Category Archives: Safety

Amazon Sells Face Recognition Tech To Cops

Amazon is selling facial recognition technology that it has developed – called Rekognition – to law enforcement agencies and maybe others – Amazon won’t say.

While there is nothing illegal about this and if Amazon doesn’t do it, others likely would, it certainly raises privacy concerns.

Two police departments that are known to have purchased the software are using it in different ways.

The Washington County, Oregon Sheriff is using it to match suspects to people in their database.  They use it, they say, about 20 times a day.  It cost the department $400 to upload 305,000 mugshots and it costs them $6 a month to use the service.  These numbers have to be very attractive to law enforcement.

The Orlando, FL police department, however, is using it very differently. Orlando has a series of surveillance cameras throughout the city to watch people who are out in public. They call them public safety cameras since that likely sounds better than the 1984-esque alternative. Using these cameras and Amazon’s facial recognition system, the city can look at the images to find “persons of interest”. Of course, most of us won’t complain if the city we live in is safer, but it also means that your every move in Orlando (and maybe other cities, we do not know) could be monitored and potentially recorded.

Some people say that if you are not doing anything wrong you shouldn’t object to being surveilled.

As we recently discovered, all of the major cell phone companies sell your location data to anyone whose check will clear. Is there any reason that cash-strapped cities won’t do the same? Maybe with the pictures showing what you were doing and with whom? Don’t know. There are no clear universal laws covering this other than you do not have an expectation of privacy when you are outside.

So, what can or should you do?

Unfortunately, in this case, there is not a lot that you can do.

Be aware, for one, that your actions are not private, may be recorded, and you may be identified and your actions cataloged.  This is somewhat like what automated license plate readers do in some cities, only a little more intrusive.

Write to your politicians if you think that there should be limits on the surveillance that your government should be doing, absent probable cause.  It may or may not make a difference, but certainly if people do not complain, the politicians will assume you don’t care.

Finally, let your friends know what is happening.  An informed citizenry is critical to a democracy.

So stay tuned.  I suspect that Jeff Bezos won’t change his mind and stop selling this technology because even if he does, someone else will likely step in to replace him (maybe Facebook).  This story will take a while to play out.

Information for this post came from The LA Times.


NBC Reports Seven States Election Data Hacked

NBC is reporting that the Intelligence Community developed substantial evidence that Russian-financed attackers compromised the voter registration systems or web sites of seven states to different degrees.

Up until this time DHS has been completely mum about this, saying absolutely nothing.

But now NBC is reporting that the seven states are Alaska, Arizona, California, Florida, Illinois, Texas and Wisconsin.

The officials say that the systems were compromised in different ways and to different degrees.

Those state and federal officials that spoke to NBC claimed that no votes were changed and no voters taken off the voter rolls. They did not, however, provide any evidence to support those claims, so I guess we should trust them.  After all, why would they lie?

After NBC broadcast the story, the Homeland Security acting spin doctor Tyler Houlton said the reporting is not accurate and is actively undermining efforts of the Department of Homeland Security to work in close partnership with state and local governments to protect the nation’s election systems from foreign actors. He did not say what about it was inaccurate. Did he mean that there were only 6 states? Or that there were 9 states? We don’t know.

He also said, via Twitter, that DHS has no intelligence that corroborates NBC’s reporting.

Today, Michael Daniel, top cyber security official at the end of the Obama administration, basically corroborated the NBC reports.

Perhaps DHS is telling the truth.  As the states have complained for a year now, DHS is not sharing any information with them.  Maybe the intelligence community is not sharing information with DHS.  If that is the case, both NBC and DHS could be telling the truth.

Regarding the statement that reporting is undermining the efforts to keep us safe, I have a couple of thoughts.

First, it may be useful to not telegraph how much we know to the Ruskies. Up until now, the only state that we knew had been hacked was Illinois. Now they know that we know that there are at least seven states. They can compare this to the list of states that they did hack and say, maybe, “wow, we got away undetected 50% of the time”.

But from a different standpoint, don’t the American people deserve to know the extent of Russian meddling in our elections?

For those of you who are cynical, you may draw a correlation between the current administration’s repeated efforts to “believe” Putin and disbelieve our own intelligence community and an effort by DHS to withhold information on the degree of Russian hacking.

Is this related, also, to the fact that until last week (when they appointed a committee to look into it) the Justice Department was not doing anything at all to deal with the Russian hacking?

