Skip to content

Privacy

My Friend Cayla

…Or is it My Friend Spy Cayla. And what is the difference between this and Google Voice and Siri? Not much.

Quote:

The My Friend Cayla doll has been shown in the past to be hackable

An official watchdog in Germany has told parents to destroy a talking doll called Cayla because its smart technology can reveal personal data.

The warning was issued by the Federal Network Agency (Bundesnetzagentur), which oversees telecommunications.

Researchers say hackers can use an unsecure bluetooth device embedded in the toy to listen and talk to the child playing with it.

But the UK Toy Retailers Association said Cayla “offers no special risk”.

In a statement sent to the BBC, the TRA also said “there is no reason for alarm”.

The Vivid Toy group, which distributes My Friend Cayla, has previously said that examples of hacking were isolated and carried out by specialists. However, it said the company would take the information on board as it was able to upgrade the app used with the doll.

But experts have warned that the problem has not been fixed.

The Cayla doll can respond to a user’s question by accessing the internet. For example, if a child asks the doll “what is a little horse called?” the doll can reply “it’s called a foal”.
Media captionRory Cellan-Jones sees how Cayla, a talking child’s doll, can be hacked to say any number of offensive things.

A vulnerability in Cayla’s software was first revealed in January 2015.

Complaints have been filed by US and EU consumer groups.

The EU Commissioner for Justice, Consumers and Gender Equality, Vera Jourova, told the BBC: “I’m worried about the impact of connected dolls on children’s privacy and safety.”

The Commission is investigating whether such smart dolls breach EU data protection safeguards.

In addition to those concerns, a hack allowing strangers to speak directly to children via the My Friend Cayla doll has been shown to be possible.

The TRA said “we would always expect parents to supervise their children at least intermittently”.

It said the distributor Vivid had “restated that the toy is perfectly safe to own and use when following the user instructions”.
Privacy laws

Under German law, it is illegal to sell or possess a banned surveillance device. A breach of that law can result in a jail term of up to two years, according to German media reports.

Germany has strict privacy laws to protect against surveillance. In the 20th Century Germans experienced abusive surveillance by the state – in Nazi Germany and communist East Germany.

The warning by Germany’s Federal Network Agency came after student Stefan Hessel, from the University of Saarland, raised legal concerns about My Friend Cayla.

Mr Hessel, quoted by the German website Netzpolitik.org, said a bluetooth-enabled device could connect to Cayla’s speaker and microphone system within a radius of 10m (33ft). He said an eavesdropper could even spy on someone playing with the doll “through several walls”.

A spokesman for the federal agency told Sueddeutsche Zeitung daily that Cayla amounted to a “concealed transmitting device”, illegal under an article in German telecoms law (in German).

“It doesn’t matter what that object is – it could be an ashtray or fire alarm,” he explained.

Manufacturer Genesis Toys has not yet commented on the German warning.

Not so Smart using a Smart TV

As reported Vizio’s Smart TVs spied on you

Starting in 2014, Vizio made TVs that automatically tracked what consumers were watching and transmitted that data back to its servers. Vizio even retrofitted older models by installing its tracking software remotely. All of this, the FTC and AG allege, was done without clearly telling consumers or getting their consent.

What did Vizio know about what was going on in the privacy of consumers’ homes? On a second-by-second basis, Vizio collected a selection of pixels on the screen that it matched to a database of TV, movie, and commercial content. What’s more, Vizio identified viewing data from cable or broadband service providers, set-top boxes, streaming devices, DVD players, and over-the-air broadcasts. Add it all up and Vizio captured as many as 100 billion data points each day from millions of TVs.

Vizio then turned that mountain of data into cash by selling consumers’ viewing histories to advertisers and others. And let’s be clear: We’re not talking about summary information about national viewing trends. According to the complaint, Vizio got personal. The company provided consumers’ IP addresses to data aggregators, who then matched the address with an individual consumer or household. Vizio’s contracts with third parties prohibited the re-identification of consumers and households by name, but allowed a host of other personal details – for example, sex, age, income, marital status, household size, education, and home ownership. And Vizio permitted these companies to track and target its consumers across devices.

That’s what Vizio was up to behind the screen, but what was the company telling consumers? Not much, according to the complaint.

Source here

Well for their offense Vizio was slapped with 2.2million fine. Sounds like a lot, right? Well as a colleague of mine observed, that is 20cents per TV. In other words, it was a great ROI for Vizio and points out how toothless the FTC really is.

So what to do? Turn off all the Smart TV features, boycott Vizio (that said, Samsung and others are just as bad it may appear). Better Yet, unplug the TV from the Internet.

Some sites suggest that Roku and Apple streaming boxes front-ending your TV are better. I am not so sure as I know with the Roku, at least, one needs to reset your ID often to clear the tracking and there does not appear to be a permanent “Kill” switch for this type of spyware crap.

I am toying of building my own set top streaming device using the RasberryPI. If I do so, I will pay pay special attention to the privacy aspects of the embedded software I use and report findings here. Don’t hold your breath, time is at a premium of here.

Anyway – welcome to the iDIoT. The Insecure Dumbed-down Internet of Things

Nick

Ghostery – Bad Design

I am constantly evaluating browser add-ons and recently took a harder look at Ghostery. I notice that settings could not be saved when I closed the browser and then restarted. Why? Well it seems that Ghostery stores these in a cookie.

What a Cookie? Shame Shame Shame. **ALL** browsers should be set to dump cache and all cookies when you close it. Why? It helps greatly to prevent tracking and those targeted adverts among others.

