Government investigation finds federal agencies failing at cybersecurity basics

The Office of Management and Budget reports that the federal government is a shambles — cybersecurity-wise, anyway. Finding little situational awareness, few standard processes for reporting or managing attacks and almost no agencies adequately performing even basic encryption, the OMB concluded that “the current situation is untenable.” All told, nearly three quarters of federal agencies have cybersecurity programs that qualified as either “at risk” (significant gaps in security) or “high risk” (fundamental processes not in place). The report, which you can read here, lists four major findings, each with its own pitiful statistics and recommendations that occasionally amount to a complete about-face or overhaul of existing policies.

1. “Agencies do not understand and do not have the resources to combat the current threat environment.”

The simple truth and perhaps origin of all these problems is that the federal government is a slow-moving beast that can’t

Facebook didn’t see Cambridge Analytica breach coming because it was focused ‘on the old threat’

In light of the massive data scandal involving Cambridge Analytica around the 2016 U.S. presidential election, a lot of people wondered how something like that could’ve happened. Well, Facebook didn’t see it coming, Facebook COO Sheryl Sandberg said at the Code conference this evening. “If you go back to 2016 and you think about what people were worried about in terms of nations, states or election security, it was largely spam and phishing hacking,” Sandberg said. “That’s what people were worried about.” She referenced the Sony email hack and how Facebook didn’t have a lot of the problems other companies were having at the time. Unfortunately, while Facebook was focused on not screwing up in that area, “we didn’t see coming a different kind of more insidious threat,” Sandberg said. Sandberg added, “We realized we didn’t see the new threat coming. We were focused on the old threat

Canadian Yahoo hacker gets a five-year prison sentence

After pleading guilty in November, the Canadian hacker at least partially to blame for the massive Yahoo hack that exposed up to 3 billion accounts will face five years in prison. According to the Justice Department, the hacker, 23-year-old Karim Baratov, worked under the guidance of two agents from the FSB, Russia’s spy agency, to compromise the accounts. Those officers, Dmitry Dokuchaev and Igor Sushchin, reside in Russia, as does Latvian hacker Alexsey Belan who also was implicated in the Yahoo hack. Given their location, those three are unlikely to face consequences for their involvement, but Baratov’s Canadian citizenship made him vulnerable to prosecution. “Baratov’s role in the charged conspiracy was to hack webmail accounts of individuals of interest to his coconspirator who was working for the FSB and send those accounts’ passwords to Dokuchaev in exchange for money,” the Justice Department described in its summary of Baratov’s sentencing.

Students confront the unethical side of tech in ‘Designing for Evil’ course

Whether it’s surveilling or deceiving users, mishandling or selling their data, or engendering unhealthy habits or thoughts, tech these days is not short on unethical behavior. But it isn’t enough to just say “that’s creepy.” Fortunately, a course at the University of Washington is equipping its students with the philosophical insights to better identify — and fix — tech’s pernicious lack of ethics. “Designing for Evil” just concluded its first quarter at UW’s Information School, where prospective creators of apps and services like those we all rely on daily learn the tools of the trade. But thanks to Alexis Hiniker, who teaches the class, they are also learning the critical skill of inquiring into the moral and ethical implications of those apps and services. What, for example, is a good way of going about making a dating app that is inclusive and promotes healthy relationships? How can an

Brexit blow for UK’s hopes of helping set AI rules in Europe

The UK’s hopes of retaining an influential role for its data protection agency in shaping European Union regulations post-Brexit — including helping to set any new Europe-wide rules around artificial intelligence — look well and truly dashed. In a speech at the weekend in front of the International Federation for European Law, the EU’s chief Brexit negotiator, Michel Barnier, shot down the notion of anything other than a so-called ‘adequacy decision’ being on the table for the UK after it exits the bloc. If granted, an adequacy decision is an EU mechanism for enabling citizens’ personal data to more easily flow from the bloc to third countries — as the UK will be after Brexit. Such decisions are only granted by the European Commission after a review of a third country’s privacy standards that’s intended to determine that they offer essentially equivalent protections as EU rules. But the mechanism does not

To truly protect citizens, lawmakers need to restructure their regulatory oversight of big tech

If members of the European Parliament thought they could bring Mark Zuckerberg to heel with his recent appearance, they underestimated the enormous gulf between 21st century companies and their last-century regulators. Zuckerberg himself reiterated that regulation is necessary, provided it is the “right regulation.” But anyone who thinks that our existing regulatory tools can rein in our digital behemoths is engaging in magical thinking. Getting to “right regulation” will require us to think very differently. The challenge goes far beyond Facebook and other social media: the use and abuse of data

Vermont passes first law to crack down on data brokers

While Facebook and Cambridge Analytica are hogging the spotlight, data brokers that collect your information from hundreds of sources and sell it wholesale are laughing all the way to the bank. But they’re not laughing in Vermont, where a first-of-its-kind law hems in these dangerous data mongers and gives the state’s citizens much-needed protections. Data brokers in Vermont will now have to register as such with the state; they must take standard security measures and notify authorities of security breaches (no, they weren’t before); and using their data for criminal purposes like fraud is now its own actionable offense. If you’re not familiar with data brokers, well, that’s the idea. These companies don’t really have a consumer-facing side, instead opting to collect information on people from as many sources as possible, buying and selling it amongst themselves like the commodity it has become.

