A Weighty IT Privacy and Security Update for the week ending May 30th, 2023



Daml’ers,

This week we go from excess baggage to a face that is not our own.

fat cat
- for the podcast right click on the pic -

We have a new scheme to establish what is real in a world where more and more is artificial, by someone we expect to be very prominent in both.

There’s a new declaration about social media that is eerily similar to the one from Santa Cruz California on June 3, 1956, when city authorities announced a total ban on rock and roll at public gatherings, calling rock and roll music “Detrimental to both the health and morals of our youth and community.”

We’ve got an update on PyPI and how they’d like anything they serve up to be in much smaller pieces.

We’ve got a couple more almost unbelievable TikTok stories and the latest trendy phone that might have you going back to baggy trousers with very large pockets for your next TikTok video.

Finally, we end with a tiny story about what just might be the largest invasion of privacy ever.

Forget the electron microscope and let’s jump on the scales!


Global: Privacy? Air New Zealand To Weigh Passengers Before They Board the Airplane

New Zealand’s Civil Aviation Authority is asking that its national airline weigh passengers departing on international flights from Auckland International Airport through July 2, 2023.

The program, which Air New Zealand calls a passenger weight survey, is a way to gather data on the weight load and distribution for planes, the airline said.

“We weigh everything that goes on the aircraft – from the cargo to the meals onboard, to the luggage in the hold,” Alastair James, the airline’s load control improvement specialist said in a statement.

“For customers, crew, and cabin bags, we use average weights, which we get from doing this survey.” Still, weight is a personal thing that not everyone wishes to disclose.

In order to protect individuals’ privacy, the airline says it has made the data anonymous.

So what’s the upshot for you? “We know stepping on the scales can be daunting. We want to reassure our customers there is no visible display anywhere. No one can see your weight, not even us,” James said.

Outside of Auckland, if this takes off, it’s going to make the queues at the airport extra exciting. We can’t wait to hear the conversations that ensue, especially in some of the New York City airports after a few hours of flight delay.


Global: Altman Raises $115 Million for Worldcoin Crypto Project

OpenAI Chief Executive Sam Altman has raised $115 million in a Series C funding round led by Blockchain Capital for a cryptocurrency project he co-founded.

The project, Worldcoin, aims to distribute a crypto token to people “just for being a unique individual”.

The project uses a device to scan a person’s irises to confirm that they are a unique individual, after which they are given the tokens for free.

Worldcoin has faced criticism for perceived privacy risks.

In response to Altman’s tweet introducing the project in 2021, former U.S. intelligence contractor Edward Snowden tweeted, “Don’t catalog eyeballs”.

So what’s the upshot for you? In a world where artificial intelligence will soon interact with web pages to create accounts and content on social media, digital proof-of-personhood could become important very quickly.

After all, the Web is already brimming with bots pretending to be people. With the power of AI coming online, this phenomenon is about to deepen and become far more complicated.

Might Worldcoin be the answer?


Global: PyPI Was Subpoenaed

In March and April 2023, the Python Software Foundation (PSF) received three (3) subpoenas for PyPI user data.

All three subpoenas were issued by the United States Department of Justice.

The PSF was not provided with context on the legal circumstances surrounding these subpoenas.

In total, user data related to five (5) PyPI usernames were requested.

The data request was:

“Names (including subscriber names, user names, and screen names);”
“Addresses (including mailing, residential addresses, business addresses, and email addresses);”
“Connection records;”
“Records of session times and durations, and the temporarily assigned network address (such as Internet Protocol addresses) associated with those sessions;”
“Length of service (including start date) and type of services utilized;”
“Telephone or instrument numbers (including the registration Internet Protocol address);”
“Means and source of payment of any such services (including any credit card or bank account number) and billing records;”
“Records of all Python Package Index (PyPI) packages uploaded by…” given usernames
“IP download logs of any Python Package Index (PyPI) packages uploaded by…” given usernames

The privacy of PyPI users is of utmost concern to PSF and the PyPI Administrators, and we are committed to protecting user data from disclosure whenever possible.

In this case, however, PSF determined with the advice of counsel that our only course of action was to provide the requested data.

I, as Director of Infrastructure of the Python Software Foundation, fulfilled the requests in consultation with PSF’s counsel.

We have waited for the string of subpoenas to subside, though we were committed from the beginning to write and publish this post as a matter of transparency, and as allowed by the lack of a non-disclosure order associated with the subpoenas received in March and April 2023.

So what’s the upshot for you? Good for them. Transparency in matters like this really counts big.


Global: PyPI is Reducing Stored IP Address Data

The PyPI registry of open-source Python packages “began evaluating ways to reduce the amount of identifying information that it stores,” reports the Register, “even before the U.S. Justice Department came asking for data on suspect users.”

But now, “the Python community package registry wants developers to understand that it’s working to minimize the user data that it stores.”

The goal is not to be unable to respond to lawful requests for information; rather it’s to store only the minimum amount of data necessary so as not to expose users to unnecessary privacy intrusion.

Coincidentally, data minimization may prevent organizations from becoming a preferred source of on-demand surveillance: having excessive amounts of information about users invites legal demands, which staff then have to handle…

Mike Fiedler, a member of the PyPI admin team, said in a statement on Friday that the organization’s effort to improve user privacy and security dates back to 2020.

Since the receipt of the subpoenas in March and April, that effort has been reinvigorated.

Much of the concern focuses on IP address data, which gets stored in conjunction with web log access; user events such as logins; project events including uploads; events associated with recently introduced organizations; and administrative PyPI journal entries.

According to Fiedler, PyPI was able to stop storing IP data for journal entries — an append-only transaction log — because these were only exposed to administrators…

To obscure IP addresses, PyPI is salting them — adding an arbitrary value — and then hashing them — running the data through a one-way scrambling function that creates a value called a hash.

This provides a way to store a reference to potentially identifying data without actually storing raw data…

PyPI has been using its CDN provider Fastly to pass along a salted hash of the IP address for requests via a custom header, along with broad GeoIP data (the country and city where the user is located), and is using that instead of the raw IP address.

In April, the registry adopted code changes for hashing and salting IP addresses for requests that PyPI handles directly in Warehouse, the web application that implements the official Python package index.

And over the past few days, it has been replacing IP addresses in the PyPI user interface with geolocation data.

PyPI still relies on IP address information to identify abuse — the creation of malicious packages, harassment, and so on — but Fiedler says even that is being looked at. “We’re thinking about managing that without storing IP data, but we’re not there yet,” he said.

So what’s the upshot for you? Fiedler says the PyPI team will be weighing whether it can remove IP data from event history records after a period of time and whether the service can handle all its requests via CDN.
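To make the salt-and-hash scheme above concrete, here is an added example (not PyPI’s Warehouse code) that pseudonymizes client addresses with a keyed hash, keeps only coarse GeoIP fields in the log record, and rotates the salt per retention window so old records cannot be joined to new ones, which is the time-limited retention Fiedler describes weighing. Function names, the record layout and the sample addresses are assumptions; it also shows why the salt has to be secret by inverting an unsalted hash over one /24.

```python
# Added example, not PyPI/Warehouse code. Names and record layout are assumed.
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional


def normalize_ip(ip: str) -> str:
    """Canonical text form so equivalent spellings yield the same pseudonym."""
    addr = ipaddress.ip_address(ip.strip())
    # Fold IPv4-mapped IPv6 (::ffff:203.0.113.5) onto the plain IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return str(addr)


def pseudonymize_ip(ip: str, salt: bytes) -> str:
    """HMAC-SHA256 of the normalized address under a secret salt.

    The salt must stay secret: an unkeyed hash of an IPv4 address is undone
    by hashing all 2**32 candidates (invert_unsalted shows this on one /24).
    """
    return hmac.new(salt, normalize_ip(ip).encode(), hashlib.sha256).hexdigest()


def unsalted_digest(ip: str) -> str:
    """Plain SHA-256 of the address: what NOT to store as 'anonymized'."""
    return hashlib.sha256(normalize_ip(ip).encode()).hexdigest()


def invert_unsalted(digest: str, network: str) -> Optional[str]:
    """Recover an address from an unsalted digest by enumerating a network.

    One /24 takes milliseconds; the whole IPv4 space is minutes on a laptop.
    """
    for candidate in ipaddress.ip_network(network).hosts():
        if unsalted_digest(str(candidate)) == digest:
            return str(candidate)
    return None


class SaltRotator:
    """One secret salt per retention window.

    Requests inside a window share a pseudonym, so abuse correlation still
    works; across windows the pseudonym changes, so records from an old
    window cannot be linked to new ones. Salts are generated here for the
    example; a deployment would keep them in a secret store, not the log DB.
    """

    def __init__(self) -> None:
        self.window = 0
        self.salt = secrets.token_bytes(32)

    def rotate(self) -> None:
        """Start a new retention window with a fresh salt."""
        self.window += 1
        self.salt = secrets.token_bytes(32)

    def record(self, ip: str, country: str, city: str, path: str) -> dict:
        """Log entry keeping the pseudonym and coarse GeoIP, never the raw IP."""
        return {
            "window": self.window,
            "client": pseudonymize_ip(ip, self.salt),
            "country": country,
            "city": city,
            "path": path,
        }
```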


US: Social media risks for youth mental health highlighted in new surgeon general report

Amid what he called the worst youth mental health crisis in recent memory, U.S. Surgeon General Vivek Murthy issued an advisory Tuesday warning about social media’s impact on developing young brains.

“Through the last two and a half years I’ve been in office, I’ve been hearing concerns from kids and parents,” Murthy told STAT.

“Parents are asking ‘Is social media safe for my kids?’ Based on our review of the data, there isn’t enough evidence that it is safe for our kids.”

The advisory calls on policymakers and technology companies to take steps to minimize the risks of social media.

“This is not going to be an issue that we solve with one sector alone,” Murthy said. Policymakers, according to the report, need to develop age restrictions and safety standards for social media – much like the regulations that the U.S. has in place for everything from cars to medicine.

Specifically, Murthy would like to see policymakers require a higher standard of data privacy for children to protect them from potential harms like exploitation and abuse.

Technology companies, meanwhile, need to be more transparent about the data they share, according to Murthy.

He calls on companies to assess the potential risks of online interactions and take active steps to prevent potential misuse.

He also suggests the establishment of scientific advisory committees to inform approaches and policies aimed at creating safe online environments for children.

The advisory also suggests families attempt to protect young people’s mental health by developing a family media plan aimed at establishing healthy technology boundaries at home, such as creating “tech-free zones” that restrict phone use during certain hours or family mealtime.

But Murthy noted that parents are already at the end of their rope in trying to manage how their children are exposed to and using this rapidly evolving technology.

That responsibility has fallen entirely on them up to this point.

“We’ve got to move quickly,” he said.

“None of us should be satisfied until we have clear evidence that these platforms are safe.”

The surgeon general’s report comes two weeks after the American Psychological Association issued a health advisory on teens and social media use.

The group noted the increased risk of anxiety and depression among adolescents who are exposed to discrimination and bullying online.

“Other research has shown that adolescents ages 12-15 who spent more than three hours per day on social media face a heightened risk of experiencing poor mental health outcomes compared to those who spent less time online,” adds STAT News.

’50s dance
- for the podcast right click on the pic -

So what’s the upshot for you? Perhaps this offers some insight. Maybe a little like the stories your grandmother told you about rock and roll music destroying the minds of the youth…


US: Microsoft Warns That China Hackers are in US Infrastructure

Microsoft has issued a warning that Chinese state-sponsored hackers, known as “Volt Typhoon,” have compromised “critical” U.S. cyber infrastructure across various industries with a focus on gathering intelligence.

The Chinese hacking group, codenamed “Volt Typhoon,” has operated since mid-2021, Microsoft said in an advisory.

The organization is apparently working to disrupt “critical communications infrastructure between the United States and Asia,” Microsoft said, to stymie efforts during “future crises.”

The National Security Agency put out a bulletin on Wednesday, detailing how the hack works and how cybersecurity teams should respond.

The attack is apparently ongoing.

In an advisory, Microsoft urged impacted customers to “close or change credentials for all compromised accounts.”

U.S. intelligence agencies became aware of the incursion in February, around the same time that a Chinese spy balloon was downed, the New York Times reported.

The infiltration was focused on communications infrastructure in Guam and other parts of the U.S., the Times reported, and was particularly alarming to U.S. intelligence because Guam sits at the heart of an American military response in case of a Taiwanese invasion.

Volt Typhoon is able to infiltrate organizations using an unnamed vulnerability in a popular cybersecurity suite called FortiGuard, Microsoft said.

Once the hacking group has gained access to a corporate system, it steals user credentials from the security suite and uses them to try to gain access to other corporate systems.

The state-sponsored hackers aren’t looking to create disruption yet, Microsoft said. Rather, “the threat actor intends to perform espionage and maintain access without being detected for as long as possible.”

Infrastructure in nearly every critical sector has been impacted, Microsoft said, including the communications, transport, and maritime industries.

Government organizations were also targeted.

So what’s the upshot for you? Blink, or keep your eyes shut a little too long, and when they open yet another cyber threat is staring you in the face.


US: 50 US Senators Issued Satellite Phones

Amid growing concerns of security risks to members of Congress, over 50 senators have been issued satellite phones for emergency communication, people familiar with the measures told CBS News…

[Senate Sergeant at Arms] Gibson said satellite communication is being deployed “to ensure a redundant and secure means of communication during a disruptive event.”

Gibson said the phones are a security backstop in the case of an emergency that “takes out communications” in part of America.
Iridium satellite phone
- for the podcast right click on the pic -

So what’s the upshot for you? Could the latest trend be big fat dumb phones once again? Looks promising!


Global: Firefox Falls Flat with Full-Screen VPN Ad

Firefox users have been complaining about very intrusive full-screen advertisements promoting Mozilla VPN displayed in the web browser when navigating an unrelated page.

The ads popping up in Firefox disable the web browser’s functionality, denying users access to the interface and graying out everything in the background until they close them.

Some users reported on Reddit that the annoying full-screen ads even cause Firefox to become unresponsive for up to 30 seconds, forcing them to terminate the browser’s process.

BleepingComputer contacted Mozilla about the matter and, after the barrage of complaints from Firefox users, received the following statement: “We’re continuously working to understand the best ways to communicate with people who use Firefox.”

So what’s the upshot for you? A spokesperson from Firefox said, “Ultimately, we accomplished the exact opposite of what we intended in this experiment and quickly rolled the experience back. We apologize for any confusion or concern.”


Global: Bitwarden Moves into Passwordless Security

Bitwarden, the popular open-source password management program, has launched Bitwarden Passwordless.dev, a developer toolkit for integrating FIDO2 WebAuthn-based passkeys into websites and applications.

Bitwarden Passwordless.dev uses an easy-to-use application programming interface (API) to provide a simplified approach to implementing passkey-based authentication with your existing code.

This enables developers to create seamless authentication experiences swiftly and efficiently.

For example, you can integrate with FIDO2 WebAuthn applications such as Face ID, fingerprint, and Windows Hello.

Enterprises also face challenges in integrating passkey-based authentication into their existing applications. Another way Bitwarden Passwordless.dev addresses this issue is by including an admin console.

This enables programmers to configure applications, manage user attributes, monitor passkey usage, deploy code, and get started instantly.

“Passwordless authentication is rapidly gaining popularity due to its enhanced security and streamlined user login experience,” said Michael Crandell, CEO of Bitwarden.

“Bitwarden equips developers with the necessary tools and flexibility to implement passkey-based authentication swiftly and effortlessly, thereby improving user experiences while maintaining optimal security levels.”

So what’s the upshot for you? And if you aren’t ready for it yet, Bitwarden maintains your options while keeping you safe.


Global: Driver’s Licenses, Addresses, Photos: Inside How TikTok Shares User Data

Employees of the Chinese-owned video app TikTok have regularly posted user information on a messaging and collaboration tool called Lark, according to internal documents.

In August 2021, TikTok received a complaint from a British user, who flagged that a man had been “exposing himself and playing with himself” on a live stream she hosted on the video app.

She also described past abuse she had experienced.

To address the complaint, TikTok employees shared the incident on an internal messaging and collaboration tool called Lark, according to company documents obtained by The New York Times.

The British woman’s personal data – including her photo, country of residence, internet protocol address, device, and user IDs – were also posted on the platform, which is similar to Slack and Microsoft Teams.

Her information was just one piece of TikTok user data shared on Lark, which is used every day by thousands of employees of the app’s Chinese owner, ByteDance, including by those in China.

According to the documents obtained by The Times, the driver’s licenses of American users were also accessible on the platform, as were some users’ potentially illegal content, such as child sexual abuse materials.

In many cases, the information was available in Lark “groups” – essentially chat rooms of employees – with thousands of members.

The profusion of user data on Lark alarmed some TikTok employees, especially since ByteDance workers in China and elsewhere could easily see the material, according to internal reports and four current and former employees.

Since at least July 2021, several security employees have warned ByteDance and TikTok executives about risks tied to the platform, according to the documents and the current and former workers.

“Should Beijing-based employees be owners of groups that contain secret” data of users, one TikTok employee asked in an internal report last July.

The user materials on Lark raise questions about TikTok’s data and privacy practices and show how intertwined it is with ByteDance, just as the video app faces mounting scrutiny over its potential security risks and ties to China.

So what’s the upshot for you? Not sure just how much proof people need for convincing, so we will say it here.

If you are making money on the TikTok platform, it might be wise to start a parallel engagement with a competing platform, as TikTok might be here today… and gone tomorrow.


Global: TikToker Notices Something Strange About Her Face in the App’s Camera

In a video posted on Wednesday, beauty founder and content creator Charlotte Palermino describes how strange her face looked as she tried to record a clip in TikTok’s camera.

Palermino had not added any TikTok filters to her video and had recently updated the app.

However, her face still did not look like herself in TikTok’s front-facing camera.

“I knew my face looked off because it’s not my face,” Palermino explains.

Upon looking deeper and browsing the retouch section in the app’s camera, Palermino says that TikTok had added certain filters to her face automatically — without her consent.

TikTok had automatically removed Palermino’s dark circles, smoothed and retouched her face by 30 percent, whitened her teeth by 20 percent, and even changed the “degree” of her nose.

Palermino says it was even more concerning that TikTok did not even give her the option to see whether the filter had been added on or not.

“What is most troubling about this [automatic filter] is that it is the default,” Palermino explains.

So what’s the upshot for you? Potentially the only people who will really know what you look like are in Beijing pretending that they don’t.


CH: LHC experiments see first evidence of a rare Higgs boson decay

If you had a breakdown, you’d want a little privacy, right?

Well, not even the world’s smallest particle seems to be able to do that now without someone peering at it.

The discovery of the Higgs boson at CERN’s Large Hadron Collider (LHC) in 2012 marked a significant milestone in particle physics.

Since then, the ATLAS and CMS collaborations have been diligently investigating the properties of this unique particle and searching to establish the different ways in which it is produced and decays into other particles.

At the Large Hadron Collider Physics (LHCP) conference last week, ATLAS and CMS report how they teamed up to find the first evidence of the rare process in which the Higgs boson decays into a Z boson, the electrically neutral carrier of the weak force, and a photon, the carrier of the electromagnetic force.

This Higgs boson decay could provide indirect evidence of the existence of particles beyond those predicted by the Standard Model of particle physics.

The decay of the Higgs boson into a Z boson and a photon is similar to that of a decay into two photons.

In these processes, the Higgs boson does not decay directly into these pairs of particles.

Instead, the decays proceed via an intermediate “loop” of “virtual” particles that pop in and out of existence and cannot be directly detected.

These virtual particles could include new, as yet undiscovered particles that interact with the Higgs boson.

The Standard Model predicts that if the Higgs boson has a mass of around 125 billion electronvolts, approximately 0.15% of Higgs bosons will decay into a Z boson and a photon.

But some theories that extend the Standard Model predict a different decay rate.

Measuring the decay rate, therefore, provides valuable insights into both physics beyond the Standard Model and the nature of the Higgs boson.

So what’s the upshot for you? It’s tough being tiny.


And our quote of the week - “Sometimes it seems as though each new step towards AI, rather than producing something which everyone agrees is real intelligence, merely reveals what real intelligence is not.” - Douglas Hofstadter


swing dance icon
- for the podcast right click on the pic -

That’s it for this week. Stay safe, stay secure, step lightly, and see you in se7en.