Narrative: Declining Privacy & Security
Narrative: Declining Privacy and Security (Jan 24, 2017)
Microsoft Hires Head of Privacy and Data Security from FTC (Apr 28, 2017)
Apple fans, Android world scramble to patch Broadcom’s nasty drive-by Wi-Fi security hole – The Register (Apr 6, 2017)
There are two interesting things here, both worth discussing briefly. Firstly, Broadcom, which provides Wi-Fi chips for many popular smartphones including the iPhone, has a vulnerability in those chips that gives an attacker a way into the device. Apple issued a patch this week to deal with the issue, and Android vendors will be working to close the vulnerability too, though there's no specific timeframe yet, highlighting yet another challenge with Android's fragmented ecosystem. The second interesting thing is that the vulnerability was discovered by Google's Project Zero team, which is set up to discover and fix vulnerabilities like this, and has lately been doing great work on exactly that, including on non-Google devices like the iPhone. Vulnerabilities like this are always worrying, and it's great to have Google out there with what seems like a strong team detecting them and notifying vulnerable vendors so they can patch the issues.
via The Register
FCC and FTC Heads Outline Policy on Internet Privacy (Apr 5, 2017)
In an op-ed in the Post this morning, the chair of the FCC and acting chair of the FTC write up their views on the internet privacy debate that's been roaring in online tech publications over the last few weeks. As I've said previously (and discussed in depth in last week's News Roundup podcast), the reaction on this topic has been overblown and the level of understanding poor, though the major players on the other side haven't really helped themselves. The major ISPs only began communicating on the topic after the congressional vote was over, and only now are the FCC and FTC chairs communicating clearly about the issue. But the reality is that this issue of internet privacy can only really be resolved by new regulation from the FTC, which will end up once again having responsibility for online privacy, as it did until 2015.
We’re talking here about Tizen, Samsung’s alternative operating system which it uses for smartwatches, TVs, and to a lesser extent phones, and some security researchers are claiming there are widespread security vulnerabilities in that software. Some of the characterizations in this article seem like a bit of a stretch – it would be very odd indeed if Samsung had done as little to provide security in Tizen as the researcher quoted suggests. But these allegations are becoming part of a pattern recently in relation to Samsung, between the Wikileaks smart TV story, the more recent (and more serious) story on smart TV hacking through broadcast signals, and now this. It’s particularly problematic for Samsung because it has worked so hard over the last few years to develop Knox, its enterprise security solution, which is best in class in the Android world. It simply can’t afford to get a reputation for poor security when it’s trying to become the de facto standard for Android devices in the enterprise, and needs to address these vulnerabilities – and the broader claims – quickly and definitively.
via The Verge
Whereas the CIA / Wikileaks stories about Samsung smart TVs being hacked were somewhat overblown (they largely affected older TVs and required physical access to sets), this hack is more worrying because it would affect newer TVs and could be delivered remotely. However, for any kind of widespread effect, it would require hacking into a broadcast or IPTV stream, which in itself would be no mean feat, and of course would only work on TVs that happened to be accessing that stream during the time when it was compromised. Still, the broader worry here is, once again, that any device connected to the internet is at least theoretically vulnerable to hacking, and devices such as TVs with less sophisticated security systems than computers and smartphones are often the most vulnerable and hardest to patch.
EFF withdraws Verizon spyware claims – CNET (Mar 31, 2017)
This is an example of the hysteria we’re all being subjected to around the recent overturning of privacy rules regarding ISPs by the US Congress, and the dangerous places it can lead. The EFF, a consumer rights group particularly concerned with privacy, first wrote and then essentially entirely withdrew a post hyperventilating about a new app Verizon is testing on one obscure smartphone, once it gave Verizon a chance to respond and it provided an entirely reasonable response. In and of itself, this story isn’t that important, but it is symptomatic of a lot of the overblown rhetoric we’ve seen in the past week about carriers selling browser histories. The reality is that, because the new rules never actually went into effect, this week’s congressional action changed absolutely nothing from the status quo. And carriers no more have any intention of literally selling anyone’s browser history than Google or anyone else does – what they may do is use your browsing history to target advertising or their own products, just as Google, Facebook, and many other entities already do. Reasonable people can disagree on whether that’s a good thing or not, but it’s a fact of life for all of us already if we use these services. To pretend that what’s happened this week is the beginning of what EFF calls the privacy apocalypse is a total disservice to everyone involved, a form of crying wolf which is likely to make it much harder to get real attention onto real issues in the future.
This story has been somewhat misreported, although this article does a decent job. It appears a hacking collective is claiming to have lots of username/password pairs for iCloud accounts, though it appears that the source of the data is a hack of some other site or sites rather than any of Apple's own. That breach then seems to have allowed the hackers to take iCloud.com email addresses and the passwords used on those other sites and use them to access iCloud services as well. In other words, this isn't an Apple hack at all, and it is only effective because people reuse passwords on multiple sites. Using two-factor authentication and unique passwords is therefore still the best defense against this kind of thing, although Apple still has to deal with the headache of both false claims and threats from this hacking group.