Monthly Archives: February 2019

620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts

I always tell people that no one seems to take IT Security seriously – at least seriously enough to spend the money to establish good security. The response is always – nah, that can’t be true. Sadly it is. And these are only an ‘example/subset’ of the ones that are reported.

Quote

Exclusive Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove’s seller.

For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:

Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

Sample account records from the multi-gigabyte databases seen by The Register appear to be legit: they consist mainly of account holder names, email addresses, and passwords. These passwords are hashed, or one-way encrypted, and must therefore be cracked before they can be used.

There are a few other bits of information, depending on the site, such as location, personal details, and social media authentication tokens. There appears to be no payment or bank card details in the sales listings.
Who are the buyers?

These silos of purportedly purloined information are aimed at spammers and credential stuffers, which is why copies are relatively cheap to buy. The stuffers will take usernames and passwords leaked from one site to log into accounts on other websites where the users have used the same credentials.

So, for example, someone buying the purported 500px database could decode the weaker passwords in the list, because some were hashed using the obsolete MD5 algorithm, and then try to use the email address and cracked password combinations to log into, say, strangers’ Gmail or Facebook accounts, where the email address and passwords have been reused.

All of the databases are right now being touted separately by one hacker, who says he or she typically exploited security vulnerabilities within web apps to gain remote-code execution and then extract user account data. The records were swiped mostly during 2018, we’re told, and went on sale this week.

The seller, who is believed to be located outside of the US, told us the Dubsmash data has been purchased by at least one person.

Some of the websites – particularly MyHeritage, MyFitnessPal, and Animoto – were known to have been hacked as they warned their customers last year that they had been compromised, whereas the others are seemingly newly disclosed security breaches. In other words, this is the first time we’ve heard these other sites have been allegedly hacked. This also marks the first time this data, for all of the listed sites, has been peddled publicly, again if all the sellers’ claims are true.
Is this legit?

A spokesperson for MyHeritage confirmed samples from its now-for-sale database are real, and were taken from its servers in October 2017, a cyber-break-in it told the world about in 2018. ShareThis, CoffeeMeetsBagel, 8fit, 500px, DataCamp, and EyeEm also confirmed their account data was stolen from their servers and put up for sale this week in the seller’s collection. This lends further credibility to the data trove.

Last week, half a dozen of the aforementioned sites were listed on Dream Market by the seller: when we spotted them, we alerted Dubsmash, Animoto, EyeEm, 8fit, Fotolog, and 500px that their account data was potentially being touted on the dark web.

Over the weekend, the underground bazaar was mostly knocked offline, apparently by a distributed denial-of-service attack. On Monday this week, the underworld marketplace returned to full strength, and the seller added the rest of the sites. We contacted all of them to alert them, and ask for a response. Meanwhile, Dream Market has been smashed offline again.

Here’s a summary of what is, or briefly was, purported to be on sale:

Dubsmash: 161,549,210 accounts for 0.549 BTC ($1,976) total

11GB of data taken in December 2018. Each account record contains the user ID, SHA256-hashed password, username, email address, language, country, plus for some, but not all the users, the first and the last name. This alleged security breach has not been previously publicly disclosed. Dubsmash is a video-messaging application popular with millennials and younger folk.

New York City-based Dubsmash has hired law firm Lewis Brisbois to probe the online sale. Partner Simone McCormick told us:

Our office has been retained to assist Dubsmash in this matter. Thank you for your alert. We immediately launched an investigation. We plan to notify any and all individuals as appropriate. Again, thank you for bringing this to our attention.
500px: 14,870,304 accounts for 0.217 BTC ($780) total

1.5GB of data taken July 2018. Each account record contains the username, email address, MD5-, SHA512- or bcrypt-hashed password, hash salt, first and last name, and if provided, birthday, gender, and city and country. 500px is a social-networking site for photographers and folks interested in photography.

“Our engineering team is currently investigating and if we can confirm there was a breach we will take the necessary steps to inform our users as per GDPR standards,” 500px spokesperson Stephanie Newell told us.

Update: 500px staff are now notifying their users that the site was indeed hacked, and will reset everyone’s passwords, starting with the ones weakly hashed using MD5.

“We are able to confirm a breach occurred,” Newell told us. “Our engineers immediately launched a comprehensive review of our systems and have since taken every precaution to secure them. All areas of vulnerability have been identified and fixed during our internal investigation, and we’ve found no evidence to date of any recurrence of the issue.

“We are currently working on notifying our entire user base, however, given the amount of users affected, this task will span one day at minimum. We’ve taken every precaution to ensure our users’ data is safe. A system-wide password reset is currently underway for all users, prioritized in order of accounts with the highest potential risk, and we have already forced a reset of all MD5-encrypted passwords.”

In addition, 500px, which is based in Canada, said it has taken the following steps to shore up its security:

– Vetted access to our servers, databases, and other sensitive data-storage services.

– Analyzed and are continuing to monitor our source code, both public-facing and internal, to improve our security protocols and protect against security issues.

– We have partnered with leading experts in cyber security to further secure our website, mobile apps, internal systems, and security processes.

– Modifications to our internal software development process.

– Reviewing the PII [personally identifying information] data we collect from users and how it is used on our platform.

