FAA restrictions may make flying difficult or impossible for many #drones #quadcopters

We have been looking at different areas around the western U.S. for possible relocation and retirement.

Looking at Walla Walla, WA, I was surprised to see this large restricted area around the Walla Walla Regional Airport, extending from the surface upwards, and about 7.4 miles southwest to 13.4 miles northeast of the airport and for about 4.4 miles either side of the airport – an astounding 183 square miles of controlled airspace over a rural area. The expansion was added in 2016 for an instrument approach corridor to the airport.

Walla Walla Regional Airport has 2 or 3 departures each day and 2 or 3 arrivals, all on Q400 turbo prop aircraft.

On the Seattle VFR sectional chart, the restricted area corresponds to the area marked off in a thin, dashed magenta line. As you can see, the restricted flight zone is so large it extends into Oregon.

“Controlled” airspace in this example means the air – from ground level upwards – is subject to FAA regulations. You cannot fly a toy quadcopter in your backyard 2 feet off the ground under a tree – the FAA controls the airspace in your backyard.

Hobbyists may fly at the local flying club’s model airfield, located in a city park, but all other hobby flights within this airspace are restricted as operation inside controlled airspace.

For all other flights, the hobbyist must contact the airport manager at airfields within 5 miles, which in this example includes up to 4 private airstrips, 1 small airport (no tower), the regional airport, plus two heliports (not shown on the map), plus the regional airport control tower. That is 9 phone calls prior to flying a personal model aircraft in your backyard – which is a significant burden. What do you do if the phone number for a private airfield is not answered and there is no answering machine or voice mail?

Alternatively, a hobbyist may obtain a Part 107 FAA UAS drone license and then need only contact the regional airport and tower in advance of each flight when operated below 400 feet within most of the restricted area on the map, which is considerably more practical than making 9 phone calls 24 hours before hobby flying. Part 107 pilots can also use an app to file their flight online and receive approval in minutes.

70% of the U.S. population lives within 5 miles of an airport – and is required to contact the airport facility manager and the tower, if one exists, prior to flight. Best guess is most model aircraft flyers are unaware of how controlled the airspace has become – literally 3 out of 4 flyers need to restrict their flights to previously approved model airfields or they need to contact all local airport operators.

Second guess is that close to zero are making those phone calls.

My third guess is that ultimately the regulatory structure will de facto eliminate most hobby flights of model aircraft except at established model aircraft airfields. The FAA will not specifically prohibit flights elsewhere but its byzantine regulatory structure de facto makes it so hard to comply that legal flights may be relegated to licensed and commercial operations.

The effect is that unlicensed model aircraft flying will be de facto restricted to existing model airfields (or very rural areas). You will need a Federal license to fly a 1 pound toy aircraft most anywhere else that is within easy distance of your home.

There is precedent for this to occur. We used to see a lot of Part 103 ultralight aircraft, but FAA rules now limit unlicensed ultralight pilot training to certified 2-seat trainers only (prior rules allowed 2-seat ultralights for training only without being certified) by certified Flight Instructors (also pricey). The costs of certifying a training aircraft and the small size of the market mean there are, I am told, only 3 aircraft makes (including powered parachutes) certified for training. The effect is it is nearly impossible to get flight training for an ultralight aircraft now.

Without training, ultralight aviation has been de facto shut down. (Flight training is not required for flying an ultralight but learning, and making mistakes on your own, can be, ahem, expensive.)

Unless you live in a rural area, legal drone flying is going the same way. Many will continue to fly without going through the permission process but such operations will be used by bureaucrats as an excuse for stronger regulation with high penalties for not complying.

To continue legal flying where many wish to fly will require most of us to have a Part 107 UAS license.

I plan to get the Part 107 license. I used to fly light aircraft and have an FAA private pilot’s license, but I am no longer current so need to take the Part 107 exam ($150). Because of issues related to health insurance coverage while flying an aircraft (side effect of ObamaCare fiasco), the additional costs of medical insurance while flying raise the cost of piloting an aircraft to about $250 per hour (rental plus more expensive health insurance) – which is wholly impractical.

Study finds VCs would get better returns investing in startups with 45-50 year old entrepreneurs

A new study found the average founder of the fastest growing tech startups was about 45-years-old — and 50-year-old entrepreneurs were about twice as likely to have a runaway business success as their 30-year-old counterparts.

The findings have implications for both older and younger entrepreneurs, who may gauge future success on industry biases, as well as for venture capitalists, whose propensity to invest younger may be having adverse effects on their returns.

“Young people are just smarter,” Facebook CEO Mark Zuckerberg once said.

Zuckerberg’s bias is not uncommon in Silicon Valley. Young people are digital natives, thought to be cognitively sharper, less distracted by family and less beholden to current industry paradigms, according to the study.

