The FCC's Evidence-Optional Blacklist Of Huawei Is About Protectionism, Not National Security

from the evidence-schmevidence dept

Last week we noted that Best Buy was the latest to join a growing, evidence-optional blacklisting of Huawei based on ambiguous "national security" concerns. We also noted how despite a lot of hand-wringing on certain fronts for most of this decade, nobody has been able to provide evidence that Huawei actively spies on American consumers, the justification for similar blacklisting by AT&T and Verizon earlier this year (both bosom bodies with the NSA, it probably goes without saying). Few news outlets bother to mention an 18-month investigation found no evidence of wrongdoing by Huawei.

While it's certainly possible Huawei is embedding backdoors no security researcher has been able to ferret out, it's just as possible that we're engaging in good, old-fashioned vanilla protectionism dressed up as ambiguous national security concerns. As one anonymous source told the Washington Post during the last flare up of Huawei phobia, getting non-tech savvy lawmakers riled up on this subject isn't particularly difficult:

"What happens is you get competitors who are able to gin up lawmakers who are already wound up about China,” said one Hill staffer who was not authorized to speak publicly about the matter. “What they do is pull the string and see where the top spins."

There's a large contingency of folks who breathlessly profess dedication to free trade and open competition at every opportunity, yet can somehow pivot to protectionism on a dime -- despite criticizing China for doing the same thing. That apparently includes the FCC, which this week announced it would be joining the evidence-optional blacklist of Huawei by banning U.S. telcos from buying Huawei gear if they take taxpayers subsidies. From a statement by FCC boss Ajit Pai issued to the media this week:

"Threats to national security posed by certain communications equipment providers are a matter of bipartisan concern. Hidden ‘back doors’ to our networks in routers, switches—and virtually any other type of telecommunications equipment—can provide an avenue for hostile governments to inject viruses, launch denial-of-service attacks, steal data, and more. Although the FCC alone can’t safeguard the integrity of our communications supply chain, we must and will play our part in a government- and industry-wide effort to protect the security of our networks."

Again though, nobody has provided a shred of public evidence that Huawei routinely spies on American consumers. And the evidence that we do have routinely indicates that the United States is in no position to throw stones anyway. Edward Snowden documents revealed that not only did the NSA break into Huawei starting in 2007 to steal source code and implant its own backdoors, but that the agency also intercepted Cisco hardware en route for the same purpose. So again, the real message being sent here is that this kind of behavior is only acceptable if the United States does it.

In his statement, Pai declares that he's solely looking out for the welfare of the American public (you know, like he did during the net neutrality repeal), and that the agency will vote on the proposal next month:

"That’s why I’m proposing to prohibit the FCC’s $8.5 billion Universal Service Fund from being used to purchase equipment or services from any company that poses a national security threat to the integrity of communications networks or their supply chains. The money in the Universal Service Fund comes from fees paid by the American people, and I believe that the FCC has the responsibility to ensure that this money is not spent on equipment or services that pose a threat to national security. On April 17, I hope that my fellow Commissioners will join me in supporting this important proposal to help protect our national security."

But many small cable operators appear to see what this effort is really about. One Oregon cable operator told the Wall Street Journal this week that using Huawei gear saved them around $150,000 when they were trying to expand broadband into rural markets (something you'll recall Pai insists is a priority). They appear to be well aware that this effort is about protectionism and nationalism, not national security:

"“Our margins are pretty thin,” Mr. Franell said. “If you start dictating what kind of equipment I can use, it tips the scales.” He said he thinks the new legislation making the rounds in Washington is more likely driven by nationalism and protectionism than by real concerns about hacking and spying. ”I’m not going to rework my whole business plan based off a rumor or an unsubstantiated allegation,” he said.

Again, there's an ocean of ways China can (and does) spy on the United States without Huawei's help. Chinese hardware is literally everywhere, including in many of the products manufactured by U.S. companies. And given the fact that we're happily connecting security-optional internet of things devices to home and business networks like it's going out of fashion, there's ample opportunities to spy on Americans -- with Americans' oblivious enthusiasm.

U.S. networking and smartphone manufacturers are particularly afraid of losing ground to China in the race to deploy faster fifth-generation (5G) networks and handsets. But instead of competing, we're apparently going to double down on the argument that Huawei (and other Chinese network vendors) are rampant national security threats, while ignoring we routinely engage in the same or worse behavior (except with proof). It's protectionism plain and simple, but if you wave your hands hysterically and patriotically enough, nobody (including the American tech press) will apparently call you on it.

