Skip to content

Privacy

Facebook needs to be regulated more tightly, or broken up so that no single entity controls all of its data

Quote

The message was clear: The company just wanted negative stories to stop. It didn’t really care how the data was used.

Facebook knows what you look like, your location, who your friends are, your interests, if you’re in a relationship or not, and what other pages you look at on the web. This data allows advertisers to target the more than one billion Facebook visitors a day. It’s no wonder the company has ballooned in size to a $500 billion behemoth in the five years since its I.P.O.

The more data it has on offer, the more value it creates for advertisers. That means it has no incentive to police the collection or use of that data — except when negative press or regulators are involved. Facebook is free to do almost whatever it wants with your personal information, and has no reason to put safeguards in place.

For a few years, Facebook’s developer platform hosted a thriving ecosystem of popular social games. Remember the age of Farmville and Candy Crush? The premise was simple: Users agreed to give game developers access to their data in exchange for free use of addictive games.

..

In one instance, a developer appeared to be using Facebook data to automatically generate profiles of children, without their consent. When I called the company responsible for the app, it claimed that Facebook’s policies on data use were not being violated, but we had no way to confirm whether that was true. Once data passed from the platform to a developer, Facebook had no view of the data or control over it. In other cases, developers asked for permission to get user data that their apps obviously didn’t need — such as a social game asking for all of your photos and messages. People rarely read permissions request forms carefully, so they often authorize access to sensitive information without realizing it.

At a company that was deeply concerned about protecting its users, this situation would have been met with a robust effort to cut off developers who were making questionable use of data. But when I was at Facebook, the typical reaction I recall looked like this: try to put any negative press coverage to bed as quickly as possible, with no sincere efforts to put safeguards in place or to identify and stop abusive developers. When I proposed a deeper audit of developers’ use of Facebook’s data, one executive asked me, “Do you really want to see what you’ll find?”

The message was clear: The company just wanted negative stories to stop. It didn’t really care how the data was used.

This makes for a dangerous mix: a company that reaches most of the country every day and has the most detailed set of personal data ever assembled, but has no incentive to prevent abuse. Facebook needs to be regulated more tightly, or broken up so that no single entity controls all of its data. The company won’t protect us by itself, and nothing less than our democracy is at stake.

Indeed. And users, including businesses, need to get serious about privacy and the damage the likes of facebook are doing and flee Facebook and their ilk in droves. Will this happen? I doubt it. As long as it is free they will come. As the increased popularity of Alexa, and other personal assistants that listen in shows, people are continuing to invite these modern forms of big brother into their private lives.

Equifax TrustID – Only Old Insecure IE8 Works!

So this afternoon I was told by email I had an account with Equifax TrustedID when I went to check on the status of the report lock. My password did not work. I tried to use the password reset. The page worked but when you enter all the information and hit the continue button, it does not go anywhere. I called the support telephone and that rings busy. Gave up on that.

Clearly more buggy code.

I finally got it to work using an old Windows Explorer 8 Browser on an old XP machine instead of Firefox. I even tried ieExplorer 11 and that did not work. But old insecure ie8 works fine with no out of date browser warnings.

Next – Then using the same Firefox Browser, I was able to login. And guess what, despite signing up, my report was still unlocked! When I tried to lock it, no dice, lock button not working. No go on ie11, but old insecure ie8 worked just fine.

What royal cock up Equifax. Totally incompetent!

(off topic: I also notice that uBlock Origin identified 147 trackers on Equifax.com. And they look out for my privacy and security. Bullshit!)

HOTSPOT VPN == Spyware

Quote

Hotspot Shield VPN throws your privacy in the fire, injects ads, JS into browsers – claim
CDT tries to set fed trade watchdog on internet biz
By Thomas Claburn in San Francisco 7 Aug 2017 at 20:20

The Center for Democracy & Technology (CDT), a digital rights advocacy group, on Monday urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive and unfair trade practices.

AnchorFree claims its Hotspot Shield VPN app protects netizens from online tracking, but, according to a complaint filed with the FTC, the company’s software gathers data and its privacy policy allows it to share the information.