And, is this related to the comment that soon-to-retire Admiral Mike Rogers, head of the NSA and of Cyber Command, made before Congress that the White House has not asked them to do anything to stop Russian election hacking?

I don’t know the answer, so you are going to have to draw your own conclusions.  However, given the amount of smoke around this subject, there likely is a really, really, big fire.

Information for this post came from NBC News.

 


Two Cryptocurrency Attacks In One Week

Cryptocurrency is an interesting beast.  Unregulated by governments.  Not backed by reserves or governments.  Difficult to track IF DONE RIGHT.  Completely transparent if not done right.

For all of these reasons, it is the target of attackers of all stripes.

The first attack this week was in England.  Armed robbers broke into the home of Bitcoin trader Danny Aston and forced him at gunpoint to transfer an unknown amount of Bitcoin from his account to an account under the control of the burglars.

The attack is kind of old school.  Hold someone up at gunpoint and make them turn over their money.

But a couple of things are different. First, unlike money, you can’t deposit it in a bank where there are government assurances of protection. Also, it is highly unlikely that you can obtain insurance to protect yourself in this case, although it is possible that traditional burglary insurance might cover it. Typical burglary insurance, however, has very small limits of reimbursement, like a thousand dollars of cash or maybe a few thousand.

On the other hand, I am not quite sure how the burglars are going to convert the bitcoin into cash. The blockchain is very transparent – every transaction is visible to anyone who wants to see it. In this case, since we know or could know the wallet ID of Danny Aston, we could follow the bitcoin no matter how many twists and turns it makes. But, there is a problem – of course. While we know Danny’s wallet ID, if it went from there to wallet A, then B, then C and D and so on, there may not be a way to identify those other wallets. Especially if the wallet is not associated with a Bitcoin exchange (it doesn’t have to be) or is associated with an exchange in a country not friendly to us. In any case, the bread crumbs will live on forever, so those robbers need to not make any mistakes. Ever.

Now onto the second incident.

Hackers stole more than $500 million in a cryptocurrency called NEM.  The NEM coins were stolen from a cryptocurrency exchange called Coincheck.  Apparently, the wallet from which the money was stolen was a “hot” wallet, meaning that it was connected to the Internet.  I don’t know about you, but I wouldn’t leave a half billion dollars exposed to the Internet.

There has been no explanation of how the attack was carried out.

The good news is that Coincheck says that they are going to reimburse depositors some percentage of their money, but have not explained how, when or where they are getting the half billion or so dollars to do that.  Likely depositors will NOT get reimbursed for 100% of their losses.

And so, the attacks continue and are not likely to stop any time soon.

And equally likely, people will continue to lose their money.

None of the attacks that I have seen attempt to compromise the cryptography. Instead they either find software bugs or just do an old-fashioned stick-em-up (although that was the first time a Bitcoin stickup was ever reported in England).

Even if Coincheck does come up with the half billion dollars to reimburse the depositors, someone is going to be out the money.   After all, unlike the government, Coincheck can’t just print more money.

Information for this post came from the Telegraph and CNBC.


Ohio Man Indicted For Spying on People for 13 Years

NOTE: THE CONTENTS OF THIS POST MAY NOT BE SUITABLE FOR YOUNGER READERS.

A 28-year-old Ohio man has been indicted for creating and installing malware on hundreds of Apple Mac and Microsoft Windows computers.

The man, Phillip Durachinsky, used the software to spy on people.  This includes recording what the camera and microphone pick up in the same room as the computer.

In addition to capturing audio and video, the software that he created also stole passwords and used them to access third party sites. He also used the software to steal tax, medical and banking records and also photos and private communications.

The 16-count federal indictment includes the production of child pornography, so it doesn’t take much to figure out that if your kid had a Macbook in the bedroom and it was infected, this guy may have captured video of your kids doing whatever and, apparently, while naked – something that doesn’t seem completely unexpected in a bedroom, but which you and your kids certainly do not expect. People expect to be safe and secure in their bedroom.

The software alerted him when the user used certain search terms, such as pornography.  People who watch porn might be doing certain things while naked, hence the charge of producing child porn. Kind of boggles the mind.

As an indication of how deranged this guy is, he is alleged to have kept regular, detailed notes.

Durachinsky, who is 28 now, has been spying on people for the last 13 years, according to the feds, so he must have created this software when he was around 14 or 15.  If it weren’t so warped, the skill would be pretty impressive.

