What Happens When a Software Company Ignores a Disclosed Vulnerability?

Even worse, they argued that a security backdoor was “critical for their seamless user experience.” In other words, we want it to be easy, not secure. Zoom fixes webcam flaw for Macs, but security concerns linger.

When a security researcher finds a problem, you get 90 days. They ignored the issue for 10 days before they were able to confirm it. They held the first meeting on day 72, and came up with a “solution” that didn’t fix anything. Or in other words, Epic Fail.

You can find discussions of the technology all over the place, but I’m more interested in the insanity of the corporate schmucks. (You can find one such link at the bottom of this post.)

“Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process,” Zoom CISO Richard Farley said in a blog post. “But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service.”

That statement is the key. Here’s what the CISO was really saying, when you strip out the corporate double-speak.

We didn’t see the value in fixing the problem pointed out by the security community because we don’t give a rat’s ass about our clients’ security and privacy, and this fix would tarnish our image (or something), but when it was clear it was turning into a PR disaster we decided that maybe we aren’t as smart as we think we are, and will promise to value security in the future. Cross our hearts…

So what happens when a SW company ignores the security of their customers? They get handed their hats. (Schneier on Security has details on the technology, if you want more info.)

Stupid Criminals and WiFi Auto-login

It’s good to see that the American educational system is still just like it always was. Wi-Fi Auto-Login Helped Identify Hate Crime Vandalism Suspects.

The plan was to write “Class of 2018” everywhere, but it didn’t end there. They painted racist, homophobic and antisemitic graffiti all over the place.

They knew there were security cameras, so they covered their faces.

What the suspects did not realize, however, is that their smartphones automatically connected to the school Wi-Fi once they were in the area, which, of course, would only be possible if they had an account or attended the school. Since each student has their own unique ID, their login times were recorded on the server and could be cross-referenced with the surveillance video.

To be completely surrounded by technology, to use that technology every day of your life, and to be so completely ignorant of how that technology works… I guess they figure it is like magic, they go to school and get connected to WiFi, and don’t bother to think what that means. Or when they go to their favorite coffee shop, fast food restaurant, or anywhere else that they use the free WiFi. Privacy? What’s that? Stupidity they seem to have a handle on.

Google: “Like a horror movie villain that just won’t die”

When they first got busted on this, they said, just delete the emails. Google Keeps Gmail Purchase History.

At the time, Google claimed it tracks the info so that Google Assistant can track packages or reorder items, adding that users could simply delete everything by tapping into a purchase and removing the Gmail. However, it only worked if each purchase was deleted individually, which could take hours or even days depending on a person’s purchase history.

Still, Haselton decided to delete everything in his Gmail inbox — more than a decade of information. And it didn’t work.

Even after deleting all those emails, Google still had a record of his purchases.

“Like a horror movie villain that just won’t die,” he wrote, adding that he can “still see receipts for things I bought years ago. Prescriptions, food deliveries, books I bought on Amazon, music I purchased from iTunes, a subscription to Xbox Live I bought from Microsoft — it’s all there. Google continues to show me purchases I’ve made recently, too. I can’t delete anything and I can’t turn it off.”

I still have a Gmail account connected to this blog, though I may dump it as well. But Google is mostly out of my life. It should be out of yours as well.

Your Not-so-smart Home – 2 Billion Records Exposed

Billion with a B. If you think your smart home is making you safe, you might be kidding yourself. Confirmed: 2 Billion Records Exposed In Massive Smart Home Device Breach.

Orvibo is a Chinese company that makes “smart home” hubs, and outlets, and a bunch of other things. It turns out they have an awful lot of data about their customers, and they made it all public.

The list of data included in the breach is extensive according to the vpnMentor report and includes:

  • Email addresses
  • Passwords
  • Account reset codes
  • Precise geolocation
  • IP address
  • Username
  • UserID
  • Family name
  • Family ID
  • Smart device
  • Device that accessed account
  • Scheduling information

The kinds of things that this lets bad guys do… Access your security camera. Unlock your smart lock. Lock you out of your account.

OK, this is a story about data being made public, but why are they logging all of this data? Even if they don’t make it public, this is a lot of data to entrust to a company that doesn’t seem to have your security on its radar.

Privacy Is SUCH a 20th Century Concept

An online payment system owned by PayPal has security problems? Say it ain’t so! Millions of Venmo transactions scraped in warning over privacy settings.

