House Passes Bill To Address The Internet Of Broken Things

from the your-fridge-needs-a-better-firewall dept

Though it doesn't grab the same headline attention as the silly and pointless TikTok ban, the lack of security and privacy standards in the internet of things (IOT) is arguably a much bigger problem. TikTok is, after all, just one app, hoovering up consumer data in a way that's not particularly different from the 45,000 other international apps, services, governments, and telecoms doing much the same thing. The IOT, in contrast, involves millions of feebly secured products being attached to home and business networks every day. Many also made in China, but featuring microphones and cameras.

Thanks to a laundry list of lazy companies, everything from your Barbie doll to your tea kettle is now hackable. Worse, these devices are now being quickly incorporated into some of the largest botnets ever built, resulting in devastating and historic DDoS attacks. In short: thanks to "internet of things" companies that prioritized profits over consumer privacy and the safety of the internet, we're now facing a security and privacy dumpster fire that many experts believe will, sooner or later, result in some notably nasty results.

To that end, the House this week finally passed the Internet of Things Cybersecurity Improvement Act, which should finally bring some meaningful privacy and security standards to the internet of things (IOT). Cory Gardner, Mark Warner, and other lawmakers note the bill creates some baseline standards for security and privacy that must be consistently updated (what a novel idea), while prohibiting government agencies from using gear that doesn't pass muster. It also includes some transparency requirements mandating that any vulnerabilities in IOT hardware are disseminated among agencies and the public quickly:

"Securing the Internet of Things is a key vulnerability Congress must address. While IoT devices improve and enhance nearly every aspect of our society, economy and everyday lives, these devices must be secure in order to protect Americans’ personal data. The IoT Cybersecurity Improvement Act would ensure that taxpayers dollars are only being used to purchase IoT devices that meet basic, minimum security requirements. This would ensure that we adequately mitigate vulnerabilities these devices might create on federal networks."

Again, it's not going to get the same attention as the TikTok pearl clutching, but it's arguably more important.

The IOT is a simultaneously a successful sector while at the same time suffering from a form of market failure. I come back a lot to this Bruce Schneier blog post because I think it explains IOT dysfunction rather well:

"The market can’t fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don’t care. Their devices were cheap to buy, they still work, and they don’t know any of the victims of the attacks. The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

One problem is that consumers often don't know what they're buying because sellers aren't transparent, which is why groups like Consumer Reports have been working on an open source standard to include security and privacy issues in product reviews. Another big problem is that these devices are rarely designed with GUIs that provide transparent insight into what these devices are doing online. And unless users have a semi-sophisticated familiarity with monitoring their internet traffic via a router, they likely have no idea that their shiny new internet-connected doo-dad is putting themselves, and others, at risk.

Fixing the IOT requires collaboration between consumers, vendors, governments, and security experts, and so far that coordination has been patchy at best. Instead of developing policies and standards that address an entire sector's worth of security and privacy problems, the U.S. adores hyperventilating about individual threats (see: TikTok) then pushing policies (see: the TikTok ban) that don't actually accomplish that much. U.S. data privacy and security is a problem that requires a much wider view, instead of this bizarre, inconsistent consternation that's more ADHD Whac-a-Mole than serious policy.

Filed Under: cybersecurity, iot, privacy, security

Details Of Unconstitutional WeChat/TikTok Ban Actually Would Make Users Of Those Apps Less Secure, Not More

from the what-the-fuck-is-this? dept

This morning the Commerce Department released the details of how the WeChat and TikTok bans will work. It's possible that the ban on TikTok will get lifted if Treasury Secretary Mnuchin can convince enough people in the administration to buy into the grifty Oracle non-sale, but the WeChat ban is happening no matter what.

The details reinforce two key points:

1. This is way unconstitutional and should be offensive to any 1st Amendment/free speech supporter.
2. The excuses about national security are utter and total garbage, because this would actually make users of those apps significantly less secure.