Filed Under: fcc, protectionism, security
Companies: cisco, huawei

New Open Source Standard Hopes To Cure The Internet Of Broken Things Of Some Awful Security Practices

from the come-together,-right-now dept

As we've pretty well documented, the internet of things is a security and privacy shitshow. Millions of poorly-secured internet-connected devices are now being sold annually, introducing massive new attack vectors and vulnerabilities into home and business networks nationwide. Thanks to IOT companies and evangelists that prioritize gee-whizzery and profits over privacy and security, your refrigerator can now leak your gmail credentials, your kids' Barbie doll can now be used as a surveillance tool, and your "smart" tea kettle can now open your wireless network to attack.

Security analysts like Bruce Schneier have been warning for a while that the check is about to come due for this mammoth dumpster fire, potentially resulting in human fatalities at scale -- especially if these flaws are allowed to impact integral infrastructure systems. But Schneier has also done a good job noting how nobody in the production or consumer cycle has any incentive to take responsibility for what's happening:

"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

There's no quick fix for this problem. And as Schneier notes it's going to take the cooperation of companies, governments, consumers and independent groups to craft a solution, something that was already difficult enough during decidedly more sane times.

Consumer Reports has been one of the few organizations to try and tackle this problem with plans to incorporate some open source security and privacy testing standards into its product reviews, to name and shame companies that turn a blind eye to this problem. Just about a year ago the organization noted it was working with privacy software firm Disconnect, non-profit privacy research firm Ranking Digital Rights (RDR), and nonprofit software security-testing organization Cyber Independent Testing Lab (CITL) on the new effort, which it acknowledged was early and requires public and expert assistance.

This week these groups shed a little more detail on the new effort, which it claims is the first step in reinstilling some degree of trust in the internet of very broken things. The standard is still very much under development, and the groups are looking for your help in spreading the word:

"We are focused on ensuring the Standard’s maximum impact by working across many constituencies to use and refine this tool as a metric for evaluating consumer software and hardware. Our goals are to educate companies on how they can use the Standard to improve their products, help consumer and digital rights advocates to leverage the Standard in their advocacy, and solicit feedback from the full range of stakeholders on how the Standard can be improved."

The emerging standard would incorporate 35 different security and privacy testing standards into product reviews, with a heavy emphasis on the obvious need for quality encryption, non-default usernames and passwords, transparency as to what data is collected and who it's being sold to, more easily understood terms of service, and better government mechanisms to handle consumer complaints and enforcement against bad actors.

Traditionally, IOT companies have disregarded these issues in both their business models and product design, creating Schneier's unaccountable "invisible pollution" (for example when your cheap ass Chinese security camera gets hacked minutes after being connected online, then contributes to historically massive DDOS attacks without your knowledge or consent). Convincing companies (especially when they're overseas and outside of regulatory authority) that contributing to the greater good benefits everybody in the long run hasn't been easy.

As such, the OTI tries to make the case that over the long term, respecting privacy and embracing security standards should save everybody money, noting that firms like the Ponemon Institute have estimated that the average data breach in 2017 cost "responsible" businesses $3.5 million. Not to mention the costs of downtime from massive DDOS attacks like the one that targeted Dyn last year, or the costs of having to deal with regulatory action because of the lack of common security sense we've seen applied to everything from smart TVs to in-car infortainment systems.

Still, the temptation to disregard security and privacy and just move on to marketing the next IOT product in the pipeline is a siren song that will be hard to compensate for (especially for overseas Chinese vendors), and it's going to take a massive, collective push to avoid some of the doomsday scenarios many security researchers have been warning about.

Filed Under: iot, open standards, security

Security Researcher At The Center Of Emoji-Gate Heading Home After Feds Drop Five Felony Charges

from the good-news-for-one-of-the-actual-good-guys dept

The security researcher who was at the center of an audacious and disturbing government demand to unmask several Twitter accounts on the basis of an apparently menacing smiley emoji contained in one of them is now facing zero prison time for his supposed harassment of an FBI agent. Justin Shafer, who was originally facing five felony charges, has agreed to plead guilty to a single misdemeanor charge. Shafer, who spent eight months in jail for blogging about the FBI raiding his residence repeatedly, is finally going home.