“There’s truly no reason to have this API open to unauthenticated requests,” he told TechCrunch. “The API only exists to provide like a scrolling feed of public transactions for the home page of the app, but if that’s your goal then you should require a token with each request to verify that the user is logged in.”

You want a Modern Tech Company™ to spend time and resources on YOUR privacy? There is no privacy. (F*c*book’s lawyer said so!)

Georgia Town Says Privacy = No Response to a Burglar Alarm

Want to get police response to your burglar alarm? Then you have to put cameras in your home and connect them to the internet. Because that never ends badly. Confusion abounds over new Sandy Springs alarm law.

Under the law, police officers will not respond to home and business burglary alarms without video, audio or in-person verification that a crime is occurring.

So basically, if you value your privacy, you are screwed in terms of having a burglar alarm in Sandy Springs.

Now I get the police position. 90 percent (or more) of burglar alarms are false alarms. And besides…

The chief told residents huddled around him Monday night that the average burglar alarm response time is 40 minutes, which he said is basically useless because a criminal is almost always gone by then.

Under those conditions, why bother with a monthly fee? Though hopefully the fire department can get there faster in the event of a smoke detector going off.

Google Hates Privacy

And so they play games with privacy settings. Google Payment Privacy Settings Hidden Behind Special URL.

This Settings page can be accessed using the navigation sidebar, or directly through the URL https://pay.google.com/payments/u/0/home#settings. From the Settings screen you can set your address, payment users, some general settings, and other information. There are, though, no privacy settings on this page when accessing it normally.

Because Google thinks they have the RIGHT to know every time you stop at Starbucks, what you had for lunch yesterday, how many drinks you paid for at happy hour, etc.

WhatsApp Is Lacking In Security

But then the people behind it don’t care about security. How Hackers Broke WhatsApp With Just a Phone Call.

A new Financial Times report alleges that the notorious Israeli spy firm NSO Group developed a WhatsApp exploit that could inject malware onto targeted phones—and steal data from them—simply by calling them. The targets didn’t need to pick up to be infected, and the calls often left no trace on the phone’s log.

Apparently the latest patch fixes some of the problem, and they are “doing infrastructure upgrades” to also address the issue. But WhatsApp is all about convenience. And convenience is in many ways the enemy of security.

“This does indeed sound like a freak incident, but at the heart of it seems to be a buffer overflow problem that is unfortunately not too uncommon these days,” says Bjoern Rupp, CEO of the German secure communication firm CryptoPhone. “Security never was WhatsApp’s primary design objective, which means WhatsApp has to rely on complex VoIP stacks that are known for having vulnerabilities.”

The bad guys are targeting high-profile dissidents and political activists. So probably nation-states.

The Apple $1 Billion Suit Over Facial Recognition Gone Wrong

The story from earlier already has a broken link. So here it is again from a different source. Teen hits Apple with $1B lawsuit over facial recognition arrest.

Ousmane Bah was arrested by New York Police Department officers on Nov. 29 after being accused of thefts at Apple Stores in Manhattan, Boston, New Jersey and Delaware, according to his lawsuit.

The lawsuit says the actual thief was caught stealing $1,200 worth of merchandise — specifically Apple Pencils — from the Boston store on May 31, 2018. The person then used a stolen ID that included Bah’s name, address and other personal details, but not his photo, according to the suit. This may actually have been a non-photo learner’s permit that Bah previously lost, the suit says. Bah is African American.

The lawsuit accuses Apple of negligence, emotional distress, defamation, slander, libel and fraudulent concealment.

Because they didn’t bother to look at the guy they arrested vs the security camera footage BEFORE they arrested him. Though that’s as much on the cops as on Apple.

Apple Defamed a Kid, He Wants His Payday

Facial recognition gone wrong. A teenager is suing Apple for $1 billion over facial recognition tech. OK that link is broken in a day. Here’s the CNET story. Teen hits Apple with $1B lawsuit over facial recognition arrest. Quotes are from the original. Not sure why that source booted the story…

An 18-year-old from New York is currently trying to take Apple for around 0.1 per cent of the company’s worth – $1 billion – for a facial recognition faux pas that has allegedly seen him charged in New York, Massachusetts, Delaware and New Jersey for thefts that were nothing to do with him.

The only way to get the tech giants to change their ways – short of antitrust action, which I don’t see happening – is to cause them real financial harm.

Facial recognition not being a reliable tool in law enforcement? We’re shocked. Absolutely shocked.