The IT Nerd

Polar is a company that makes fitness gear like fitness trackers, heart rate monitors and the like. They also make an app that allows you to compile the data from their gear called Polar Flow. But Polar Flow has one extra feature” that is likely to make a lot of people nervous right now, the location data of people such as spies and military personnel was accidentally exposed to the planet. Here’s the details:

For most users who set their activity tracking records to public, posting their workouts on Polar’s so-called Explore map is a feature and not a privacy issue. But even with profiles set to private, a user’s fitness activity can reveal where a person lives.

An exposed location of anyone working at a government or military installation can quickly become a national security risk.

Well, that’s an oops moment. This is pretty similar to what happened to Strava not too long ago. And it’s not just GPS info. It’s info that could also allow someone to identify you. Which of course isn’t good. After the company was told about this, the company took the relevant functionality off line. Then they put out this statement…. Which was kind of strange to me when I first read it:

In a statement sent by Polar chief strategy officer Marco Suvilaakso, the company said it “recently learned that public location data shared by customers via the Explore feature in Flow could provide insight into potentially sensitive locations.”

The company denied a leak or a breach of its systems.

“Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case,” said the statement. “While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.”

Well, if this isn’t a leak of some sort, I don’t know what qualifies. Thus this is a strange response from the company.

This is the bottom line that you have to keep in mind when you use these sorts of apps. They collect a ton of data on you. Thus you have to be 100% comfortable with the fact that this data could get exposed at some point and someone could learn a lot about you.

There’s a popular extension called Stylish which was once a great way to remove annoying features from websites—trending topics on Facebook, say, or that annoying bar that follows you as you scroll on Medium. To do this Stylish, the browser extension, needs access to every website you visit. But it also trolls and steals your browser history. In short, it’s spyware. And here’s what  Robert Heaton has to say about it on his personal blog:

Unfortunately, since January 2017, Stylish has been augmented with bonus spyware that records every single website that I and its 2 million other users visit. Stylish sends our complete browsing activity back to its servers, together with a unique identifier. This allows it’s new owner, SimilarWeb, to connect all of an individual’s actions into a single profile. And for users like me who have created a Stylish account on userstyles.org, this unique identifier can easily be linked to a login cookie. This means that not only does SimilarWeb own a copy of our complete browsing histories, they also own enough other data to theoretically tie these histories to email addresses and real-world identities.

As a result, Firefox has taken steps to ban the extension from its addons site and prompt all users to disable it. Google has done the same thing. Now the data that this addon shares is anonymized, but that’s still scary.

I try not to use browser add ons as I am always afraid of this sort of thing happening. Now it looks like my paranoia isn’t paranoia after all.

You’ve likely never heard of a company called LocationSmart. But I will let security researcher Brian Krebs tell you why you should care:

On May 10, The New York Times broke the news that a different cell phone location tracking company called Securus Technologies had been selling or giving away location data on customers of virtually any major mobile network provider to a sheriff’s office in Mississippi County, Mo.

On May 15, ZDnet.com ran a piece saying that Securus was getting its data through an intermediary — Carlsbad, CA-based LocationSmart.

Wednesday afternoon Motherboard published another bombshell: A hacker had broken into the servers of Securus and stolen 2,800 usernames, email addresses, phone numbers and hashed passwords of authorized Securus users. Most of the stolen credentials reportedly belonged to law enforcement officers across the country — stretching from 2011 up to this year.

None of that is good. But it actually gets worse. Apparently the LocationSmart website had a bug in its website that allowed anyone to see where a person is located without obtaining their consent:

LocationSmart’s demo is a free service that allows anyone to see the approximate location of their own mobile phone, just by entering their name, email address and phone number into a form on the site. LocationSmart then texts the phone number supplied by the user and requests permission to ping that device’s nearest cellular network tower.

Once that consent is obtained, LocationSmart texts the subscriber their approximate longitude and latitude, plotting the coordinates on a Google Street View map. [It also potentially collects and stores a great deal of technical data about your mobile device. For example, according to their privacy policy that information “may include, but is not limited to, device latitude/longitude, accuracy, heading, speed, and altitude, cell tower, Wi-Fi access point, or IP address information”].

But according to Xiao, a PhD candidate at CMU’s Human-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: Anyone with a modicum of knowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials.