– We are continuing to upgrade our network infrastructure. Over the last 12 months, we have undertaken a major upgrade to our network infrastructure—this project is nearing completion, and will also offer a significant increase in security.
EyeEm: 22,360,765 accounts for 0.289 BTC ($1,040) total

1.7GB of data taken February 2018. Each account record contains an email address and SHA1-hashed password, although about three million are missing an email address. This security breach has not been previously publicly disclosed. Germany-based EyeEm is an online hangout for photographers. A spokesperson did not respond to a request for comment.

Update: EyeEm has told its customers it was hacked, and forced a reset of their passwords.
8fit: 20,180,667 accounts for 0.2025 BTC ($728) total

1.9GB of data taken July 2018. Each account record contains an email address, bcrypt-hashed password, country, country code, Facebook authentication token, Facebook profile picture, name, gender, and IP address. This security breach has not been previously publicly disclosed. Germany-headquartered 8fit offers customized workout and diet plans for healthy fitness types.

8fit CEO Aina Abiodun told us her team is investigating, adding: “I need to get back to you on this and can’t comment immediately.”

Update: 8fit has confessed to its users that it was hacked, and is resetting their passwords.
Fotolog: 16 million accounts for 0.52 BTC ($1,872) total

5.9GB of data taken in December 2018. There are five SQL databases containing information including email addresses, SHA256-hashed passwords, security questions and answers, full names, locations, interests, and other profile information. This alleged security breach has not been previously publicly disclosed. Fotolog, based in Spain, is another social network for photography types. A spokesperson did not respond to a request for comment.
Animoto 25,402,283 accounts for 0.318 BTC ($1,144) total

2.1GB of data taken in 2018. Each account record contains a user ID, SHA256-hashed password, password salt, email address, country, first and last name, and date of birth. This security breach was publicly disclosed by the NYC-headquartered business in 2018, though this is the first time the data has gone on sale, we understand.

“We provided notification about an incident potentially affecting customers back in August 2018 after we identified unusual activity on our system,” spokesperson Rebecca Brooks told us. “After identifying the suspicious activity, we immediately took the systems offline and implemented numerous security controls to help prevent an incident like this from happening again.”
MyHeritage 92,284,478 accounts for 0.549 BTC ($1,976) total

3.6GB of data taken October 2017. Each account record contains an email address, SHA1-hashed password and salt, plus the date of account creation. This security breach was publicly disclosed by the business last year, though this is the first time the data has gone on sale, we’re told. No DNA or similar sensitive information was taken. MyHeritage, based in Israel, is a family-tree-tracing service that studies customers’ genetic profiles.

A spokesperson told us:

The date, the number of users affected, and the type of information [in the 2018 disclosure] correspond almost exactly to [the for-sale database], so this does not look like a new breach. It seems likely that the perpetrator(s) of the October 2017 breach or someone who obtained the data from them is now trying to sell it. We will investigate this immediately and report the attempted sale to the authorities so they can try to trace the perpetrators. Until this moment, we have not seen any evidence of circulation or usage or abuse of the breached email addresses and hashed passwords, and this is the first time a mention of them has surfaced since June 4 2018.
MyFitnessPal 150,633,038 accounts for 0.289 BTC ($1,040) total

3.5GB of data taken February 2018. Each account record contains a user ID, username, email address, SHA1-hashed password with a fixed salt for the whole table, and IP address. This security breach was publicly disclosed by the business last year. This may be the first time it has gone on public sale. Under-Armor-owned MyFitnessPal does what it says on the tin: it’s an app that tracks diet and exercise. A spokesperson did not respond to a request for comment.

Update: Spokesperson Erin Wendell has told us the biz made every user reset their password following the discovery of the intrusion last year. If you reused your old MyFitnessPal password with other sites, now would be a good time to change your password on those other services, if you have not done so already.

“We responded swiftly to alert users and have since required all MyFitnessPal users who had not changed their passwords since that March 29, 2018 announcement, to reset their passwords,” Wendell said.

“As a result, passwords previously used for MyFitnessPal at the time of the data security issue are no longer valid on MyFitnessPal, and we continue to encourage strong password practices including unique and complex passwords for all their accounts to enable users to further protect themselves.”
Artsy 1,070,000 accounts for 0.0289 BTC ($104) total

184MB of data taken April 2018. Each account record contains an email address, name, IP addresses, location, and SHA512-hashed password with salt. This security breach has not been previously publicly disclosed. Artsy, located in NYC, is an online home for collecting and organizing art. A spokesperson did not respond to a request for comment.

Update: Artsy has emailed its users to confirm its data was stolen and sold online. It is in the process of investigating how it happened.
Armor Games 11,013,617 accounts for 0.2749 BTC ($988) total

1.8GB of data taken late December 2018. Each account record contains a username, email address, SHA1-hashed password and salt, date of birth, gender, location, and other profile details. This alleged security breach has not been previously publicly disclosed. California-based Armor Games is a portal for a ton of browser-based games. A spokesperson did not respond to requests for comment.
Bookmate 8,026,992 accounts for 0.159 BTC ($572) total

1.7GB of data taken July 2018. Each account record typically contains a username, an email address, SHA512 or bcrypt-hashed password with salt, gender, date of birth, and other profile details. This alleged security breach has not been previously publicly disclosed. British Bookmate makes book-reading apps. A spokesperson did not respond to a request for comment.
CoffeeMeetsBagel 6,174,513 accounts for 0.13 BTC ($468) total

673MB of data taken late 2017 and mid-2018. Each account record contains typically a full name, email address, age, registration date, and gender. This security breach has not been previously publicly disclosed. CoffeeMeetsBagel is a dating website.

