Free Speech? Not if the Left Has Anything to Say

A systematic campaign of cyberstalking was undertaken by a team of eBay executives. Now ex-eBay-executives. Former eBay Employees Sent Cockroaches, Bloody Pig Mask to Mass. Couple In Harassment Campaign.

Their crime? They DARED to criticize eBay in a newsletter.

In a news conference, U.S. Attorney Andrew Lelling said Monday the former employees sent menacing packages to the couple’s home — including a bloody pig mask — to deter them from writing critically about the San Jose, California-based company.

Lelling said eBay executives were “enraged” by the coverage of the company on the couple’s website. One allegedly said he wanted to “crush this lady,” referring to the woman in the couple that ran the site.

Because the Left is convinced that you don’t have the right to say things that they disagree with, and they have the right to do anything they want to stop you from speaking your mind.

The employees allegedly involved in the scheme were James Baugh, eBay’s former Senior Director of Safety and Security; Stephanie Popp, a senior manager of global intelligence; Stephanie Stockwell, an intelligence analyst; Veronica Zea, a contractor; Brian Gilbert, a senior manager of special operations; and David Harville, former director of global resiliency.

All have been fired by eBay.

All six are being charged with conspiracy to commit cyberstalking and conspiracy to tamper with an investigation.

“Free speech? We can’t have that! Especially if they are going to criticize US!” </sarcasm>

Internet Vigilantes Get it Wrong Again and Again

Are we surprised that people willing to burn down businesses will destroy someone’s life over an error?

First up… Internet vigilantes falsely link ex-officer to teens’ attack

Baffled by the barrage of hate last Thursday, [John] Damskey plugged his name into the internet and made a horrifying discovery: Mobs of Twitter users were falsely accusing him of being the bicyclist on a Maryland trail who accosted three young adults posting flyers protesting the death of George Floyd.

And then… What It’s Like to Get Doxed for Taking a Bike Ride.

In his mentions, disaster was rapidly unfolding. People accused him of assaulting a child. Of being a racist. They shared a selfie he’d taken in sunglasses and his bike helmet and analyzed it alongside blurry images of another man in sunglasses and a bike helmet.

In both cases they were wrong. It didn’t matter. Because they don’t care about anything or anyone, except proving how woke they are.

In the 2nd case, the nightmare started because his regular bicycle ride was shared publicly on some GPS app, because what could go wrong with a lack of privacy.

Trail shared that information publicly, not just with his network of friends and followers. Someone had located a record of his ride on the path on June 2, matched it to the location of the assault from the video, matched his profile picture — white guy, aviator-style sunglasses, helmet obscuring much of his head — to the man in the video, and shared the hunch publicly.

And the hunch was accepted as fact.

And while I know about these 2 incidents, I’m sure there are more.

Beware of Free VPNs

I know it has been said before, but it apparently needs repeating… You get what you pay for. This is especially true in the world of Virtual Private Networks. With so many people using the net to work from home or whatever, VPNs are a good idea, but not every VPN is a a good idea.

If it is free, you are paying for it in another way. 100+ VPN Logging Policies Debunked.

And it isn’t just the unknown players that you need to beware of.

For example, McAfee’s Safe Connect claims to encrypt your online activity and defend you against cybercriminals. On their homepage, they also claim to protect your privacy.

But their “privacy policy” says that they keep info about the apps you use, the websites you visit, in addition to aggregate statistics. That sounds like fairly detailed usage logs to me.

After the break find a table that details some of the VPNs and how they are not guarding your privacy.

Torrent Freak hasn’t updated its list of VPNs, so we still have last year’s list. It is good. The Good VPNs don’t change much year-to-year. Which VPN Services Keep You Anonymous

Continue reading

Third Payment Processor Has Security Breach This Year

Someday companies will take security seriously. But it won’t be in 2020. New York payments startup exposed millions of credit card numbers.

The processor is PAAY, a startup in New York left a database online with no password protection. You can click thru for the particulars.

The interesting thing is the attitude and the lies of one of the co-founders. He said they didn’t store credit card numbers.

TechCrunch reviewed a portion of the data. Each transaction contained the full plaintext credit card number, expiry date and the amount spent. The records also contained a partially masked copy of each credit card number. The data did not include cardholder names or card verification values, making it more difficult to use the credit card for fraud.

Mendlowitz disputed the findings. “We don’t store card numbers, as we have no use for them.” TechCrunch sent him a portion of the data showing card numbers in plaintext, but he did not respond to our follow-up.