“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent.”

Well, that’s very disturbing. This demo software was promptly taken offline when the story broke. But there’s a larger issue here. Which is the security of your data and what you should expect in terms of privacy. A US senator is poking around the edges of this, but this requires a more stringent response. As in the four telcos and all of the companies above need to come in front of congress to answer some tough questions about this.

The recent mass shooting in a Texas church has been making headlines since Sunday. But related to that is a problem that law enforcement has faced before. The inability to unlock the shooter’s phone to get to critical data that could help in their investigation. News.com has the details on this:

An official said at a press conference Tuesday that the FBI is unable to open the phone of Devin Patrick Kelley, who killed 26 people and injured 20 more at a Texas church on Sunday. 

The phone is encrypted, meaning the information inside is unreadable without a passcode. The FBI didn’t say what kind of phone the shooter used.

“With the advance of the technology and the phones and the encryptions, law enforcement — whether at a state, local or federal level — is increasingly not able to get into these phones,” said Christopher Combs, the FBI special agent in charge.

This is the same sort of situation that the FBI found itself in with the San Bernardino shooter’s iPhone, which in turn led to a protracted legal battle with Apple. But in the end they unlocked the phone with the help of a third party. Not only that, but apparently the FBI has been unable to get into thousands of phones which is making it difficult for them to investigate crimes.

Now I have to admit that I struggle with this. On one hand, I see the need for law enforcement to have the ability to get into phones to help them to put bad guys in jail. But at the same time, I don’t think that anyone should have a free pass to look at anything on a phone. Nor should Apple, Google or anyone else build backdoors into their phones for law enforcement. It’s a tricky balance I admit and I am not sure how you get the balance right. But hopefully there’s reasonable discussion about this that leads to that balance.

According to a CTV News report, Canadian Privacy Commissioner Daniel Therrien told a House of Commons committee yesterday that U.S. Customs and Border Protection officers can look at mobile devices and even demand passwords under new American law:

Therrien cited statistics indicating U.S. border searches of mobile phones had increased between 2015 and 2016.

“These devices contain a lot of sensitive information,” Therrien said. “We should be very concerned.”

And it seems that when US border officials look at your phone, they can deny you entry based on what is found on it. And it doesn’t have to be related to you being a bad guy. Take for example what New Democrat MP Nathan Cullen had to say:

Cullen said one of his constituents was denied entry to the U.S. on health-related grounds because information on the person’s phone indicated a prescription for heart medication.

Now to be fair, Canadian border officials can do this as well. But….. :

Canadian law also allows border officers to inspect cell phones, since they are treated as goods, Therrien told the Commons committee on access to information, privacy and ethics.

But he noted Canada’s border agency has a policy of limiting searches to cases where an officer has grounds to do so — for instance, because a phone might contain information about contraband items.

So travelers, you now know that if you’re going to the US, you can expect that there’s a higher probability that your phone might be searched. Thus if you don’t want things to go sideways, you should likely take precautions prior to departure.

There’s a group of five nations that collaborate on collecting and sharing intelligence. Known as the “Five Eyes” they are the U.S., the U.K, Canada, Australia, and New Zealand. Australia at a meeting this week of the “Five Eyes” will push for greater international powers to thwart the use of encrypted messaging services by terrorists and criminals. Here’s what Reuters had to say on this:

Australia has made it clear it wants tech companies to do much more to give intelligence and law enforcement agencies access to encrypted communications.

“I will raise the need to address ongoing challenges posed by terrorists and criminals using encryption,” Australian Attorney General Senator Brandis said in a joint statement.

“These discussions will focus on the need to cooperate with service providers to ensure reasonable assistance is provided to law enforcement and security agencies.”

While I fully support any and all reasonable methods for law enforcement to stop “evil doers” from doing “evil things,” this isn’t going to accomplish that goal. Simply put, those who want to inflict chaos and destruction on the world will move to unregulated open source solutions with end to end encryption which will put them out of the reach of law enforcement. Thus the only thing that will be accomplished is the weakening of security consumer devices and software that “evil doers” will move away from to stay out of the reach of the good guys. Do I have a better idea? Short of putting some sort of “backdoor” into every device and software that has encryption, no. But I do know a bad idea when I see it. And this qualifies as a bad idea.