Jenn Takahashi, spokesperson for CoffeeMeetsBagel, told us: “We are not aware of a breach at this time, but our security team is looking into this now.” She also said the San-Francisco-based biz does not store passwords, and uses third-party sites for authentication.

“We have engaged with our legal team and forensic security experts to identify any issues and ensure we have the best security stance moving forward,” Takahashi added.

Update: CoffeeMeetsBagel has confirmed at least some user account data was stolen by a hacker who broke into the biz’s systems as recently as May 2018, as we reported.

“On February 11, 2019, we learned that an unauthorized party gained access to a partial list of user details, specifically names and email addresses prior to May 2018,” the company said in a statement.

“Once we became aware, we immediately launched a comprehensive investigation with the help of experienced forensic experts. We are currently working on notifying the affected user base. The security of our users’ information is important to us, and we apologize for any inconvenience this may have caused.”
DataCamp 700,000 accounts for 0.013 BTC ($46.8) total

82MB of data taken December 2018. Each account record contains an email address, bcrypt-hashed password, location, and other profile details. This security breach has not been previously publicly disclosed. US-based DataCamp teaches people data science and programming. A spokesperson told us they are “looking into” the online sale.

“We take this matter seriously and want to further verify if this is indeed the case,” said the biz’s Lode Vanacken. “We will also investigate access and audit logs to see if we can trace back any potential unauthorised access. If indeed further investigation shows this data to be valid we will communicate with you and with the affected end-users.”

Update: Vanacken has told us DataCamp is resetting users’ passwords after confirming its data was stolen. “We have notified the users we believe were affected or potentially affected via email,” he said.

“Out of an abundance of caution, we are logging out all DataCamp users who may have been affected, and, if they use a password as their authentication method, we are invalidating their passwords and prompting them to reset their passwords.

“We continue to monitor for suspicious activity and to make enhancements to our systems to detect and prevent unauthorized access to user information.”
HauteLook 28 million accounts for 0.217 BTC ($780) total

1.5GB of data taken during 2018. Each account record contains an email address, bcrypt-hashed password, and name. This alleged security breach has not been previously publicly disclosed. HauteLook is an online store for fashion, accessories, and so on. A spokesperson for the Los Angeles-based biz did not respond to a request for comment.
ShareThis 41,028,098 accounts for 0.217 BTC ($780) total

2.7GB of data taken early July 2018. Each account record contains a name, username, email address, DES-hashed password, gender, date of birth, and other profile info. This security breach has not been previously publicly disclosed. Palo Alto-based ShareThis makes a widget for sharing links to stuff with friends. A spokesperson did not respond to a request for comment.

Update: ShareThis has written to its users, alerting them that the site was hacked, likely in July 2018, and that email addresses, password hashes, and some dates of birth were stolen and put up for sale online.
Whitepages 17,775,679 accounts for 0.434 BTC ($1,560) total

2.9GB of data taken 2016. Each account record contains an email address, SHA1- or bcrypt-hashed password, and first and last name. This alleged security breach has not been previously publicly disclosed. Whitepages is a Seattle-based online telephone and address directory. A spokesperson did not respond to a request for comment.

The seller told The Register they have as many as 20 databases to dump online, while keeping some others back for private use, and that they have swiped roughly a billion accounts from servers to date since they started hacking in 2012.

Their aim is to make “life easier” for hackers, by selling fellow miscreants usernames and password hashes to break into other accounts, as well as make some money on the side, and highlight to netizens that they need to take security seriously – such as using two-factor authentication to protect against password theft. The thief also wanted to settle a score with a co-conspirator, by selling a large amount of private data online.

The hacker previously kept stolen databases private, giving them only to those who would swear to keep the data secret.

“I don’t think I am deeply evil,” the miscreant told us. “I need the money. I need the leaks to be disclosed.

“Security is just an illusion. I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.” ®
Updates below

This article was revised at 0430 UTC on Tuesday, February 12 to include confirmation from 500px that it was hacked, as we reported.

Also on Tuesday, EyeEm informed its users it had been hacked. We understand similar disclosures are due to land this week from ShareThis and others.

On Wednesday, February 13, DataCamp informed us it is resetting its users’ passwords after “some user data was exposed by a third party who gained criminal unauthorized access to one of our systems.”

Also on Wednesday, CoffeeMeetsBagel told us it is alerting its users to its security breach, we added a statement from MyFitnessPal, and 8fit admitted to its customers that it was hacked.

On Thursday, February 14, Artsy emailed its users to confirm its internal data was stolen and put up for sale, as reported. “On February 11, 2019, we became aware that account information for some of our users was made available on the internet,” the biz wrote. “We are still investigating the precise causes of the incident, and together with our engineering team, we are working with a leading cyber forensics firm to assist us.”

On Friday, February 15, ShareThis confirmed it was hacked, too.

Unearthed emails could be smoking gun in epic GDPR battle against Google, adtech giants

If online ads were simply outlawed, the problem would be fixed. That will not happen soon, so use the best ad-blocker you can, set your browser to dump cookies and other data upon exit (not available in Google Chrome – hhmmm, now I wonder why...), and when done on one site, close the browser and restart before going to a new site.

Quote

Privacy warriors have filed fresh evidence in their ongoing battle against real-time web ad exchange systems, which campaigners claim trample over Europe’s data protection laws.