So perhaps not a total nightmare, but it is still a screw-up of monumental stature. To put a database online without security and leave it there for 3 weeks, is just plain stupid. Or it shows you don’t care in the least about security. Which they don’t.

Zoom Security Is Worse Than You Thought

Because security it hard. Security and Privacy Implications of Zoom.

Zoom’s encryption is awful. First, the company claims that it offers end-to-end encryption, but it doesn’t. It only provides link encryption, which means everything is unencrypted on the company’s servers. [SNIP]

They’re also lying about the type of encryption.

So the short story is, they don’t give a rat’s ass about security.

And then there is privacy. (What’s that?) First they lied about it. Then they tried to be coy. But privacy is not high on their list of priorities.

Zoom still collects a huge amount of data about you. And note that it considers its home pages “marketing websites,” which means it’s still using third-party trackers and surveillance based advertising.

But then security and privacy are expensive, and if you give a person a chocolate bar, there is good chance they will give you access to their online banking system.

Zoom Is Sending Your Info to F*c*book

Because of course it is. Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account.

What the company and its privacy policy don’t make clear is that the iOS version of the Zoom app is sending some analytics data to Facebook, even if Zoom users don’t have a Facebook account, according to a Motherboard analysis of the app.

Actually most apps send data to F*c*book, because programmers are lazy, and the F*c*book development environment is an easy place to start.

Privacy is such a 20th Century concept. (Hat tip to Wirecutter.)

Microsoft Joins the List of Companies that Hates Privacy

They want to snoop on EVERYTHING you do online. EVERYTHING. Research Finds Microsoft Edge Has Privacy-Invading Telemetry.

When testing the Edge Browser, Leith saw that every URL that was typed into Edge would be sent back to Microsoft sites.

For example, every URL typed into the address bar is shared with Bing and other Microsoft services such as SmartScreen. This was confirmed by BleepingComputer who used Fiddler to see the JSON data being sent to Microsoft.

“Telemetry” data. Everything you do online, is a bit beyond telemetry, and more like a creepy invasion of privacy.

Google’s Blogspot blogging software, has decided that in order to comment on any post at a website, you need to have 3rd-party cookies enabled. So I keep Edge handy with that feature on in case I ever want to comment on a blogspot blog. Because I won’t enable 3rd party cookies in my usual browsers. (Which are all of them, aside from Edge.)

Ministry of Truth is Created in the UK

More like Airstrip One everyday. UK Govt. Approves Net Censorship – Free Speech Dies – Liberty Nation.

The United Kingdom has become the first Western nation to move ahead with large-scale censorship of the internet, effectively creating regulation that will limit freedom on the last frontier of digital liberty. In a move that has the nation reeling, Prime Minister Boris Johnson has unveiled rules that will punish internet companies with fines, and even imprisonment, if they fail to protect users from “harmful and illegal content.”

Couched in language that suggests this is being done to protect children from pedophiles and vulnerable people from cyberbullying, the proposals will place a massive burden on small companies. Further, they will ultimately make it impossible for those not of the pervasive politically correct ideology to produce and share content.

Western Civilization was nice while it lasted. (Hat tip)

Why Aren’t You Using Signal?

Because security is important. Signal is finally bringing its secure messaging to the masses | Ars Technica.

Or are you comfortable living in a state like the old East Germany under the Ministerium für Staatssicherheit, or the Stazi?

But Deb, they make it so hard to share emojis and security is hard, and I really want a chocolate bar, and to get one all I have to do is turn over my life to Google, or F*c*book, or Apple or the NSA, or – Oh look! a squirrel! </sarcasm>

Marlinspike has always talked about making encrypted communications easy enough for anyone to use. The difference, today, is that Signal is finally reaching that mass audience it was always been intended for—not just the privacy diehards, activists, and cybersecurity nerds that formed its core user base for years—thanks in part to a concerted effort to make the app more accessible and appealing to the mainstream.

So there really is no excuse.

Big Grocery Is Watching You

Everything. You. Do. Customer Tracking at Ralphs Grocery Store.

To comply with California’s new data privacy law, companies that collect information on consumers and users are forced to be more transparent about it. Sometimes the results are creepy.

Health. Insurance. Property. Bank Accounts. What you do online. Geolocation data – which is vague. (Where you go in the store or where you go in general?) There’s more.

And when people got creeped out, they said they may have to rethink how they worded the disclosure.

That’s the company’s solution. Don’t spy on people less, just change the wording so they don’t realize it.

More consumer protection laws will be required.

Bets on Whether the Swamp Will Restrain the NSA?