So, great. We have some applications bans, premised on national security, that are unconstitutional piles of garbage that make people less secure, and the only possible path out is through a grifty deal, pushed deliberately to a large donor to the President, who has said multiple times he's hoping for a kickback on the deal. We're witnessing an astounding bit of corruption right here.

Here's how the "ban" will work. First up, both apps get banned from all US app stores. The following is listed as "prohibited."

Any provision of service to distribute or maintain the WeChat or TikTok mobile applications, constituent code, or application updates through an online mobile application store in the U.S.

That's basically saying: "Apple and Google can no longer put those apps in their app stores." There are 1st Amendment concerns here, in that the executive branch is telling software companies what code they can or cannot host. While the IEEPA law under which this order is being made is broad, this seems ripe for a huge 1st Amendment challenge. The President should not be able to simply ban code from app stores based on an unsubstantiated claim of "national security."

Second, not only is this all based on unsubstantiated claims of national security, the very text proves how that's bullshit. The fact that these app stores can no longer issue updates means that people who have the apps currently can continue using them, but if there's a security update (say to patch a vulnerability) users can no longer patch those apps. If the goal of this ban is to "protect national security," everything here is exactly the opposite of that. Users will still have the app, but are unable to protect themselves and can only keep using the app if they accept the obsolete and increasingly less secure version of it.

In other words: the whole "national security" claim is a total lie, because the way the ban is implemented gives Americans less security. That sure is one way to fight back against supposed Chinese surveillance through these apps. If it's even true that China is spying on people via apps, they're now in a "don't throw me in the briar patch" situation -- since the US government is forcing these apps to be less secure and to expose even more data to whoever has it.

Another part of the ban that raises significant 1st Amendment issues is that it prohbits:

Any utilization of the mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the U.S.

Translating that: it means that no US developer can use WeChat or TikTok's APIs or build software using any of their code. That's deliberately interfereing with the speech of Americans. Leaving aside the issue of whether or not banning apps that allow for communications is a 1st Amendment issue. Leaving aside the issue of whether or not banning apps at all is a 1st Amendment issue. This goes even further: it says that US-based software developers cannot write the code they want. That's a huge 1st Amendment issue.

I discussed this a few months ago but the Supreme Court has already said that code is speech in Brown v. Entertainment Merchants Association (the case about whether or not the government could regulate video games and require age warnings). And, while it's not the Supreme Court, the 2nd Circuit has been even more direct about code being speech protected by the 1st Amendment in the the Universal v. Corley case (about whether or not you could publish code that breaks DRM):

Communication does not lose constitutional protection as "speech" simply because it is expressed in the language of computer code. Mathematical formulae and musical scores are written in "code," i.e., symbolic notations not comprehensible to the uninitiated, and yet both are covered by the First Amendment. If someone [*446] chose to write a novel entirely in computer object code by using strings of 1's and 0's for each letter of each word, the resulting work would be no different for constitutional purposes than if it had been written in English. The "object code" version would be incomprehensible to readers outside the programming community (and tedious to read even for most within the community), but it would be no more incomprehensible than a work written in Sanskrit for those unversed in that language. The undisputed evidence reveals that even pure object code can be, and often is, read and understood by experienced programmers. And source code (in any of its various levels of complexity) can be read by many more. Ultimately, however, the ease with which a work is comprehended is irrelevant to the constitutional inquiry. If computer code is distinguishable from conventional speech for First Amendment purposes, it is not because it is written in an obscure language.

Later in that ruling:

Computer programs are not exempted from the category of First Amendment speech simply because their instructions require use of a computer. A recipe is no less "speech" because it calls for the use of an oven, and a musical score is no less "speech" because it specifies performance on an electric guitar. Arguably distinguishing computer programs from conventional language instructions is the fact that programs are executable on a computer. But the fact that a program has the capacity to direct the functioning of a computer does not mean that it lacks the additional capacity to convey information, and it is the conveying of information that renders instructions "speech" for purposes of the First Amendment.

