Facebook – The Enemy of Privacy

The guy who runs the place basically said privacy is an outdated concept, and yet people are surprised that if you use Facebook, you have no privacy. Facebook Under Investigation by FTC for Use of Personal Data | Time. Same goes for Twitter of course, but that is a story for another day.

The latest (though I doubt the last) privacy kerfuffle around Facebook has as much to do with the fact that the firm involved “helped elect President Trump” as anything. However, the FTC isn’t investigating that.

The U.S. Federal Trade Commission is probing whether Facebook violated terms of a 2011 consent decree following the revelations that user data had been transferred to Cambridge Analytica without their knowledge, according to a person familiar with the matter.

Under the 2011 settlement, Facebook agreed to get user consent for certain changes to privacy settings as part of a settlement of federal charges that it deceived consumers and forced them to share more personal information than they intended. That complaint arose after the company changed some user settings without notifying its customers, according to an FTC statement at the time.

Nothing will happen to Facebook. People will not stop using it. And I believe that if the firm involved had been a Democratic consultant, and not Republican, this story would not even be in the news. But hey, that’s just my opinion. (Which for the time being is still protected by the First Amendment.)

Drones Invading Privacy

You knew the idiots and the bad actors would get around to this. Woman comes eye to eye with camouflaged drone peeping in her bedroom window | Stuff.co.nz

Cameras peering into windows. Drones hovering over backyard BBQs and kids playing in the driveway.

One, whose privacy was invaded from the air, fired at a drone with a shotgun and another threatened to shoot one from the sky. Earlier this year a Motueka man said a peaceful stroll turned “really creepy” after a mysterious drone followed his family along the beach.

This doesn’t even cover the “fleets of drones” that police departments are getting.

Smart TVs Not So Smart

Don’t worry, I’m sure the people building self-driving cars are doing a much better job. Maybe. Probably. Perhaps. Investigation finds major security flaws with smart TVs

Consumer Reports has found millions of smart TVs from major manufacturers can be controlled by hackers exploiting easy-to-find security vulnerabilities.

This focuses on hackers controlling your TV, but experience has shown that if they can get in, they won’t wreak havoc so much as steal things.

Why you want a camera and a microphone in your living room/family room/wherever you have a TV is beyond me. Especially when we KNOW that the vendors of smart devices couldn’t care less about security. Hat tip: I, For One, Welcome Our New Self-Driving Overlords.

Dark Overlord Hacking Group Turns Attention to Schools

Because, as mentioned, schools love to put sensitive data online, but can’t be bothered to secure it properly. Dark Overlord hacks schools across U.S., texts threats against kids

The hacking group responsible is the Dark Overlord, the group that leaked new Orange Is the New Black episodes because Netflix didn’t pay a ransom. The same group tried to sell millions of pilfered healthcare records and was responsible for other attacks such as on Gorilla Glue and an Indiana cancer service agency. Now, it is targeting schools and scaring the snot out of parents by sending personalized text messages threatening their kids.

Iowa, Montana, Texas, and Alabama have had schools that were targeted.

Why target schools? In part, it is because they have crappy security.

Schools had better get on it and batten down the security hatches because there is no excuse for their lax security.

If you don’t have the money for security, you shouldn’t be putting students’ data on the web. Probably shouldn’t do it in any case, but there you have it.

What A Surprise – Local .gov Not Ready for Cyber Attacks

Color me shocked. Johnston cyber attack ‘very disturbing,’ Iowa cyber security officials say

The net of the story is that local governments – in particular schools – have a ton of sensitive information on websites, which may or may not be on the public internet, with little to no security in place.

The reason: Governments are doing more and more business online, yet most don’t have the staff and resources to properly safeguard the financial and personal information they collect.

“So you have the perfect storm,” Nick Bilogorskiy, Facebook’s former chief malware expert, told The Des Moines Register. “Schools have large networks with sensitive data that are expensive to defend well and very rarely do they have qualified people to do it.”

Here’s an idea: If you have sensitive data, and you are not willing (or able) to defend it, then DON’T put it on the internet. Already there? The lessons of Sony, and Equifax, and all the others are clear. Take it down.

There is no law that says sensitive data needs to be on the internet. (There should probably be a law banning it from being on the internet, but that law isn’t there either.) I know it is all cool and buzz-wordy to be on the intertubes, but that comes with a lot of responsibility. Which shouldn’t top out at paying for 2 years’ worth of identity theft protection.

It is unfortunately easy to put stuff on the web. It is expensive to do it correctly.

More on The Equifax Hack

I am still hopping mad about this, but there is more that needs to be said.

Equifax has been the focus of researchers since they admitted to the hack. One new thing has come to light which sort of highlights the casual disregard for security that the company has. Equifax used the word ‘admin’ for the login and password of a database. That’s right, the security login and password for a web server (in Argentina) used a user ID of “admin” and a password of “admin.” If there is a better indication that security was a joke at Equifax, I can’t think what it might be.

Massachusetts announced plans Wednesday to file a lawsuit, which will maintain that the company failed to adopt appropriate safeguards to protect the sensitive data. New York, Illinois, Pennsylvania and Connecticut and other states are also investigating, while nearly two dozen class-action lawsuits have already been filed.

Aside from the Argentina fiasco – they shut down the website, but are tap dancing around the issue – as I said earlier, this is an unmitigated disaster. I think it means we need to stop using the Social Security number for bank accounts, brokerage, credit scores, etc. I don’t know what we should use, but Equifax has effectively destroyed it as a unique ID.

Equifax had a responsibility to safeguard data. And they fucked up. Big time. This isn’t fixed by a year or 2 of credit monitoring. Or even a passive approach to monitoring credit. 143 million people have had their Social Security Numbers compromised. That is criminal negligence as far as I am concerned. I’m sure the courts will see it differently and the managers/executives who couldn’t be bothered to spend money on security (and then sold shares in the company before this was made public) will suffer NO effects. Well, their stock options will be worth less, but no one will go to jail, and if anyone loses their job it will be the guy who was trying to justify a bigger security budget. (Because obviously he didn’t perform miracles on a shoestring budget.)

The Equifax Hack

I’ve been trying to write something about this all day, but it has me so wound up…

This isn’t like when my credit card got stolen as part of the Target, or Home Depot or Chipotle Hacks. I had to get a new credit card. Inconvenient, but easy enough.

143 million Social Security Numbers have been compromised. This isn’t fixed with a year or 2 of credit monitoring. (Whether or not Equifax attaches a bunch of strings – as it looks like they are trying to do.) For as long as any of those 143 million people are alive, they have to live with the fact that their SSN has been stolen by some bad actors. And not just the SSN, but a lot of other info that makes using the SSN as any kind of “secure” ID a joke for banking/whatever. And even after they pass, estates will have to deal with it for some time as well.

This well and truly sucks.

The folks at Equifax (and everywhere else) who put their heads in the sand and ignored the issues of application security should be held criminally liable for negligent behavior. And financially liable for all the future headaches this will cause. But of course, they won’t be. (Whenever Congress thinks about security, they just seem to want to outlaw cryptography – and the math that is behind it.)