Still, it should be interesting to see the politicos explain why privacy is such an outmoded concept. Bipartisan Coalition Bill Introduced to Reform NSA Surveillance.

The reforms this bill wants to impose are quite extensive and here is a shortlist of the highlights:

  • It would permanently end the flawed phone surveillance program, which secretly scooped up Americans’ telephone records for years.

  • It would close loopholes and prohibit secret interpretation of the law, like those that led to unconstitutional warrantless surveillance programs.
  • It would prohibit warrantless collection of geolocation information by intelligence agencies.
  • It would respond to issues raised by the Inspector General’s office by ensuring independent attorneys, known as amici, have access to all documents, records and proceedings of Foreign Intelligence Surveillance Court, to provide more oversight and transparency.

It’s beginning to feel like we live in the Soviet Union, or East Germany, where the .gov can do pretty much what it wants, and it will destroy anyone who gets in the way.

The Future of Texting Is Broken

Whiskey. Tango. Foxtrot. The Future of Texting Is Far Too Easy to Hack: Rich Communication Services promises to be the new standard for texting. Thanks to sloppy implementation, it’s also a security mess..

Can we PLEASE get some secure communications. Aside from Signal that is. (Look, I love Signal. I wish I could get everyone to use it, but for some reason I can’t.) And in what is essentially 2020 there is no fucking excuse to have insecure communications. We know how to do this.

But when security researchers looked under the hood, they found the way carriers and Google have implemented the protocol creates a basket of worrisome vulnerabilities.

At the Black Hat security conference in London on Tuesday, German security consultancy SRLabs demonstrated a collection of problems in how RCS is implemented by both phone carriers and Google in modern Android phones.

For the love of all things Holy. USE Signal.

Big Amazon Is Watching You

Massive surveillance of everything is in the hands of Amazon. What could go wrong? Amazon’s Ring Home Surveillance Network Raises Big Privacy Concerns.

According to Motherboard, police officers can request homeowners’ surveillance footage through Ring. In a statement, Ring said that law enforcement requests must be tied to an active investigation, and though the owner’s consent is required, a warrant isn’t necessary.

Edward Snowden’s privacy concerns are starting to sound less and less like paranoia.

And the terms of service will change over time. You know, that legally binding statement you agreed to when you opened the package. The fine print that no one ever reads, and changes regularly anyway.

Google Has Patient Data – Wants to Squeeze More Money

What a shock. Google has access to detailed health records on tens of millions of Americans.

Google quietly partnered last year with Ascension—the country’s second-largest health system—and has since gained access to detailed medical records on tens of millions of Americans, according to a November 11 report by The Wall Street Journal.

The endeavor, code-named “Project Nightingale,” has enabled at least 150 Google employees to see patient health information, which includes diagnoses, laboratory test results, hospitalization records, and other data, according to internal documents and the newspaper’s sources. In all, the data amounts to complete medical records, WSJ notes, and contains patient names and birth dates.

So much for protections for privacy.

2019 Hacks and Other Cyber-insanity

I usually see this kind of “the year in review” stuff in December. The scariest hacks and vulnerabilities of 2019.

It’s a surprisingly long list. It includes things like hard-coded password left in a car telemetry app, that could make cars vulnerable, F*c*book storing millions of passwords in plaintext on one of their servers, personnel data from LAPD was stolen, Louisiana school districts and Texas cities were hit with ransomware, and SIM jacker could target any phone with a 2g or newer SIM card. Then there were the hacks that cost a lot, like the $95million hack that hit Demant, a Danish company.

Two months to go.

It Isn’t Just Amazon and Google Spying on You

As if that wasn’t enough. Alexa and Google Home abused to eavesdrop and phish passwords.

By now, the privacy threats posed by Amazon Alexa and Google Home are common knowledge. Workers for both companies routinely listen to audio of users—recordings of which can be kept forever—and the sounds the devices capture can be used in criminal trials.

Now, there’s a new concern: malicious apps developed by third parties and hosted by Amazon or Google.

Privacy is such a 20th Century concept.

Welcome to the Panoptican

Netflix. Roku. Smart-TVs. They are all spying on you. Facebook and Google have ad trackers on your streaming TV, studies find.

Modern TV, coming to you over the Internet instead of through cable or over the air, has a modern problem: all of your Internet-connected streaming devices are watching you back and feeding your data to advertisers. Two independent sets of researchers this week released papers that measure the extent of the surveillance your TV is conducting on you. They also sort out who exactly is benefiting from the massive amounts of consumer data that is taken with or without consumer knowledge.