Source: Research shows older entrepreneurs are likely to be more successful 

The bias to youth is, in part, because media stories frequently focus on the unusual (versus the important), and a young, successful entrepreneur met the unusual criteria.

VCs invest almost exclusively in firms started by very young entrepreneurs.

Fascinating details: “The NSA’s Hidden Spy Hubs In Eight U.S. Cities”

These fortress-like AT&T buildings are central to a secret NSA program that has monitored billions of communications, documents and sources reveal.

Source: The NSA’s Hidden Spy Hubs In Eight U.S. Cities

Stephen Budiansky, in his book, Code Warriors, explains how the precursor to the NSA tape recorded communications prior to and during WW II. As they worked to decrypt and interpret contemporary messages, access to older communications proved invaluable to understanding current events and why enemies were making the decisions they were making.

In a similar way, the NSA records and stores large quantities of communications in the event that a future situation will benefit from analysis of past communications. For this reason, the NSA built enormous data centers, such as the NSA Data Center near Provo, Utah, specifically to store enormous quantities of digital data including phone calls, radio signals, text messages, emails, and general Internet data traffic. Much of this data collection may never be accessed – except in time of national emergencies or war.

How to block the Chrome Software Reporter Tool (software_reporter_tool.exe)

I noticed my PC was bogged down and the CPU cooling fan has powered up to a higher speed. What’s up?

Google claims the Software Reporter Tool scans your PC looking for malware that may interfere with the Chrome experience. I’m not sure I want Google scanning and peeking inside my computer, at all of the files on my computer. I really have no idea what this app is doing or what information it is collecting, who has access to the data, how long it will be stored, and how it will be used. Since I seldom use Chrome on this PC, I went ahead and uninstalled Chrome. However, the following describes a way to prevent the tool from running. (I already run both Windows Defender and a second anti-malware application – the SRT seems superfluous.)

Source: How to block the Chrome Software Reporter Tool (software_reporter_tool.exe) – gHacks Tech News

Consumers said to want more #IoT devices for security, protection and willing to share that data with insurance companies

Specifically, consumers say they’d share more data with their insurance company in exchange for smoke, fire and water alarm systems (and presumably also theft) that send data to their insurance company.

“Consumers appreciate the safety and security value propositions of smart home products”

Source: Report: Nearly half of broadband internet households interested in IoT-based insurance | Insurance Business

Everyone wants to be inside your bedroom now, from your smart phone, to your Amazon Alexa device, to your set-top-box (which logs everything you watch) to your home security systems (which, in some cases, log everyone in and out and share with a network provider).

HP computers and data privacy and spying

I have an older HP desktop computer. I’ve long observed significant slowdowns as various background tasks were underway and I had assumed it was just anti-virus software running in the background. But it was not – instead, the HP Support Assistant was frequently scanning the entire system, using 55% of the CPU and hogging the disk input/output, tremendously slowing down the system. I finally disabled the HP software as I had never seen any value from it.

Then I went to read the HP Privacy policy (which may be different today from what it was when I bought the computer years ago).

In addition to the data collected by HP, HP also “deduces” attributes about you, and collects data when you use social media logins to access anything. This means when you log in to a site using your Facebook login, data about your visit is collected by Facebook and shared with Facebook’s partners (which is literally the entire world).

HP remotely spies on your use of HP printers, collecting a database of pages printed, type of print media used, what ink you are using, including what brand of ink, and the names of the applications from which you print.

HP also purchases information from third party data services, social media networks and advertising networks. Ad networks are used to track every web site you visit online. HP uses this, as they disclose, to get your name, address, “preferences, interests and certain demographic data”. Clearly, HP is buying data about us from Facebook, Google and Twitter.

This example illustrates the pervasive – and nasty – web of anti-privacy efforts underway by the high tech industry. The entire industry works together to intensely monitor, intercept and collect enormous quantities of data about every one of us. Further, they use automated software systems to analyze and interpret this data to then draw inferences about us.

A previous post on my SocialPanic.org blog found that inferences made by Facebook and Twitter were completely wrong – but there is no way to correct that. In most cases there is no way to know what inferences companies like HP have made about us.

What Can You Do?

  • Delete the HP Support Assistant. I have found no value from having run it on this computer for many years. Optionally, disable it in the Windows Task Scheduler so it does not run.
  • Delete or disable other software that you do not need or use.
  • Do not use social media logins to web sites other than the social media web site.
  • Use privacy enhanced browsing to minimize tracking across the web. First, never use Chrome. Google logs every web site you visit. Use the Epic Privacy Browser or use Mozilla Firefox with the Privacy Badger and Ghostery plug-ins. Use the Cookie-AutoDelete plug-in to automatically remove tracking cookies when leaving a web site (you can optionally “white list” web sites so that cookies and logins remain active, if you wish).
  • The Epic Privacy Browser includes access to a proxy server to hide your IP address from web sites.
  • When using mobile phones, note that operating systems such as Android always track your location if Location Services is enabled (such as using mapping). Most people leave Location Services on all the time, and Google uses that to build a database of everywhere you travel and every place you visit. Google also records information about WiFi networks and Bluetooth devices within range of your phone. Even when location services is turned off, WiFi access points and even some Bluetooth devices can reveal your location anyway. Disabling WiFi and Bluetooth will reduce this data collection.

