The IT Privacy and Security Weekly “It’s all here” Update for the Week ending August 23rd., 2022

This week we start with a tweet and end with a rap.

In between those bookends, we have a sick kid, now healthy, a father who may never recover, a great site to see what the apps on your phone might be up to, and a new champion in the fight for our attention.

We have the latest in “secure” smartphones that could end up sounding exactly the opposite by the time you get to the end of our coverage, and a pending court case alleging that Oracle has leapfrogged Facebook in the race to collect everything on everyone, everywhere.

We’ve got another car story that sounds so dumb, it’s got to be smart, and a new way to get around the Vegas strip.

Just about the only thing missing is something credit card-sized you can tuck into your wallet or bag so that they never end up lost…… Ooops, yes we have that too.

Well then, it certainly looks like we have it all. Let’s have at it!

US: Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies

Twitter has major security problems that pose a threat to its own users’ personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post.

The whistleblower, who has agreed to be publicly identified, is Peiter “Mudge” Zatko, who was previously the company’s head of security, reporting directly to the CEO.

Zatko was fired by Twitter (TWTR) in January for what the company claims was poor performance.

According to Zatko, his public whistleblowing comes after he attempted to flag the security lapses to Twitter’s board and to help Twitter fix years of technical shortcomings and alleged non-compliance with an earlier privacy agreement with the Federal Trade Commission.

So what’s the upshot for you? “Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure, and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,”

US: Dad Photographs Son for Doctor. Google Flags Him as Criminal, Notifies Police

“The nurse said to send photos so the doctor could review them in advance,” the New York Times reports, describing how an ordeal began in February of 2021 for a software engineer named Mark who had a sick son: Mark’s wife grabbed her husband’s phone and texted a few high-quality close-ups of their son’s groin area to her iPhone so she could upload them to the health care provider’s messaging system.

In one, Mark’s hand was visible, helping to better display the swelling.

Mark and his wife gave no thought to the tech giants that made this quick capture and exchange of digital data possible, or what those giants might think of the images.

With help from the photos, the doctor diagnosed the issue and prescribed antibiotics, which quickly cleared it up…

Two days after taking the photos of his son, Mark’s phone made a blooping notification noise: His account had been disabled because of “harmful content” that was “a severe violation of Google’s policies and might be illegal.”

A “learn more” link led to a list of possible reasons, including “child sexual abuse & exploitation…”

He filled out a form requesting a review of Google’s decision, explaining his son’s infection. At the same time, he discovered the domino effect of Google’s rejection.

Not only did he lose emails, contact information for friends and former colleagues, and documentation of his son’s first years of life, his Google Fi account shut down, meaning he had to get a new phone number with another carrier.

Without access to his old phone number and email address, he couldn’t get the security codes he needed to sign in to other internet accounts, locking him out of much of his digital life…

A few days after Mark filed the appeal, Google responded that it would not reinstate the account, with no further explanation.

Mark didn’t know it, but Google’s review team had also flagged a video he made and the San Francisco Police Department had already started to investigate him… In December 2021, Mark received a manila envelope in the mail from the San Francisco Police Department.

It contained a letter informing him that he had been investigated as well as copies of the search warrants served on Google and his internet service provider.

An investigator, whose contact information was provided, had asked for everything in Mark’s Google account: his internet searches, his location history, his messages, and any document, photo, and video he’d stored with the company.

The search, related to “child exploitation videos,” had taken place in February, within a week of his taking the photos of his son.

Mark called the investigator, Nicholas Hillard, who said the case was closed.

Mr. Hillard had tried to get in touch with Mark but his phone number and email address hadn’t worked…

Mark appealed his case to Google again, providing the police report, but to no avail… A Google spokeswoman said the company stands by its decisions…

So what’s the upshot for you? Mark’s life is over as he knew it, but at least his son is healthy.

Global: TikTok’s in-app browser could be keylogging

Beware of in-app browsers’ is a good rule of thumb for any privacy-conscious mobile app user – given the potential for an app to leverage its hold on user attention to snoop on what you’re looking at via browser software it also controls.

But eyebrows are being raised over the behavior of TikTok’s in-app browser after independent privacy research by developer Felix Krause found the social network’s iOS app injecting code that could enable it to monitor all keyboard inputs and taps.

A.k.a., keylogging.

"TikTok iOS subscribes to every keystroke (text inputs) happening on third-party websites rendered inside the TikTok app.

This can include passwords, credit card information, and other sensitive user data," warns Krause in a blog post detailing the findings.

“We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third-party websites.”

So what’s the upshot for you? After publishing a report last week – focused on the potential for Meta’s Facebook and Instagram iOS apps to track users of their in-app browsers – Krause followed up by launching a tool, called, that lets mobile app users get details of code that’s being injected by in-app browsers by listing JavaScript commands executed by the app as it renders the page.

