
Nick L

France attacks Facebook data tracking, opening new front in privacy battles

Quote

French data regulators have given Facebook three months to stop transferring data on French users to the US and to refrain from tracking nonusers.

PARIS — In yet another fissure between the US and Europe over digital privacy practices, French regulators ordered Facebook to curtail its online data collection practices.

The country’s data protection authority, known by its French acronym CNIL, ruled this week to give Facebook three months to stop transferring data on French users to the states and to refrain from collecting information about nonusers, or else face hefty fines.

—–
There is an easier solution. Just stop using it. These slime balls track you whether you are a user or not. That said, anyone who disrespects their own privacy deserves what they get. Word of the day: insouciant – “marked by blithe unconcern; nonchalant.” And it is not just users of Facebook and other social media; it is what we witness every day in businesses when it comes to their IT security and their employees’ and customers’ privacy.

Court confirms that French courts can try Facebook

Quote (French) / Quote (English)

Paris court rules against Facebook in French nudity case


The Paris appeal court has upheld a ruling that Facebook can be sued under French – not Californian – law.

A French teacher won in the Paris high court last year, arguing that Facebook should not have suspended his account because of an erotic image on his page.

Facebook appealed against that ruling – but the appeal court has now upheld the criticism of Facebook’s user terms.

US-based Facebook says users can only sue in California. It removed a close-up of a nude woman, painted by Courbet.

The teacher, Frederic Durand-Baissas, argued that he had a right to post a link on Facebook with the image of the famous Gustave Courbet painting. The original 19th-Century work hangs in the Musee d’Orsay in Paris.

The teacher accused Facebook of censorship and said the social network should reinstate his account and pay him €20,000 (£15,521; $22,567) in damages. He sued the company in 2011.

It is seen as a test case, potentially paving the way for other lawsuits against Facebook outside US jurisdiction.

Facebook users have to agree to the tech giant’s terms of service, which state that its jurisdiction is California. About 22 million French people are on Facebook.

The Paris high court decided that the company’s argument was “abusive” and violated French consumer law, by making it difficult for people in France to sue.

The Facebook community standards say “we restrict the display of nudity because some audiences within our global community may be sensitive to this type of content – particularly because of their cultural background or age”.

———
Good work Frederic Durand-Baissas!

‘Error 53’ fury mounts as Apple software update threatens to kill your iPhone 6


Quote

It’s the message that spells doom and will render your handset worthless if it’s been repaired by a third party. But there’s no warning and no fix

Thousands of iPhone 6 users claim they have been left holding almost worthless phones because Apple’s latest operating system permanently disables the handset if it detects that a repair has been carried out by a non-Apple technician.

Relatively few people outside the tech world are aware of the so-called “error 53” problem, but if it happens to you you’ll know about it. And according to one specialist journalist, it “will kill your iPhone”.

Apple says iPhone ‘Error 53’ is to protect customers’ security

The issue appears to affect handsets where the home button, which has touch ID fingerprint recognition built-in, has been repaired by a “non-official” company or individual. It has also reportedly affected customers whose phone has been damaged but who have been able to carry on using it without the need for a repair.

But the problem only comes to light when the latest version of Apple’s iPhone software, iOS 9, is installed. Indeed, the phone may have been working perfectly for weeks or months since a repair or being damaged.

After installation a growing number of people have watched in horror as their phone, which may well have cost them £500-plus, is rendered useless. Any photos or other data held on the handset is lost – and irretrievable.

Tech experts claim Apple knows all about the problem but has done nothing to warn users that their phone will be “bricked” (ie, rendered as technologically useful as a brick) if they install the iOS upgrade.

Freelance photographer and self-confessed Apple addict Antonio Olmos says this happened to his phone a few weeks ago after he upgraded his software. Olmos had previously had his handset repaired while on an assignment for the Guardian in Macedonia. “I was in the Balkans covering the refugee crisis in September when I dropped my phone. Because I desperately needed it for work I got it fixed at a local shop, as there are no Apple stores in Macedonia. They repaired the screen and home button, and it worked perfectly.”

He says he thought no more about it, until he was sent the standard notification by Apple inviting him to install the latest software. He accepted the upgrade, but within seconds the phone was displaying “error 53” and was, in effect, dead.

When Olmos, who says he has spent thousands of pounds on Apple products over the years, took it to an Apple store in London, staff told him there was nothing they could do, and that his phone was now junk. He had to pay £270 for a replacement and is furious.

“The whole thing is extraordinary. How can a company deliberately make their own products useless with an upgrade and not warn their own customers about it? Outside of the big industrialised nations, Apple stores are few and far between, and damaged phones can only be brought back to life by small third-party repairers.

It is all about the money, isn’t it, Apple?!

Microsoft Admits Windows 10 Automatic Spying Cannot Be Stopped

Quote

…Speaking to PC World, Microsoft Corporate Vice President Joe Belfiore explained that Windows 10 is constantly tracking how it operates and how you are using it and sending that information back to Microsoft by default. More importantly he also confirmed that, despite offering some options to turn elements of tracking off, core data collection simply cannot be stopped:

“In the cases where we’ve not provided options, we feel that those things have to do with the health of the system,” he said. “In the case of knowing that our system that we’ve created is crashing, or is having serious performance problems, we view that as so helpful to the ecosystem and so not an issue of personal privacy, that today we collect that data so that we make that experience better for everyone.”

To his credit, Belfiore does recognise the controversial nature of this decision and stresses that:

“We’re going to continue to listen to what the broad public says about these decisions, and ultimately our goal is to balance the right thing happening for the most people – really, for everyone – with complexity that comes with putting in a whole lot of control.”

B.S.!


Interestingly Belfiore himself won’t be around to oversee this as he is about to take a year long sabbatical. When he comes back, however, I suspect this issue will still be raging as Windows and Devices Group head Terry Myerson recently confirmed Windows 10 Enterprise users will be able to disable every single aspect of Microsoft data collection.

This comes in combination with Windows 10 Pro and Enterprise users’ ability to permanently disable automatic updates which are forced upon consumers and shows the growing divide between how Microsoft is treating consumers versus corporations.

So how concerned should users be about Windows 10’s default data collection policies? I would say very.

By default Windows 10 Home is allowed to control your bandwidth usage, install any software it wants whenever it wants (without providing detailed information on what these updates do), display ads in the Start Menu (currently it has been limited to app advertisements), send your hardware details and any changes you make to Microsoft and even log your browser history and keystrokes which the Windows End User Licence Agreement (EULA) states you allow Microsoft to use for analysis.

The good news: even if Belfiore states you cannot switch off everything, editing your privacy settings will disable the worst of these. To find them open the Start menu > Settings > Privacy.

The bad news: despite Belfiore’s pledge “to continue to listen”, Microsoft’s actions (including the impending Windows 7 and Windows 8 upgrade pressure) suggests the company’s recent love for Big Brother tactics is only going to get worse before it gets better…

Answer? Stay on Windows 7 Pro or switch to a Linux distro. It is time that users stand up and say “Stop spying or I will stop using your products.” Remember, Windows 10 is not free; you pay for the privilege to get raped by their ilk!

Rooting your Android phone? Google’s rumbled you again


Quote

Google’s crackdown on rooted Android devices continues. Citing security reasons, Google doesn’t want rooted ‘Droid phones to use mobile payments via the Android Pay infrastructure.

This is a standard not required by Pay’s predecessor, the now-deprecated Google Wallet.

In turn, this has led to a cat-and-mouse game with Android’s substantial global enthusiast community. Now a door that modders opened slightly a few months ago has been slammed shut.

A developer last year found a way of rooting Android without disturbing the /system partition (aka “systemless root”).

A Google engineer acknowledged last year that if it had to scan and verify every file on the partition, the phone would be “bogged down for tens of minutes”.

Respite was temporary. Systemless rooting will now fail to fulfil an Android Pay transaction. Pay now introduces an additional check, performed by Android’s SafetyNet framework.

This post at XDA Developers explains that several further tweaks are required to work around the latest security check.

Ah, if only it were that simple. Google fears malware, but the real reason is that it loses the ability to hoover up all your private information. One of the comments on the article was spot on:

The trouble with that is if Google Pay refuses to work, then Google Play (with an L) refuses to work *even for free apps*.

And you can’t uninstall Google Play Services without it taking all your downloaded apps with it. It uninstalls them when you turn it off in the settings.

This is the linkage game no different than when Microsoft did it.

Google Play Services is one of the most virulent spyware apps ever. Tracking, surveillance, access to cameras, microphones the lot. It has no purpose doing that, yet it does it for Google’s benefit.

You probably don’t know it’s tracking your location, and monitoring your app usage and all the other things “Carrier IQ” was doing. Sadly it is.

We need a true open source phone (which is what Android was supposed to be), away from the spying eyes of Google, the carriers and their ilk. Google is a monopolist. Why root? To get rid of the crapware and spyware installed on the phones, and to get security fixes faster and for longer. But if your entire life is on the phone (and then hoovered up and sold on), rooting is not for you. Just bend over for the likes of Google.

Popular 3G/4G data dongles vulnerable, say hackers

Quote

Cellular modems from four vendors have been popped by security researchers, who have documented cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution (RCE) and integrity attacks on the products….Because so many of the vulnerabilities – whether it’s via firmware or XSS/CSRF forgery attacks – allow remote code execution, the paper states, it’s easy to track devices. An attacker can read out the Cell ID or the connected WiFi base station.

The vulnerabilities also enabled a range of traffic interception attacks:

Devices could have their DNS redirected to an attacker-controlled domain.
Attackers can plant their own certificates into the devices’ trusted root list.
Some devices allow command-line access (via AT commands) to SMSs.

Other possibilities the research explored included using devices as PC attack vectors, attacks on SIM cards via binary SMS messages, and even upstream attacks directed at carrier networks.

The researchers conclude that the Huawei kit they tested was the least-worst.

I’ll take some Customer info with my Burger & Fries please

Quote

Wendy’s, the nationwide chain of fast-food restaurants, says it is investigating claims of a possible credit card breach at some locations. The acknowledgment comes in response to questions from KrebsOnSecurity about banking industry sources who discovered a pattern of fraud on cards that were all recently used at various Wendy’s locations….“We have received this month from our payment industry contacts reports of unusual activity involving payment cards at some of our restaurant locations,” Bertini said. “Reports indicate that fraudulent charges may have occurred elsewhere after the cards were legitimately used at some of our restaurants. We’ve hired a cybersecurity firm and launched a comprehensive and active investigation that’s underway to try to determine the facts.”

When will businesses start taking IT security seriously? (…not until a few get put out of business, I fear…)

Got to love Outsourcing that Support!

Quote

UK ISP TalkTalk is considering cutting ties with its Indian call center provider after three employees at the site were arrested for allegedly scamming customers.

The budget telco said police in Kolkata have nabbed a trio of Wipro call center workers as part of an investigation into security practices. Wipro runs the customer service call center for TalkTalk.

“Acting on information supplied by TalkTalk, the local Police have arrested three individuals who have breached our policies and the terms of our contract with Wipro,” TalkTalk said in a statement posted Wednesday.

I am not a big fan of the outsourcing option. In my experience, it just builds customer resentment for the shoddy, sub-standard service delivered. Best to keep these jobs at home.

Fortigate Back Door

Quote

Fortinet has admitted that many more of its networking boxes have the SSH backdoor that was found hardcoded into FortiOS – with FortiSwitch, FortiAnalyzer and FortiCache all vulnerable….. “Following the recent SSH issue, Fortinet’s Product Security Incident Response team, in coordination with our engineering and QA teams, undertook an additional review of all of our Fortinet products,” said the company in a blog post.

“During this review we discovered the same vulnerability issue on some versions of FortiSwitch, FortiAnalyzer and FortiCache. These versions have the same management authentication issue that was disclosed in legacy versions of FortiOS.”

Now the risk list includes FortiAnalyzer versions 5.0.5 to 5.0.11 and 5.2.0 to 5.2.4, FortiSwitch versions 3.3.0 to 3.3.2, FortiCache 3.0.0 to 3.0.7 (but branch 3.1 is not affected) along with gear running FortiOS 4.1.0 to 4.1.10, 4.2.0 to 4.2.15, 4.3.0 to 4.3.16, and the builds 5.0.0 to 5.0.7.

In all cases, the problem can be sorted by updating to the latest firmware builds. Don’t delay – hackers are closing in on the backdoor management authentication issue.

“Looking at our collected SSH data, we’ve seen an increase in scanning for those devices in the days since the revelation of the vulnerability,” said Jim Clausing, a mentor with the SANS Institute.

“Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18). So if you haven’t already applied patches and put ACLs/firewall rules in front of these devices limiting access to ssh from only specific management IPs, you have probably already been scanned and possibly pwned.”

Evil OpenSSH servers can steal your private login keys to other systems

Quote

Patch now and consider regenerating your keys just in case

Malicious OpenSSH servers can silently steal people’s private SSH keys as they try to log in, it emerged today.

This means criminals who compromise one server can secretly grab keys needed to log into other systems from a user’s computer – allowing crooks to jump from server to server.

The security cockup, present in the default configuration of OpenSSH, has been patched today, and all users and administrators are urged to update as soon as possible. ….The bug lies in versions 5.4 to 7.1 of the OpenSSH client, specifically in a little-known default-enabled feature called roaming that allows you to restart an SSH session after the connection has been interrupted. The roaming code contains an information sharing flaw (CVE-2016-0777) and a mildly harmless buffer overflow (CVE-2016-0778) blunder……The OpenSSH team has released version 7.1p2 that fixes the issue and software houses are scrambling to lock down this latest threat. The latest builds of FreeBSD and OpenBSD have already been patched, as have Debian, Ubuntu, and Red Hat Enterprise Linux.
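Both of the last two items boil down to “is my build inside the affected range?” The checker below is an added example (not code from Fortinet, OpenSSH or the quoted articles) that encodes the Fortinet version ranges and the OpenSSH client range exactly as the articles list them, parses the version string `ssh -V` prints, and looks for the `UseRoaming no` client setting, which is the workaround OpenSSH published alongside the 7.1p2 fix (it is not mentioned in the quoted text). The sample banner is constructed.

```python
import re

# Affected ranges as stated in the quoted articles (inclusive bounds).
# OpenSSH's upper bound is 7.1p1 because the article says 7.1p2 fixes it.
AFFECTED = {
    "FortiAnalyzer":  [("5.0.5", "5.0.11"), ("5.2.0", "5.2.4")],
    "FortiSwitch":    [("3.3.0", "3.3.2")],
    "FortiCache":     [("3.0.0", "3.0.7")],            # branch 3.1 not affected
    "FortiOS":        [("4.1.0", "4.1.10"), ("4.2.0", "4.2.15"),
                       ("4.3.0", "4.3.16"), ("5.0.0", "5.0.7")],
    "OpenSSH-client": [("5.4", "7.1p1")],
}

# Constructed sample of what `ssh -V` prints on a Debian-style build.
SAMPLE_BANNER = "OpenSSH_7.1p1 Debian-5, OpenSSL 1.0.2e 3 Dec 2015"


def parse_version(text):
    """Turn '5.0.11' or '7.1p1' into a comparable tuple of ints.
    A 'p' patch level becomes a trailing component, so 7.1p2 > 7.1p1 > 7.1."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError("no version digits in %r" % text)
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """True if the version lies inside any affected range for the product."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED.get(product, []))


def openssh_version_from_banner(banner):
    """Pull '7.1p1' out of an `ssh -V` banner; None if it is not OpenSSH."""
    m = re.search(r"OpenSSH_(\d+\.\d+(?:p\d+)?)", banner)
    return m.group(1) if m else None


def roaming_disabled(ssh_config_text):
    """True if ssh_config contains an uncommented 'UseRoaming no'.
    Host-block scoping is deliberately not evaluated: the directive is
    matched wherever it appears in the file."""
    for line in ssh_config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if re.match(r"(?i)^UseRoaming\s+no$", line):
            return True
    return False


if __name__ == "__main__":
    ver = openssh_version_from_banner(SAMPLE_BANNER)
    print(ver, "affected:", is_affected("OpenSSH-client", ver))
    print("FortiOS 4.3.16 affected:", is_affected("FortiOS", "4.3.16"))
```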