Here are the details of plea agreement [PDF] Shafer has agreed to. (h/t DissentDoe]

Mr. Shafer is pleading to a single misdemeanor of simple assault, based on his sending a Facebook direct message to an FBI Agent’s immediate relative's public Facebook account. There is no allegation of any physical contact.

The government agrees to recommend a sentence of time served. Mr. Shafer already served 8 months in jail before trial for criticizing the government's prosecution in a blog post. He was released after the defense filed a motion arguing his pre-trial detention violated First Amendment free speech rights and the statute governing pre-trial detention.

The government is not seeking for any restitution.

The United States Attorney's Office has agreed not to prosecute Mr. Shafer for the events leading to the initial armed FBI raid of his family’s home.

Mr. Shafer has agreed to a no contact order with the FBI agent, the agent’s family, and the company involved in the initial investigation.

What started out as normal security research soon became a nightmare for Shafer. His uncovering of poor security practices in the dental industry -- particularly the lack of attention paid to keeping HIPAA information secured -- led to his house being raided by FBI agents. The FBI raided his house again after he blogged about the first raid. The FBI justified its harassment of Shafer with vague theories about his connection to infamous black hat hacker TheDarkOverlord. To do this, the FBI had to gloss over -- if not outright omit -- the warnings Shafer had sent to victims of TheDarkOverlord, as well as the information on the hacker Shafer had sent to law enforcement agencies including the FBI.

Blogging about his interactions with the FBI led to the judge presiding over his criminal trial to revoke his release and jail him for exercising his First Amendment rights. This was ultimately reversed by a federal judge who agreed Shafer was allowed to call FBI agents "stupid" and blog about his treatment by the federal agency. (He was not to reveal personal info about FBI agents, however.)

This trial has come to a swift end because the presiding judge sees zero merit in the government's case.

[T]he case probably would have gone to trial had it not been for Judge Janis Graham Jack letting the prosecution know that she saw no evidence of any threat to support the felony charges and that she might rule on the defense’s motion to dismiss if the prosecution didn’t come up with some reasonable plea deal.

This case comes to an end, but it does not absolve the government of its abusive behavior. Here's what Shafer's defense team (Tor Ekeland, Fred Jennings, and Jay Cohen) had to say about their client's treatment by federal law enforcement.

Mr. Shafer first contacted us after he [was] raided by armed federal law enforcement for alleged computer crimes the government has never charged him for. When he complained to the government about it, he was arrested and thrown in jail for his criticism. He was freed after the defense filed a motion arguing his pre-trial detention violated the First Amendment. Fortunately, when presented with the facts of this case, the Court understood the magnitude of the issues here and helped us resolve this case without the hassle, expense, and stress of a jury trial. We are grateful to the Northern District of Texas for recognizing this case for what it was: an attack on internet free speech and a citizen’s right to criticize the government.

And what can we learn from this debacle? Here's what Shafer has learned: never help anybody.

I think the next time someone finds social security numbers that is considered protected health information under HIPAA they should just turn a blind eye. Nobody is going to call you a hero (except the enlightened), and you run the risk of being harassed by the FBI. Doctors responsible for alerting patients will now have yet another reason not to. Already, only about 10% of doctors notified patients that their patient information was publicly available. Law enforcement or the Office of Civil Rights won’t care, and will most likely ignore it. Punishing health information researchers for reporting these issues only puts patients at greater risk. I think it would benefit society greatly if people who find publicly accessible data were not threatened by the people who put it there.

Thank god the FBI was there to help ensure public safety no one publicly badmouthed one of its agents. Shooting the messenger is the expected response when security breaches are discovered. If it's not those leaving personal info exposed threatening researchers with lawsuits or criminal charges, it's the government itself stepping in to "protect" entities that can't even protect the data of paying customers.

Filed Under: disclosure, fbi, hacking, justin shafer, security, security research

The Future The FBI Wants: Secure Phones For Criminals, Broken Encryption For Everyone Else

from the safety's-just-another-word-for-nothing-left-to-lose dept

The old truism is in play again with the FBI's renewed CryptoWar: if X is outlawed, only criminals will have X. In this case, it's secure encryption. The FBI may not be trying to get encryption banned, but it does want it weakened. No backdoors, claims FBI director Chris Wray, just holes for the government to use at its pleasure. So, if the FBI gets it way, the only truly secure encryption will be in the hands of criminals… exactly the sort of people the FBI claims it needs weakened encryption to catch.

