Bug or Feature? Facebook Made Your Life Public in May

Privacy is such a 20th Century concept. Facebook bug switched as many as 14 million users’ privacy settings to ‘public’

Facebook Inc. had a software bug for 10 days in May that set the audience for people’s posts to “public,” even if they had intended to share those posts with only friends or an even smaller audience.

So no one noticed a bug for 10 days. Did anyone test? (Before or after the implementation?)

Actually given Facebook’s pogrom against all things conservative, I’m not sure why anyone who reads this blog regularly would still be using FB. Oh it is convenient to support the people working against your Constitutional Rights. Really? I hope you have a lot of luck with that.

You won’t find me on FB, and I’m on Twitter less and less, and have considered ditching it too. (Social media is a time-waster, and I waste enough time on this blog.)


I Wonder How Many Times Atlanta’s Info Tech Department Asked for More Funding

We don’t need to update all these PCs and Servers. Those crazy IT folks are always worried about something. Everything is working just fine. Atlanta officials reveal worsening effects of cyber attack | Reuters. Everything was working until everything stopped working of course.

What’s the “extra” cost to fix the problem? They just asked for ANOTHER 9.5 million dollars. And that may not be the end of it.

For those of you who are not paying attention to the state of cyber attacks and hacking, Atlanta got hit with the SamSam ransomware attack in March of this year. (Wired had a pretty good article on the attack in case you want to refresh your memory.)

The City of Atlanta has still not put all of the pieces back together.

Departments citywide, including municipal courts, told the council on Wednesday about their struggles to regain workplace normalcy since the attack. Interim City Attorney Nina Hickson said her office lost 71 of 77 computers as well as a decade of legal documents.

What’s the cost of that? No backups for “decades of legal documents?” I want to assume that they have paper copies of everything, but it is really hard to search through paper copies of documents.

The question of the day is, “How long has the city’s IT department been wanting to fix any of this?” SamSam isn’t as easy to avoid as WannaCry, but it is a known attack. Have they been asking for resources to head off stuff like this, and been turned down, or have they just given up? You would think that the 2nd might be true, but I’ve worked with some pretty ground down IT organizations that still tried to do the best with the resources they were given. (Of course I was usually replacing the system they’d been struggling to maintain for the past 5 years.) The other question is how many IT organizations are still asking, and still getting turned down, because the executive suite doesn’t want to spend the money to fix things that aren’t broken.

What’s the Opposite of Privacy? Facebook

In violation of a consent decree. Does this mean that Zuckerberg lied to Congress? Facebook Gave Device Makers Deep Access to Data on Users and Friends – The New York Times

Facebook formed a bunch of partnerships with companies like Apple/Blackberry/Samsung/et al. that let them access data on users’ friends without explicit consent. That is apparently in violation of an F.T.C. consent decree from 2011. Those agreements are still in place.

Because as far as the Facebook is concerned, privacy is not something that you get to have.

“It’s like having door locks installed, only to find out that the locksmith also gave keys to all of his friends so they can come in and rifle through your stuff without having to ask you for permission,” said Ashkan Soltani, a research and privacy consultant who formerly served as the F.T.C.’s chief technologist.

And people wonder why I don’t use Facebook.

90,000 Canadians Had Info Hacked Because of Lax Practices at 2 Banks

Hackers wanted a million bucks by yesterday. Not clear what happens now. Hackers threaten to reveal personal data of 90,000 Canadians caught in bank hack | CBC News

The hackers claim they were able to gain partial access to accounts by using a common mathematical algorithm designed to quickly validate relatively short numeric sequences such as credit card numbers and social insurance numbers.

The hackers say they used the algorithm to get account numbers, which allowed them to pose as authentic account holders who had simply forgotten their password. They say that was apparently enough to allow them to reset the backup security questions and answers, giving them access to the account.

“They were giving too much permission to half-authenticated account which enabled us to grab all these information,” the email said, adding that the bank “was not checking if a password was valid until the security question were input correctly.”

Customer service wanted to be helpful. Guess what? They weren’t helpful to the right people.

Corporations (and individuals) need to start taking cyber security seriously, and that means that some things will be harder to do. The alternative is not pretty.
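
The failure in the quoted report is an authorization one: a session that had only presented a well-formed account number was allowed to change recovery settings. The sketch below is an added example, not code from the banks or from this blog, showing a recovery flow that denies that by default. It assumes the "common mathematical algorithm" is the Luhn checksum; the `Session` class, the action names and the sample number are hypothetical.

```python
from enum import IntEnum

def luhn_valid(number: str) -> bool:
    """Luhn checksum: catches typos, proves nothing about ownership."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class Level(IntEnum):
    ANONYMOUS = 0
    IDENTIFIED = 1      # presented a well-formed account number only
    AUTHENTICATED = 2   # also passed password verification

# Minimum level each action requires (hypothetical action names).
REQUIRED = {
    "start_password_reset": Level.IDENTIFIED,
    "view_profile": Level.AUTHENTICATED,
    "change_security_questions": Level.AUTHENTICATED,
}

class Session:
    def __init__(self) -> None:
        self.level = Level.ANONYMOUS

    def present_account_number(self, number: str) -> None:
        # A passing checksum identifies an account; it authenticates no one.
        if number.isdigit() and luhn_valid(number):
            self.level = max(self.level, Level.IDENTIFIED)

    def present_password(self, verified: bool) -> None:
        # 'verified' stands in for the result of a real password check.
        if verified and self.level >= Level.IDENTIFIED:
            self.level = Level.AUTHENTICATED

    def allowed(self, action: str) -> bool:
        # Deny by default: unlisted actions need full authentication.
        return self.level >= REQUIRED.get(action, Level.AUTHENTICATED)

def checksum_pass_rate(prefix: str) -> float:
    """Fraction of final digits that make prefix + digit Luhn-valid."""
    return sum(luhn_valid(prefix + str(d)) for d in range(10)) / 10

SAMPLE = "79927398713"  # constructed test value, not a real account number
```

One in ten candidate final digits passes the checksum for any prefix, which is why a checksum-valid number must never raise a session above "identified".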

Your Tax Dollars At Work: Emergency Alert/Zombie Apocalypse Edition

First there was Hawaii’s famed false Missile Attack Alert. (Still a classic!)

There was also the Tsunami Alert issued to Palm Beach, Florida. ‘Test’ tsunami warning startles Palm Beach County. That didn’t get as much press coverage as Hawaii.

Did you get a tsunami warning for Palm Beach County on Tuesday morning? Did you spit up your double latte?

The county is pointing fingers at the National Weather Service. Apparently a “test” alert went out, that had “test” in the title, but NOT in the coding – that bit that computers would use to make decisions. So a local .gov screw up or a federal .gov screw up? Still the .gov, either way. (“I’m from the government and I’m here to help”) Even Accuweather sent out a copy of the alert.

The downside is of course that in the event of a real tsunami, the residents of Palm Beach County will now say, “Oh, it’s just another false alarm,” and ignore the chance to get out of the way.

But my favorite is probably this story from Lake Worth, Florida that came out this week. Watch: ‘Extreme zombie activity’ alert in Florida city was apparent prank. (Apparent? You mean there was no real Zombie Apocalypse? I’m so disappointed.)

The alert, sent out by the city of Lake Worth early Sunday, warned of a “power outage and zombie alert for residents of Lake Worth and Terminus,” referencing a city from AMC’s The Walking Dead.

Heh!

Apparently the power outage was real enough. So chalk this up to another municipal .gov that can’t be bothered to spend money and resources protecting their computer infrastructure from hackers. So is this “Peak Florida?” (Hat tip to Ace of Spades.)

The Cops Can Track You in Real Time

Through your smartphone of course. (Actually via any cellphone – doesn’t have to be smart.) The Silicon Graybeard: How a “location API” allows cops to figure out where we all are in real-time

The recommendation of Graybeard is to NOT go to the site and run the test. Doing so means you give up ALL future privacy rights.

In one place it says, “You agree to provide LocationSmart with true, accurate, current, and complete information about yourself (the “User Information”) if requested, and maintain and update such information to keep it true, accurate, current, and complete at all times.” I added that bold format. That sounds like they’re going to keep anything I tell them.

Of course they are, because they don’t like being hemmed in by the 4th Amendment. Which is probably one of the reasons it is basically dead.

As they say, go read the whole thing.

Alexa, Siri and Google Assistant Are Bigger Security Risks Than I Care to Contemplate

What could possibly be wrong about an electronic device that takes commands via the spoken word? Alexa and Siri Can Hear This Hidden Command. You Can’t. – The New York Times

Well, those spoken commands can be hidden in music and video, etc.

Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear to Apple’s Siri, Amazon’s Alexa and Google’s Assistant. Inside university labs, the researchers have been able to secretly activate the artificial intelligence systems on smartphones and smart speakers, making them dial phone numbers or open websites. In the wrong hands, the technology could be used to unlock doors, wire money or buy stuff online — simply with music playing over the radio.

More evidence that manufacturers treating security as anything but an afterthought is a long way off.