Based on all of that, it is difficult to see how this broad ban can possibly stand up to 1st Amendment scrutiny on multiple levels. The banning of US developers coding using these companies APIs is a 1st Amendment violation. The ban on US companies hosting their code is a 1st Amendment violation. The ban on apps used for speech is likely a 1st Amendment violation (on par with breaking up printing presses). So, these bans appear to violate the 1st Amendment in multiple different ways.

And for what? The claim is "to protect national security." We already knew that was bogus, and all of the info anyone can get from TikTok is already widely available for purchase. But now with the details coming out, in which it would make the data of US users of these services even less secure by banning updates, we have even more evidence that the national security claims are joke.

And thus, the bans are likely unconstitutional on multiple different grounds, have no national security purpose based on multiple different problems with the deal, and don't seem to do anything other than potentially put a lucrative business deal in the pocket of a top Trump supporter. How is there anyone out there who thinks this is a reasonable thing?

Filed Under: 1st amendment, apis, bans, china, code, commerce department, donald trump, executive order, ieepa, national security, security, updates
Companies: apple, bytedance, google, oracle, tencent, tiktok, wechat

Oracle Doesn't Buy TikTok, But Gets A Lucrative Hosting Deal, And Trump & Friends Will Pretend This Means Something

from the art-of-the-grift dept

The TikTok saga, which was insanely stupid to begin with, kicked into overdrive last month when President Trump issued a blatantly unconstitutional executive order that was designed to force ByteDance to sell TikTok to an American company. We had all sorts of questions about this, but effectively ByteDance had until this week to find a buyer. While Microsoft was rumored for a while, late last night Microsoft announced that its proposal had been rejected and the only competitor left standing was... wait for it... Oracle. This led many to conclude that Oracle was buying TikTok. That is not the case. But hold on, we'll get there.

There was one other serious bidder: Walmart. Last night the company claimed it was still interested in buying TikTok, but the White House rejected that plan, because it would have made it totally obvious that the "national security" pretense for demanding the sale was obvious bullshit. Nope, the White House said: it has to be sold to a "tech" company, so that the White House can stand by its totally unsubstantiated by evidence claims that TikTok's dancing teens represented a national security threat.

So, with Walmart blocked, and Microsoft's deal not accepted, that left Oracle. But immediately the descriptions of Oracle's involvement were... weird. They very clearly did not say anything about "buying" TikTok. Instead, Oracle put out a very short press release saying that it will "serve as the trusted technology provider" to TikTok. That's not how you describe a sale.

This is a hosting deal.

Oracle will just host TikTok on its wannabe, way-behind-the-competition, cloud platform. And Trump and his cult-like supporters will pretend this actually accomplishes something. Oracle's executive suite has long been vocal Trump supporters, so this basically dumps a giant hosting contract into Oracle's lap. ByteDance will effectively still own TikTok, and Trump will pretend he's done something. For what it's worth, this is the second big Oracle cloud deal done in the last few months, with the previous one being with videoconferencing company Zoom.

As Russell Brandom over at the Verge notes, this deal "accomplished nothing." ByteDance still owns TikTok (and, according to reports, retains full control over TikTok's algorithm). As former Yahoo and Facebook Chief Security Officer Alex Stamos points out, literally none of the concerns people have raised about TikTok (most of which were bogus in the first place) are solved by an Oracle hosting deal:

As Stamos points out, accepting this deal would show that it's nothing but "pure grift," basically dumping a forced contract into Oracle's lap, a company which (again) has had an executive licking Trump's boots since day one.

And people can't even truly argue that Oracle will somehow make whatever little "private" data there is on TikTok "more secure." It's not like it was just months ago that an Oracle-owned subsidiary, BlueKai, leaked data that tracked users all over the web, exposing billions of records.

In other words, the whole thing was a joke. Like so much of this administration it was performative nonsense by Trump, who was mad that some kids made him look foolish on TikTok, combined with anti-Chinese racism, to push for a deal he had no legal right to push for, resulting in a weird scramble that doesn't accomplish what he wanted, but does shift a bunch of money to some of his vocal and wealthy supporters. The "Art of the Grift."