(Note: He warns the tool does not necessarily list all JavaScript commands executed nor can it pick up tracking an app might be doing using native code – so at best it’s offering a glimpse of potentially sketchy activities.)

CN: Chinese internet giants hand algorithm data to government

Algorithms decide what users see and the order they see it - and are critical to driving the growth of social media platforms.

They are closely guarded by companies.

In the US Meta and Alphabet have successfully argued they are trade secrets amid calls for more disclosure.

The Cyberspace Administration of China (CAC) has published a list with the descriptions of 30 algorithms. In a statement, it said that its algorithm list would be routinely updated in a bid to curb data abuse.

Among the listed algorithms is one belonging to the e-commerce website Taobao, owned by Alibaba.

The Mandarin document said Taobao’s algorithm "recommends products or services to users through their digital footprint and historical search data.

"ByteDance’s algorithm for Douyin, China’s version of TikTok, is said to gauge user interests through what they click, comment on, “like” or “dislike”.

Chinese regulators have been tightening their grip on the technology sector for nearly two years now.

The country adopted new rules for algorithms in March - which allow users to opt-out of contributing to recommendations. It also required algorithms with “public opinion properties or social mobilization capabilities” to register with the CAC.

It is “remarkable” that the registrations were made public.

“I’m not aware of any other country in the world where you can go see a list of all of the pieces of code that are essentially informing the decisions that you make, the purchasing decisions that you make, the content viewing decisions that you make.”

So what’s the upshot for you? This move is ultimately about control.

Beijing is fiercely protective of the technology behind these companies and doesn’t allow the export of it beyond its shores.

But it’s concerned about how these platforms can influence public opinion within China and prefers to have more oversight over their technology and data.

It wants to redirect people’s attention to content that the state thinks is fit for public consumption.

Global: Oracle’s ‘surveillance machine’ targeted in US privacy class action

A new privacy class action claim in the U.S. alleges Oracle’s “worldwide surveillance machine” has amassed detailed dossiers on some five billion people, “accusing the company and its adtech and advertising subsidiaries of violating the privacy of the majority of the people on Earth.”

The suit has three class representatives: Dr. Johnny Ryan, senior fellow of the Irish Council for Civil Liberties (ICCL); Michael Katz-Lacabe, director of research at The Center for Human Rights and Privacy; and Dr Jennifer Golbeck, a professor of computer science at the University of Maryland – who say they are “acting on behalf of worldwide Internet users who have been subject to Oracle’s privacy violations.”

The litigants are represented by the San Francisco-headquartered law firm, Lieff Cabraser, which they note has run significant privacy cases against Big Tech.

The complaint references multiple federal, constitutional, tort, and state laws, alleging violations of the Federal Electronic Communications Privacy Act, the Constitution of the State of California, the California Invasion of Privacy Act, as well as competition law, and the common law.

The substance of the complaint hinges on allegations that Oracle collects vast amounts of data from unwitting Internet users, i.e. without their consent, and uses this surveillance intelligence to profile individuals, further enriching profiles via its data marketplace and threatening people’s privacy on a vast scale – including, per the allegations, by the use of proxies for sensitive data to circumvent privacy controls.

So what’s the upshot for you? Another player in the “Collect all the data you can about everyone” stakes. Just give us a moment to sit down, stand up and sit back down again.

Global: For the person who has everything, and loses it.

We came across these recently and thought they were an interesting take on the Apple Air Tag theme.

You can get credit card-sized versions of the Chipolo Card Spot that fit nicely in your wallet, work with Apple’s “Find my” app, and last about 2 years before they need replacing.

There’s a straight Chipolo card that is slightly cheaper with a 1-year battery that works with the Chipolo app on Android and Apple but loses the advantages of the huge scale that Apple has with their system.

So what’s the upshot for you? The thin form factor means they are less likely to be removed from your luggage or wallet (and so allow longer tracking). The additional win is that when the card runs out, you can buy a replacement for 1/2 the price and send in the old one for recycling.

US: Erik Prince wants to sell you a “secure” smartphone that’s too good to be true

Erik Prince’s pitch to investors was simple – but certainly ambitious: pay just 5 million euros and cure the biggest cybersecurity and privacy plagues of our day.

The American billionaire – best known for founding the notorious private military firm Blackwater, which became globally infamous for killing Iraqi civilians and threatening US government investigators – was pushing Unplugged, a smartphone startup promising “free speech, privacy, and security” untethered from dominant tech giants like Apple and Google.