What has not been revealed yet is the total number of computers infected or the number of people affected.  It is also not clear how much video exists and if the video has been published or if he was keeping it for himself.  Given that he was charged with PRODUCING child porn and not with DISTRIBUTING child porn, you might conclude that he was not selling or giving away the video that he captured.

The researcher who found the software, called Fruitfly, discovered it on at least 400 Macs, so it looks like the software was not widespread.

A simple way to protect yourself, at least in part, is to join the ranks of Facebook founder Mark Zuckerberg and former FBI Director James Comey and cover your laptop camera with a piece of opaque tape.  Many companies make small devices that you can slide back and forth or remove that are a little more elegant than black electrical tape.

For parents, have kids close the lid on their laptops when they are not using them and, of course, do not use your laptop when you are sans clothing.

It is a sad thing that you have to worry about such things.

Information for this post came from CNN.


FBI Says Tech Industry Should Follow Financial Services in Saving Messages

FBI Director Christopher Wray suggested that the tech industry follow the model of the financial services industry. Some of the big banks have created a messaging app with delete capability, so, to keep the regulators happy, they agreed to save a copy of each message for 7 years.

Let’s apply that to the tech industry.

WhatsApp currently serves up 55 billion messages plus 4.5 billion photos plus 1 billion videos a day.

iMessage serves up 40 billion messages a day.

Let’s assume a message, with overhead, is 1,000 bytes, a photo is 3 megabytes and a video is 20 megabytes AND let’s ignore every other secure messaging platform. The math is:

(95 billion x 1 kB + 4.5 billion x 3 MB + 1 billion x 20 MB) x 365 x 7

That equals 33,595,000 billion bytes per day or

12,262,175,000 billion bytes per year or

85,835,225,000 billion bytes in 7 years.

That would be 85,000,000,000,000,000,000 characters, if I did the math right. Let’s ignore compression for the moment since videos and photos don’t compress and they are the bulk of the disk space.

Assuming a 5 TB disk drive, that would only require 17,167,045 disk drives to hold the data.

Double that if you would like just one backup copy.

That assumes zero growth during that time; as we know, growth is in the double digits per year.

That is a lot of disk drives for someone to buy. And maintain. And pay for the electricity and the people to keep them running. Roughly the size and cost of the NSA’s Utah data center, which cost about $4 billion to build, estimates say, and probably a hundred million dollars a year to run.

Scale IS a problem here.  A big problem.

Let’s say you scale that back and say that you only keep messages for a year. Now you only need two and a half million disk drives, assuming zero growth.

If we assume that people don’t keep all their messages, someone else is going to have to and that will be VERY expensive.  Even if you build a back door into phones, if people delete their messages, that back door doesn’t help you.

I’m not saying there is no answer, but there is no simple or inexpensive or privacy protecting way.

And, of course, if you force Apple to build a back door into iMessage, some dude in Pakistan will build his own app that doesn’t have a backdoor.  Now you have to police every phone on the planet for a long list of apps that changes daily.  Again, possible, but not cheap or inexpensive.

NOTE: These numbers are only for examples.  They could be off by a factor of 10 in either direction – or more.

Information for this post came from The Washington Post.

 


Researchers Find Directv Security Hole No One is Patching

Researchers tried to do this the right way with no luck so now they are seeing if bad publicity will get the job done.

AT&T Directv creates a private wireless network to transfer video, audio and the user interface between its wireless slave boxes hanging off the back of your TVs and the DVR that they talk to.

According to researchers, the bug is trivial to exploit and will go undetected.

The wireless video bridge, as it is called, is running a web server and when the researcher decided to check it out, he discovered that the web server does not require you to log in to it.  After all, all that should be talking to it is a Genie slave unit.

Worse yet, the web server does not do any kind of input validation, so if you want to send it bogus data, you can own the box as ROOT, Linux’s super admin userid.

The good news is that this wireless bridge is not connected to the Internet, but if someone was able to compromise a PC on the network, then it would be trivial to use it to compromise the Directv box.

The first attack that the researchers considered is a Mirai-botnet-like attack where a couple of thousand AT&T Directv boxes are used to attack the Internet and take down Google or Microsoft or whomever. Definitely possible.

The researchers notified AT&T 6 months ago and AT&T has gone completely dark, so they are announcing the bug. Maybe the fear of being on the front page of every newspaper in the country – after all, now millions of hackers are aware of how to break in – might get them off the dime.

From a user perspective, there are only a couple of things that you can do and #1 is to completely isolate your AT&T devices from the rest of your network.

Information for this post came from The Register.

 