Filed Under: china, corruption, donald trump, grift, hosting, larry ellison, national security, security
Companies: bytedance, microsoft, oracle, tiktok

If A College Is Going To Make COVID-19 Contact Tracing Apps Mandatory, They Should At Least Be Secure

from the tracer-round dept

One of the more frustrating aspects of the ongoing COVID-19 pandemic has been the frankly haphazard manner in which too many folks are tossing around ideas for bringing it all under control without fully thinking things through. I'm as guilty of this as anyone, desperate as I am for life to return to normal. "Give me the option to get a vaccine candidate even though it's in phase 3 trials," I have found myself saying more than once, each time immediately realizing how stupid and selfish it would be to not let the scientific community do its work and do it right. Challenge trials, some people say, should be considered. There's a reason we don't do that, actually.

And contact tracing. While contact tracing can be a key part of siloing the spread of a virus as infectious as COVID-19, how we contact trace is immensely important. Like many problems we encounter these days, there is this sense that we should just throw technology at the problem. We can contract trace through our connected phones, after all. Except there are privacy concerns. We can use dedicated apps on our phones for this as well, except this is all happening so fast that it's a damn-near certainty that there are going to be mistakes made in those apps.

This is what Albion College in Michigan found out recently. Albion told students two weeks prior to on-campus classes resuming that they would be required to use Aura, a contact tracing app. The app collects a ton of real-time and personal data on students in order to pull off the tracing.

Aura, however, goes all in on real-time location-tracking instead, as TechCrunch reports. The app collects students' names, location, and COVID-19 status, then generates a QR code containing that information. The code either comes up "certified" if the data indicates a student has tested negative, or "denied" if the student has a positive test or no test data. In addition to tracking students' COVID-19 status, the app will also lock a student's ID card and revoke access to campus buildings if it detects that a student has left campus "without permission."

TechCrunch used a network analysis tool to discover that the code was not generated on a device but rather on a hidden Aura website—and that TechCrunch could then easily change the account number in the URL to generate new QR codes for other accounts and receive access to other individuals' personal data.

It gets worse. One Albion student was able to discover that the app's source code also included security keys for Albion's servers. Using those, other researchers into the app found that they could gain access to all kinds of data from the app's users, including test results and personal identifying information.

Now, Aura's developers fixed these security flaws...after the researchers brought them to light and after the school had made the use of the app mandatory. If anyone would like to place a bet that these are the only two privacy and security flaws in this app, then they must certainly not like having money very much.

To be clear, plenty of other schools are trying to figure out how to use technology to contact trace as well. And there's probably a use for technology in all of this, with an acceptable level of risk versus the benefit of bringing this awful pandemic under control.

But going off half-cocked isn't going to help. In fact, it's only going to make the public less trustful of contact tracing attempts in the future, which is the last thing we need.

Filed Under: academia, contact tracing, covid-19, mandatory, security, students
Companies: albion college, aura

Bridgefy, A Messaging App Hyped As Great For Protesters, Is A Security Mess

from the not-as-advertised dept

Over the last year Bridgefy, a messaging app developed by Twitter cofounder Biz Stone, has been heavily promoted as just perfect for those trying to stand up to oppressive, authoritarian governments. The reason: the app uses both Bluetooth and mesh network routing to let users within a couple hundred meters of one another send group and individual messages -- without their packets ever touching the internet. Originally promoted as more of a solution for those out of reach of traditional wireless, more recently the company has been playing up their product's use for protesters in Belarus, India, the U.S., Zimbabwe, and Hong Kong.

The problem: the app is a security and privacy mess, and the company has known since April, yet it's still marketing the app as great for protesters.

A new research study, first spotted by Ars Technica, found that the app suffers from numerous vulnerabilities that could actually put protesters at risk:

"Though it is advertised as “safe” and “private” and its creators claimed it was secured by end-to-end encryption, none of aforementioned use cases can be considered as taking place in adversarial environments such as situations of civil unrest where attempts to subvert the application’s security are not merely possible, but to be expected, and where such attacks can have harsh consequences for its users. Despite this, the Bridgefy developers advertise the app for such scenarios and media reports suggest the application is indeed relied upon."