For years, a slew of shadowy companies have sold so-called encrypted phones, custom BlackBerry or Android devices that sometimes have the camera and microphone removed and only send secure messages through private networks. Several of those firms allegedly cater primarily for criminal organizations.

Now, the FBI has arrested the owner of one of the most established companies, Phantom Secure, as part of a complex law enforcement operation, according to court records and sources familiar with the matter.

Phantom makes phones solely for criminals, unlike Apple or Android manufacturers, who only have a certain percentage of criminals in their userbases. All of these companies may provide the protection of encryption, but only one actively targets a criminal market. Encryption protects everyone, not just criminals, but that fact is usually paved over with subtle-as-10-tons-of-asphalt comments from the FBI director while portraying the FBI as the nation's white knight and cell phone manufacturers as profit-driven sociopaths.

These companies marketing directly to criminals do more to protect data and communications than vanilla smartphones. Remote wipe capability is built in. Often, cameras and microphones are removed, along with GPS software/hardware. It's more security than most people need, but then again, most people aren't cartel members.

The thing is, the FBI director doesn't care if you're law-abiding. He wants your encryption options limited and weakened so the contents can be accessed. This makes your smartphone more susceptible to being accessed by criminals, rather than just G-men. And these criminals accessing your phone will probably have phones the FBI can't even access, even with backdoors or key escrow or easily-cracked encryption. Chris Wray claims this is all about public safety, but he's willing to make the public less safe to gain the access he wants.

While I understand the concern of the inability to access evidence, the fact remains no solution involving compromised encryption will make the public safer. And while I understand the concern, the concern itself is overstated and accompanied by smoke-and-mirrors presentations. The FBI points to stacks of locked phones, but says nothing about the many tools at its disposal: phone-cracking companies, judges, contempt charges, good old fashioned consent requests, or whether all cases involving these phones remain at a standstill. The FBI does not argue in good faith, and the access it wants can only be had by sacrificing the security and safety of law-abiding citizens.

Filed Under: doj, encryption, fbi, going dark, security

Judge Says Yahoo Still On The Hook For Multiple Claims Related To Three Billion Compromised Email Accounts

from the if-you-don't-fix-the-front,-you'll-be-paying-on-the-back-end dept

A federal judge is going to let a bunch of people keep suing Yahoo over its three-year run of continual compromise. Yahoo had hoped to get the class action suit tossed, stating that it had engaged in "unending" efforts to thwart attacks, but apparently it just wasn't good enough to prevent every single one of its three billion email accounts from falling into the hands of hackers.

In a decision on Friday night, U.S. District Judge Lucy Koh in San Jose, California rejected a bid by Verizon Communications Inc, which bought Yahoo’s Internet business last June, to dismiss many claims, including for negligence and breach of contract.

Koh dismissed some other claims. She had previously denied Yahoo’s bid to dismiss some unfair competition claims.

Yahoo was accused of being too slow to disclose three data breaches that occurred from 2013 and 2016, increasing users’ risk of identity theft and requiring them to spend money on credit freeze, monitoring and other protection services.

Three billion is a lot of potential class-mates, even though many Yahoos users had moved on to more viable/useful services long before the breach began. That being said, password reuse is common. So is the tendency to have the same user name in place across several platforms. And, needless to say, personally identifiable info stays the same, no matter what platform Yahoo's former users have strayed to.

The complaint -- amended again after news broke that Yahoo's entire user base had been compromised -- notes that Yahoo's "unending" efforts were routinely terrible, if not practically nonexistent. The suit points out multiple Yahoo hosts were compromised in 2008 and 2009. The next year, Google notified Yahoo that its systems were being used to attack Google. And in 2012, Yahoo suffered two breaches, including one stemming from a SQL injection attack that revealed the company unendingly stored passwords in plain text.

A couple of claims have been dismissed but the most damaging -- negligence -- remains. The plaintiffs so far have presented plenty of evidence that Yahoo handled users' PII extremely carelessly. From the decision [PDF]:

First, the contract entered into between the parties related to email services for Plaintiffs. Plaintiffs were required to turn over their PII to Defendants and did so with the understanding that Defendants would adequately protect Plaintiffs’ PII and inform Plaintiffs of breaches. Second, it was plainly foreseeable that Plaintiffs would suffer injury if Defendants did not adequately protect the PII. Third, the FAC asserts that hackers were able to gain access to the PII and that Defendants did not promptly notify Plaintiffs, thereby causing injury to Plaintiffs. Fourth, the injury was allegedly suffered exactly because Defendants provided inadequate security and knew that their system was insufficient. Fifth, Defendants “knew their data security was inadequate” and that “they [did not] have the tools to detect and document intrusions or exfiltration of PII.” “Defendants are morally culpable, given their repeated security breaches, wholly inadequate safeguards, and refusal to notify Plaintiffs . . . of breaches or security vulnerabilities.” Id. Sixth, and finally, Defendants’ concealment of their knowledge and failure to adequately protect Plaintiffs’ PII implicates the consumer data protection concerns expressed in California statutes, such as the CRA and CLRA.

