Privacy

The House voted to wipe away the FCC’s Internet privacy protections

SJ 34 would repeal safeguards that prohibit Internet service providers (ISPs) from sharing data, such as e-mails and web history, with third parties without user consent. It would also do away with transparency requirements, which mandate that ISPs provide easily accessible privacy notices to customers and advanced notice prior to changes… Assuming Trump signs the measure, Internet providers will be freed from those obligations, which would otherwise have taken effect later this year. With this data, Internet providers can sell highly targeted ads, making them rivals to Google and Facebook, analysts say.

Internet providers also will be free to use customer data in other ways, such as selling the information directly to data brokers that target lucrative or vulnerable demographics.

“ISPs like Comcast, AT&T, and Charter will be free to sell your personal information to the highest bidder without your permission — and no one will be able to protect you,” wrote Gigi Sohn, a former FCC staffer who helped draft the privacy rules, in a recent blog post on the Verge.

Selling your data is merely one of the four ways in which Internet providers intend to make money off consumers. The others include selling you access to the Internet, as they have traditionally done; selling access to media content they’ve acquired by purchasing large entertainment companies; and selling advertising that directly targets you based on the data the provider has collected by watching how you use the Internet and what content you consume.

Sources: The Hill, Washington Post

Here is the roll call of the Miscreants who voted to repeal. Source: Senate.gov

| Miscreants who voted For Bill | Voted Against | Not Voting |
|---|---|---|
| Alexander (R-TN) | Baldwin (D-WI) | Isakson (R-GA) |
| Barrasso (R-WY) | Bennet (D-CO) | Paul (R-KY) |
| Blunt (R-MO) | Blumenthal (D-CT) | |
| Boozman (R-AR) | Booker (D-NJ) | |
| Burr (R-NC) | Brown (D-OH) | |
| Capito (R-WV) | Cantwell (D-WA) | |
| Cassidy (R-LA) | Cardin (D-MD) | |
| Cochran (R-MS) | Carper (D-DE) | |
| Collins (R-ME) | Casey (D-PA) | |
| Corker (R-TN) | Coons (D-DE) | |
| Cornyn (R-TX) | Cortez Masto (D-NV) | |
| Cotton (R-AR) | Donnelly (D-IN) | |
| Crapo (R-ID) | Duckworth (D-IL) | |
| Cruz (R-TX) | Durbin (D-IL) | |
| Daines (R-MT) | Feinstein (D-CA) | |
| Enzi (R-WY) | Franken (D-MN) | |
| Ernst (R-IA) | Gillibrand (D-NY) | |
| Fischer (R-NE) | Harris (D-CA) | |
| Flake (R-AZ) | Hassan (D-NH) | |
| Gardner (R-CO) | Heinrich (D-NM) | |
| Graham (R-SC) | Heitkamp (D-ND) | |
| Grassley (R-IA) | Hirono (D-HI) | |
| Hatch (R-UT) | Kaine (D-VA) | |
| Heller (R-NV) | King (I-ME) | |
| Hoeven (R-ND) | Klobuchar (D-MN) | |
| Inhofe (R-OK) | Leahy (D-VT) | |
| Johnson (R-WI) | Manchin (D-WV) | |
| Kennedy (R-LA) | Markey (D-MA) | |
| Lankford (R-OK) | McCaskill (D-MO) | |
| Lee (R-UT) | Menendez (D-NJ) | |
| McCain (R-AZ) | Merkley (D-OR) | |
| McConnell (R-KY) | Murphy (D-CT) | |
| Moran (R-KS) | Murray (D-WA) | |
| Murkowski (R-AK) | Nelson (D-FL) | |
| Perdue (R-GA) | Peters (D-MI) | |
| Portman (R-OH) | Reed (D-RI) | |
| Risch (R-ID) | Sanders (I-VT) | |
| Roberts (R-KS) | Schatz (D-HI) | |
| Rounds (R-SD) | Schumer (D-NY) | |
| Rubio (R-FL) | Shaheen (D-NH) | |
| Sasse (R-NE) | Stabenow (D-MI) | |
| Scott (R-SC) | Tester (D-MT) | |
| Shelby (R-AL) | Udall (D-NM) | |
| Strange (R-AL) | Van Hollen (D-MD) | |
| Sullivan (R-AK) | Warner (D-VA) | |
| Thune (R-SD) | Warren (D-MA) | |
| Tillis (R-NC) | Whitehouse (D-RI) | |
| Toomey (R-PA) | Wyden (D-OR) | |
| Wicker (R-MS) | | |
| Young (R-IN) | | |

The Death of Smart Devices?

With today's WikiLeaks release detailing how U.S. spy agencies can hack into phones, T.V.s and other “smart devices,” I am wondering if this will slow down the mindless adoption of such devices by consumers.

….probably not, there is no shortage of mindlessness.

Among other disclosures that, if confirmed, would rock the technology world, the WikiLeaks release said that the C.I.A. and allied intelligence services had managed to bypass encryption on popular phone and messaging services such as Signal, WhatsApp and Telegram. According to the statement from WikiLeaks, government hackers can penetrate Android phones and collect “audio and message traffic before encryption is applied.”…

If C.I.A. agents did manage to hack the smart TVs, they would not be the only ones. Since their release, internet-connected televisions have been a focus for hackers and cybersecurity experts, many of whom see the sets’ ability to record and transmit conversations as a potentially dangerous vulnerability.

In early 2015, Samsung appeared to acknowledge the televisions posed a risk to privacy. The fine print terms of service included with its smart TVs said that the television sets could capture background conversations, and that they could be passed on to third parties.

The company also provided a remarkably blunt warning: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

source: NYT Article Here

Google Voice, Siri, Alexa, IoT devices — Just say No

Cloud Pets! Your Family & Intimate Messages exposed to all sorts of Miscreants

… Now I know the average parent spends a good deal of their time on Facebook and other “look at me .. look at me” social media and couldn't care less about such hard-to-understand things as I.T. security.

BUT THESE ARE YOUR CHILDREN AND YOU NEED TO PROTECT THEM!

…sorry, as a parent, this stuff makes my blood boil. Look, parents, you scour the pedophile databases for your neighborhood, but leave the barn door open on the Internet. If you think governmental entities are going to protect you, you are only fooling yourselves. Companies peddling these things are about making the maximum amount of money at the lowest possible cost. They will **NOT** invest in expensive and complex security. Why? They do not have to. By the time the breach is discovered, they have made their millions. And there are absolutely no teeth in any governmental mandates to provide security, if any really exist in the first place.

Ok, on with the story!

The personal information of more than half a million people who bought internet-connected fluffy animals has been compromised.

The details, which include email addresses and passwords, were leaked along with access to profile pictures and more than 2m voice recordings of children and adults who had used the CloudPets stuffed toys.

The US company’s toys can connect over Bluetooth to an app to allow a parent to upload or download audio messages for their child.

Of course the company denied it and shot the messenger.

CloudPets’s chief executive, Mark Myers, denied that voice recordings were stolen in a statement to NetworkWorld magazine. “Were voice recordings stolen? Absolutely not.” He added: “The headlines that say 2m messages were leaked on the internet are completely false.” Myers also told NetworkWorld that when Motherboard raised the issue with CloudPets, “we looked at it and thought it was a very minimal issue”. Myers added that a hacker would only be able to access the sound recordings if they managed to guess the password. When the Guardian tried to contact Myers on Tuesday, emails to CloudPets’s official contact address were returned as undeliverable.

Troy Hunt, owner of data breach monitoring service Have I Been Pwned, drew attention to the breach, which he first became aware of in mid-February. At that point, more than half a million records were being traded online. Hunt’s own source had first attempted to contact CloudPets in late December, but also received no response. While the database had been connected to the internet, it had more than 800,000 user records in it, suggesting that the data dump Hunt received is just a fraction of the full information potentially stolen.

The personal information was contained in a database connected directly to the internet, with no usernames or passwords preventing any visitor from accessing all the data. A week after Hunt’s contact first attempted to alert CloudPets, the original databases were deleted, and a ransom demand was left, and a week after that, no remaining databases were publicly accessible. CloudPets has not notified users of the hack.

Hunt argues the security flaws should undercut the entire premise of connected toys. “It only takes one little mistake on behalf of the data custodian – such as misconfiguring the database security – and every single piece of data they hold on you and your family can be in the public domain in mere minutes.

“If you’re fine with your kids’ recordings ending up in unexpected places then so be it, but that’s the assumption you have to work on because there’s a very real chance it’ll happen. There’s no doubt whatsoever in my mind that there are many other connected toys out there with serious security vulnerabilities in the services that sit behind them. Inevitably, some would already have been compromised and the data taken without the knowledge of the manufacturer or parents.”

John Madelin, CEO at IT security experts RelianceACSN, echoes Hunt’s warnings. “Connected toys that are easily accessible by hackers are sinister. The CloudPets issue highlights the fact that manufacturers of connected devices really struggle to bake security in from the start. The 2.2m voice recordings were stored online, but not securely, along with email addresses and passwords of 800,000 users, this is unforgivable.”  Source: Guardian Article Here

Now for the technical part: here are some tidbits from the researcher. Full article here.

“Clearly, CloudPets weren’t just ignoring my contact, they simply weren’t even reading their emails”

There are references to almost 2.2 million voice recordings of parents and their children exposed by databases that should never have contained production data.

But then I dug a little deeper and took a look at the mobile app:

CloudPets app

This app communicates with a website at spiraltoys.s.mready.net which is on a domain owned by Romanian company named mReady. That URL is bound to a server with IP address 45.79.147.159, the exact same address the exposed databases were on. That’s a production website there too because it’s the one the mobile app is hitting so in other words, the test and staging databases along with the production website were all sitting on the one box. The most feasible explanation I can come up with for this is that one of those databases is being used for production purposes and the other non-production (a testing environment, for example).
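The two failures described above (a database reachable from the Internet with no credentials, and test/staging databases sitting on the same box as the production service) are both configuration mistakes that can be caught before deployment. The following is an added example, not code from the original post or from Troy Hunt's write-up: a small audit that classifies each database instance's listening address, flags instances reachable without authentication, and flags hosts that mix production with non-production environments. All instance names, host names and addresses are constructed placeholders; the page does not identify the database product, so the instance description is a generic dataclass rather than any vendor's config format.

```python
"""Added example: audit a set of database instances for the CloudPets-style
failure modes. Names, hosts and addresses below are constructed, not real."""
from collections import defaultdict
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class DbInstance:
    name: str          # constructed label, not a real CloudPets database name
    host: str          # server the instance runs on (placeholder)
    bind_ip: str       # interface the database listens on
    auth_required: bool
    environment: str   # "production", "staging" or "test"


def bind_exposure(bind_ip: str) -> str:
    """Classify how far a listening address can be reached."""
    addr = ipaddress.ip_address(bind_ip)
    if addr.is_unspecified:          # 0.0.0.0 or :: -> every interface
        return "all-interfaces"
    if addr.is_loopback:             # 127.0.0.1 / ::1 -> same machine only
        return "local-only"
    if addr.is_private:              # RFC 1918 and similar internal ranges
        return "private-network"
    return "public"


def audit(instances) -> list:
    """Return findings as (severity, message) tuples, worst first."""
    findings = []
    envs_by_host = defaultdict(set)
    for inst in instances:
        envs_by_host[inst.host].add(inst.environment)
        exposure = bind_exposure(inst.bind_ip)
        if exposure in ("all-interfaces", "public"):
            if not inst.auth_required:
                findings.append(("CRITICAL", f"{inst.name}: Internet-reachable with no "
                                 "credentials; every record is readable by any visitor"))
            else:
                findings.append(("WARNING", f"{inst.name}: Internet-reachable; bind to a "
                                 "private interface or put it behind a firewall"))
        elif exposure == "private-network" and not inst.auth_required:
            findings.append(("WARNING", f"{inst.name}: no authentication; anything on "
                             "the internal network can read it"))
    # Production data sharing a box with test/staging is the second failure mode.
    for host, envs in envs_by_host.items():
        if "production" in envs and len(envs) > 1:
            others = ", ".join(sorted(envs - {"production"}))
            findings.append(("HIGH", f"{host}: production shares a host with {others}; "
                             "a test-environment mistake can expose live data"))
    order = {"CRITICAL": 0, "HIGH": 1, "WARNING": 2}
    return sorted(findings, key=lambda f: order[f[0]])


def harden(inst: DbInstance, host: str) -> DbInstance:
    """Corrected form: loopback bind, credentials on, one host per environment."""
    return replace(inst, bind_ip="127.0.0.1", auth_required=True, host=host)


# Constructed sample mirroring the shape of the exposed deployment: three
# unauthenticated instances listening on all interfaces of one box.
WEAK = [
    DbInstance("shop_prod", "box-1", "0.0.0.0", False, "production"),
    DbInstance("shop_staging", "box-1", "0.0.0.0", False, "staging"),
    DbInstance("shop_test", "box-1", "0.0.0.0", False, "test"),
]

# The same instances after hardening, each on its own (placeholder) host.
HARDENED = [harden(i, f"db-{i.environment}") for i in WEAK]

if __name__ == "__main__":
    for severity, message in audit(WEAK):
        print(f"[{severity}] {message}")
    print("hardened findings:", audit(HARDENED))
```

The audit deliberately treats a public bind with credentials as only a warning: authentication helps, but a database that does not need to be reachable from the Internet should not be listening there at all.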

My Friend Cayla

…Or is it My Friend Spy Cayla. And what is the difference between this and Google Voice and Siri? Not much.

Quote:

The My Friend Cayla doll has been shown in the past to be hackable

An official watchdog in Germany has told parents to destroy a talking doll called Cayla because its smart technology can reveal personal data.

The warning was issued by the Federal Network Agency (Bundesnetzagentur), which oversees telecommunications.

Researchers say hackers can use an unsecure bluetooth device embedded in the toy to listen and talk to the child playing with it.

But the UK Toy Retailers Association said Cayla “offers no special risk”.

In a statement sent to the BBC, the TRA also said “there is no reason for alarm”.

The Vivid Toy group, which distributes My Friend Cayla, has previously said that examples of hacking were isolated and carried out by specialists. However, it said the company would take the information on board as it was able to upgrade the app used with the doll.

But experts have warned that the problem has not been fixed.

The Cayla doll can respond to a user’s question by accessing the internet. For example, if a child asks the doll “what is a little horse called?” the doll can reply “it’s called a foal”.
Media caption: Rory Cellan-Jones sees how Cayla, a talking child’s doll, can be hacked to say any number of offensive things.

A vulnerability in Cayla’s software was first revealed in January 2015.

Complaints have been filed by US and EU consumer groups.

The EU Commissioner for Justice, Consumers and Gender Equality, Vera Jourova, told the BBC: “I’m worried about the impact of connected dolls on children’s privacy and safety.”

The Commission is investigating whether such smart dolls breach EU data protection safeguards.

In addition to those concerns, a hack allowing strangers to speak directly to children via the My Friend Cayla doll has been shown to be possible.

The TRA said “we would always expect parents to supervise their children at least intermittently”.

It said the distributor Vivid had “restated that the toy is perfectly safe to own and use when following the user instructions”.

Privacy laws

Under German law, it is illegal to sell or possess a banned surveillance device. A breach of that law can result in a jail term of up to two years, according to German media reports.

Germany has strict privacy laws to protect against surveillance. In the 20th Century Germans experienced abusive surveillance by the state – in Nazi Germany and communist East Germany.

The warning by Germany’s Federal Network Agency came after student Stefan Hessel, from the University of Saarland, raised legal concerns about My Friend Cayla.

Mr Hessel, quoted by the German website Netzpolitik.org, said a bluetooth-enabled device could connect to Cayla’s speaker and microphone system within a radius of 10m (33ft). He said an eavesdropper could even spy on someone playing with the doll “through several walls”.

A spokesman for the federal agency told Sueddeutsche Zeitung daily that Cayla amounted to a “concealed transmitting device”, illegal under an article in German telecoms law (in German).

“It doesn’t matter what that object is – it could be an ashtray or fire alarm,” he explained.

Manufacturer Genesis Toys has not yet commented on the German warning.

Not so Smart using a Smart TV

As reported, Vizio’s Smart TVs spied on you.

Starting in 2014, Vizio made TVs that automatically tracked what consumers were watching and transmitted that data back to its servers. Vizio even retrofitted older models by installing its tracking software remotely. All of this, the FTC and AG allege, was done without clearly telling consumers or getting their consent.

What did Vizio know about what was going on in the privacy of consumers’ homes? On a second-by-second basis, Vizio collected a selection of pixels on the screen that it matched to a database of TV, movie, and commercial content. What’s more, Vizio identified viewing data from cable or broadband service providers, set-top boxes, streaming devices, DVD players, and over-the-air broadcasts. Add it all up and Vizio captured as many as 100 billion data points each day from millions of TVs.

Vizio then turned that mountain of data into cash by selling consumers’ viewing histories to advertisers and others. And let’s be clear: We’re not talking about summary information about national viewing trends. According to the complaint, Vizio got personal. The company provided consumers’ IP addresses to data aggregators, who then matched the address with an individual consumer or household. Vizio’s contracts with third parties prohibited the re-identification of consumers and households by name, but allowed a host of other personal details – for example, sex, age, income, marital status, household size, education, and home ownership. And Vizio permitted these companies to track and target its consumers across devices.

That’s what Vizio was up to behind the screen, but what was the company telling consumers? Not much, according to the complaint.

Source here

Well, for their offense Vizio was slapped with a $2.2 million fine. Sounds like a lot, right? Well, as a colleague of mine observed, that is 20 cents per TV. In other words, it was a great ROI for Vizio and points out how toothless the FTC really is.

So what to do? Turn off all the Smart TV features, boycott Vizio (that said, Samsung and others appear to be just as bad). Better yet, unplug the TV from the Internet.

Some sites suggest that Roku and Apple streaming boxes front-ending your TV are better. I am not so sure, as I know that with the Roku, at least, one needs to reset one's ID often to clear the tracking, and there does not appear to be a permanent “kill” switch for this type of spyware crap.

I am toying with building my own set-top streaming device using the Raspberry Pi. If I do so, I will pay special attention to the privacy aspects of the embedded software I use and report findings here. Don’t hold your breath; time is at a premium here.

Anyway – welcome to the iDIoT: the Insecure Dumbed-down Internet of Things.

Nick

Ghostery – Bad Design

I am constantly evaluating browser add-ons and recently took a harder look at Ghostery. I noticed that settings could not be saved when I closed the browser and then restarted. Why? Well, it seems that Ghostery stores these in a cookie.

What, a cookie? Shame, shame, shame. **ALL** browsers should be set to dump the cache and all cookies when you close them. Why? It helps greatly to prevent tracking and those targeted adverts, among other things.

What to use instead? A good and efficient ad-blocker like uBlock. I am also using uBlock Origin, which appears to have a wider feature set and extra privacy settings. Both can be downloaded from your favorite browser’s add-ons facility. Here are a few: Firefox is here, Chrome (yuk, you are Google’s product, but if you insist) is here. Safari: not on their site, but uBlock is here. I cannot find the download for uBlock Origin. Post a comment with the link if you know it.

Direct uBlock Origin releases are here, but they may not be verified by the browser yet.

Nick

Trump: Blame the Computers not Russia

Trump: “I think we ought to get on with our lives. I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on. We have speed, we have a lot of other things, but I’m not sure we have the kind the security we need,” Trump said according to a press pool report. He was at the Mar-a-Lago resort at the time of making the statement. Source

Actually, I agree with Trump on this. We do not have the security we need. More fundamental than that, we do not have a mindset that puts computer security first. We bolt the front door and secure our physical premises with 24/7 monitoring services, yet we leave the barn door wide open for our online presence, be it email, social media, browsing or shopping.

Privacy and security are optional when in fact they should come first. Imagine if the internet were built from the ground up with privacy and security as the foundation layer. That would mean no web bugs, tracking cookies, targeted advertising, or privacy statements like Netflix’s (for example) that say: let me rape you and sell my experience, and if you do not agree, your option is to cancel your subscription.

And home router manufacturers that make appliances so easily hacked it is a joke. And Microsoft Windows, which to this day facilitates users running with administrator privileges in everyday use. And the IoT – the internet of things – with little if any security. And the mindset of the average consumer that allows Amazon’s Alexa into their home. Completely secure, right? Yeah, sure. Why then, I ask, did this happen: “Amazon had been served with a search warrant in a murder case, as detectives in Bentonville, Ark., want to know what Alexa heard in the early morning hours of Nov. 22, 2015 — when Victor Collins was found dead in a hot tub behind a home after an Arkansas Razorbacks football game.” (Read more) Come on! Lock the door, arm yourself to the teeth, **but** let in a device with 7 microphones listening to every sound in your house, connected to ?? and easily hacked by ?? (you’ll never know!). By the way, the same goes for Siri and Google voice on your smart phones.

Don’t blame the Russians, blame yourself. Yes, the mindset needs to change indeed.

Happy New Year.

Googdroid

Quote

This article begs the question: “Why doesn’t Google police its store and evaluate apps for potential malware?” So much of the crap on Google Play is infected with spyware. Oh wait, spyware, that is how Google makes money: selling your private info to others so they can market more to you.

A new strain of Android malware is infecting an estimated 13,000 devices per day.

The Gooligan malware roots Android devices before stealing email addresses and authentication tokens stored on them. The tokens create a means for hackers to access users’ sensitive data from Gmail accounts, security researchers at Check Point Software Technologies warn.

The malicious code creates a money-making sideline for crooks by fraudulently installing apps from Google Play and rating them on behalf of the victim.

Gooligan targets devices running Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), collectively around 74 per cent of Android devices currently in use. Gooligan is installing at least 30,000 apps on breached devices every day, or more than 2 million apps since the malicious campaign began, according to Check Point.

Security researchers at the Israeli firm first encountered Gooligan’s code in the malicious SnapPea app last year. In August, the malware reappeared with a new variant and has since infected at least 13,000 devices per day. About 40 per cent of these devices are located in Asia and about 12 per cent are in Europe. Hundreds of the email addresses compromised by Gooligan are associated with enterprises around the world.

Check Point has passed on its findings on the campaign to Google’s security team. “This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks,” said Michael Shaulov, Check Point’s head of mobile products. “We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”

Gooligan spreads when victims download and install an infected app. Crooks are slinging the malware by tricking victims into following malicious links in phishing messages.

“If your account has been breached, a clean installation of an operating system on your mobile device is required,” Shaulov advised.

Guilty till Proven Innocent

Quote

Oklahoma Highway Patrol officers can now seize funds from prepaid debit cards, without requiring a warrant or criminal charges.

The Electronic Recovery and Access to Data (ERAD) device can be used in the field, enabling officers to quickly drain cards found in vehicles or on drivers and passengers. Officers must merely establish a “reasonable suspicion” that a crime is being committed.

To get the money back, or counter initial suspicions, individuals must prove the money was obtained legitimately.

Civil-rights advocates claim officers frequently abuse the system and take money from law-abiding citizens. In many states, courts have agreed that “innocent until proven guilty” protects individuals, but not their possessions.

Raising further concerns, the company that owns the patent for the device, ERAD Group, receives a 7.7-percent cut of any funds seized using the tools. A larger portion can find its way back to police departments for new gear and other expenses, creating a potential conflict of interest.

“This is a capability that law enforcement has never had before and one that is very likely to land [Oklahoma’s Department of Public Safety] in litigation,” opined ACLU Oklahoma legal director Brady Henderson.

The United Police States. What a disgrace. How can we continue to hold this country as a model of freedom to the world and allow this?

Google to kill passwords on Android, replace ’em with ‘trust scores’

Quote

Bad idea – basically adds new features for google to identify you, track you, and sell your private info to their empire. Yeah, I need protection from Google, not protection from them.

Google is planning to use “trust scores” to kill off traditional passwords on Android.

The internet giant wants to get rid of password logins, at least for Android apps, by 2017. Google outlined its plans at its I/O conference last week.