#AxisOfEasy 208: Big Tech Wants To Data Mine Your Encrypted Data And Search Your Photos For CSAM

 

 


Weekly Axis Of Easy #208


Last Week’s Quote was “Could we change our attitude, we should not only see life differently, but life itself would come to be different. Life would undergo a change of appearance because we ourselves had undergone a change of attitude,” was Katherine Mansfield, the New Zealand author who lived 1888 – 1923, nobody got it.

This Week’s Quote: “In any bureaucracy, the people devoted to the benefit of the bureaucracy itself always get in control, and those dedicated to the goals the bureaucracy is supposed to accomplish have less and less influence, and sometimes are eliminated entirely” … by???

THE RULES: No searching up the answer, must be posted to the blog- the place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal is on us.


 

In this issue:

  • Facebook wants to datamine encrypted data without breaking the encryption
  • Apple will start scanning your phone for child pr0n
  • Apple remote workers facing in-home surveillance cameras
  • Authentication bypass affects millions of home routers
  • ‘New DNS level vulnerability allows “nation state level spying” on companies’
  • Spanish engineers extra potable water from air
  • eBay execs conducted harassment campaign against critics
  • Big Tech are supposed to the plumbers, not the patricians of internet discourse


Today’s headline combines two separate items this week: Facebook wants to be able to datamine your encrypted data on WhatsApp so that they can monetize it with ads, while Apple will be scanning your iPhone looking for illegal child abuse photos.

There will be no AxisOfEasy next week as we head off on vacation.


Facebook wants to datamine encrypted data without breaking the encryption

Facebook is still trying to figure out how to monetize all those free users they acquired when they bought WhatsApp for $16B back in 2014.

That’s always the problem in unicorn economics: The power point deck will have a bunch of slides that have arrows pointing up and to the right, but once you spend the money and buy the company, it becomes evident that users don’t really want to pay for a products they’re used to getting for free.

So somehow you have to monetize the users.

Problem there, when it comes to WhatsApp is the encryption, which is one of the main selling features for it.
 
End-to-end encrypted data makes it harder to data mine the users content and target them with ads based on their private communications. So now Facebook is building a team of AI experts to develop homomorphic encryption: it’s a type of encryption that enables machine learning and data analysis on the data, without decrypting it. Once they do that, Facebook can get back to monetizing those users based on their private communications without needing to know what the substance of those communications are.
 
Read: https://thenextweb.com/news/facebook-encryption-ads-ai-team-rumor 
 
The subtext here is that if you’re using free services and not paying for them, you have no expectation of privacy or of not being data mined and monetized. Gmail, hotmail, Twitter DMs, everything.



Apple will start scanning your phone for child pr0n 
 
Apple will be rolling out a system that will enable automated scanning for CSAM, or “Child Sexual Abuse Materials” on your iPhone.
 
It’s being implemented via a new system called “neuralMatch” which will be deployed via a software update. neuralMatch will scan your iPhone’s photos, and those in your iCloud backup and compare hashes (like digital fingerprint) to a database of over 200,000 known CSAM pictures compiled by the US non-profit National Center for Missing and Exploited Children.
 
“Before an image is stored in iCloud Photos, an on-device matching process is performed for that image against the known CSAM hashes.” 
 
If it finds a match it will flag your device for inspection and if verified to be true, will contact the police.
 
Most privacy and security experts are wary of this, as it has obvious slippery slope implications, not to mention that the technology isn’t foolproof.
 
Read: https://www.bbc.com/news/technology-58109748 
 

Readers have been asking me about the Librem Puri.sm phone I ordered over four years ago. It never arrived. I’m still scheduled to receive one, every time they send out a marketing email I ask them “when will I get my phone?” and sometimes somebody replies that I’m scheduled to receive it in a few months. Most recently Librem’s CEO sent out an email asking their customers if they wanted to invest in a debt offering (convertible debentures) being floated by the company. I took a pass, I am not holding my breath for ever receiving my phone. I know people who have their laptops and they like them, but it looks like things are running on fumes over at Librem.


Apple remote workers facing in-home surveillance cameras

Also Apple: The work-from-home revolution is here to stay, so now some employers want to be able to keep tabs on their employees or contractors in their homes while they’re on the job.

In Colombia workers from an all-remote call center called Teleperformance, one of the largest call center providers in the world, are voicing privacy concerns over the contract with Apple which came out in March. Under the revised contract, workers agree to having cameras placed in their homes…

“The contract allows monitoring by AI-powered cameras in workers’ homes, voice analytics and storage of data collected from the worker’s family members, including minors.”

Workers who have expressed privacy concerns over the new deal have been told if they do not sign the contracts they will be removed from the Apple account.

Similar issues exist with a call center in Albania.

Read: https://9to5mac.com/2021/08/09/apple-call-center-workers-surveillance/


Authentication bypass affects millions of home routers

A software bug that has remained latent in a library used by multiple home router devices has now been discovered and exploited putting millions of home routers at risk.