Worryingly, it is claimed the service forces ads and JavaScript code into people’s browsers when connected through Hotspot Shield: “The VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes.”

“Hotspot Shield tells customers that their privacy and security are ‘guaranteed’ but their actual practices starkly contradict this,” said Michelle De Mooy, Director of CDT’s Privacy & Data Project, in a statement. “They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks.”

….
IP address and unique device identifiers are generally considered to be private personal information, but AnchorFree’s Privacy Policy explicitly exempts this data from its definition of Personal Information.

“Contrary to Hotspot Shield’s claims, the VPN has been found to be actively injecting JavaScript codes using iFrames for advertising and tracking purposes,” the complaint says, adding that the VPN uses more than five different third-party tracking libraries.

What’s the alternative? Rool your own, set up a VPS or Algo or both

Robocalls Flooding Your Cellphone? Here’s How to Stop Them

So here is a New York Times article on the subject. There are a few good ideas, but another layer is to always block your caller id and only unblock it for contacts you trust. Here is the FULL ARTICLE, but I summarize below

Rule No. 1 The most simple and effective remedy is to not answer numbers you don’t know, Mr. Quilici said.

“Just interacting with these calls is just generally a mistake,” he said.

If you do answer, don’t respond to the invitation to press a number to opt out. That will merely verify that yours is a working number and make you a target for more calls, experts said.

List your phones on the National Do Not Call Registry and report them there!

Use apps such as Truecaller, RoboKiller (fee), Mr. Number (owned by Hiya<below>), Nomorobo (free for landlines, fee for mobile) and Hiya (fee??), which will block the calls.  (Note: I have not reviewed any of these for security issues, so caveat emptor)

Phone companies, such as T-Mobile, Verizon and AT&T, also have tools to combat robocalls. They work by blocking calls from numbers known to be problematic  (Note: Oh yea, after being going through 10 minutes of voice response and being on hold for another 20 minutes)

Turn the tables And then there is the Jolly Roger Telephone Company, which turns the tables on telemarketers. This program allows a customer to put the phone on mute and patch telemarketing calls to a robot, which understands speech patterns and inflections and works to keep the caller engaged.  (Note – I kind of like this idea, but many of these miscreants use fake caller IDs of legitimate business phone numbers. Also note, the services is NOT free, but not that expensive either for that matter.)

 

Police say fridges could be turned into listening devices

Quote

Just say NO to IOT

Your fridge could be turned into a covert listening device by Queensland Police conducting surveillance.

The revelation was made during a Parliamentary committee hearing on proposed legislation to give police more powers to combat terrorism.

Police Commissioner Ian Stewart said technology was rapidly changing and police and security agencies could use devices already in place, and turn them into listening devices.

“It is not outside the realm that, if you think about the connected home that we now look at quite regularly where people have their security systems, their CCTV systems and their computerised refrigerator all hooked up wirelessly, you could actually turn someone’s fridge into a listening device,” Mr Stewart said.

Share on Facebook SHARE
Share on Twitter TWEET

Queensland Police Commissioner Ian Stewart said the proposed new laws were necessary to keep people safe.
Queensland Police Commissioner Ian Stewart said the proposed new laws were necessary to keep people safe. Photo: Glenn Hunt

“This is the type of challenge that law enforcement is facing in trying to keep pace with events and premises where terrorists may be planning, they may be gathering to discuss deployment in a tactical way and they may be building devices in that place.

“All of that is taken into account by these new proposed laws.”

The Counter-Terrorism and Other Legislation Amendment bill would give police more powers during and following attacks.

Unroll.me — Not sorry we did it – just sorry you’re pissed off

Quote

Unroll.me is owned by analytics outfit Slice Intelligence, and the site began life in 2011 with a fairly useful function. Its software crawls through your email inbox, noting which services and alerts you have signed up for. You can unsubscribe from the stuff you don’t want, and shift all those regular emails you do want into a digest, sent once a day.

It’s a way of tidying up and organizing all those notifications from your bank, newsletters, and so on. It’s also free to use, and it accesses your email account, and so obviously it sells anonymized summaries of your messages to anyone with a checkbook.