The new filings – submitted today to regulators in the UK, Ireland, and Poland – allege that Google and industry body the Interactive Advertising Bureau (IAB) are well aware that their advertising networks’ business models flout the EU’s privacy-safeguarding GDPR, and yet are doing nothing about it. The IAB, Google – which is an IAB member – and others in the ad-slinging world insist they aren’t doing anything wrong.

The fresh submissions come soon after the UK Information Commissioner’s Office (ICO) revealed plans to probe programmatic ads. These are adverts that are selected and served on-the-fly as you visit a webpage, using whatever personal information has been scraped together about you to pick an ad most relevant to your interests.

Typically, advertisers bid for space on a webpage in real-time given the type of visitor: the page is fetched from a website, it brings in ad network code, which triggers an auction between advertisers that completes in a fraction of a second, and the winning ad is served and displayed (assuming the advert isn’t blocked.) This transaction, dubbed real-time bidding or RTB, happens automatically and immediately when an ad is required, and it can be fairly convoluted: ad slots may be passed through a tangle of publishers and exchanges before they arrive in a browser.

Netizens known to be wealthy and with a lot of disposable income, or IT buyers with big spending budgets, for example, will command higher ad rates than those unlikely to buy anything through an ad. This is why ad networks and exchanges, like Google, love to know everything about you, all that lovely private data, so they can tout you to advertising buyers and target ads at you for stuff you’ve previously shown an interest in.

The ICO’s investigation will focus on how well informed people are about how their personal information is used for this kind of online advertising, which laws ad-technology firms rely on for processing said private data, and whether users’ data is secure as it is shared on these platforms.

Meanwhile, these latest filings follow on from gripes lodged by the same online rights campaigners late last month and in 2018.

The privacy warriors allege the aforementioned auction systems fall foul of Europe’s General Data Protection Regulation (GDPR) because netizens do not have much or any real control over the massive amounts of ad-related data lobbed between sites and services. Moreover, this information can be highly personal – sometimes including location coordinates along with pseudonymous identifiers, personal interests, and the site they are browsing.

The complaints, which point the finger of blame at the IAB’s openRTB and Google’s Authorized Buyers systems, were filed to watchdogs in the UK by Open Rights Group executive director Jim Killock and privacy researcher Michael Veale; in Ireland by Johnny Ryan of browser biz Brave; and in Poland by the Panoptykon Foundation.

The IAB has consistently stressed that the complaints should not be directed at RTB technology makers, such as itself – and that doing so is like holding road builders accountable for people who break the speed limit. In other words, the tech can be abused, but apparently not by its developers. And the industry body claimed the complainants have only proven it is possible to break the law, not that it has been broken.

As such, the privacy warriors hope to add more weight to their arguments, and today submitted a fresh set of documents to regulators in the aforementioned trio of nations. This cache includes examples of the data passed through RTB systems, and the number of daily bid requests ad exchanges make, which reach 131 billion for AppNexus and 90 billion for Oath/AOL.
Programmatic trading, or is that problematic trading?

The complainants have also filed documents they claim prove the IAB has long been aware that there is a potential problem with RTB systems and their compliance with GDPR.

Among the latest cache is an email from 2017 – obtained under a Freedom-of-Information request – sent from the CEO of IAB Europe, Townsend Feehan, to senior staff in the European Commission Directorate General for Communications Networks, Content, and Technology.

The email reveals Feehan lobbying commission staffers against proposals for a new ePrivacy Regulation – which was meant to come into force with GDPR but has been stuck in negotiations – saying it could “mean the end of the online advertising model.”

Programmatic trading would seem, at least prima facie, to be incompatible with consent under GDPR

The exec attached an 18-page document to the email detailing IAB Europe’s reasoning, which discussed the impact of proposals to tighten rules on the use of people’s private data to the same level as that of GDPR, particularly the requirement of someone’s consent to share their information. Crucially, consent under GDPR requires that people are told clearly what’s going on with their sensitive info, which means website visitors must be told the identity of the data controller(s) processing their data and the purposes of processing. Given the instantaneous and convoluted nature of ad bidding, it is seemingly impossible to alert netizens prior to the real-time auctions, it is claimed.

This, essentially, is the rub between GDPR and today’s on-the-fly web advertising, it would seem.

“As it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario, programmatic trading, the area of fastest growth in digital advertising spend, would seem, at least prima facie, to be incompatible with consent under GDPR,” the IAB said.

Brave’s Johnny Ryan said this acknowledges the issue at the core of the campaigners’ complaint – and suggests the IAB doesn’t think adtech’s operating model can work with GDPR.

The IAB has since launched a “Consent and Transparency Framework” to help companies involved in RTB systems meet their legal requirements – but opponents argue that this doesn’t change the facts at the heart of the matter.

Similarly, a document from May 2018 produced by the IAB Tech Lab – a group that produces standards, software, and services for digital publishers, marketers, media, and adtech firms – acknowledged concerns about GDPR compliance. In it, the lab said publishers were concerned “there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/bidding on/after delivery of an ad but need a way to clearly signal the restriction for permitted uses in an auditable way.”

It also said that “surfacing thousands of vendors with broad rights to use data w/out tailoring those rights may be too many vendors/permissions.” And elsewhere in the 2017 document, the IAB said that, since third parties in adtech have “no link to the end-user [they] will be unable to collect consent.”
All your basis are belong to…?

It is question-marks like these, from the industry itself, that the privacy campaigners hope will bolster their case. These concerns were also highlighted by the ICO’s tech policy lead Simon McDougall in a blog post earlier this month outlining the body’s plan to look into adtech.