Yahoo also has to keep fighting "deceit by concealment" allegations stemming from its delayed reporting of known security breaches.

Defendants also criticize Plaintiffs for continuing to use Yahoo Mail and taking no remedial actions after learning of Defendants’ allegedly inadequate security. However, Defendants fail to acknowledge that Defendants’ delayed disclosures are likely to have harmed Plaintiffs in the interim. Plaintiffs did not even know that they should take any remedial actions during the periods of Defendants’ delayed disclosures. Moreover, contrary to Defendants’ suggestion, the actions that Plaintiffs took after the fact do not conclusively determine what actions they would have taken if they had been alerted before the fact. The FAC provides at least one good reason why Plaintiffs may not have ceased their use of Yahoo Mail after the fact—namely, Plaintiffs have already established their “digital identities around Yahoo Mail.” Plaintiffs can consistently plead that they took minimal or no action after learning of the security defects but that they “would have taken measures to protect themselves” if they had been informed beforehand.

In total, Yahoo is still on the hook for 9 of 15 allegations related to the massive security breach. And it has no one to blame but itself if new owner Verizon ends up shelling out for damages. Yahoo's terrible security had been a problem for a half-decade before the 2013 breach. Three years later, it became clear everything Yahoo had collected on three billion email accounts was now in the hands of other people. This long line of breaches show Yahoo was very interested in increasing its user base, but much less motivated to protect their info.

Filed Under: breach, cybersecurity, email, hack, liability, negligence, security, standing
Companies: verizon, yahoo

Wireless Carriers, Hardware Companies Use Flimsy IOT Security To Justify Attacks On Right To Repair Laws

from the lobbyists-within-lobbyists dept

A few years ago, anger at John Deere's draconian tractor DRM birthed a grassroots tech movement. The company's lockdown on "unauthorized repairs" turned countless ordinary citizens into technology policy activists, after DRM and the company's EULA prohibited the lion-share of repair or modification of tractors customers thought they owned. These restrictions only worked to drive up costs for owners, who faced either paying significantly more money for "authorized" repair, or toying around with pirated firmware just to ensure the products they owned actually worked.

The John Deere fiasco resulted in the push for a new "right to repair" law in Nebraska. This push then quickly spread to multiple other states, driven in part by consumer repair monopolization efforts by other companies including Apple, Sony and Microsoft. Lobbyists for these companies quickly got to work trying to claim that by allowing consumers to repair products they own (or take them to third-party repair shops) they were endangering public safety. Apple went so far as to argue that if Nebraska passed such a law, it would become a dangerous "mecca for hackers" and other ne'er do wells.

Wary of public backlash, many of these companies refuse to speak on the record regarding their attacks on consumer rights and repair competition. But they continue to lobby intensely behind the scenes all the same. The latest example comes courtesy of the "The Security Innovation Center," a new lobbying and policy vehicle backed by hardware vendors and wireless carriers. The group issued a new "study" this week that tries to use the understandable concerns over flimsy IOT security to fuel their attacks on right to repair laws.

The study starts out innocuously enough, noting how they hired Zogby to run a poll of 1015 users on consumer privacy and security concerns in the internet of broken things era:

"Almost two-in-three American consumers said that the explosive growth of Internet-connected products makes them more concerned about their privacy and security, the survey of 1,015 Americans found. And only 1 in 3 Americans expressed confidence that people they know would not be affected if one of their devices was hacked."

Which is understandable. Especially in an era where countless IOT companies value gee whizzery over privacy or security. But it doesn't take long for the real purpose of this study to reveal itself--demonizing efforts to break the monopoly over repair:

"These concerns have placed a focus on security when getting Internet-enabled products fixed: 84 percent value the security of their data over convenience/speed of service....More than 80 percent expect repair professionals to both provide a warranty for their repairs and demonstrate that they are trained or certified to fix their specific product. Further, 75 percent value warranty protections over convenience and 70 percent feel most comfortable having their products fixed by a manufacturer or authorized repair shop. Yet, only 18 percent can determine if an electronics repair shop is protecting their security and privacy."