Over the weekend, it emerged Uber had, at times, played fast and loose with people’s privacy. At one point, it was buying anonymized summaries of people’s emails from Unroll.me, allowing the ride-hailing app maker to, for instance, figure out how many folks were using rival Lyft based on their emailed receipts.
We’re ‘heartbroken’ we got caught selling your email records to Uber, says Unroll.me boss
Not sorry we did it – just sorry you’re pissed off
tears

Jojo Hedaya, the CEO of email summarizer Unroll.me, has apologized to his users for not telling them clearly enough that they are the product, not his website.

Unroll.me is owned by analytics outfit Slice Intelligence, and the site began life in 2011 with a fairly useful function. Its software crawls through your email inbox, noting which services and alerts you have signed up for. You can unsubscribe from the stuff you don’t want, and shift all those regular emails you do want into a digest, sent once a day.

It’s a way of tidying up and organizing all those notifications from your bank, newsletters, and so on. It’s also free to use, and it accesses your email account, and so obviously it sells anonymized summaries of your messages to anyone with a checkbook.

Over the weekend, it emerged Uber had, at times, played fast and loose with people’s privacy. At one point, it was buying anonymized summaries of people’s emails from Unroll.me, allowing the ride-hailing app maker to, for instance, figure out how many folks were using rival Lyft based on their emailed receipts.

Not a great look. So in a blog post Sunday, Hedaya apologized – not for actually selling off the contents of users’ inboxes, but for upsetting people when they found out.

“Our users are the heart of our company and service. So it was heartbreaking to see that some of our users were upset to learn about how we monetize our free service,” he said. “And while we try our best to be open about our business model, recent customer feedback tells me we weren’t explicit enough.”

Hedaya didn’t apologize for selling the data, which he said was all legitimate and above board. If users had bothered to go through the 5,000 words that make up the app’s terms & conditions and privacy policy, they would have seen the legalese that allows such practices

Ah Bullshit. 5000 Word legal beagle stuff no reads. But the point is that “you are the product”. Anybody foolish enough to use a free service to mine their emails is just plane stupid.

Researcher: 90% Of ‘Smart’ TVs Can Be Compromised Remotely

Quote
“So yeah, that internet of broken things security we’ve spent the last few years mercilessly making fun of? It’s significantly worse than anybody imagined. “

So we’ve noted for some time how “smart” TVs, like most internet of things devices, have exposed countless users’ privacy courtesy of some decidedly stupid privacy and security practices. Several times now smart TV manufacturers have been caught storing and transmitting personal user data unencrypted over the internet (including in some instances living room conversations). And in some instances, consumers are forced to eliminate useful features unless they agree to have their viewing and other data collected, stored and monetized via these incredible “advancements” in television technology.

As recent Wikileaks data revealed, the lack of security and privacy standards in this space has proven to be a field day for hackers and intelligence agencies alike.

And new data suggests that these televisions are even more susceptible to attack than previously thought. While the recent Samsung Smart TV vulnerabilities exposed by Wikileaks (aka Weeping Angel) required an in-person delivery of a malicious payload via USB drive, more distant, remote attacks are unsurprisingly also a problem. Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, recently revealed that around 90% of smart televisions are vulnerable to a remote attack using rogue DVB-T (Digital Video Broadcasting – Terrestrial) signals.

This attack leans heavily on Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable companies and set top manufacturers that helps integrate classic broadcast, IPTV, and broadband delivery systems. Using $50-$150 DVB-T transmitter equipment, an attacker can use this standard to exploit smart dumb television sets on a pretty intimidating scale, argues Scheel:

“By design, any nearby TV will connect to the stronger signal. Since cable providers send their signals from tens or hundreds of miles away, attacks using rogue DVB-T signals could be mounted on nearby houses, a neighborhood, or small city. Furthermore, an attack could be carried out by mounting the DVB-T transmitter on a drone, targeting a specific room in a building, or flying over an entire city.”

Scheel says he has developed two exploits that, when loaded in the TV’s built-in browser, execute malicious code, and provide root access. Once compromised, these devices can be used for everything from DDoS attacks to surveillance. And because these devices are never really designed with consumer-friendly transparency in mind, users never have much of an understanding of what kind of traffic the television is sending and receiving, preventing them from noticing the device is compromised.

