Archive for Google

Do You Have A Nest Secure? There’s A Hidden Mic That Google Never Told You About

Posted in Commentary with tags on February 20, 2019 by itnerd

From the “so much for do no evil” file comes the disclosure by Google of a microphone on their Nest Secure which was meant to be used with Google Assistant:

Apparently this could be enabled or disabled at any time via the Nest mobile app, and via this blog post Google further explained that it was an opt-in feature and that customers would receive an email explaining how to activate it.

One slight problem: this wasn’t disclosed for over 18 months. Thus people bought the Nest Secure without knowing that there was a microphone present. And during those 18 months or so the potential existed for the bad guys, hackers or whoever, to hack in and listen in.

Not cool Google. Not cool.

If your IoT device secretly contained a previously undocumented microphone, would you be happy when the device maker announced an over-the-air update that can enable it? Of course not. You should be enraged and call for heads to roll. Now Google does admit that they screwed up, but says it wasn’t intended to be a secret. That will do little to calm people who own one of these devices and discovered this added feature.

By the way, you have to wonder how many other IoT devices have similar “features.”


Google Has Access To Apple’s Enterprise Certificates Again

Posted in Commentary with tags , on February 1, 2019 by itnerd

It appears that Google, much like Facebook before it, has left the “sin bin”, as Apple has restored the company’s access to enterprise certificates. These are the ones that got them into so much trouble when they were caught using them to sideload applications outside the App Store. This was confirmed by TechCrunch and by this tweet:

I would have liked to have been a fly on the wall of that conversation as one has to wonder what was said and what Google had to do to make nice with Apple. In any case, like the tweet says, all is well with the world. Except that it isn’t as I fully expect other companies to be “sin binned” by Apple as it’s a safe bet that Apple is taking a very deep look at their enterprise certificate program to find any more companies who are flouting the rules.

Apple Lays The Smack Down On Google For Abusing Enterprise Certificates

Posted in Commentary with tags , on January 31, 2019 by itnerd

That escalated quickly.

Not more than 24 hours ago it came to light that Facebook was not the only one abusing Apple enterprise certificates, but Google was doing that as well and for a much longer amount of time. In the case of the former, Apple revoked their enterprise certificate which is causing chaos within Facebook. Now it appears that Google has had their enterprise certificate revoked by Apple:

Apple has now shut down Google’s ability to distribute its internal iOS apps, following a similar shutdown that was issued to Facebook earlier this week. A person familiar with the situation tells The Verge that early versions of Google Maps, Hangouts, Gmail, and other pre-release beta apps have stopped working today, alongside employee-only apps like a Gbus app for transportation and Google’s internal cafe app.

“We’re working with Apple to fix a temporary disruption to some of our corporate iOS apps, which we expect will be resolved soon,” says a Google spokesperson in a statement to The Verge. Apple also appears to be working more closely with Google to fix this situation. “We are working together with Google to help them reinstate their enterprise certificates very quickly,” says an Apple spokesperson in a statement to BuzzFeed.

From the above statements, it sounds moderately more cordial than the Facebook situation. But if I am a betting man, I am guessing that there’s a lot of one-way conversations going on, with the one way being from Apple to Google. Hopefully they along with other companies get the message that this behavior isn’t acceptable.

Google Pulls A Facebook By Using Enterprise Certificates To Bypass App Store

Posted in Commentary with tags , on January 31, 2019 by itnerd

Clearly the use of Apple’s enterprise certificates to bypass the App Store so that one can load any piece of software they want onto their iDevice is a bigger problem than just Facebook. I say that because Google has been caught doing a version of what Facebook was caught doing. According to TechCrunch, Google has been distributing an app called “Screenwise Meter” using the enterprise certificate installation method since 2012. Google has apparently been privately inviting users aged 18 and up (or 13 for those who are part of a family group) to download Screenwise Meter, an app that is designed to collect information on internet usage, including details ranging from how long a site is visited to which apps are downloaded. The Screenwise Meter app lets users earn gift cards for sharing their traffic and app data. It is part of Google’s Cross Media Panel and Google Opinion Rewards programs that provide rewards to people for installing tracking software on their smartphones, web browsers, routers, and TVs. Or put another way, they were paying people without actually handing out cash the way Facebook was.

So much for Google’s motto of “do no evil.” But to be fair, the ship sailed on that motto years ago.

And there’s this little detail about the app:

Putting the not-insignificant issues of privacy aside — in short, many people lured by financial rewards may not fully take in what it means to have a company fully monitoring all your screen-based activity — and the implications of what extent tech businesses are willing to go to to amass more data about users to get an edge on competitors, Google Screenwise Meter for iOS appears to violate Apple’s policy.

And to nobody’s surprise, once this became public, this happened:

So now that’s two companies who have been playing fast and loose with Apple’s enterprise certificates. One has to think that more companies are doing exactly the same thing. The question is how many are doing the same thing and how bad is this going to get?

Google Gets Slapped With $57 Million Fine For Violating The EU’s GDPR Regulations

Posted in Commentary with tags on January 21, 2019 by itnerd

You may recall that the EU was implementing a set of regulations called the GDPR, which was meant to, among other things, hold companies accountable for the data that they have. We now have our first big company that has run afoul of these regulations. And surprise, it’s Google.