“This vulnerability in Arcadyan’s firmware has existed for at least 10 years and has therefore found its way through the supply chain into at least 20 models across 17 different vendors, and that is touched on in a whitepaper Tenable has released,” explained Evan Grant, Tenable Staff Research Engineer, on Tuesday.”

The vulnerability was disclosed in an April security report, but a proof-of-concept exploit was released on Aug 3rd. The attacks started within 48 hours and is installing Mirai botnet code.

A list of home routers affected is included in the Bleeping Computer article, while the Juniper Labs Theat Report outlines how to look for signs of compromise.

Read: https://www.bleepingcomputer.com/news/security/actively-exploited-bug-bypasses-authentication-on-millions-of-routers/

And: https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild


‘New DNS level vulnerability allows “nation state level spying” on companies’ 
 
For this item I’ve cribbed the exact title from the Bleeping Computer article to make a meta observation on how the media frames things.
 
At the recent Black Hat conference a pair of researchers from the cloud provider wiz.io presented their findings (which they titled “A New Class of DNS Vulnerabilities Affecting Many DNS-as-a-Service Platforms”).
 
The problem, quite simply, is that a lot of companies that provide DNS services, either as a managed or cloud DNS provider (like us), or in the course of providing other services (web hosting, ecommerce, blogs, registrars) don’t properly validate the domain names being added to the system by end users. Some of them, including Amazon Route 53, allow users (AWS fixed this already) to add domain names that are literally the same as their own nameserver records.
 
In other words, it would be the same as us allowing somebody to add “dns1.easydns.com” to their easyDNS account, and then set their own IP address for dns1.easydns.com.  This would intercept all the DNS queries headed for our nameserver, because most nameserver daemons (especialy BIND) would prefer the domain where dns1 is the zone apex, over the real dns1, where it is a sub-host of the parent zone. Except that doesn’t work at easyDNS because we’ve been blocking that for 20 years and whenever somebody tries to add a domain that contains the string “easydns” we automatically block it, and often nuke the account.
 
There is a similar problem the researchers found with the SOA record for many domains being misconfigured by their respective DNS providers (don’t worry, if you’re with easyDNS, Domainsure or Zoneedit, yours are fine).
 
The Bleeping Computer headline seems to suggest that this was a disclosure of some new protocol level vulnerability in DNS, which it isn’t. It’s more indicative of poor input validation at the provider level.
 
Read: https://www.bleepingcomputer.com/news/security/new-dns-vulnerability-allows-nation-state-level-spying-on-companies/


BlackHat Deck: https://www.blackhat.com/us-21/briefings/schedule/#a-new-class-of-dns-vulnerabilities-affecting-many-dns-as-service-platforms-23563


Spanish engineers extra potable water from air 
 
In Spain a team headed by a 82 year old engineer has succeeded in extracting water from air using electrical condensation.
 
It uses a principle based on what we normally see with condensation on air conditioners. Only now they can do it at lower temperatures and humidity levels.
 
“While other water generators based on similar technology require high ambient humidity and low temperatures to function effectively, Veiga’s machines work in temperatures of up to 40 Celsius (104F) and can handle humidity of between 10% and 15%. A small machine can produce 50-75 liters a day, and be easily carried on a trolley, but bigger versions can produce up to 5,000 liters a day.”
 

Enrique Veiga first invented it during a drought in Spain during the 1960’s. The system is already operational in Namibia and in a refugee camp in Lebanon.
 
Read: https://tech.slashdot.org/story/21/08/05/0139241/spanish-engineers-extract-drinking-water-from-thin-air 
 
Speaking of fresh water initiatives, another pioneer from the domain and DNS industry, Richard Lau (NamesCon, MyDomain) has been executive director of Waterschool for a few years now. Waterschool works with communities in Uganda to provide clean, safe drinking water to communities there. Check them out 
here, and get involved here.


Big Tech are supposed to the plumbers, not the patricians of internet discourse 
 
One of our customers has his account suspended by Mailchimp because he’s been writing more about vaccine passports. Increasingly more tech vendors think it’s within their purview to decide what is or isn’t “misinformation.” There is a fallacy that has gained enormous traction within the corporate media that there is some kind of stand alone objective truth that emanates directly from the mouths of anointed experts, and all else is false, misinfo or even right-wing extremism.
 
I wrote up a piece about it over on Bombthrower, and then a reader sent me this excellent article about mob mentality and the othering of the unvaxxed.
 
Read: https://bombthrower.com/articles/when-dissent-is-misinformation-fallacies-become-facts/ 


Also: https://charleseisenstein.substack.com/p/mob-morality-and-the-unvaxxed
 
  

3 thoughts on “#AxisOfEasy 208: Big Tech Wants To Data Mine Your Encrypted Data And Search Your Photos For CSAM

  1. Ludwig von Mises. And if he didn’t say it in exactly those words, you *know* he said it somewhere in his magisterial “Bureaucracy.”

Leave a Reply

Your email address will not be published. Required fields are marked *