In other words, the not so subtle message being sent by hardware vendors and wireless carriers is this: don't allow third-party or user self repair because you'll wind up hacked, or worse. That matches the same message being sent by Verizon, Apple, Microsoft and others as they try to convince the public that being able to access less expensive third-party repair vendors (or repair your own devices yourself) will result in reduced security and privacy, dogs and cats living together and the world being ripped off its axis.

Again, the "Security Innovation Center" isn't much of a center at all. It's basically just a lobbying and policy vessel created by a New York PR firm (Vrge), backed by other, existing lobbying and policy vessels (CTIA, CompTIA, NetChoice). It's such a thin veneer, the Center's press release lists its "executive director" as Josh Zecher, the guy who founded the PR outfit running the campaign. It's basically just the Russian nesting doll equivalent of lobbying and policy, all to obfuscate Apple's, Verizon's and other companies' blatant disdain for repair competition and consumer rights.

Filed Under: anti-circumvention, drm, iot, lobbying, ownership, right to repair, security

Apple Agrees To Store Chinese iCloud Data In China, Making It Much Easier For The Chinese Gov't To Access It

from the joining-the-Big-Brothers-program dept

In a time when law enforcement officials are calling Apple "evil" and demanding access to encrypted communications, it doesn't make much sense for the company to be doing this.

When Apple Inc begins hosting Chinese users’ iCloud accounts in a new Chinese data center at the end of this month to comply with new laws there, Chinese authorities will have far easier access to text messages, email and other data stored in the cloud.

That’s because of a change to how the company handles the cryptographic keys needed to unlock an iCloud account. Until now, such keys have always been stored in the United States, meaning that any government or law enforcement authority seeking access to a Chinese iCloud account needed to go through the U.S. legal system.

Now, according to Apple, for the first time the company will store the keys for Chinese iCloud accounts in China itself. That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.

This will allow the Chinese government to quell dissent and hunt down wrong-thinkers much more efficiently. It also shows the company is willing to drastically change the way it does business in order to maintain a large foreign customer base. This move will prompt questions from Congressional reps and FBI officials about Apple's refusal to work with the US government to provide access to locked devices and encrypted communications. Thanks to its acquiescence to the Chinese government, these questions won't be so easy to answer.

This change in policy won't budge the needle much in terms of US lawful access. US authorities will now have to route requests for Chinese data through the Chinese government, but it's unlikely there's much of that going on now. Requests for domestic data and communications stored in Apple's iCloud will be handled the way they always have been. Apple's always held keys domestically for iCloud accounts, which makes the cries of "going dark" a bit melodramatic.

But it does indicate Apple is willing to change policies for governments far less freedom-friendly than ours. And if it's willing to do that, why won't it stash encryption keys for locked devices where US law enforcement can access them?

Apple's defense of this move is interesting. It claims denying the Chinese government access would have meant shutting down the service in China. According to Apple's statements, this would make Chinese users less safe than the company decrypting iCloud data on demand.

“While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful,” it said. Apple said it decided it was better to offer iCloud under the new system because discontinuing it would lead to a bad user experience and actually lead to less data privacy and security for its Chinese customers.

Presumably, data would have migrated to smaller cloud services offering even less protection to Chinese citizens. But that's hard to square with the fact that Apple's Chinese iCloud infrastructure is reliant on state-owned cloud firm Guizhou -- a company with close ties to the Chinese government.

Apple says the government won't have access to keys. It will still hold the keys, but the data's location means there won't be any prolonged battles over jurisdiction. Its "contractual arrangement" with Guizhou possibly makes Apple's decision to hold the keys inconsequential. The government may be able to approach Apple's partner and obtain direct access, bypassing the very minimal legal requirements Chinese law enforcement needs to meet before demanding user data.

Apple used to resist the Chinese government's demand for cloud data. Now it's pretty much engaged in a partnership with a state-owned business. If it's willing to do this, its resistance to US government overtures seems hypocritical at best. I don't want Apple to lower its defenses against US government intrusion, but I'd rather it took a consistent stance on these issues. Right now, it appears to be willing to submit to authoritarian governments rather than sacrifice part of its user base. It punches holes in its defenses of its actions on the domestic side and makes it easier for US law enforcement officials to sell encryption-damaging legislation to Congress and the White House.

