Tag Archives: Right to repair

Security News for the Week Ending February 19, 2021

Parler is Back Online

After being down for a month after getting kicked off Amazon, Parler is back online. Existing accounts can log in now; new accounts can be created next week. They have a new interim CEO after the board fired the last one. It does not appear that old content was moved over to the new platform. Apple and Google have not restored Parler’s apps and there are lawsuits and Congressional investigations, so they are not completely out of the woods yet. It remains to be seen what their content moderation strategy will be. Their notice says that they don’t moderate and then proceeds to talk about all the content moderation they are doing – likely to try and stay out of jail. Credit: MSN

Even Though FBI Complains About Going Dark, they Unlock Phones

While the FBI will never be happy until we return to the 1990s when there was no encryption, apparently, according to court documents, the FBI can get into iPhones after first unlock after power up (which is 99.99% of the time) and even read Signal messages. Likely using tools like GrayKey and Cellebrite they can extract data from many encrypted phones. Credit: Hackread

Certification Labs UL Hit By Ransomware

Underwriters Labs, the safety certification organization – which also has a cybersecurity certification – has apparently been hit by a ransomware attack which caused them to shut down their IT systems. Attempts to connect to the MyUL.Com portal return a ‘can’t reach this page’ error message. They have been down for a week so far and have decided not to pay the ransom. This points to how long it takes to recover from ransomware, even for a big company. Credit: Bleeping Computer

Microsoft Says SolarWinds Hackers Stole Some Source Code

Microsoft is now admitting that the SolarWinds hackers were able to download some of their source code including parts of code for Intune, Exchange and Azure. While not complete code for anything, any code that makes it onto the dark web will make it easier for hackers to figure out how to hack Microsoft users in the future. Credit: ZDNet

John Deere Promised Right to Repair But Didn’t Quite Do That

In 2018 John Deere lobbyists successfully killed a number of state legislative bills that would have allowed farmers to repair their own tractors and heavy equipment. In exchange, Deere pinky-promised to make the software and manuals available in three years. That would be January 1 of this year. Apparently, Deere, while successful at killing the bills, has not lived up to their end of the bargain and some of the state legislators are not terribly happy. Expect at least some states to introduce new “right to repair” bills this year. What is unknown is how broad these bills will be. Will they just allow a farmer to repair his/her tractor or will they also allow iPhone users to repair their phones? Credit: Vice

News Bites for the Week Ending October 26, 2018

Poorly Secured Family of Adult Web Sites Leak Account Info

For those people who can think back to the hack of the Ashley Madison web site, this is kind of deja vu all over again.

100 megabytes of user authentication data was leaked – user names, IP addresses, passwords and email addresses.  Not THE most sensitive data, but most people who visit adult web sites do not advertise that fact.  But there is more.

One surprise is that there were OVER ONE MILLION email addresses compromised.

Along with, apparently, pictures that some people uploaded to some of the sites.  Suffice it to say those pictures are not of sunsets over the beach.

The owner of the 8 sites took the sites down almost immediately and told people to change their passwords.

One disappointing feature of the sites – the passwords, while encrypted (or technically hashed), were hashed with an algorithm that is over 40 years old and can be easily cracked.

All this does point out the dangers of posting data and pictures to the web – YOU don’t understand what their security practices are like. It also points out that web site owners need to get a security review of their web site from time to time to make sure that they are not using 40-year-old insecure algorithms. Source: Ars Technica.

Saudis “buy” Twitter Employee to Spy on Dissidents

The Saudis do not need any more bad news, but they are getting it anyway. The Times has reported that the Saudis “groomed” (maybe bribed or blackmailed) a Twitter employee to feed them dirt on Saudi dissidents. In addition, the Saudis, like the Russians, have mounted a huge disinformation campaign. Social media has a huge challenge and no easy answers. Source: The Hill.

NY Times Reports US Begins First LIMITED Cyber Ops Against Russia

In spite of the fact that President Trump says that the Russians are not hacking our elections, the United States Cyber Command is targeting Russians to stop them from interfering with the elections.  The campaign started in recent days.

The campaign comes after the Justice Department released a report last Friday outlining a Russian campaign of information warfare.

Not surprisingly, the Pentagon is not talking much about this – just like they would not talk about any spy activities or activities that would likely be considered illegal, aggressive or an act of war by the targeted countries.

Interestingly, the story says that the actions are “measured” and much less than what the Russians are doing. Why? Because they are worried that Russia might take down the US power grid or some other major cyber activity.

That is not comforting. Source: NY Times.

UK Grocer Morrisons Loses Appeal of Breach Class Action

This is the UK and not the US, but still, this is interesting.  A disgruntled employee downloaded data on 100,000 employees, leaked it to the press and posted it online.  Data leaked include salary and bank account information.

Morrisons was sued, not surprisingly, but, somewhat surprisingly, lost. Morrisons appealed the court verdict, but lost the appeal. They now plan to appeal to the UK Supreme Court.

If they lose there, it will mark a turning point in security law. The company maintains that they did nothing wrong and it was a rogue employee who leaked the data. The employee is now in jail. The court says Morrisons is responsible anyway. Stay tuned because if the courts hold that companies are responsible for the unauthorized actions of their employees, boy oh boy. Source: BBC.

Yahoo Settles One More Lawsuit for $50 Mil Plus Credit Monitoring for 200 Million

As Yahoo continues to feel the fallout from its data breaches in 2013-2014 that it failed to disclose, they agreed to another settlement covering 1 billion of the 3 billion users affected.

For this suit, they will pay $50 million, split between Verizon and Altaba (the company that controls what is left of Yahoo) and provide credit monitoring for 200 million people for 2 years. Add to that $35 million in legal fees.

This, of course, is not the end.  It is only one lawsuit of many plus fines from regulators. Stay tuned for further settlements. This really poorly planned strategy of Marissa Mayer to hide the breach may wind up costing Yahoo and Verizon a billion dollars.  Source: Seattle Pi.

Score One For the Right to Repair Movement

Every three years the Librarian of Congress gets to arbitrarily decide who is breaking the law and who is not. Really. Specifically, he or she gets to decide to whom the Digital Millennium Copyright Act (DMCA) applies, and why.

Every three years, those people who got an exemption before have to go back to the Librarian and ask, again, mother may I?

One example is that the Librarian said that you can circumvent encryption and DRM tools to jailbreak your phone.

Another exemption allows educators to use encrypted DVDs (and break that encryption) in certain educational settings.

None of this gives you the tools to actually do it, but they can’t put you in jail or fine you millions of dollars if you succeed.

The newest addition to the list of approved exemptions from DMCA is for the right to repair movement, a growing group that says that people should have the right to repair things that they bought like cars, iPhones and tractors. John Deere, for example, said that while a farmer bought the metal pieces of that million dollar combine, they do not own the software that actually makes it work when you turn it on and if you don’t let an authorized John Deere mechanic fix it, they will try to sue you into oblivion.

Now people can try to fix their cars, tractors, iPhones and other devices. It doesn’t mean that the manufacturers will help you – it just means that they can no longer sue you. Source: Motherboard.