In June, Prince publicly revealed the new phone, priced at $850. But before that, beginning in 2021, he was privately hawking the device to investors – using a previously unreported pitch deck that has been obtained by MIT Technology Review.

It boldly claims that the phone and its operating system are “impenetrable” to surveillance, interception, and tampering, and its messenger service is marketed as “impossible to intercept or decrypt.”

Boasting falsely that Unplugged has built “the first operating system free of big tech monetization and analytics,” Prince bragged that the device is protected by “government-grade encryption.”

Better yet, the pitch added, Unplugged is to be hosted on a global array of server farms so that it “can never be taken offline.”

One option is said to be a server farm “on a vessel” located in an “undisclosed location on international waters, connected via satellite to Elon Musk’s StarLink.”

An Unplugged spokesperson explained that “they benefit in having servers not be subject to any governmental law.”

The Unplugged investor pitch deck is a messy mix of these impossible claims, meaningless buzzwords, and outright fiction.

While none of the experts had yet been able to test the phone or read its code, because the company hasn’t provided access, the evidence available suggests Unplugged will fall wildly short of what’s promised.

The UP Phone’s operating system, called LibertOS, is a proprietary version of Google’s Android, according to an Unplugged spokesperson.

It’s running on an unclear mix of hardware that a company spokesperson says they’ve designed on their own.

Even just maintaining a unique Android “fork” – a version of the operating system that departs from the original, like a fork in the road – is a difficult endeavor that can cost massive money and resources, experts warn.

For a small startup, that can be an insurmountable challenge.

Another key issue is the life span. Apple’s iPhones are considered the most secure consumer device on the market due in part to the fact that the company offers security updates to some of its older phones for six years, longer than virtually all competitors.

When support for a phone ends, security vulnerabilities go unaddressed, and the phone is no longer secure.

There is no information available on how long UP Phones will receive security support.

“There are two things happening here,” says Allan Liska, a cyberintelligence analyst at the cybersecurity firm Recorded Future.

"There are the actual attempts to make real secure phones, and then there is the marketing BS.

Distinguishing between those two can be really hard."

So what’s the upshot for you? “When I worked in US intelligence, we [penetrated] a number of phone companies overseas,” says Allen Liska.

"We were inside those phone companies.

We could easily track people based on where they connected to the towers.

So when you talk about being impenetrable, that’s wrong.

This is a phone, and the way that phones work is they triangulate to cell towers, and there is always latitude and longitude for exactly where you’re sitting," he adds. “Nothing you do to the phone is going to change that.”

The UP Phone is due out in November 2022.

US: Streaming finally pips Cable in US viewership

Amid the slowdown of new content on traditional television and reduced sports programming, streaming claimed the largest share of TV viewing in July—a first after four consecutive months of hitting new viewership highs.

Streaming viewership in a given month has exceeded broadcast viewing before, but this is the first time it has also surpassed cable viewing.

In addition to claiming the largest viewership share during the month, audiences watched an average of 190.9 billion minutes of streamed content per week—easily surpassing the 169.9 billion minutes that audiences watched during the pandemic lockdown period back in April 2020.

Streaming accounted for 34.8 percent of US audiences’ TV viewing.

Next was cable TV, which came up narrowly behind at 34.4 percent.

In third was broadcast at 21.6 percent.

So what’s the upshot for you? Nielsen notes that overall TV viewership hasn’t changed much—just the relative size of each slice of the pie.

In other words, people aren’t watching more TV; they’re watching the same amount of TV but in different ways.

The real difference now is that streaming companies can glean data about viewers that Neilson never could.

Global: Google Cloud Blocks the Largest Web DDOS Attack to date

Over the past few years, Google has observed that distributed denial-of-service (DDoS) attacks are increasing in frequency and growing in size exponentially.

On June 1, a Google Cloud Armor customer was targeted with a series of HTTPS DDoS attacks which peaked at 46 million requests per second.

This is the largest Layer 7 DDoS reported to date—at least 76% larger than the previously reported record.

To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds.

So what’s the upshot for you? The geographic distribution and types of unsecured services leveraged to generate the attack match the Maris family of attacks.

Known for its massive attacks that have broken DDoS records, the Maris method (targeting devices made by MikroTik, a Latvian manufacturer of network routers) abuses unsecured proxies to obfuscate the true origin of the attacks.

Global: Microsoft Employees Exposed Own Company’s Internal Logins

Multiple people who appear to be employees of Microsoft have exposed sensitive login credentials to the company’s own infrastructure on GitHub, potentially offering attackers a gateway into internal Microsoft systems, according to a cybersecurity research firm that found the exposed credentials.

Microsoft confirmed the data exposure when contacted by Motherboard.

Microsoft refused to elaborate on what systems the credentials were protecting when asked multiple times by Motherboard.