They just can’t stand the idea that you have any privacy. Or that you think thoughts they don’t approve of, but that’s another story.

GPS Trackers for Kids Making Data PUBLIC

This is BEYOND stupid. Buggy GPS Trackers Expose Childrens’ Real-Time Location.

It seems that corporations haven’t learned a damn thing about security, and people are so excited about convenience they don’t seem to care that it comes at the cost of privacy and/or security.

So when you bought the GPS tracker to keep tabs on your kid, did you think it would make their every move public? Did you think you would be outfitting them with a microphone that anyone on the planet could listen to? Did you think you get a “really good” system for next to no money?

The security flaws were found in GPS location trackers manufactured by the Shenzhen i365 Tech, with over 600,000 users from countries all over the world and resold under multiple brands on various e-commerce platforms like Amazon or eBay.

The details are at the link, but in short… There is a default password for EVERY tracker, which is “123456” and user-id is the serial number. While you can define a more stupid “security model,” it would be hard to come up with one in 2019.

Back in 2017, the European Consumer Organisation (BEUC) also issued a public service announcement warning that most children’s GPS-tracking smartwatches are stuffed to the brim with various security flaws exposing their location or allowing potential attackers to take control of the devices.

Various “children’s tablets” that could be hacked and used for phishing. Trackers. Smart watches. Do you really want to bet your kid’s safety on cheap technology from a company you never heard of, sold by an “Amazon Affiliate” – which is about the equivalent of buying something from a flea market.

Bluetooth? I’ll Keep My 3.5mm Headphone Jack, Thanks

This isn’t the first exploit to hit Bluetooth, and it probably won’t be the last. New Attack exploiting serious Bluetooth weakness can intercept sensitive data.

Address book syncing between a car and phone, keystroke from a keyboard, it isn’t a particular product that is vulnerable, it is the ENTIRE Bluetooth architecture.

KNOB doesn’t require an attacker to have any previously shared secret material or to observe the pairing process of the targeted devices. The exploit is invisible to Bluetooth apps and the operating system they run on, making the attack almost impossible to detect without highly specialized equipment. KNOB also exploits a weakness in the Bluetooth standard itself. That means, in all likelihood, that the vulnerability affects just about every device that’s compliant with the specification. The researchers have simulated the attack on 14 different Bluetooth chips—including those from Broadcom, Apple, and Qualcomm—and found all of them to be vulnerable.

Architectural level problems are the hardest to fix, though several companies have implemented fixes to “mitigate” the issue.

“Why Schools?” – That’s The Wrong Question

Why aren’t schools doing anything to prepare? (And they’re not.) That would be a better question. Why School Systems? The Rise of Ransomware in Public Schools.

And if you ask the wrong question, any answer that you get won’t result in any useful insights.

Due to their wealth of data and limited budget for cybersecurity staff and training, schools have drawn the eye of hackers. Experts recommend backing up data and investing in cybersecurity training and preparedness.

My personal recommendation is that schools cut back on that “wealth of data” until such time as they have a wealth of “cybersecurity training and preparedness” in place, and deployed to protect it. And even then, they should ask if they really need to have that information online, because while ransomware has been in the news, there have been instances where all the data needed to steal identities was taken out of school systems. That’s a lifetime of having to worry about identity theft for people who are not old enough to drink. (Thanks Public Schools Idiots Everywhere who think you know how much you need to spend on security.) All because some administrator somewhere, with next to no knowledge of the risks, decided that he couldn’t be bothered to look up a kids address the 2 times during the year when he needed that information. And how often to school administrators need SSN? Really? They couldn’t get by 99.999% of the time with an in-house student ID number?

But back to the schools.

“The principal reason is that it’s a relatively easy target to aim for,” he said, explaining that school systems typically suffer from a fairly limited IT staff, older equipment and less-than-optimal cybersecurity expertise.

Then repeat after me. If that statement (limited expertise, limited staff, etc.) applies to your organization, that purge every last bit of data that is not needed, and some that is needed. And it isn’t needed just because you’ve “always collected it.” Schools do NOT need SSN. Not online they don’t. They don’t need every piece of information for stealing identities in a place where they can be stolen by the lowest-knowledge hacker on the planet. How big is your school? You can’t file a couple of 1000 pages of info. (Like home address, and SSN for the one time in 4 years when you MIGHT need it?) Stop pretending that having “everything at your fingertips” is a requirement. It isn’t.

Another instance where people asked the wrong question. What diet leads so many people in this area to live past 100? (Hint: It isn’t diet.)