“The lawful basis for processing personal data that different organisations operating in the adtech ecosystem currently rely upon are apparently inconsistent,” he said. “There seem to be several schools of thought around the suitability of various basis for processing personal data – we would like to understand why the differences exist.”

He added that the ICO was interested in how and what people are told about how their personal data is used for online advertising, and how accurate these disclosures are.

A third prong of the ICO probe will consider the security of the data that is widely and rapidly shared during the auctions. “We are interested in how organisations can have confidence and provide assurances that any onward transfers of data will be secure,” said McDougall.

The ICO stressed that it was in the fact-finding stages of its work, and that it wanted to listen to all the “diverging views” on adtech.

And, for their part, the complainants in the case against IAB Europe and Google have said that they aren’t, necessarily, seeking an end to online advertising. Rather, they want to see adtech firms operate without sharing the highly personal information they do at the moment. For instance, Ryan said that the IAB RTB system allows 595 different kinds of data to be included in a bid request. Scrapping the use of just four per cent would be an “easy, long overdue, fix

Password managers may leave your online crown jewels ‘exposed in RAM’ to malware

Quote

A bunch of infosec bods are taking some of the most popular password managers to task after an audit revealed some mildly annoying, non-world-ending security shortcomings.

Researchers at ISE declared on Tuesday that the likes of 1Password, KeePass, LastPass, and Dashlane all have vulnerabilities that would potentially allow malicious software on a Windows machine to steal either the master password or individual passwords stored by the applications.

The problem here is mainly secure memory management. To some degree, every one of the four password managers left passwords – either the master password or individual credentials – accessible in memory. This would potentially allow malware on a system, particularly malware with admin rights, to obtain those passwords.

And yeah, sure… we know. We get it. If spyware has infected your computer, you’re pretty much screwed. The point here is to demonstrate that software nasties can potentially mine all your login details straight from your password manager in one go. Think of this as a heads up to developers of passphrase managers, and malware researchers.

For what it’s worth, we reckon that if malware has taken hold of your PC it could probably impersonate your password manager, and snaffle your master passphrase that way, but on the other hand, why go to that trouble if the goodies are lying around in RAM?

So, what we’re saying here is: this isn’t anything to panic over right now – it’s something the designers of password managers, at least, should now be aware of.

The team noted that the password managers are not vulnerable when they are not running, such as right after the system boots up, but rather are exposed after the user opens the manager and types in their master password. That means the passwords stored on disk are safe, at least.

“All password managers we examined sufficiently secured user secrets while in a ‘not running’ state. That is, if a password database were to be extracted from disk and if a strong master password was used, then brute forcing of a password manager would be computationally prohibitive,” Team ISE explained.

“Each password manager also attempted to scrub secrets from memory. But residual buffers remained that contained secrets, most likely due to memory leaks, lost memory references, or complex GUI frameworks which do not expose internal memory management mechanisms to sanitize secrets.”

The password managers are not necessarily getting better in their newer editions, either. The ISE studied two versions of 1Password (4.6.2.626 and 7.2.576) and found that the earlier build was in fact better at protecting passwords than the newer version. This is because the later build loaded all passwords into memory as plain text as soon as the master password was entered.

Some of the described flaws have already been fixed. A LastPass spokesperson told The Register it had sorted the memory disclosure issues described in its products, and that even when the flaw was present, a real-world exploit would require the attacker to have local access to the machine with admin clearance.

The report doesn’t by any means suggest you should not be using a password manager. Even with the mild flaws ISE found, a password manager remains by far the best way to keep your login credentials secure, and experts routinely recommend them as a way to manage multiple unique and strong passphrases for your online accounts.

“First and foremost, password managers are a good thing,” Team ISE noted. “All password managers we have examined add value to the security posture of secrets management.”

See their afore-linked report for more dos and don’ts on staying safe.

What would happen if Facebook was turned off?

Quote

Imagine a world without the social network

THERE HAS never been such an agglomeration of humanity as Facebook. Some 2.3bn people, 30% of the world’s population, engage with the network each month. Economists reckon it may yield trillions of dollars’ worth of value for its users. But Facebook is also blamed for all sorts of social horrors: from addiction and bullying to the erosion of fact-based political discourse and the enabling of genocide. New research—and there is more all the time—suggests such accusations are not entirely without merit. It may be time to consider what life without Facebook would be like.

To begin to imagine such a world, suppose that researchers could kick a sample of people off Facebook and observe the results. In fact, several teams of scholars have done just that. In January Hunt Allcott, of New York University, and Luca Braghieri, Sarah Eichmeyer and Matthew Gentzkow, of Stanford University, published results of the largest such experiment yet. They recruited several thousand Facebookers and sorted them into control and treatment groups. Members of the treatment group were asked to deactivate their Facebook profiles for four weeks in late 2018. The researchers checked up on their volunteers to make sure they stayed off the social network, and then studied what happened to people cast into the digital wilderness.


Meanwhile back at the ranch – Alexa, Google Home, etc. are flying off the shelves.

Retail Arbitrage – Not everything on Amazon, eBay is a good deal

…And here is why

Quote

The Herberts were on the hunt for all of the Contigo water bottles the store had in stock, and kept the camera rolling for their 6,400 YouTube subscribers. Within minutes, an employee pulled out 32 two-packs — sold on clearance for $5 each — from a back storage room. For two people who recently left their jobs in finance, the blue-and-black plastic bottles might as well have been made of gold. The Herberts would resell the two-packs on Amazon for $19.95. Subtracting some taxes and fees, they’d clear $6.16 in profit. All told, the Herberts’ 10-minute Target run earned them $198.