US news sites are ghosting European readers on GDPR deadline

A cluster of U.S. news websites has gone dark for readers in Europe as the EU’s new privacy laws went into effect on Friday. The ruleset, known as the General Data Protection Regulation (GDPR), outlines a robust set of requirements that internet companies collecting any personal data on consumers must follow. The consequences are considerable enough that the American media company Tronc decided to block all European readers from its sites rather than risk the ramifications of its apparent noncompliance. Tronc-owned sites affected by the EU blackout include the Los Angeles Times, The Chicago Tribune, The New York Daily News, The Orlando Sentinel and The Baltimore Sun. Some newspapers owned by Lee Enterprises also blocked European readers, including The St. Louis Post-Dispatch and The Arizona Daily Star.

Facebook, Google face first GDPR complaints over “forced consent”

After two years coming down the pipe at tech giants, Europe’s new privacy framework, the General Data Protection Regulation (GDPR), is now being applied — and long-time Facebook privacy critic Max Schrems has wasted no time in filing four complaints relating to (certain) companies’ ‘take it or leave it’ stance when it comes to consent. The complaints have been filed on behalf of (unnamed) individual users — with one filed against Facebook; one against Facebook-owned Instagram; one against Facebook-owned WhatsApp; and one against Google’s Android. Schrems argues that the companies are using a strategy of “forced consent” to continue processing the individuals’ personal data — when in fact the law requires that users be given a free choice unless a consent is strictly necessary for provision of the service. (And, well, Facebook claims its core product is social networking — rather than farming people’s personal data

Family claims their Echo sent a private conversation to a random contact

A Portland family tells KIRO news that their Echo recorded and then sent a private conversation to someone on its list of contacts without telling them. Amazon called it an “extremely rare occurrence.” Portlander Danielle said that she got a call from one of her husband’s employees one day telling her to “unplug your Alexa devices right now,” and suggesting she’d been hacked. He said that he had received recordings of the couple talking about hardwood floors, which Danielle confirmed. Amazon, when she eventually got hold of the company, had an engineer check the logs, and he apparently discovered what they said was true. In a statement, Amazon said “We investigated what happened and determined this was an extremely rare occurrence. We are taking steps to avoid this from happening in the future.”

What could have happened? It


PornHub has its own VPN now

PornHub is diversifying. The most popular site that no one you know will admit to frequenting is launching its very own VPN service today, called, get this: VPNHub. The app, which is available on Android, iOS, MacOS and Windows, is primarily designed to offer “free and unlimited bandwidth,” according to its creators.

It’s an attempt to circumvent ISP throttling, a potential boon for those who frequently visit sites with a lot of video. Sites like, well, PornHub. “With 90 million visitors a day, the vast majority of whom are using devices on the go, it’s especially important that we continue to ensure the privacy of our users,” VP Corey Price said in a statement.

The app is free on the aforementioned mobile platforms, but there’s a premium for desktop users. Another higher tier will drop ads, offer faster connection speeds and provide logins in additional countries, according to the company. That


Facebook is asking users worldwide to review their privacy settings

Starting this week, Facebook will begin asking users worldwide to review their privacy settings with a prompt that appears within the Facebook app. The experience will ask you to review how Facebook uses your personal data across a range of products, from ad targeting to facial recognition. This request to review Facebook’s updated terms and your settings follows a similar experience rolled out to users in the European Union as a result of the new user data privacy regulation, GDPR. However, EU users have to agree to the new terms of service in order to continue using Facebook, Recode points out, after asking Facebook how the worldwide experience differs from the one being shown in Europe. Elsewhere in the world, users who dismiss the prompt twice will be automatically opted in. But before you close that window too quickly, you may want to take a look at what Facebook is asking.

Instapaper on pause in Europe to fix GDPR compliance “issue”

Remember Instapaper? The Pinterest-owned, read-it-later bookmarking service is taking a break in Europe — apparently while it works on achieving compliance with the region’s updated privacy framework, GDPR, which will start being applied from tomorrow. Instapaper’s notification does not say how long the self-imposed outage will last.