But generally speaking, an attacker may have an opportunity to move on to other points of interest after gaining initial access to an internal system.

One of the GitHub profiles with exposed and active credentials makes a reference to the Azure DevOps code repository.

So what’s the upshot for you? The moral of the story is everyone makes mistakes and should be scanning code repositories for credentials.

Global: Hyundai Uses Example Keys For Encryption System

“Hyundai predictably fails in attempting to secure their car infotainment system with a default key lifted from programming examples.”

“Turns out the [AES] encryption key in that script is the first AES 128-bit CBC example key listed in the NIST document SP800-38A [PDF],” writes an unidentified developer under the name “greenluigi1.”

Luck held out, in a way.

“Greenluigi1” found within the firmware image the RSA public key used by the updater, and searched online for a portion of that key.

The search results pointed to a common public key that shows up in online tutorials like “RSA Encryption & Decryption Example with OpenSSL in C.”

Two questions remain:
1.) How did the test key get left behind?
2) Was it by accident or design?

So what’s the upshot for you? Some would argue that if you own a car you should be able to reprogram it. “Thanks, Hyundai! including a common encryption key was genius!”

US: Lyft Robotaxis on the Vegas Strip

A local news report called it "a futuristic dream, now a reality in Las Vegas: self-driving vehicles moving customers up and down the Las Vegas strip.

Lyft’s ride-hailing service now lets customers book Motional’s all-electric (and autonomous driving) IONIQ5.

Not everyone’s sold. “Love technology — love it, promote it — but we don’t need to replace every human,” said one person interviewed on the street.

But “the digital wave continues to sweep Las Vegas,” the newscast points out, with the car company’s director of commercial fleet operations insisting it will ultimately make transportation more affordable, sustainable, and reliable.

“We look at this as an opportunity to really show that robotaxis are the best way for people to get around,” he says, noting Vegas drivers have to contend with lots of night-time driving, bright lights, unusually wide lanes and big intersections.

The city once adopted the slogan “what happens in Vegas stays in Vegas,” and some passengers might appreciate the extra privacy of a truly driverless vehicle.

Passengers “for the time being, will be accompanied by two safety drivers in the event of an error,” according to news reports, but that’s expected to change soon:
“Motional and Lyft have a clear path to widespread commercialization of Level 4 autonomous vehicles,” said Karl Iagnemma, Motional’s president and CEO. “We’ve led the industry in commercial operations for years, and today’s launch signals we’re on track to deliver a fully driverless service next year…”

Upon arrival, riders who order the IONIQ 5 can unlock the doors to the vehicle using the Lyft mobile app.

Once inside the vehicle, customers can start the ride or contact customer support by using the new in-car Lyft AV app [on a touchscreen for passengers].

By making these new features available now, despite the presence of the two safety drivers, Lyft hopes to solicit customer feedback and refine the new tools before the service goes fully driverless in 2023.

So what’s the upshot for you? Lyft and Motional have been piloting autonomous rides in other vehicles in Las Vegas since 2018, with more than 100,000 autonomous rides provided thus far, over 95% of which have received five-star ratings, according to the companies.

Feedback gathered on the new IONIQ 5 autonomous vehicle over the coming months will help to inform Lyft’s launch of fully driverless e-hail trips in Las Vegas sometime next year.

After that, the company plans to expand the driverless, e-hail service to various other markets throughout the country.

Global: Capitol Records signs AI-powered virtual rapper, FN Meka

FN Meka, a “robot rapper” powered by artificial intelligence, with over 10 million followers on TikTok and more than a billion views on the platform, has inked a deal with Capitol Records

The new signing was reported by Music Business Worldwide last week, the same day FN Meka dropped his first single for the label: a song called ‘Florida Water’ that also features (real-life) rapper Gunna and gaming streamer Clix.

So what’s the upshot for you? O.K. but at this point, the vocals are still done by a real person. When that too flips to AI, then it might be time for aspiring pop artists to get worried.


And our quote of the week: “Don’t pet strange dogs.” In other words, if it doesn’t feel right, don’t click on it.

That’s it for this week. Stay safe, stay secure, don’t touch that dog, and see you in se7en.

Considering that many of us who use Google Products, in fact most, would be located outside of the United States, not potentially having any jurisdictional or Government recourse is of a extreme concern.

Technology makes mistakes but the unchecked implications can be substantial. The sooner we have alternatives to MFAANG products & services, the better.

#Daml #Canton

I’ve provided some alternative search engines in this week’s (2022 08 30) IT Privacy and Security Weekly Update. See if one of them works for you!
The flip side of this particular story though, is the trouble you can find yourself in with all your eggs in one vendor’s basket (so to speak).

Best, RPS