Archive for Privacy

Canadian Connected Sex Toy Company Fingered For Data Mining Users Without Consent

Posted in Commentary on March 14, 2017 by itnerd

Ottawa-based connected sex toy company Standard Innovation, maker of the popular We-Vibe, did more than make the toy and the phone app that goes with it. It also collected real-time usage data from users' connected toys without their knowledge. That is far more invasive than it should be, so it is no surprise that when users found out they went to court and got a $3.75 million (CDN) settlement. The Financial Post has the intimate details:

Under the terms of the settlement, Standard Innovation Corp. has agreed to destroy the personal information it has collected from users of the vibrator and stop collecting such information from now on. The vibrator, known as the We-Vibe Rave, could be paired with a smartphone app to allow a partner to control it remotely.

About 300,000 customers purchased the vibrators, with about one-third of them using them with the app, according to the settlement agreement. App users are entitled to a share of a fund up to US$10,000 after expenses and fees, with anyone who purchased a vibrator without using the app entitled to up to US$199.

The company does not have to admit that it did anything wrong as part of this settlement.

My take on this is that in the era of the Internet of Things, you can fully expect your data to be used in ways you don't expect. That includes what you do in your bedroom. The company was wrong not to tell users that it was collecting real-time stats on their intimate activities, but part of me isn't shocked by this at all, because data is very valuable these days. So if this is the sort of thing you're into (and if it is, there's nothing wrong with that), keep in mind that you may not fully control the data your activities generate.


WikiLeaks Does Massive Data Dump On CIA Hacking Tools And Ops

Posted in Commentary on March 7, 2017 by itnerd

WikiLeaks today released documents that shed light on the CIA's hacking tools and internal operations. What's key about this is that, as documented by BetaNews, absolutely no platform is safe from the CIA:

WikiLeaks has unleashed a treasure trove of data to the internet, exposing information about the CIA’s arsenal of hacking tools. Code-named Vault 7, the first data is due to be released in serialized form, starting off with “Year Zero” as part one. A cache of over 8,500 documents and files has been made available via BitTorrent in an encrypted archive. The plan had been to release the password at 9:00am ET today, but when a scheduled online press conference and stream came “under attack” prior to this, the password was released early. Included in the “extraordinary” release are details of the zero day weapons used by the CIA to exploit iPhones, Android phones, Windows, and even Samsung TVs to listen in on people. Routers, Linux, macOS — nothing is safe. WikiLeaks explains how the “CIA’s hacking division” — or the Center for Cyber Intelligence (CCI) as it is officially known — has produced thousands of weaponized pieces of malware, Trojans, viruses and other tools. It’s a leak that’s essentially Snowden 2.0.

I take two things out of this data dump. First, nothing is secure. Absolutely nothing. That should scare you. Second, some of these tools are now in the public domain, and really bad people are going to get their hands on them. That should scare you even more.

It should be interesting to see how this is explained by the US Government.

Spammers Have Internal Database Leak Onto The Web

Posted in Commentary on March 7, 2017 by itnerd

In an #EpicFail moment, notorious spammers River City Media (RCM) have exposed 1.37 billion email addresses after failing to password-protect a remote backup. This was discovered by Chris Vickery, a security researcher at MacKeeper:

A cooperative team of investigators from the MacKeeper Security Research Center, CSOOnline, and Spamhaus came together in January after I stumbled upon a suspicious, yet publicly exposed, collection of files. Someone had forgotten to put a password on this repository and, as a result, one of the biggest spam empires is now falling.

Additional coverage can be seen over at CSOOnline.

The leaky files, it turns out, represent the backbone operations of a group calling themselves River City Media (RCM). Led by known spammers Alvin Slocombe and Matt Ferris, RCM masquerades as a legitimate marketing firm while, per their own documentation, being responsible for up to a billion daily email sends.

Think about that for a second. How can a group of about a dozen people be responsible for one billion emails sent in one day? The answer is a lot of automation, years of research, and a fair bit of illegal hacking techniques.

I say illegal hacking due to the presence of scripts and logs enumerating the groups’ many missions to probe and exploit vulnerable mail servers.