Filed Under: china, human rights, icloud, privacy, security, surveillance
Companies: apple

Facebook 'Security': A New VPN That's Spyware And Two-Factor Authentication That Spams You

from the insecurity dept

Facebook's definition of protection isn't quite up to snuff. Last week, some Facebook users began seeing a new option in their settings simply labeled "Protect." Clicking on that link in the company's navigation bar will redirect Facebook users to the “Onavo Protect – VPN Security” app’s listing on the App Store. There, they're informed that "Onavo Protect helps keep you and your data safe when you browse and share information on the web." You're also informed that the "app helps keep your details secure when you login to websites or enter personal information such as bank accounts and credit card numbers."

What you're not told is that Facebook acquired the company back in 2013, and is now using it as little more than glorified spyware, allowing Facebook to track and monetize your travels around the internet (especially time spent wandering around competing social media platforms). That is, understandably, upsetting some people who believe that security tools should, well, actually protect you from surveillance, not open up an entirely new avenue for it:

"Facebook, however, purchased Onavo from an Israeli firm in 2013 for an entirely different reason, as described in a Wall Street Journal report last summer. The company is actually collecting and analyzing the data of Onavo users. Doing so allows Facebook to monitor the online habits of people outside their use of the Facebook app itself. For instance, this gave the company insight into Snapchat’s dwindling user base, even before the company announced a period of diminished growth last year."

Amusingly, as one Facebook team was busy pushing a VPN service that spies on you, other parts of the company have been busy pushing a new two-factor authentication system (good) that the company also thought should be co-opted for marketing purposes (not so good). Ideally, two-factor authentication should use your phone number exclusively to send you authentication codes via SMS. But Facebook apparently got the nifty idea to immediately take that number and spam customers in the hopes this would drive additional engagement at the website:

On a positive note, Facebook was quick to acknowledge that the SMS spam isn't intentional, and that it would be rolling out out a fix shortly (hopefully before too many people get disgusted by 2FA):

"It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won't receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug."

While Facebook was quick to own its 2FA problem, the company has been somewhat mute regarding the backlash to its "VPN" service offering. That effort likely began with good intentions among Facebook's security team, then got hijacked by company higher ups nervous about the fact Facebook's engagement and subscriber numbers have begun a precipitous dive. The solution to that problem is making Facebook better and more secure, not pushing security and privacy services whose real agenda is monetization and, apparently, annoyance.

Filed Under: 2fa, marketing, security, sms, spam, tracking, two factor authentication, vpn
Companies: facebook

More Than 4,000 Government Websites Infected With Covert Cryptocurrency Miner

from the whoops-a-daisy dept

The rise of cryptocurrency mining software like Coinhive has been a decidedly double-edged sword. While many websites have begun exploring cryptocurrency mining as a way to generate some additional revenue, several have run into problems if they fail to warn visitors that their CPU cycles are being co-opted in such a fashion. That has resulted in numerous websites like The Pirate Bay being forced to back away from the software after poor implementation (and zero transparency) resulted in frustrated users who say the software gobbled upwards of 85% of their available CPU processing power without their knowledge or consent.

But websites that don't inform users this mining is happening are just one part of an emerging problem. Hackers have also taken to using malware to embed the mining software into websites whose owners aren't aware that their sites have been hijacked to make somebody else an extra buck. Politifact was one of several websites that recently had to admit its website was compromised with cryptocurrency-mining malware without their knowledge. Showtime was also forced to acknowledge (barely) that websites on two different Showtime domains had been compromised and infected with Coinhive-embedded malware.

While Bloomberg this week proclaimed that governments should really get behind this whole cryptocurrency mining thing, the reality is that numerous governments already have -- just not in the way they might have intended. Security researcher Scott Helme this week discovered that more than 4,000 U.S. and UK government websites -- including the US court system website -- have been infected with cryptocurrency mining malware, a number that's sure to only balloon.