Juston, 30, and Kristen, 28, estimate they can reel in $150,000 this year from their newest gig: retail arbitrage. The basic idea is to buy up a bunch of the same item — from water bottles to vacuums to Monopoly boards — and then resell them online for a handsome profit.

Chris Green wrote one of the go-to how-to books on the topic, titled “Retail Arbitrage.” And he’s helped popularize the moniker.

…..

The term seems to be having a moment. In December, according to Google Trends, searches for “retail arbitrage” spiked on YouTube, where aficionados post videos of their shopping and reselling sprees. (One reseller, who has more than 52,000 YouTube subscribers, filmed his 22-hour buying binge through 17 Walmarts. He filled his trunk with 182 Monopoly games and flipped most of them in one night for $2,500.)

In the early 2000s, resellers started flipping products on eBay. But Green’s guide focused on the engine behind many of these small businesses: Fulfillment By Amazon, or FBA.

Amazon “needs people like me to fill all the holes in the marketplace,” he said.

“We’re literally flesh-and-blood robots for Amazon,” Rezendes said.

The retail giant hasn’t shied away from promoting its small businesses: In 2018, the number of small and medium-size businesses that passed $1 million in sales in Amazon stores worldwide grew by 20 percent. Third-party sales are growing at a faster rate than first-party sales online, the company said last month.

You’ll find Shane Myers on YouTube as the “Rise N Grind Picker” — with 15,000 YouTube subscribers.

Three years ago, with $20 in his savings account, Myers started reselling thrift store merchandise on eBay. He turned to Amazon in August. By September, Myers had churned out more than $2,000 selling used books alone. In his first three months back on retail arbitrage, he’d paid off all his credit card debt and car payments.

Myers, 31, pays $30 a month for an app called BrickSeek, which helps him find markdowns at big-box stores like Walmart and Target. A few weeks ago, Myers hit multiple Walmarts within a 150-mile radius and came home with 218 packages of lightbulbs. He found them on clearance for $2 each. He marked up the price and netted $4 to $5 on each package.

The grand total: more than $1,100 in profit.

Myers hopes that within the next year and a half he can move to retail arbitrage full time and will have paid off his house. And he hopes he’ll never miss his daughter’s birthday again for work, like when he was clocking in at his old day job in retail.

“I see money everywhere,” Myers said. “If I walk into a store, it’s just like a dollar sign sitting on the shelf.”

While one might conclude retail arbitrage hurts only the big box stores, it is untrue. It hurts the smaller retailers & shops much much more. The monopolist Amazon enables and encourages this as it helps them do further damage to the brick and mortar retailers.

Economics 101

“A company wanting to monopolize a market may engage in various types of deliberate action to exclude competitors or eliminate competition. Such actions include collusion, lobbying governmental authorities, and force (see anti-competitive practices).” https://en.wikipedia.org/wiki/Monopoly

Sounds like the modus operandi of big tech these days.

Zucked: Waking Up to the Facebook Catastrophe -Book Review

Quote

An important investor explains how his enthusiasm has turned to shame

As the so-called Techlash gains pace and polemics on the downsides of the internet flood the book market, one omission seems to recur time and again. Facebook, Google, Amazon and the rest are too often written about as if their arrival in our lives started a new phase of history, rather than as corporations that have prospered thanks to an economic and cultural environment established in the days when platforms were things used by trains. To truly understand the revolutions in politics, culture and human behaviour these giants have accelerated, you need to start not some time in the last 15 or so years, but in the 1980s.

Early in that decade, the first arrival of digital technology in everyday life was marked by the brief microcomputer boom, which was followed by the marketing of more powerful personal computers. Meanwhile, Margaret Thatcher and Ronald Reagan were embedding the idea that government should keep its interference in industry and the economy to a minimum. In the US, a new way of thinking replaced the bipartisan belief that monopolies should always be resisted: concentrations of economic power were not a problem as long as they led to lower prices for consumers. And at the same time as old-school class politics was overshadowed, the lingering influence of the 60s counterculture gave the wealthy a new means of smoothing over their power and privilege: talking in vague terms about healing the world, and enthusiastically participating in acts of spectacular philanthropy.

If there was one period when all this cohered, it was between 1984 to 1985: the time of Band Aid and Live Aid, the launch of both Bill Gates’s Microsoft Windows operating system and the Apple Macintosh, and the advent of Reagan’s second term as president. And in 1984 Mark Zuckerberg, who would grow up in a country and culture defined by these events and forces, was born; he invented Facebook while he was at Harvard, and made his fortune via an intrusive, seemingly uncontrollable kind of capitalism, sold with the promise of “bringing the world closer together”.

Roger McNamee is a little longer in the tooth. Aged 62, he is old enough to know that the US beat the depression and won the second world war when “we subordinated the individual to the collective good, and it worked really well”. He knows that the anti-state, libertarian mores that define what we now know as Big Tech were born in the 1980s, and that by the early 21st century, “hardly anyone in Silicon Valley knew there had once been a different way of doing things”. Laissez-faire ideas, he says, joined with a bombastic arrogance in the minds of the “bros” who flocked to northern California to make their fortune from the mid 1990s onwards. What they did was founded on cutting-edge technology – but in terms of its underlying economic ideas, their business represented recently established nostrums being taken to their logical conclusion.