The game these spammers were playing goes something like this. RCM gathered its mammoth database from people requesting credit checks, entering prize giveaways and sweepstakes and applying for education opportunities, along with techniques like co-registration, in which a person's info is shared with unnamed affiliates after they click "submit" or "I agree" on a website. Thus there's a very good chance that your e-mail address is in this leak.

The good news is that RCM's spamming days are over: Spamhaus has blacklisted their entire operation. The bad news is that this database has a ton of personally identifiable info, and who knows whose hands it is going to end up in.

Viral Chinese Selfie App Meitu Phones Home

Posted in Commentary on January 20, 2017 by itnerd

The Meitu selfie app, the app to have on your phone at the moment, aggressively harvests your personal data, researchers say. They have discovered that the app collects information about the devices on which it runs, includes invasive advertising tracking features and is just badly coded overall:

Meitu, a Chinese production, includes in its code up to three checks to determine if an iPhone handset is jailbroken, according to respected forensics man Jonathan Zdziarski, a function to grab mobile provider information, and various analytics capabilities. Zdziarski says the app also appears to build a unique device profile based in part on a handset’s MAC address. “Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it,” Zdziarski says. Unique phone IMEI numbers are shipped to dozens of Chinese servers, malware researcher FourOctets found.

Well, that's pretty bad. My advice is to pull it from your phone. Like right now. Clearly this is an app that cannot be trusted. Oh, by the way, this is a perfect example of why you should never jailbreak your phone: an app that goes out of its way to check for a jailbreak is looking for a device where the usual restrictions on what it can read are gone, and that is really, really bad.


“The Man” Is Looking At Your Social Media Posts

Posted in Commentary on January 19, 2017 by itnerd

I want to bring you two stories from the CBC to highlight the fact that when you post to social media, nothing that you post is private. Ever.

Let's start with this story, in which the Canada Revenue Agency is apparently monitoring social media to figure out if Canadian taxpayers are cheating on their taxes, presumably by spotting people tweeting out pictures of the new car or boat they bought with money they owe the taxman. Here's what the Canada Revenue Agency has to say on this:

“The CRA does practice risk-based compliance, so for taxpayers identified as high risk, any relevant, publicly available information relating to the specific risk-based factors for the taxpayer may be consulted as part of our fact-gathering processes,” said spokesperson David Walters.

Among those considered high risk are wealthy Canadians with offshore bank accounts, said Jean-François Ruel, director of CRA’s Strategy and Integration Branch.

“If we go with high-risk, high-wealth individuals that do offshore [banking], then we would look at all information that is public for compliance action.”

But here’s the problem according to someone who spends all day every day looking at this stuff:

However, David Christopher, of the advocacy group Open Media, said his organization opposes government agencies monitoring what Canadians are saying on social media.

“When Canadians post something on Facebook, they believe that they are sharing that with their friends and with their family. They don’t believe that they are sharing that with some government bureaucrat in Ottawa,” he said.

“Unfortunately, Facebook’s privacy settings are notoriously complex and many people might think that they are posting something to their friends and it ends up getting shared with the whole world.”

My thoughts on this are that while it is problematic, it doesn't cross the line into being offensive, for reasons I will get to in a minute. But having said that, let's take this discussion to the next level. This CBC story details a London, Ontario based company that created software which violated Twitter's terms of service to mine data on behalf of law enforcement:

A London, Ont., data mining company has been banned from Twitter and is being reviewed by Facebook for selling surveillance software to North American police services to monitor people at Black Lives Matter events and other public protests.

Media Sonar lost its Twitter privileges in October after it was revealed that the firm was in violation of the social media giant’s privacy policies.

“If Media Sonar creates other API keys [to connect with Twitter], we will terminate those as well and take further action as appropriate,” wrote Twitter spokesperson Nu Wexler. 

Public documents obtained through access to information requests show the company billed itself to police forces as the “only vendor that allows public safety agencies to view social accounts covertly.”

It also provided at least one police force in California with a list of keywords and hashtags, including #blacklivesmatter and #Weorganize, to help with “proactive policing.” 