More specifically, the researchers reverse engineered the app and found they could create attacks allowing them to decrypt and read direct messages, "de-anonymize" users, impersonate users, track a target's movement, subject users to man in the middle attacks making it possible to change message content, and even shut down the network:

"Moreover, we utilise compression to undermine the advertised resilience of Bridgefy: using a single message “zip bomb” we can completely disable the mesh network, since clients will forward any payload before parsing it which then causes them to hang until a reinstallation of the application. Overall, we conclude that using Bridgefy represents a significant risk to participants of protests."

Much of the problems stem from the fact that Bridgefy provides no means of cryptographic authentication, instead relying on a userID transmitted in plaintext. Users can then obtain this data while in local transit over the air, opening the door to impersonation and all manner of additional attacks.

The company was advised of the myriad of problems with its app back in April. And while it says it's taking steps to address many of them (including revamping the system internals to utilize the Signal protocol), and making it a little bit more clear to users that the app does not feature true end-to-end encryption, the company continues to advertise the idea it's a great tool for protesters. From Ars:

"But the company continues to send mixed messages. The App Store and Play Store promotions mentioned earlier give the impression Bridgefy can be trusted to keep messages private, even though it has been clear to the company since April that they can’t. Tweets that continue to refer to mass protests and welcome activists using the app are another example."

Belated responses, no responses, or hostile responses to security researchers is common in the United States, where we like to talk a lot about privacy and security protection in marketing and speeches, but not practice it. So while it's good Bridgefy acknowledged the flaws and even thanked the researchers in a statement, the company's decision to continue marketing the app as perfect for protesters is actively exposing those users to surveillance, arrest, and potentially worse.

Filed Under: encryption, mesh networking, messaging app, protests, security
Companies: bridgefy

Consumer Reports Study Shows Many 'Smart' Doorbells Are Dumb, Lack Basic Security

from the dumber-is-better dept

Like most internet of broken things products, we've noted how "smart" devices quite often aren't all that smart. More than a few times we've written about smart lock consumers getting locked out of their own homes without much recourse. Other times we've noted how the devices simply aren't that secure, with one study finding that 12 of 16 smart locks they tested could be relatively easily hacked thanks to flimsy security standards, something that's the primary feature of many internet of broken things devices.

"Smart" doorbells aren't much better. A new study by Consumer Reports studied 24 different popular smart doorbell brands, and found substantial security problems with at least five of the models. Many of these flaws exposed user account information, WiFi network information, or, even in some cases, user passwords. Consumer Reports avoids getting too specific as to avoid advertising the flaws while vendors try to fix them:

"Since the manufacturers have yet to fix all but one of the 11 vulnerabilities we discovered, we can’t fully describe the issues since we want to avoid supplying information to potential hackers. However, we can tell you which models are affected, some of the risks facing consumers, and how the manufacturers responded to our findings."

The report also found that most models of smart doorbells collect way more data than is actually needed to function (Amazon/Ring's relationship with law enforcement has been well documented by Tim Cushing). Beyond that, barely a quarter of the brands could be bothered to implement two-factor authentication, considered a fairly basic necessity to prevent your account from being compromised:

"Our tests also revealed that most video doorbells lack two-factor authentication, a widely used security feature that sends users a temporary, onetime passcode typically via text message, email, phone, or mobile app to use in addition to their password for logging into their accounts. With this feature enabled, a hacker can’t log in to your video doorbell account even if they have your password. In fact, barely a quarter of the brands we tested have two-factor authentication. The only ones that have it are Arlo, August, Google Nest, Ring, and SimpliSafe."

As some security analysts like Bruce Schneier have long noted, there's market failure here in that consumers can't be bothered to research what they buy, manufacturers can't be bothered to properly secure their gear before moving on to hype the next model, and government guidance or punishment for lax security is inconsistent at best. Most of these products are advertised as smarter alternatives to older, dumber tech. But they inadvertently advertise how, in many instances, dumb technology (like a deadbolt, traditional doorbell, or a dog) is consistently the smarter option.