Scheel also notes that the uniformity of smart TV OS design (uniformly bad, notes a completely different researcher this week) and the lack of timely updates mean crafting exploits for multiple sets is relatively easy, and firmware updates can often take months or years to arrive. Oh, and did we mention these attacks are largely untraceable?:

“But the best feature of his attack, which makes his discovery extremely dangerous, is the fact that DVB-T, the transmission method for HbbTV commands, is a uni-directional signal, meaning data flows from the attacker to the victim only. This makes the attack traceable only if the attacker is caught transmitting the rogue HbbTV signal in real-time. According to Scheel, an attacker can activate his HbbTV transmitter for one minute, deliver the exploit, and then shut it off for good.”

Democrats draft laws in futile attempt to protect US internet privacy

At a the the present, I agree that this has a snowball’s chance in hell. But if more states take it seriously, just maybe it will negate the disgusting screwing of Internet users privacy by big corporate ISPs with their bidding done by their lackies in the congress, chief FCC lackie Pai and signed by the poorest excuse for a leader in years, Trump.

Hah Hah – Drain the swamp. What a joke. Just filled it with swine dung and does it wreak worse than it ever did. Hey maybe I show start a new category “swine swamp.”

Oh, do I sound angry? God damn right I am.

Less than a week after President Trump signed the law allowing ISPs to sell customers’ browsing habits to advertisers, Democratic politicians are introducing bills to stop the practice.

On Thursday, Senator Ed Markey (D-MA) submitted a bill [PDF] that would enshrine the FCC privacy rules proposed during the Obama administration into law – the rules just shot down by the Trump administration. Americans would have to opt in to allowing ISPs to sell their browsing data under the proposed legislation, and ISPs would have to take greater care to protect their servers from hacking attacks.

“Thanks to Congressional Republicans, corporations, not consumers, are in control of sensitive information about Americans’ health, finances, and children. The Republican roll-back of strong broadband privacy rules means ISP no longer stands for Internet Service Provider, it stands for ‘Information Sold for Profit’,” said Senator Markey.

“This legislation will put the rules back on the books to protect consumers from abusive invasions of their privacy. Americans should not have to forgo their fundamental right to privacy just because their homes and phones are connected to the internet.”

The bill has been cosponsored by ten senators, all Democrats except for the independent Bernie Sanders. No Republicans have added their name to the legislation – nor shown any support for it – which probably means it’s doomed to failure given the GOP-dominated composition of the Senate.

The new bill echoes similar legislation introduced in the House of Representatives earlier in the week. Representative Jacky Rosen, who was a software developer before she got into politics, has introduced the Restoring American Privacy Act of 2017.

“As someone who has first-hand experience as a computer programmer, I know that keeping privacy protections in place is essential for safeguarding vulnerable and sensitive data from hackers,” said Representative Rosen (D-NV).

“I will not stand by and let corporations get access to the most intimate parts of people’s lives without them knowing and without consent. It is appalling that Republicans and President Trump would be in favor of taking Americans’ most personal information to sell it to the highest bidder.”

The FCC rules would have required internet users to sign up to allow their browsing histories to be sold, and put an increased onus on ISPs to protect their private data. One of the first acts of the new administration was to drop the FCC rules and legislate against them, with President Trump signing off on the legislation on Monday.

Facing a public backlash, the major ISPs have promised that they won’t sell off an individual’s browsing history – but left the door open for selling the data as part of a group. Customers will also have the choice to opt out, but you can bet the form to do so will be in the internet equivalent of a locked filing cabinet carrying a sign reading “Beware of the leopard.”

The bills will be welcomed by many but, realistically, have no chance of passing unless a sizable number of Republicans cross the floor. That’s not going to happen, so individual states have been taking action of their own.

Last week, Minnesota and Illinois legislatures began enacting legislation to provide privacy protections for internet users, and now New York has done the same. Senator Tim Kennedy (D-Buffalo) has introduced legislation to stop ISPs selling off their customers’ browsing histories.