What to use instead? A good and efficient ad-blocker. like uBlock I am also using uBlock Origin which appears to have a wider feature set and extra privacy settings. Both can be downloaded from your favorite browser ad-ons facility. Here are a few: Firefox is here, Chrome (yuk- you are google’s product, but if you insist) is here. Safari – not on their site, but uBlock is here. I cannot find the download for uBlock Origin. Post comment with link if you know it.

Direct uBlock Origin releases are here, but they may not be verify by the browser yet.

Nick

Trump: Blame the Computers not Russia

Trump: “I think we ought to get on with our lives. I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on. We have speed, we have a lot of other things, but I’m not sure we have the kind the security we need,” Trump said according to press pool report. He was at the Mar-a-Lago resort at the time of making the statement.” Source

Actually, I agree with Trump on this. We do not have the security we need. More fundamental to that, we do not have a mindset that puts computer security first. We bolt the front door and secure our physical premises with 24/7 monitoring services, yet we leave the barn door wide open for our online presence be it email, social media, browsing and shopping.

Privacy and security is an option when in fact it should come first. Imagine if the internet was built from the ground up with privacy and security as the foundation layer? That would mean no web bugs, tracking cookies, targeted advertising, privacy statements like Netflix’s (for example) that say, let me rape you and sell my experience and if you do not agree, your option is to cancel your subscription.

And home router manufacturers that make appliances so easily hacked it is a joke. And Microsoft windows that to this day facilitates users running with administrator privileges in everyday use. And the IoT – internet of things that have little if any security. And the mindset of the average consumer the allows Amazon’s Alexa into their home. Completely secure, right? Yeah sure, Why then, I ask, did this happen: “Amazon had been served with a search warrant in a murder case, as detectives in Bentonville, Ark., want to know what Alexa heard in the early morning hours of Nov. 22, 2015 — when Victor Collins was found dead in a hot tub behind a home after an Arkansas Razorbacks football game. (Read more) Come on! Lock the door, arm yourself to the teeth, **but** let a device with 7 microphones listening to every sound in your house connected to ?? and easily hacked by ?? (you’ll never know!). By the way, the same goes with Siri and Google voice on your smart phones.

Don’t blame the Russians, blame yourself. Yes, the mindset needs to change indeed.

Happy New Year.

Googdroid

QUOTE

This article begs the question: “Why doesn’t google police its store an evaluate apps for potential malware?” So much of the crap on google play is infected with spyware. Oh wait, spyware, that is how google makes money selling your private info others so they can market more to you.

A new strain of Android malware is infecting an estimated 13,000 devices per day.

The Gooligan malware roots Android devices before stealing email addresses and authentication tokens stored on them. The tokens create a means for hackers to access users’ sensitive data from Gmail accounts, security researchers at Check Point Software Technologies warn.

The malicious code creates a money-making sideline for crooks by fraudulently installing apps from Google Play and rating them on behalf of the victim.

Gooligan targets devices running Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), collectively around 74 per cent of Android devices currently in use. Gooligan is installing at least 30,000 apps on breached devices every day, or more than 2 million apps since the malicious campaign began, according to Check Point.

Security researchers at the Israeli firm first encountered Gooligan’s code in the malicious SnapPea app last year. In August, the malware reappeared with a new variant and has since infected at least 13,000 devices per day. About 40 per cent of these devices are located in Asia and about 12 per cent are in Europe. Hundreds of the email addresses compromised by Gooligan are associated with enterprises around the world.

Check Point has passed on its findings on the campaign to Google’s security team. “This theft of over a million Google account details is very alarming and represents the next stage of cyber-attacks,” said Michael Shaulov, Check Point’s head of mobile products. “We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”

Gooligan spreads when victims download and install an infected app. Crooks are slinging the malware by tricking victims into following malicious links in phishing messages.

“If your account has been breached, a clean installation of an operating system on your mobile device is required,” Shaulov advised.

Guilty till Proven Innocent

Quote

Oklahoma Highway Patrol officers can now seize funds from prepaid debit cards, without requiring a warrant or criminal charges.

The Electronic Recovery and Access to Data (ERAD) device can be used in the field, enabling officers to quickly drain cards found in vehicles or on drivers and passengers. Officers must merely establish a “reasonable suspicion” that a crime is being committed.

To get the money back, or counter initial suspicions, individuals must prove the money was obtained legitimately.ote

Civil-rights advocates claim officers frequently abuse the system and take money from law-abiding citizens. In many states, courts have agreed that “innocent until proven guilty” protects individuals, but not their possessions.

Raising further concerns, the company that owns the patent for the device, ERAD Group, receives a 7.7-percent cut of any funds seized using the tools. A larger portion can find its way back to police departments for new gear and other expenses, creating a potential conflict of interest.

“This is a capability that law enforcement has never had before and one that is very likely to land [Oklahoma’s Department of Public Safety] in litigation,” opined ACLU Oklahoma legal director Brady Henderson.

The United Police States. What a disgrace. How can we continue to hold this country as a model of freedom to the world and allow this?

Google to kill passwords on Android, replace ’em with ‘trust scores’

Quote

Bad idea – basically adds new features for google to identify you, track you, and sell your private info to their empire. Yeah, I need protection from Google, not protection from them.

Google is planning to use “trust scores” to kill off traditional passwords on Android.

The internet giant wants to get rid of password logins, at least for Android apps, by 2017. Google outlined its plans at its I/O conference last week.

Kuwaiti Government will DNA Test Everyone

Quote

There’s a new law that will enforce DNA testing for everyone: citizens, expatriates, and visitors. They promise that the program “does not include genealogical implications or affects personal freedoms and privacy.”

I assume that “visitors” includes tourists, so presumably the entry procedure at passport control will now include a cheek swab. And there is nothing preventing the Kuwaiti government from sharing that information with any other government.

Despicable