Filed Under: security, smart devices, smart doorbells

VoLTE Flaw Lets A Hacker Spy On Encrypted Communications For A Measly $7,000

from the time-to-take-a-broader-view dept

As we've noted, much of the hysteria surrounding TikTok isn't based on anything close to consistent outrage. As in, many of the folks freaking out about a teen dancing app were nowhere to be found when U.S. wireless carriers were found to be selling access to your location data to any random idiot. Most of the folks pearl clutching about TikTok have opposed election security funding or even the most basic of privacy rules. The SS7 flaw that makes most wireless networks vulnerable to eavesdropping ? The lack of any security or privacy safeguards in the internet of things (IOT) space?

Which is all a long way of saying: if you're going to lose sleep over TikTok, you'll be shocked to learn there's an ocean of issues that folks are paying absolutely no attention to. Or, to put it another way, TikTok is probably the very least of a long list of problems related to keeping U.S. data secure.

The latest case in point: a report last week noted how with around $7,000 worth of gear, a marginally competent person could eavesdrop on voice over LTE (VoLTE) communications, even though these transmissions are purportedly encrypted:

"Their technique, dubbed ReVoLTE, uses a software-defined radio to pull the signal a carrier’s base station transmits to a phone of an attacker’s choosing, as long as the attacker is connected to the same cell tower (typically within a few hundred meters to few kilometers) and knows the phone number. Because of an error in the way many carriers implement VoLTE, the attack converts cryptographically scrambled data into unencrypted sound. The result is a threat to the privacy of a growing segment of cell phone users. The cost: about $7,000."

It doesn't take that much work to fix the vulnerability, but many wireless carriers are expected to lag in fix implementation:

"With more than 120 providers around the world and over 1,200 different device types supporting VoLTE, it will likely take more time for the eavesdropping weakness to be fully eradicated.

“However, we need to consider a large number of providers worldwide and their large deployments,” the researchers wrote. “It is thus crucial to raise awareness about the vulnerability."

And while the attack requires some degree of finesse and good timing, it's yet another indication that our very basic communications infrastructure isn't half as secure as we like to pretend it is. The report came on the heels of another report indicating that it didn't take much work to spy on much of our satellite communications infrastructure despite these attacks being known about for the better part of the last fifteen years. Then there's the SS7 flaw in most major wireless networks which allows for covert spying of wireless transmission and has been known about for nearly as long.

Which again is a long way of saying that if we genuinely cared about U.S. data privacy and security in the face of hostile global actors, we'd do a hell of a lot better job shoring up basic infrastructure and infrastructure security. Instead we get (waves in the general direction of the TikTok Microsoft kerfuffle) whatever all of this is supposed to accomplish.

Filed Under: calls, encryption, revolte, security, volte

Twitter About To Be Hit With A ~$250 Million Fine For Using Your Two Factor Authentication Phone Numbers/Emails For Marketing

from the good dept

There are many things that big internet companies do that the media have made out to be scandals that aren't -- but one misuse of data that I think received too little attention was how both Facebook and later Twitter were caught using the phone numbers people gave it for two factor authentication, and later used them for notification/marketing purposes.

In case you're somehow unaware, two-factor authentication is how you should protect your most important accounts. I know many people are too lazy to set it up, but please do so. It's not perfect (Twitter's recent big hack routed around 2FA protections), but it is many times better than just relying on a username and password. In the early days of 2FA, one common way to implement it was to use text messaging as the second factor. That is, when you tried to login on a new machine (or after a certain interval of time), the service would have to text you a code that you would need to enter to prove that you were you.