“When voters across the country elected this House and US Senate last November, I doubt they were voting with the hope that their ISP would be allowed to sell their browsing history,” said Senator Kennedy.

“This kind of anti-consumer, anti-privacy action doesn’t benefit anyone except large corporations. This is not an abstract threat to regular folks – this is bad policy with real-world consequences.”

It’s possible the ISPs could have bitten off more than they can chew on this one by seriously underestimating quite how angry this issue has made people. Despite frantic PR moves, more and more states are now taking matters into their own hands – which is just as the Founding Fathers designed the system.

SOURCE: HERE

Corrupt Politician Signs Bill Recinding America’s digital privacy protections while Grunting

Oh and of course he said he was “for the little guy right.” Bullshit. Oink Oink Grunt Grunt.

So let’s do some work via the Register

Ajit Pai, the chief lackie…eerhh, chairman of the FCC, said

“resident Trump and Congress have appropriately invalidated one part of the Obama-era plan for regulating the Internet. Those flawed privacy rules, which never went into effect, were designed to benefit one group of favored companies, not online consumers.”

BULLSHIT on the last part of that sentence, that the rules were “designed to benefit one group of favored companies, not online consumers.”

The rules were developed entirely and absolutely to protect online consumers. They required ISPs to get an opt-in from customers for sensitive information, to offer an opt-out for other uses of that data, and to ensure that they appropriately protected that data.


The other Republican commissioner on the FCC, Mike O’Rielly, had his own statement that, unfortunately, layered bullshit upon bullshit.

“I applaud President Trump and Congress for utilizing the CRA to undo the FCC’s detrimental privacy rules,” he said. “The parade of horribles trotted out to scare the American people about its passage are completely fictitious, especially since parts of the rules never even went into effect. Hopefully, we will soon return to a universe where thoughtful privacy protections are not overrun by shameful FCC power grabs and blatant misrepresentations.”

What O’Rielly does, however, is pinpoint the beating heart of the bullshit: the claim that since something hasn’t happened yet, it means that it won’t happen.

For someone who is a commissioner at a federal regulator, this willful blindness over how the real world works is borderline obnoxious.

Here is the absolute solid reality of what this decision to scrap the FCC rules means:

ISPs were previously able to do what they can do now, ie, sell their customers’ private data.
But they were previously at risk of being investigated by the FTC and then, later, the FCC.
If they had been found to have broken data privacy rules, they faced huge fines and most likely the requirement to get prior approval from the FTC/FCC before doing anything similar in future.
Now, however, there is no backstop. The FTC does not have jurisdiction. And nor does the FCC. The ISPs currently exist in a regulatory-free world.

What this means is significant and it is the source of (Democrat) claims that ISPs will soon be selling your private data and the counter-claims (by Republicans) that people are fear-mongering and inventing problems. Source: Here

Swine — oh wait, that is unfair…to the the swine I mean.

Amnesia’ IoT botnet feasts on year-old unpatched vulnerability

Why anyone would want to connect any home device to the internet at this stage in the game is beyond me.

“Hackers have brewed up a new variant of the IoT/Linux botnet “Tsunami” that exploits a year-old but as yet unresolved vulnerability.

The Amnesia botnet targets an unpatched remote code execution vulnerability publicly disclosed more than a year ago in DVR (digital video recorder) devices made by TVT Digital and branded by over 70 vendors worldwide.

The vulnerability affects approximately 227,000 devices around the world with Taiwan, the United States, Israel, Turkey, and India being the most exposed, specialists at Unit 42, Palo Alto Networks’ threat research unit, warn.

The Amnesia botnet is yet to be abused to mount a large-scale attack but the potential for harm is all too real.

“Amnesia exploits this remote code execution vulnerability by scanning for, locating, and attacking vulnerable systems,” the researchers warn. “A successful attack results in Amnesia gaining full control of the device. Attackers could potentially harness the Amnesia botnet to launch broad DDoS attacks similar to the Mirai botnet attacks we saw in Fall [autumn] 2016.”

El Reg asked TVT Digital, based in Shenzhen, China, for a response to Palo Alto’s warning but are yet to receive a reply. We’ll update the story as and when we hear more.” Source: Here