The IT Privacy and Security Update for the Week ending September 13th 2022 and Brad Pitt


From Tweets to Whistles we’re here to make some noise.

You get the latest from Washington DC on “what it has, where it lives or where it came from” and why the U.S. Navy can’t say anything more about UFOs.

We serve you a fix that really whacks and a new telecom project that will leave you looking at your phone like it’s a tin can with a piece of string attached.

You’ll be amazed by the magic of Meta with two completely different types of disappearances and one appearance.

Then there is the letter to the US Federal Trade Commission begging them not to let Amazon buy your vacuum cleaner company.

Finally, we end with why that long commute to planet WASP-39b might not be such a good idea after all.

You want it? We got it. Come get it! Oh, and then there is Brad.

US: Twitter Agreed To Pay Whistleblower $7 Million in June Settlement

Twitter agreed in June to pay roughly $7 million to the whistleblower whose allegations will be part of Elon Musk’s case against the company, WSJ reported Thursday, citing people familiar with the matter.

The settlement was completed days before Peiter Zatko filed his whistleblower complaint in July.

Mr. Zatko is the hacker who was Twitter’s security head before being fired in January.

In his whistleblower complaint, Mr. Zatko accuses the company of failing to protect sensitive user data and lying about its security problems.

Twitter’s confidential June settlement was related to Mr. Zatko’s lost compensation and followed months-long mediation over tens of millions of dollars in potential pay.

Such compensation agreements aren’t unusual when an executive departs a company prematurely and leaves behind potential stock options and other money.

As part of the settlement, Mr. Zatko agreed to a nondisclosure agreement that forbids him from speaking publicly about his time at Twitter or disparaging the company.

So what’s the upshot for you? Congressional hearings and governmental whistleblower complaints are two of the few venues in which he is permitted to speak openly, and he certainly did during the hearing today.

US: Twitter Doesn’t Know What Data It Has, Where It Lives, or Where It Came From

Ex-Twitter security chief Peiter Zatko lambasted the social media company on numerous fronts in a Congressional hearing and made it look like a hot mess.

Twitter received a shellacking on Capitol Hill on Tuesday after its ex-security chief Peiter Zatko told a room full of senators that the company is essentially an insecure hot mess infiltrated by more than one foreign government spy.

Convened by the Senate Judiciary Committee, the hearing covered a range of serious allegations against Twitter made by Zatko, who in July sent a 200-page whistleblower complaint to federal agencies and lawmakers.

The former employee, who was fired in January, called out Twitter on numerous fronts, claiming that the social media network had longstanding and basic cybersecurity failures that made it vulnerable to exploitation; that executives prioritized profits over security; that Twitter doesn’t know “what data [it] has, where it lives, or where it came from”; and that employees have access to too much user data and too many systems.

So what’s the upshot for you? Republican Sen. Chuck Grassley of Iowa said: “So let me be very clear: The business of this committee and protecting Americans from foreign influence is more important than Twitter’s civil litigation (with Elon Musk) in Delaware. If these allegations are true, I don’t see how Mr. Agrawal can maintain his position at Twitter.”

US: U.S. Navy Says All UFO Videos Classified, Releasing Them ‘Will Harm National Security’

The U.S. Navy says that releasing any additional UFO videos would “harm national security” and told a government transparency website that all of the government’s UFO videos are classified information.

In its response to a Freedom of Information Act request, the Navy told the government transparency site The Black Vault that any public dissemination of new UFO videos “will harm national security as it may provide adversaries valuable information regarding Department of Defense/Navy operations, vulnerabilities, and/or capabilities. No portions of the videos can be segregated for release.”

So what’s the upshot for you? Space aliens get better privacy from the US government than its own citizens!

US: Selling your car on Craigslist? Read this first.

“Nearly all U.S. states now have designated safe trading stations — mostly at local police departments — which ensure that all transactions are handled in plain view of both the authorities and security cameras.”

These safe trading places exist because sometimes in-person transactions from the Internet don’t end well for one or more parties involved.

The website Craigslistkillers has cataloged news links for at least 132 murders linked to Craigslist transactions since 2015.

Many of these killings involved high-priced items like automobiles and consumer electronics, where the prospective buyer apparently intended all along to kill the owner and steal the item offered for sale. Others were motivated simply by a desire to hurt people.

This is not to say that using Craigslist is uniquely risky or dangerous; the vast majority of transactions generated by the site end amicably and without physical violence. And that probably holds true for all of Craigslist’s competitors.

Still, the risk of a deal going badly when one meets total strangers from the Internet is not zero, and so it’s only sensible to take a few simple precautions.

For example, choosing to transact at a designated safe place such as a police station dramatically reduces the likelihood that anyone wishing you harm would even show up.

So what’s the upshot for you? Think this is us being maybe a little paranoid? Visit the site where someone has actually cataloged the transactions that went very badly.

Global: Fix for Retbleed whacks Linux VM performance by up to 70%

In a report titled “Performance Regression in Linux Kernel 5.19”, a VMware performance engineering staffer said the virtualization giant’s internal testing found that Linux VMs running kernel 5.19 on the ESXi hypervisor saw compute performance drop by up to 70 percent with a single vCPU, networking performance fall by 30 percent and storage performance dip by up to 13 percent.

When VMware’s testers turned off the Retbleed mitigation in 5.19, performance returned to the levels seen under kernel 5.18.

The mitigation does not switch speculative execution off. Retbleed abuses the CPU’s branch prediction of return instructions, which gets around the retpoline defence, and on the Skylake-generation Intel CPUs in VMware’s tests the kernel counters it by enabling IBRS, which is expensive on that silicon. Because speculation exists to speed processing, it is no surprise that constraining it costs performance.

A 70 percent drop in compute performance does, however, have a major impact on application performance that could lead to unacceptable delays for many business processes.

So what’s the upshot for you? VMware’s tests were run on Intel Skylake CPUs – silicon released between 2015 and 2017 that will still be present in many server fleets.

Later CPU generations that support Enhanced IBRS already have that protection on all the time, so the Retbleed mitigation costs them nothing extra; the 70 percent figure is a worst case for older silicon, not a general tax. Before turning the mitigation off to win the performance back, check what the kernel reports for your hosts and weigh the threat model: a single-tenant box running only trusted code is a different case from a hypervisor hosting other people’s VMs.
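To see what the kernel actually applied on a given host, the mitigation status lives in /sys/devices/system/cpu/vulnerabilities/ (one file per issue, e.g. retbleed, spectre_v2), and the retbleed=off and mitigations=off kernel command-line parameters are what switch it off. The script below is an added example, not part of the article or of VMware’s report: it classifies each status file and flags whether Retbleed is being handled by the costly IBRS path or by Enhanced IBRS. The sysfs path and the parameter names are the real kernel interface; the sample directory contents are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the article or from VMware): summarise the Linux
# kernel's reported mitigation status and spot the costly Retbleed path.
# /sys/devices/system/cpu/vulnerabilities/<name> and the retbleed=off /
# mitigations=off parameters are the real kernel interface; the directory
# built by make_sample_sysfs is CONSTRUCTED so the script runs offline.

# Map one status line, as the kernel prints it, to a short state.
classify() {
  case "$1" in
    "Not affected"*) echo "not-affected" ;;
    "Mitigation:"*)  echo "mitigated" ;;
    "Vulnerable"*)   echo "vulnerable" ;;
    *)               echo "unknown" ;;
  esac
}

# One line per vulnerability file in directory $1.
report_mitigations() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    status=$(cat "$f")
    printf '%-13s %-18s %s\n' "$(classify "$status")" "$(basename "$f")" "$status"
  done
}

# Retbleed state, noting whether it is the IBRS mitigation (expensive on
# Skylake-era Intel CPUs) or Enhanced IBRS (already on, nothing to win).
retbleed_state() {
  f="$1/retbleed"
  [ -f "$f" ] || { echo "unknown"; return; }
  status=$(cat "$f")
  state=$(classify "$status")
  case "$status" in
    *"Enhanced IBRS"*) echo "$state (eIBRS)" ;;
    *IBRS*)            echo "$state (IBRS)" ;;
    *)                 echo "$state" ;;
  esac
}

# Does a kernel command line ($1) switch the mitigation off?
retbleed_disabled_by_cmdline() {
  case " $1 " in
    *" retbleed=off "*|*" mitigations=off "*) echo "yes" ;;
    *)                                        echo "no"  ;;
  esac
}

# Constructed snapshot resembling a Skylake host on a 5.19 kernel.
make_sample_sysfs() {
  d=$(mktemp -d)
  printf 'Mitigation: IBRS\n' > "$d/retbleed"
  printf 'Mitigation: IBRS, IBPB: conditional, RSB filling\n' > "$d/spectre_v2"
  printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
  printf 'Not affected\n' > "$d/meltdown"
  printf 'Vulnerable\n' > "$d/mmio_stale_data"
  echo "$d"
}

sample=$(make_sample_sysfs)
report_mitigations "$sample"
echo "retbleed: $(retbleed_state "$sample")"
echo "cmdline disables it: $(retbleed_disabled_by_cmdline 'root=/dev/sda1 retbleed=off')"
rm -rf "$sample"
# On a live host: report_mitigations /sys/devices/system/cpu/vulnerabilities
#                 retbleed_disabled_by_cmdline "$(cat /proc/cmdline)"
```

On a real 5.19 host, point report_mitigations at /sys/devices/system/cpu/vulnerabilities to learn whether a fleet is on the IBRS path; a retbleed line reading “Mitigation: Enhanced IBRS” means the hardware already covers it and there is no performance to recover by disabling anything.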

Global: Google Spins Out Secret Hi-Speed Telecom Project Called Aalyria

While Google declined to offer details about Aalyria, such as how long it’s been working on the technology and how many employees are joining the startup, Aalyria said in a news release that its mission is to manage “hyper fast, ultra-secure, and highly complex communications networks that span land, sea, air, near space, and deep space.”

The company says it has laser communications technology “on an exponentially greater scale and speed than anything that exists today.”

Aalyria’s software platform has been used in multiple aerospace networking projects for Google.

Aalyria (pronounced ah-Leer-eeh-ah) said it has an $8.7 million commercial contract with the U.S. Defense Innovation Unit.

The company will be led by CEO Chris Taylor, a national security expert who has led other companies that have worked with the government.

Taylor’s LinkedIn profile says he’s the CEO of a company in stealth mode that he founded in November.

Aalyria’s board of advisors includes several former Google employees and executives as well as Vint Cerf, Google’s chief internet evangelist, who is known as one of the fathers of the internet.

Google will retain a minority stake in Aalyria but declined to say how much it owns and how much outside funding the company has raised.

Google said that earlier this year it transferred nearly a decade’s worth of intellectual property, patents and physical assets, including office space, to Aalyria.

Aalyria’s light laser technology, which it calls “Tightbeam,” claims to keep data “intact through the atmosphere and weather and offers connectivity where no supporting infrastructure exists.”

“Tightbeam radically improves satellite communications, Wi-Fi on planes and ships, and cellular connectivity everywhere,” the company said.

So what’s the upshot for you? 5G, satellite SOS? Forget it. “Tightbeam”, now that’s the one we want on our phones!

Global: Facebook Button is Disappearing From Websites as Consumers Demand Better Privacy

Until about a month ago, shoppers on Dell’s website looking for a new laptop could log in using their Facebook credentials to avoid creating a new username and password.

That option is now gone.

Dell isn’t alone.

Other big brands, including Best Buy, Ford Motor, Pottery Barn, Nike, Patagonia, Match and Amazon’s video-streaming service Twitch have removed the ability to sign on with Facebook.

It’s a marked departure from just a few years ago, when the Facebook login was plastered all over the internet, often alongside buttons that let you sign in with Google, Twitter or LinkedIn.

Jen Felch, Dell’s chief digital and chief information officer, said people stopped using social logins, for reasons that include concerns over security, privacy and data-sharing.

So what’s the upshot for you? The disappearing login is the latest sign of Facebook’s diminishing influence on the internet following more than a decade of spectacular growth.

In the past year, the company’s business has been beset by Apple’s iOS privacy change, which made it harder to target ads, a deteriorating economy, competition from short-video service TikTok, and reputational damage after a whistleblower leaked documents showing Facebook knew of the harm caused by many of its products.

Global: Facebook Parent Meta Cuts Responsible Innovation Team

Meta Platforms has disbanded its Responsible Innovation team, which was once a prominent piece of its effort to address concerns about the potential downsides of its products.

The team had included roughly two dozen engineers, ethicists and others who collaborated with internal product teams and outside privacy specialists, academics and users to identify and address potential concerns about new products and alterations to Facebook and Instagram.

So what’s the upshot for you? The team’s demise comes at a tumultuous time for Meta, as it contends with a precipitous slowdown in its core digital-advertising business that has prompted it to slow hiring in recent months.

The Responsible Innovation team was to have had a formative role in future company products, beginning with encouraging newly hired engineers in how to think about potential downsides to what they build and then consulting on the design of specific products.

Not anymore.

Global: Meta’s next-gen Oculus headset kit left in a hotel room

Meta is expected to launch the next-generation VR device at Meta Connect, a virtual event scheduled on 11 October.

CEO Mark Zuckerberg and other top executives will discuss the company’s vision and latest progress in building the metaverse, which the beleaguered business sees as its next big thing.

Then came the video of units that had been “forgotten in a hotel room”.

The video and images on Twitter don’t give too much away in terms of hardware or performance, but do suggest the secretive headset developed under the codename Project Cambria will be named the “Meta Quest Pro”.

Although the box was labeled “Engineering sample,” both the finish and the packaging suggest that this is the final version, rather than an earlier prototype.

The headset is black plastic, with gray surrounds for three cameras on the front of the device.

These are expected to allow the Quest Pro to mix both virtual reality (VR) and augmented reality (AR) content.

  • Standalone device
  • High-resolution graphics
  • External cameras
  • Mix of virtual reality and augmented reality

So what’s the upshot for you? Apple reportedly has a similar headset readying for release, but where Meta is predicted to sell its unit at a loss, Apple’s will hit your wallet a lot, lot harder.

CN: China Accuses the NSA of Hacking a Top University to Steal Data

China claims that America’s National Security Agency used sophisticated cyber tools to hack into an elite research university on Chinese soil.

The attack allegedly targeted the Northwestern Polytechnical University in Xi’an (not to be confused with a California school of the same name), which is highly ranked in the global university index for its science and engineering programs.

The U.S. Justice Department has referred to the school as a “Chinese military university that is heavily involved in military research and works closely with the People’s Liberation Army,” painting it as a reasonable target for digital infiltration from an American perspective.

So what’s the upshot for you? In this particular case, China’s report says the NSA unit used 41 different hacking tools to break into Northwestern Polytechnical and steal data.

One such tool, dubbed “Suctionchar,” is said to have helped infiltrate the school’s network by stealing account credentials from remote management and file transfer applications to hijack logins on targeted servers.

According to China’s National Computer Virus Emergency Response Center, traces of Suctionchar have been found in many other Chinese networks besides Northwestern’s, and the agency has accused the NSA of launching more than 10,000 cyberattacks on China over the past several years.

RU: Former Conti Ransomware Gang Members Helped Target Ukraine, Google Says

A cybercriminal group containing former members of the notorious Conti ransomware gang is targeting the Ukrainian government and European NGOs in the region, Google says.

The details come from a new blog post from the Threat Analysis Group (TAG), a team within Google dedicated to tracking state-sponsored cyber activity.

With the war in Ukraine having lasted more than half a year, cyber activity including hacktivism and electronic warfare has been a constant presence in the background.

Now, TAG says that profit-seeking cybercriminals are becoming active in the area in greater numbers.

From April through August 2022, TAG has been following “an increasing number of financially motivated threat actors targeting Ukraine whose activities seem closely aligned with Russian government-backed attackers,” writes TAG’s Pierre-Marc Bureau.

So what’s the upshot for you? One of these actors has already been designated by CERT-UA, Ukraine’s national Computer Emergency Response Team, as UAC-0098.

But new analysis from TAG links it to Conti, the prolific global ransomware gang whose attack crippled Costa Rican government systems in May.

US: Leaked Oath Keepers’ list includes hundreds of police and dozens of elected officials

As reports tracked a string of violent events leading up to Oath Keepers’ involvement in the Jan 6th, 2021 Capitol riots, it remained difficult for outsiders to discern just how effective the nonprofit group’s recruitment really was at targeting people with real power.

Then in fall 2021, Distributed Denial of Secrets published a massive data leak, revealing the names and addresses of 38,000 Oath Keepers members and donors.

Sorting through the data, the Anti-Defamation League Center on Extremism (COE) saw an opportunity to cross-reference public data on listed members and map out approximately how far Oath Keepers has come in furthering its mission to establish a secure “foothold in mainstream seats of power” throughout the US.

Last week the COE identified 373 people in the Oath Keepers database believed to be active law enforcement officers, 117 people who seem to be currently serving in the military, and 81 public officials who either currently hold or are running for public office in 2022.

So what’s the upshot for you? Now, in an interactive map you can see just how close you are to this particular group’s members.

US: Letter to the FTC: "Please kill Amazon’s iRobot Purchase”

Twenty-six organizations sent an open letter to the FTC’s five commissioners on Friday.

The groups view Amazon’s acquisition of iRobot, which they described as a “competing smart home device business” as an anti-competitive action that could harm the overall consumer technology market.

“Amazon seeks to unduly expand its market power by eliminating a competitor through acquisition, rather than through organic growth,” the groups wrote. “The company also aims to minimize fair competition by exploiting consumer data not accessible to other market participants.”

That “consumer data” refers to detailed video footage of customers’ homes and floor plans constantly sucked up by iRobot’s Roomba and other home devices.

That type of data is potentially well worth the $1.7 billion Amazon intends to spend on the company, if only to work out which merchandise to sell you through its main business.

Privacy advocates, however, fear Amazon – which already has smart devices hooked up in around a third of U.S. households – could misuse that potentially sensitive data.

Critics, including some U.S. senators, warn we’ve already witnessed a version of this through Amazon-owned Ring sharing user data with police without its owners’ consent or a police warrant.

“There is no more private space than the home,” the letter reads. “Yet with this acquisition, Amazon stands to gain access to extremely intimate facts about our most private spaces that are not available through other means, or to other competitors.”

While Amazon’s recent acquisition attempt is significant, the groups warn Amazon’s iRobot deal amounts to a symptom of a larger problem.

“Amazon’s business model largely relies on acquiring rivals, sometimes in adjacent markets, and then rapidly expanding through anti-competitive predatory pricing while leveraging vast troves of consumer data to grow its overall grip on the economy,” the groups wrote.

To bolster that point, the groups pointed to Amazon’s 2018 acquisition of smart doorbell maker Ring.

Within three years, Ring went from a successful but still-growing product to the undisputed king of smart doorbells.

That sudden market annihilation, the groups argue, was only made possible through Amazon pushing the product through its “ubiquitous” e-commerce platform at below market price points.

So what’s the upshot for you? We think more consideration might be given to something that maps the floorplan of your home, takes photographs to supplement that data, and then is used to sell you more throw pillows.

Can you imagine anything more controversial than throw pillows covering every surface that used to be suitable for sitting on? Arghh!!!

Outer Space: Scientists Found Genetic Mutations in Every Astronaut Blood Sample They Studied

When they examined decades-old blood samples from 14 NASA astronauts who flew Space Shuttle missions between 1998 and 2001, researchers found that samples from all 14 astronauts showed mutations in their DNA.

The specific mutations, as identified in a new study published in the Nature journal Communications Biology, were marked by a high proportion of blood cells that came from a single clone, a phenomenon called clonal hematopoiesis.

Mutations like this can be caused by exposure to excess ultraviolet radiation and other ionizing radiation, and by chemotherapy.

In this case, researchers are suspicious that the mutations may have been the result of space radiation.

So what’s the upshot for you? This highlights the importance of regular checkups especially if you are chaperoning your relatives to other planets so you can have some privacy.

And our quote of the week:

  • “You should know who has your personal data, what data they have, and how it is used.
  • You should be able to prevent information collected about you for one purpose from being used for others.
  • You should be able to correct inaccurate information about yourself.
  • Your data should be secure.

…while it’s illegal to use Brad Pitt’s image to sell a watch without his permission, Facebook is free to use your name to sell one to your friends.”
― Eli Pariser

That’s it for this week. Stay safe, stay secure, tell Brad we didn’t mean it, and see you in se7en.