Over time, people realized that this method was less secure. Many hacks involved people "SIM swapping" (using social engineering to have your phone number ported over to them), and then getting the 2FA code sent to the hacker. These days, good 2FA usually involves using an authenticator app, like Google Authenticator or Twilio's Authy or even better a physical key such as the Yubikey or Google's Titan Key. However, many services and users have stuck with text messaging for 2FA because it's the least complex for users -- and the issue with any security practice is that if it's not user-friendly, no one will use it, and that doesn't do any good either.

But using phone numbers given for 2FA purposes for notifications or marketing is really bad. First of all, it undermines trust -- which is the last thing you want to do when dealing with a security mechanism. People handed over these phone numbers/emails for a very specific and delineated reason: to better protect their account. To then share that phone number or email with the marketing team is a massive violation in trust. And it serves to undermine the entire concept of two factor authentication, in that many users will become less willing to make use of 2FA, fearing how the numbers might be abused.

As we noted when Facebook received the mammoth $5 billion fine from the FTC a year ago, while the media focused almost entirely on the Cambridge Analytica situation as the reason for the fine, if you actually read the FTC's settlement documents, it was other things that really caused the FTC to move, including Facebook's use of 2FA phone numbers for marketing. We were glad that Facebook got punished for that.

And now it's Twitter's turn. Twitter has revealed that the FTC is preparing to fine the company $150 million to $250 million for this practice -- noting that it violated the terms of an earlier consent decree with the FTC in 2011, where the company promised not to mislead users about how it handled personal information. Yet, for years, Twitter used the phone numbers and emails provided for 2FA to help target ads (basically using the phone number/email as an identifier for targeting).

There's no explanation for this other than really bad handling of data at Twitter, and the company should be punished for it. There are many things I think Twitter gets unfairly blamed for, but a practice like this is both bad and dangerous, and I'm all for large fines from the FTC to convince companies to never do this kind of thing again.

Filed Under: 2fa, ftc, marketing, notifications, privacy, security, targeting, two factor authentication
Companies: twitter

Banning TikTok Will Accomplish Nothing. Fix Our Broader Security & Privacy Problems Instead.

from the adulting-is-hard dept

Earlier this month I noted how the calls to ban TikTok didn't make a whole lot of sense. For one thing, a flood of researchers have shown that TikTok isn't doing anything any different than a flood of foreign and domestic services. Secondly, the majority of the most vocal pearl clutchers over the app (Josh Hawley, etc.) haven't cared a whit about things like consumer privacy or internet security, suggesting it's more about politics than policy. The wireless industry SS7 flaw? US cellular location data scandals? The rampant lack of any privacy or security standards in the internet of things? The need for election security funding?

Most of the folks hyperventilating about TikTok haven't made so much as a peep on these other subjects. Either you actually care about consumer privacy and internet security or you don't, and a huge swath of those hyperventilating about TikTok have been utterly absent from the broader conversation. In fact, many of them have done everything in their power to scuttle any effort to have even modest privacy guidelines for the internet era, and fought every effort to improve and properly fund election security. Again, that's because, for many it's more about politics than serious, adult tech policy.

That's not to say there aren't security concerns when it comes to installing Chinese-made apps on American devices, but that same argument can be made (but somehow isn't) for an absolute ocean of foreign and domestic services, hardware, and apps. Over the weekend, Kevin Roose at the New York Times made some similar points, noting that things tend to get stupid when you fuse politics with policy and domestic financial interests with national security (especially given lobbyists adore taking advantage of the lack of transparency in the latter):

"There are also reasons to be skeptical of the motives of TikTok’s biggest critics. Many conservative politicians, including Mr. Trump, appear to care more about appearing tough on China than preventing potential harm to TikTok users. And Silicon Valley tech companies like Facebook, whose executives have warned of the dangers of a Chinese tech takeover, would surely like to see regulators kneecap one of their major competitors."

It took a while for this opinion to form out of the internet news and policy murk, but it's nice to see folks realizing that banning TikTok, but doing nothing about an absolute ocean of foreign and domestic hardware, services, and apps that pose similar threats, is kind of pointless and stupid:

"I’ll be honest: I don’t buy the argument that TikTok is an urgent threat to America’s national security. Or, to put it more precisely, I am not convinced that TikTok is inherently more threatening to Americans than any other Chinese-owned app that collects data from Americans. If TikTok is a threat, so are WeChat, Alibaba and League of Legends, the popular video game, whose maker, Riot Games, is owned by China’s Tencent.