France’s top data-privacy agency, known as the CNIL, said Monday that Google failed to fully disclose to users how their personal information is collected and what happens to it. Google also did not properly obtain users’ consent for the purpose of showing them personalized ads, the watchdog agency said.

French regulators said Google’s business practices had run afoul of Europe’s new General Data Protection Regulation. Implemented in 2018, the sweeping privacy rules commonly referred to as GDPR have set a global standard that has forced Google and its tech peers in Silicon Valley to rethink their data-collection practices or risk sky-high fines. The United States lacks a similar, overarching federal consumer privacy law, a deficiency in the eyes of privacy hawks that has elevated Europe as the world’s de facto privacy cop.

Despite Google’s changes to its business practices, the CNIL said in a statement that “the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”

The total cost to Google is 50 Million Euros which is about $57 Million USD. Not exactly a trivial amount of money. Google is apparently looking at this to determine what their “next steps” will be. Which I assume means that they’re going to fight this. Which doesn’t come as a shock as I am sure that Google does not want to be the poster child of bad behavior when it comes to the GDPR. The question is, how many other big companies will be in Google’s shoes and how expensive will that be before companies get the message and do the right thing which is to seriously protect customer data?

Protests at Google HQs in Toronto, Montreal Demand Google Scrap Censorship Effort In China

Posted in Commentary with tags on January 17, 2019 by itnerd

On Friday, January 18th, a coalition of Chinese, Tibetan, Uyghur, and human rights groups will protest outside Google offices and headquarters in Toronto and Montreal demanding that the internet giant scrap the controversial censorship collaboration with the government of China: “Project Dragonfly.”  The protests in Canada are part of a larger global effort calling on Google to protect free speech and human rights on Internet Freedom Day – commemorated on January 18th.

On Friday, January 18th activists will gather outside Google HQs with messages highlighting the risks Dragonfly poses to freedom of speech and internet security and calling on the tech company to end the project. They will also hand out leaflets to Google employees and the public. The organisers have stated that this will be the first of a series of protests that will continue until Google executives confirm that Project Dragonfly has been canceled.

At Google’s HQ in Montreal, Quebec:
WHEN: Friday, January 18th. 12:00pm LOCAL TIME
WHERE: 1253 McGill College Avenue, Montreal, QC H3B 2Y5
LOCAL CONTACT: Sherap Therchin | ctcnationaloffice@gmail.com

At Google’s offices in Toronto, Ontario:
WHEN: Friday, January 18th. 3:00pm LOCAL TIME
WHERE: 111 Richmond Street West, Toronto, ON M5H 2G4
LOCAL CONTACT: Sonam Chokey | sonam@studentsforafreetibet.org

Project Dragonfly is a search app targeted at the Chinese market that has been under development by Google since at least 2017. The app would comply with the ruling Chinese Communist Party’s tight internet censorship laws and would restrict searches for forbidden or sensitive topics, including ‘human rights’, ‘democracy’, ‘Tiananmen’ and ‘Tibet’. The app would also facilitate state surveillance in China by linking users’ search history with their telephone numbers.

Since the launch of the campaign, Google CEO Sundar Pichai testified before the United States House Judiciary Committee on December 11th. In response to questioning about Project Dragonfly, Pichai dismissed concerns on the grounds the project is a ‘limited internal effort’ with ‘no plans right now to launch’ the service ‘right now’. While the status of Project Dragonfly has become more complicated over the past month, former and current Google employees doubt that the work on Dragonfly — which has always been shrouded in secrecy — has come to an end.

Since the launch of the campaign in December 2018, over 50,000 people have already signed petitions or written to Google, calling on the company to halt its development of Project Dragonfly and commit to an open and free Internet.

Protests will also take place in Australia, the UK, Switzerland, Sweden, Argentina, Chile, and the US.

The coalition of groups launching the global day of action on Internet Freedom Day includes the World Uyghur Congress, Free Tibet, International Tibet Network, Students for a Free Tibet, Tibet Action Institute, Tibet Society, SumOfUs and other activists from Chinese, Tibetan and Uyghur communities.

 

Hackers Are Pwning Chromecasts To Broadcast Security Risks About Chromecast And UPnP

Posted in Commentary with tags on January 3, 2019 by itnerd

It seems that Chromecast devices that are on home networks with Universal Plug and Play enabled are reachable from the Internet, which makes them pwnable by hackers. An example of this was captured by TechCrunch. Now the hackers aren’t out to steal anything, as the message actually has some useful info, such as that you should turn off UPnP to make your network more secure. Oh yeah, according to the hackers, you should subscribe to the YouTube channel of Pewdiepie. Don’t know who he is? Ask your teenagers.

Now this isn’t a Chromecast bug as such. It is really an inherent weakness in Universal Plug and Play which is designed to make devices work easily with each other. But I have been on record as saying that UPnP should just be disabled on routers by default as it is a security nightmare just waiting to happen. So if I were you, I’d dig up your router manual and figure out how to turn off UPnP now. As in right the hell now. And that advice holds true whether you have a Chromecast or not.