The European Union’s General Data Protection Regulation updates the bloc’s privacy framework, most notably by bringing in supersized fines for data violations, which in the most serious cases can scale up to 4% of a company’s global annual turnover. So it significantly ramps up the risk of, for example, having sloppy security, or consent flows that aren’t clear and specific enough (if indeed consent is the legal basis you’re relying on for processing people’s personal information). That said, EU regulators are clearly going to tread softly on


50 tech CEOs come to Paris to talk about tech for good

Ahead of VivaTech, 50 tech CEOs came to Paris to have lunch with French President Emmanuel Macron. Then, they all worked together on “tech for good”. The event was all about leveraging tech around three topics — education, labor and diversity. At the end of the day, French Prime Minister Édouard Philippe invited everyone for a speech in Matignon. It wasn’t a groundbreaking speech as Macron is also speaking at VivaTech tomorrow morning. “We’re trying to pivot France,” Philippe said.
“With great power comes great responsibility.” (Édouard Philippe)
Maurice Lévy, the former CEO of Publicis, one of the two companies behind VivaTech with Les Échos, first introduced the event, as well as Eric Hazan from McKinsey. McKinsey worked on the data that was used to start those discussions. So let’s see what they talked about. “As McKinsey showed, there's no question that technology overall is a net creator of

FBI reportedly overestimated inaccessible encrypted phones by thousands

The FBI seems to have been caught fibbing again on the topic of encrypted phones. FBI director Christopher Wray estimated in December that it had almost 7,800 phones from 2017 alone that investigators were unable to access. The real number is likely less than a quarter of that, The Washington Post reports. Internal records cited by sources put the actual number of encrypted phones at perhaps 1,200 but perhaps as many as 2,000, and the FBI told the paper in a statement that “initial assessment is that programming errors resulted in significant over-counting of mobile devices reported.” Supposedly having three databases tracking the phones led to devices being counted multiple times. Such a mistake would be so elementary that it’s hard to conceive of how it would be possible. These aren’t court notes, memos or unimportant random pieces of evidence, they’re physical devices with serial numbers and names attached.

Zuckerberg didn’t make any friends in Europe today

Speaking in front of EU lawmakers today, Facebook’s founder Mark Zuckerberg namechecked the GDPR’s core principles of “control, transparency and accountability” — claiming his company will deliver on all that, come Friday, when a new European Union data protection framework, GDPR, starts being applied, finally with penalties worth the enforcement. However, there was little transparency or accountability on show during the session, given the upfront questions format which saw Zuckerberg cherry-picking a few comfy themes to riff on after silently absorbing an hour of MEPs’ highly specific questions with barely a facial twitch in response. The questions MEPs asked of Zuckerberg were wide ranging and often drilled deep into key pressure points around the ethics of Facebook’s business — ranging from how deep the app data misuse privacy scandal rabbit hole goes; to whether the company is a monopoly that needs breaking up; to how users should be compensated

Amazon facial recognition software raises privacy concerns with the ACLU

Amazon hasn’t exactly kept Rekognition under wraps. In late 2016, the software giant talked up its facial detection software in a relatively benign AWS post announcing that the tech was already being implemented by The Washington County Sheriff’s Office in Oregon for suspect identification.

The ACLU of Northern California is shining more light on the tech this week, however, after announcing that it had obtained documents shedding more light on the service it believes “raises profound civil liberties and civil rights concerns.”

The documents in question highlight Washington County’s database of 300,000 mug shot photos and a mobile app designed specifically for deputies to cross-reference faces. They also note that Amazon has solicited the county to reach out to other potential customers for the service, including a company that makes body cameras.

“People should be free to walk down the street without being watched by the government,” ACLU


The birth of the Universal Digital Profile

It is a well-known fact that Europeans are generally more concerned about privacy than people in some other countries. Indeed, we’ve had a history of major privacy breaches that had such catastrophic consequences that it is now part of our culture that personal data should be treated as highly sensitive — something the U.S. is now catching up to in the wake of the Facebook/Cambridge Analytica scandal. The culmination of this is the new EU-wide privacy regulation, the GDPR, which will come into effect on May 25, 2018, and was a hot topic during the recent Zuckerberg testimony.

One key article is the right to personal data portability. In a nutshell, it states that users of a service can request their personal data to be transferred to another provider, without hindrance (read: in the format the other provider requests). This means that if you are no longer happy using


Comcast is leaking the names and passwords of customers’ wireless routers

Comcast has just been caught in a major security snafu: revealing the passwords of its customers’ Xfinity-provided wireless routers in plaintext on the web. Anyone with a subscriber’s account number and street address number will be served up the Wi-Fi name and password via the company’s Xfinity internet activation service. Security researchers Karan Saini and Ryan Stevenson reported the issue to ZDNet. The site is meant to help people setting up their internet for the first time: ideally, you put in your data, and Comcast sends back the router credentials while activating the service. The problem is threefold:
  1. You can “activate” an account that’s already active
  2. The data required to do so is minimal and it is not verified via text or email
  3. The wireless name and password are sent on the web in plaintext
This means that anyone with your account number and street address number (e.g. the

Where to watch Zuckerberg’s meeting with EU MEPs on Tuesday

The Facebook founder Mark Zuckerberg’s meeting with elected representatives of the European Union’s ~500 million citizens will be livestreamed after all, it was confirmed today. MEPs had been angered by the original closed-door format of the meeting, which was announced by the EU parliament’s president last week. But on Friday a majority of the political groups in the parliament had pushed for it to be broadcast online. This morning president Antonio Tajani confirmed that Facebook had agreed to the 1 hour 15 minute hearing being livestreamed.

A Facebook spokesperson also sent us this short statement