And since banning every Chinese-owned tech company from operating in America wouldn’t be possible without erecting our own version of China’s Great Wall — a drastic step that would raise concerns about censorship and authoritarian control — we need to figure out a way for Chinese apps and American democracy to coexist."

But the piece goes a step further in smartly arguing that if you want to deter TikTok-esque privacy issues, you're better off fixing the underlying rot that has resulted in the cavalier treatment of consumer data. And using TikTok as an example of how to do security and privacy oversight correctly, you start by forcing the company to embrace open source, by finally getting off our collective, befuddled asses and passing a basic but tough US privacy law, by demanding greater transparency of TikTok (and every other company), and by ending our myopic view of security and privacy:

"I think TikTok is a bit of a red herring,” Alex Stamos, Facebook’s former chief security officer and a professor at Stanford University, told me in an interview. Ultimately, Mr. Stamos said, the question of what to do about TikTok is secondary to the question of how multinational tech giants in general should be treated.

“This is a chance to come up with a thoughtful model of how to regulate companies that operate in both the U.S. and China, no matter their ownership,” he said."

Granted that requires nuance and a holistic view of the real problem, and that's the last thing most of the folks crying about TikTok want. And they don't want that because they're not genuinely interested in consumer privacy and internet security, they're interested in putting on a little stage play for political reasons. Adult, good faith tech policy solutions that solve actual, real world problems is the very last thing on most of their minds.

Filed Under: china, privacy, security
Companies: tiktok

Latest VPN Security Scandals Show (Yet Again) That VPNs Aren't A Panacea

from the not-a-magic-bullet dept

Given the seemingly endless privacy scandals that now engulf the tech and telecom sectors on a near-daily basis, many consumers have flocked to virtual private networks (VPN) to protect and encrypt their data. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to protect data in the wake of scandals, breaches, and hacks.

Usually, consumers are flocking to VPNs under the mistaken impression that such tools are a near-mystical panacea, acting as a sort of bullet-proof shield that protects them from any potential privacy violations on the internet. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway), many VPN providers are even less ethical than privacy-scandal-plagued companies or ISPs.

The latest case in point: a number of VPN providers who claim to offer "zero logging" protection were found to have not only been tracking a laundry list of user behaviors online, but doing a piss poor job securing said data. Kicking it off, Comparitech's Bob Diachenko recently discovered 894 GB worth of of user data in an unsecured Elasticsearch cluster belonging to UFO VPN, a provider whose privacy policy informs users that they aren't tracked as they travel around the internet. That wound up being, you know, not even remotely true:

"Hong Kong-based VPN provider UFO VPN exposed a database of user logs and API access records on the web without a password or any other authentication required to access it. The exposed information includes plain text passwords and information that could be used to identify VPN users and track their online activity."

Again, "VPN" should not be automatically associated with "secure," and the majority of these companies simply aren't particularly trustworthy. Just ask vpnMentor, which discovered last week that an entirely different group of "no logging" free VPN providers had left more than a terabyte of private user data openly exposed online without a shred of protection:

"The vpnMentor research team, led by Noam Rotem, uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs.

Each of these VPNs claims that their services are “no-log” VPNs, which means that they don’t record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server. This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details."

The irony of consumers (justifiably) fearing for their security in the wake of massive privacy scandals, only to stumble into the arms of "security companies" that are even worse on security and privacy is just very 2020. For many of these fly by night operations, the VPN itself is just security theater, and in some instances you're actually probably better off with the devil you already know:

That's not to say that VPNs don't certainly have their use, but folks need to exercise some good judgement and spend a little time reading and comparing recommendations from respected outlets before putting their behavior data into the hands of total randos half a world away.

Filed Under: privacy, security, vpn