This may suggest the perspective of an outsider, but McNamee does not quite fit that description. As a high-profile investor in tech businesses, he was co-founder of Elevation Partners, a private equity firm established with U2 frontman Paul “Bono” Hewson, the very embodiment of the 80s’ uneasy mixture of profit and philanthropy. In 2010, the firm acquired 1% of Facebook for $90m, but McNamee had already put money into the company, become a source of occasional advice for its founder, and been key in the appointment as chief operating officer of Sheryl Sandberg, the former Bill Clinton administration insider who brought business acumen and political connections to Zuckerberg’s inner circle. But now McNamee has come to the conclusion that what he helped bring about is a blend of hubris and dysfunction: Zucked is partly the story of his early enthusiasm giving way to mounting alarm at Facebook’s failure to match its power with responsibility, and what he has tried to do about it.

It is an unevenly told tale. McNamee wants readers to think of him as a player in the events he describes, but the text regularly has a sense of things viewed from too great a distance. That said, he knows enough about Facebook and its contexts to get to the heart of what its presence in our lives means for the world, and is bracingly blunt about the company’s threat to the basic tenets of democracy, and his own awakening to its dangers. In early passages about the initial occasions when he met Zuckerberg, he writes of a man then aged 22 appearing “consistently mature and responsible”, and “remarkably grown-up for his age”. He goes on: “I liked Zuck. I liked his team. I liked Facebook.” But by the time of the 2016 presidential election, everything had changed. In a memo to Zuckerberg and Sandberg, McNamee was blunt: “I am disappointed. I am embarrassed. I am ashamed.” And he had a keen sense of what had gone wrong, summarised here in the kind of aphoristic phrase for which he clearly has a talent: “Facebook has managed to connect 2.2 billion people and drive them apart at the same time.”

The account of how this played out is now familiar, and ends with the election and subsequent revelation that 126 million Facebook users were exposed to messages authored in Russia. McNamee deals with the Cambridge Analytica scandal, and how it highlighted Facebook’s blithe attitude to its users’ personal data (though he really should have mentioned the Observer journalist Carole Cadwalladr, whose curiosity and resilience ensured that the story broke, and Facebook was called to account). But some of his best material is about the elements of Facebook’s organisation and culture that created the mess, and the work he has done trying to alert powerful people to the need for action.

Once Zuckerberg realised his creation was eating the world, he and his colleagues did what “bros” do, and embraced a mindset known as “growth hacking”, whereby what mattered was “increasing user count, time on site, and revenue”: unrestrained capitalism, in other words. And as all these things endlessly increased, the company simply sped on. “In the world of growth hacking, users are a metric, not people,” McNamee writes. As Facebook expanded, he says, “it is highly unlikely that civic responsibility ever came up.”

Roger McNamee, founder of Elevation Partners.

If Facebook looks like a borderline autocracy (Zuckerberg controls around 60% of the company’s voting shares, because his stock has a “class B” status that gives him unchallengeable power), that is partly because it is different from comparable companies in one crucial sense: the simplicity of its business model. “The core platform consists of a product and a monetisation scheme,” McNamee points out, which “enables Facebook to centralise its decision making. There is a core team of roughly ten people who manage the company, but two people – Zuck and Sheryl Sandberg – are the arbiters of everything.” In the final analysis, Zuckerberg “is the undisputed boss”, both “rock star and cult leader”. It was always going to be a dangerous combination: global reach, a vast influence on events across the world, and a command structure too often reducible to the strengths and weaknesses of one man.

McNamee has worked hard to hold Facebook to account. His key ally is Tristan Harris, a former Google insider who is now an expert critic of Big Tech and its apparent ethical vacuum. As the most compelling passages here recount, while anxiety about the company began to spread, the pair lobbied members of Congress, and were not surprised to find that Washington “remained comfortably in the embrace of the major tech platforms” – but did their best to educate them on a subject many US legislators still seem to barely understand. Their efforts led to two hearings in late 2017, attended only by the big tech companies’ lawyers. Six months later, Zuckerberg finally went to Capitol Hill to testify over two days, but was initially confronted with some of the most moronic questions imaginable (“How do you sustain a business model in which users don’t pay for your service?” asked Utah’s 84-year-old Senator, Orrin Hatch). His second session, in front of the House of Representatives’ Committee on Energy and Commerce, was much better, full of biting criticism. But, as McNamee sighingly acknowledges, his former friend “caught a break”: TV news was suddenly consumed by fallout from the FBI raiding the home and office of Donald Trump’s attorney Michael Cohen, and Zuckerberg went back to northern California looking remarkably untroubled.

Should political will and public alarm eventually combine to finally break Silicon Valley’s remarkable power, McNamee knows roughly what ought to happen. He points to giving people control and ownership of their data, and the need to push through years of free-market dogma and convince the US authorities to reinvent anti-monopoly rules, and to take some action. What exactly this might entail remains frustratingly unclear, but he wants his readers to know he has made the ideological leap required. “Normally, I would approach regulation with extreme reluctance, but the ongoing damage to democracy, public health, privacy and competition justifies extraordinary measures,” he says. Unwittingly, the way he frames his point speaks volumes about how much we lost in the laissez-faire revolutions of the 1980s: what, after all, is so extraordinary about democratically elected governments taking action against corporations that are out of control?

Zucked! Why We Keep Forgiving Facebook

Here is an excellent podcast from the NPR 1A show on Facebook. Joshua Johnson is interviewing Roger McNamee, the author of ‘Zucked: Waking Up to the Facebook Catastrophe’.

