not considered.

Apple dropped plan for encrypted backups after FBI complained

Two years ago Apple dropped plans to enable customers to encrypt their iCloud back ups after the FBI complained that doing so would hamper them in their investigations. The decision was not publicized until now, when Reuters broke the story.

The article highlights the discrepancy between Apple’s public stance of being strong on security and privacy and its willingness to lend assistance to law enforcement.

Example: that time when Apple visibly declined the US attorney general’s request to help them unlock a mass shooter’s iPhone, the Air Force officer who shot three people at the Penescola Air Force base in Penescola, it turns out they did provide authorities with the shooters’s backups anyway.

 

Hacker leaks passwords for more than half-million routers, IoT devices

A hacker has leaked the largest known “bot list”, a trove of data containing logins and passwords for over 500 million internet routers, IoT devices and web cams. The list was published online by a so-called “DDoS Stressor” service.

Using a specialized search engine such as Shodan or BinaryEdge, internet devices were scanned and then tested with known default manufacturer passwords as well as simple password combos that turn out to get used a lot. (I once ran a test on some breach data that showed something like 2.7% of the passwords therein was “abc123”).

Devices ranged from home routers and devices to nodes within large cloud providers.

DDoS mitigation company CEO admits to launching DDoS attacks

A court filing in the state of New Jersey reveals that the CEO of a DDoS Mitigation company confessed to paying cyber criminals to launch DDoS attacks. Tucker Preston, of Macon, Georgia, who was the CEO of a company called BackConnect Security LLC faces penalties of up to 10 years in prison and/or fines up to $250,000, or twice the amount gained or lost in the commission of the offence.

This is the same guy who admitted employing the questionable practice of BGP hijacking in order to mitigate DDoS attacks in the past.

Read: https://krebsonsecurity.com/2016/09/ddos-mitigation-firm-has-history-of-hijacks/

Jeff Bezos’s phone hacked by Saudis 

In November 2018, Amazon CEO Jeff Bezos received a text via WhatsApp from a number he exchanged with Saudi Arabian crown prince, Mohammed bin Salmen (“MBS”). The message had an image file attached, a picture of Lauren Sanchez, the woman he was having a then-disclosed affair with. Naturally, he opened the file.

That turned out to be a mistake, as it was revealed last week that said image was infected with malware, thus infecting the mobile phone of one of the wealthiest individuals in the world.

The incident has caused a bit of an international s**tstorm with a UN investigation concluding that Bezos was targeted because of his ownership of the Washington Post. The same WaPo that published a series of articles critical of the Kingdom and the same WaPo that employed the Saudi-born dissident journalist, Jamal Khashoggi who had been murdered in the Saudi consulate in Turkey a month earlier. 

Oh those Saudis…

Breach of the week: Microsoft exposes 250 million customer support records

Bob Dianchenko strikes again. The security researcher with a knack for finding unprotected, unsecured data dumps on wide open ElasticSearch instances found a trove of 250 million records of Microsoft customer support logs.

The records were exposed for a two-day period in December and were retrievable without authentication. The records included logs of exchanges between Microsoft support agents and customers over a 14-year period.

Your net connected dildo may be hackable

This piece in Cnet, which I found to be deceptively headlined (“Your sex devices may be spying on you”), points out that in this era of Bluetooth and network connected everything, one must take care to guard against using such devices with weak security.

Networked sex toys, like anything else, seem to fall into a broad range across the security spectrum: some established companies have better security posture regarding these things, while others are lax and vulnerable.

Similar to our guidance on all smart agents within the home: don’t use them or turn off the microphones, our advice is this:

  • don’t stick anything with a network interface into any bodily orifice (possibly excepting earbuds, into your ears), and
  • don’t stick any of your body appendages into anything with a network access point.

HackerOne finds serious security failure in Paypal’s login system

A security researcher working within Paypal’s bug bounty program at HackerOne found serious bug in one of the most visited pages on the company’s website. Alex Birsan found that the reCaptcha JavaScript on the Paypal login page was vulnerable to cross-site scripting forgery and session hijacking.

He reported the bug to Paypal and was paid a bounty of $15,300 USD. Paypal fixed the problem within two days of its being reported. It also turns out that the vulnerability could only be exploited if the victim followed a login link from a hostile source like a phishing site or a malware email.

US Defense Secretary says China is a 21st century surveillance state

US Secretary of Defense Mark Esper, in a speech in Washington DC last week called China a “21st Century Surveillance State”. He cited that country’s practice of using AI and ubiquitous surveillance to suppress minority groups, such as the Urgyur Moslems as well as pro-democracy activists,

“In fact, the Chinese Communist Party has constructed a 21st century surveillance state with unprecedented abilities to censor speech and infringe upon basic human rights. George Orwell would be proud”.

 

 

4 thoughts on “[Axis of Easy] Apple Dropped Plan For Encrypted Backups After FBI Complained

  1. Good Heavens! Has no reader of this blog heard Johnny Deep utter this banal phrase in “Finding Neverland”? Or are the majority of the customers here not blog readers, but callow mercantile fortune seekers? They’ll learn soon enough, once old and grey as I am, and their fortune somehow went the other way!
    Anyhow- enough of this J.M Barrie nonsense- let’s move to this week’s puzzle.
    Oh wait! This week’s quote IS from Barrie.!
    Well, at least i had never heard of last week’s “Monsters under the Bed” author. But then… I killed my first monster when I was seven years old. He melted like butter in my bathroom’s sixty-watt bulb. Huh. Now that most light bulb are LED, what will the children do?

  2. “…some established companies have better security posture regarding these things, while others are lax and vulnerable.”
    — That’s what she said!
    Please tell me you did this one intentionally… =)

  3. Regarding the 23 and me tests, the person who found out he had a genetic marker concerning medication he should not take; that type of information should be provided by doctors. I find it upsetting that a genealogy company can do this for people when doctors who prescribe medicine do not. I feel it does not excuse what 23 and me is doing by selling drugs developed from their customer’s data after receiving payment from their customers. I think it’s unethical and it is fortunate for them that I never paid for testing.

Leave a Reply to Tony Q. King Cancel reply

Your email address will not be published. Required fields are marked *