Now this clearly crosses the line and is clearly offensive. Unlike the Canada Revenue Agency, which walked up to the line because it was going after people it would be investigating anyway through other means, Media Sonar went after anyone and turned that info over to the cops if they said the wrong thing on Twitter. Thus anyone could get roped into this company's dragnet. That's an #EpicFail, because while you shouldn't expect to have privacy in a public forum like social media, you shouldn't expect to be spied on either if you've done nothing wrong. Hopefully this award-winning company loses some of those awards and gets the message that this is as far from acceptable as you can get.

It should also send a clear message to users of Facebook, Twitter, and other social media platforms. You are being watched. It may not be right, but it is the case. Govern yourself accordingly.

Court Docs Show That “Connected” Cars Have Been Targets Of Spying By Cops For Years

Posted in Commentary on January 18, 2017 by itnerd

Hacker News has an interesting report illustrating that cars that are "connected" in some way have been targets of spying by law enforcement for years. I put the word "connected" in quotes because some of the cases cited pre-date the time when cars became "things" on the Internet; those cars were "connected" in other ways. For example, cops have leveraged SiriusXM radios in cars to get evidence:

In 2014, satellite radio and telematics provider SiriusXM provided location information of a Toyota 4-Runner following a warrant by New York police, which was recently unsealed.

The warrant asked SiriusXM “to activate and monitor as a tracking device the SIRIUS XM Satellite Radio installed on the Target Vehicle” for ten days, and the company admitted to Forbes that it complied with the order.

How did SiriusXM achieve this? The company simply turned on the stolen vehicle recovery feature of its Connected Vehicle Services technology on the target vehicle, a Toyota 4-Runner. It's like Apple turning on the Find My iPhone feature to track a customer's location, the court documents [PDF] say.

SiriusXM said it worked with law enforcement periodically to provide such information on its customers with just a valid warrant. The company receives an estimated five valid court orders a year to monitor a suspect, though it declined to offer on-record comment.

If you have a GM vehicle, you likely have OnStar which cops have leveraged as well to get evidence. Here’s one example:

According to Forbes, police asked GM to hand over OnStar data in December 2009 from a Chevrolet Tahoe rented by suspected crack cocaine dealer Riley Dantzler.

OnStar's tracking is so accurate that even after the feds had no idea about Dantzler's car, it was able to "identify that vehicle among the many that were on Interstate 20 that evening," followed him from Houston, Texas, to Ouachita Parish, stopped Dantzler and found cocaine, ecstasy and a gun inside the car.

Lovely. Another example is cited as well; the interesting part about that one is that the target was not an OnStar subscriber, but the hardware was still live, something I wrote about in part a few years ago. For the record, here's GM's stance on this:

“We don’t monitor or otherwise track the location of OnStar-equipped cars unless required by a valid court order in criminal procedures or under exigent circumstances; and we don’t release the number of those requests. We take our customers’ privacy, safety, and security very seriously, and we assist them on average more than 600 times each month in North America with some form of Stolen Vehicle Assistance.”

Now if all of this is going on, one has to wonder what would happen if a hacker were able to leverage this for some nefarious purpose, never mind the fact that there's data inside your car that someone could use against you legally. This illustrates the need for substantive rules around this sort of thing. The question is whether those who make those rules see it as a priority.

Apple, Google, Microsoft To World: We Don’t Scan Email Like Yahoo Does

Posted in Commentary on October 5, 2016 by itnerd

Yesterday, when I posted this story on Yahoo's massive e-mail scanning program, I wondered how many other companies did the same thing. Well, Apple, Google and Microsoft have now gone on record to say that they don't. Mostly. Let's start with Google, via a story from Vocativ:

We’ve never received such a request, but if we did, our response would be simple: ‘no way’

Microsoft in the same story said this:

We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.

Apple really didn’t have much to say, other than to have you refer to CEO Tim Cook’s official letter on consumer privacy which says this in part:

I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.

Other companies such as Facebook and Twitter said similar things. Now that sounds all warm and fuzzy on the surface, but I want to point this out: we don't know whether these companies have ever been approached to do something like this. That would add a lot of colour to this story. I wonder if these companies will come clean at some point.