You may have lots of friends on Facebook. But are you friends with Facebook?

It’s been 15 years since a Harvard student named Mark Zuckerberg co-created the social network in his dorm room. But like many teenagers, it’s prone to misbehave and worry the grown-ups. Some expect Facebook to implode before it turns sweet sixteen.

No one intended Facebook to cause the problems that it has: not Zuckerberg, its engineers, its early investors or advisors.

We spoke with Roger McNamee, former advisor and early investor, about how the company changed the world in unexpected ways and — in his view — refused to do right by its users in times of trouble.

Monopolists – Adding New Category

I am adding the new category of Monopolists and the sub-category Tech Monopolists. With the current state of things in high tech these days, what with kill zones, rampant bad corporate behavior, rampant tracking, black box user data sharing and daily new intentional breaches of privacy, industrial concentration especially in the tech sector and lax regulatory oversight (to name a few), I hope to encourage discussion and eventually a change to a more equitable and more competitive environment.

Deleting Linkedin

Wow, what a disgusting company LinkedIn (owned by Microsoft) has become. Today: 160 trackers (and counting) and canvas tracking. LinkedIn is now little more than spyware and on par with the likes of that disgusting company Facebook. In case anyone is interested: https://www.linkedin.com/help/linkedin/answer/63/closing-your-linkedin-account?lang=en One can download all data prior to closing the account. We are in the process of doing this.

By the way, don’t take my word for it: “The People Agree: Twitter, Facebook, and LinkedIn Are All Worse than Bank of America” (Motley Fool): https://www.fool.com/investing/general/2014/01/05/the-people-agree-twitter-facebook-and-linkedin-are.aspx

Wow – worse than Bank of America. I did not think that possible!

How to Stop Facebook’s Dangerous App Integration Ploy

Here is a great op-ed piece by Sally Hubbard, who is a former assistant attorney general in the New York State Attorney General’s Antitrust Bureau and an editor at The Capitol Forum, where she covers technology and monopolization. She makes two points: 1) Facebook is a monopolist and 2) the FTC is toothless. Both need to change.

Quote

In response to calls that Facebook be forced to divest itself of WhatsApp and Instagram, Mark Zuckerberg has instead made a strategic power grab: He intends to put Instagram, WhatsApp and Facebook Messenger onto a unified technical infrastructure. The integrated apps are to be encrypted to protect users from hackers. But who’s going to protect users from Facebook?

Ideally, that would be the Federal Trade Commission, the agency charged with enforcing the antitrust laws and protecting consumers from unfair business practices. But the F.T.C. has looked the other way for far too long, failing to enforce its own 2011 consent decree under which Facebook was ordered to stop deceiving users about its privacy claims. The F.T.C. has also allowed Facebook to gobble up any company that could possibly compete against it, including Instagram and WhatsApp.

Not that blocking these acquisitions would have been easy for the agency under the current state of antitrust law. Courts require antitrust enforcers to prove that a merger will raise prices or reduce production of a particular product or service. But proving that prices will increase is nearly impossible in a digital world where consumers pay not with money but with their personal data and by viewing ads.

The integration Mr. Zuckerberg plans would immunize Facebook’s monopoly power from attack. It would make breaking Instagram and WhatsApp off as independent and viable competitors much harder, and thus demands speedy action by the government before it’s too late to take the pieces apart. Mr. Zuckerberg might be betting that he can integrate these three applications faster than any antitrust case could proceed — and he would be right, because antitrust cases take years.

Luckily, the F.T.C. has a way to act quickly. Prompted by the Cambridge Analytica scandal, the agency has been investigating Facebook for violating that 2011 consent decree, which required it, among other things, to not misrepresent its handling of user information and to create a comprehensive privacy program. The F.T.C. can demand Facebook stop the integration as one of the conditions for settling any charges related to the consent decree, rather than just imposing an inconsequential fine.

If not stopped, the integration will cement Facebook’s monopoly power by enriching its data trove, allowing it to spy on users in new ways. Facebook might decide to sync data from one app to another so it can better track users. And Facebook needs user data: The reason it commands such a large share of digital advertising is that it tracks users — and even people without Facebook accounts — across millions of sites. It gathers data that allows it to target ads more precisely than many of its rivals for digital ad dollars, including news media sites and content creators.

After stopping Mr. Zuckerberg’s integration plan, the F.T.C. should reverse the WhatsApp and Instagram acquisitions as illegal under the Clayton Act, which prohibits mergers and acquisitions where the effect “may be substantially to lessen competition, or to tend to create a monopoly.” Undoing the mergers would give consumers an alternative to Facebook-owned apps and force Facebook to do better.

Without meaningful competition, Facebook has little incentive to protect users by making changes that could reduce profits. Users unhappy about data collection and algorithms that promote fake news and political polarization don’t have anywhere to go.

Any future Facebook acquisitions, no matter what the size, should be strictly reviewed because of the company’s history of deceiving users. Facebook uses technology, like its Onavo and Research apps, that monitor consumers’ app usage to identify potential rivals even before they are big enough to get on antitrust enforcers’ radars. Internal Facebook documents published by the British Parliament show Facebook used Onavo data to identify WhatsApp as a competitive threat, only to convince regulators otherwise.

Congress also should write legislation to overrule misguided cases that have neutered antitrust enforcement, and pass a strong privacy law with enough resources to enforce it. Only then, perhaps, will we be protected from Facebook.