As Helme notes, attackers don't need to even attack each website individually, as they've found a way to compromise shared resources like Text Help, whose modified script files were then loaded by thousands of websites at a pop:

Fortunately this attack isn't particularly hard to neutralize, with a tiny modification to the share script being able to nip similar, future attacks in the bud. But Helme also notes that this entire kerfuffle could have been substantially worse:

Ultimately it seems like these kinds of attacks should be easy to avoid once site administrators and governments wise up to the rising threat. That said, reports by cybersecurity firm CrowdStrike have suggested things will get a little worse before they get better. Again though, the malware angle is just one conversation we need to be having. How sites can responsibly and transparently implement miners as an alternative revenue stream is going to be something we'll be talking about for a while, as Salon made evident this week as the first website to offer the option as an alternative to traditional advertising.

Filed Under: cryptocurrency, government websites, injections, javascript, miner, security, third party scripts
Companies: browsealoud, texthelp

Consumer Reports: Your 'Smart' TV Remains A Privacy & Security Dumpster Fire

from the internet-of-very-broken-things dept

By now it has been pretty well established that the security and privacy of most "internet of things" devices is decidedly half-assed. Companies are so eager to cash in on the IOT craze, nobody wants to take responsibility for their decision to forget basic security and privacy standards. As a result, we've now got millions of new attack vectors being introduced daily, including easily-hacked "smart" kettles, door locks, refrigerators, power outlets, Barbie dolls, and more. Security experts have warned the check for this dysfunction is coming due, and it could be disastrous.

Smart televisions have long been part of this conversation, where security standards and privacy have also taken a back seat to blind gee whizzery. Numerous set vendors have already been caught hoovering up private conversations or transmitting private user data unencrypted to the cloud. One study last year surmised that around 90% of smart televisions can be hacked remotely, something intelligence agencies, private contractors and other hackers are clearly eager to take full advantage of.

Consumer Reports this week released a study suggesting that things aren't really improving. The outfit, which is working to expand inclusion of privacy and security in product reviews, studied numerous streaming devices and smart TVs from numerous vendors. What they found is more of the same: companies that don't clearly disclose what consumer data is being collected and sold, aren't adequately encrypting the data they collect, and still don't seem to care that their devices are filled with security holes leaving their customers open to attack.

The company was quick to highlight Roku's many smart TVs and streaming devices, and the company's failure to address an unsecured API vulnerability that could allow an attacker access to smart televisions operating on your home network. This is one of several problems that has been bouncing around since at least 2015, notes the report:

"The problem we found involved the application programming interface, or API, the program that lets developers make their own products work with the Roku platform. “Roku devices have a totally unsecured remote control API enabled by default,” says Eason Goodale, Disconnect’s lead engineer. “This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign."

To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code. That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded."

Roku was quick to issue a blog post stating that Consumer Reports had engaged in the "mischaracterization of a feature," and told its customers not to worry about it:

"Consumer Reports issued a report saying that Roku TVs and players are vulnerable to hacking. This is a mischaracterization of a feature. It is unfortunate that the feature was reported in this way. We want to assure our customers that there is no security risk.

Roku enables third-party developers to create remote control applications that consumers can use to control their Roku products. This is achieved through the use of an open interface that Roku designed and published. There is no security risk to our customers’ accounts or the Roku platform with the use of this API. In addition, consumers can turn off this feature on their Roku player or Roku TV by going to Settings>System>Advanced System Settings>External Control>Disabled."

Roku fails to mention that doing so disables the ability for consumers to control the device with Roku's own app, taking away valuable functionality from the end user (something Consumer Reports mentions in its write up). And Roku doesn't even address the other complaints in the report, including concerns that streaming hardware and TV companies aren't making data collection and third-party sales clear, aren't clearly showcasing their privacy policies, and often don't let users opt out of such collection without losing functionality (much like the broadband ISPs and numerous services and apps these devices are connected to).

Roku's response highlights the SOP approach (somebody else's problem) inherent in the IOT. As experts like Bruce Schneier have repeatedly noted, the tech industry is caught in a cycle of security dysfunction where nobody in the chain has any real motivation to actually fix the problem:

"The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

Schneier has repeatedly warned that we need cooperative engagement between governments, companies, experts and the public to craft over-arching standards and policies. The alternative isn't just a few hacks and embarrassing PR gaffes now and again. The influx of millions of poorly secured internet-connected devices (many of which are being automatically integrated into historically-nasty botnets) is a massive dumpster fire with the potential for genuine human casualties. It's easy to downplay these kinds of reports as just "a few minor problems with a television set," but that ignores the massive scope of the problem and the chain of security and privacy apathy that has created it.

Filed Under: cybersecurity, iot, privacy, security, smart tv