The tech industry has been operating in a freewheeling, Orwellian 1984 world of intense spying on everyone who uses online services including web sites, monitoring our email communications, our social media Likes, everywhere we travel, and even monitoring our use of home printers.

Automobiles are also now collecting information about our use of the vehicles, including our driving habits and locations visited.

They argue that if we don’t like this, then we should not use online services or we should not use printers or we should not drive a car. These arguments are wholly unrealistic.

Yet most people seem oblivious to this: Facebook has been widely exposed as a massive global surveillance network and propaganda platform – yet financial analysts say they see little harm to Facebook’s business as few seem to care.

Minor security problem at Veoh.com

Veoh was established years ago as a video sharing service. Perhaps as many as ten years ago, I set up two accounts there. One for myself, to which I uploaded just two videos, plus a second one to test out for a daughter who was about to do a study abroad – she could use that account to post videos. We never used this one, though, and the account languished.

I did not remember the password to that second account – but I had saved it in the browser’s automated login feature! Thus, I could log in to the account.

I thought perhaps I’d change the password to something new. Fortunately, their security prevented me from changing the password by requiring me to enter the current password before I could proceed. But I did not know the current password!

Then I noticed the email address set up for the account was an old one that my daughter used years ago. The email address probably does not exist any more. However, I could change the email address! And I did not have to enter the current password to do so!

I then logged out, went to the login screen and said I had forgotten the password. Veoh sent me a password reset link and I quickly reset the password.

This is another example – albeit a minor one – of a potential security vulnerability. I could change the email address and then use that to set a new password – but I could not directly change the password without providing the current password! Obviously, it would be safer for them to have a secondary authentication step on changing the email address.

Online services seem to be full of these poor security practice examples.

Venmo’s broken security

I just changed the password on an account that is not mine – but it had my email address and frequently sent me financial transaction reports in the clear. This is a lesson for how insecure online services are today – and the severe privacy problems inherent in sloppy cloud computing businesses.

Someone entered my email address for their account at Venmo. Months ago. Apparently Venmo NEVER VERIFIED the email address. Consequently, I receive their emailed financial transaction correspondence – for several months. Guess their customer never noticed they were not receiving emails? (Or is Google broken and one email address is being delivered to different people? Anything is possible!)

See Updates at the bottom of this post – I will be updating this post

Example

Venmo sent me financial updates like this one – sending me the name and photo of the person that I had just paid (Privacy? Hello? Remember, I am not and have never been a customer of Venmo!)

Financial records are protected by law (which law, depends on various factors). At a minimum, disclosure of your personal financial information to governments is covered by the Financial Privacy Act of 1978 and other disclosures by the Gramm-Leach-Bliley Act of 1999. They are also subject to privacy policies. Did Venmo disclose to their customers that their personal financial information may be disclosed to completely random strangers on the Internet?

Then again, Venmo, I think, may be a social network for money transactions, where it posts all of your transactions online. Judging from a search for Venmo on Twitter, Venmo is used mostly for paying off sexual favors/sugar daddy transactions/pictures of private body parts. It may well be that the purpose of Venmo is to share one’s financial transactions with everyone else! There is no financial privacy on Venmo!

Unable to Contact Venmo

Months ago I attempted to notify Venmo of this problem but they ignored me. Venmo only enables customers to contact them – see their Contact Us page. If you do not have an account number, you cannot contact them to fix this! I had no way to contact them!

I sent a description of the problem to them on Twitter. They never replied.

This is not my problem to solve and I did not want to waste a lot of time dealing with trying to fix their problem – both the customer – and me – are the victims of their defects. I never volunteered to become a party to their financial correspondence and they do not provide an obvious way for me to get rid of it or fix this for their actual customer.

Months later, as I reviewed old email I ran across this problem again.

Trying to Fix the Problem

Keep in mind – non customers cannot contact Venmo (see their Contact Us page link, above).

Today I figured I’d try to log in to the account, possibly find the individual’s phone number and call them directly to let them know. (I’ve done this previously as I receive erroneous correspondence from other vendors who never verified customer entered email addresses – there is literally no easy way for drive by victims to correct this – especially when my own email address is abused this way every week.)

Today, I went to the account – entered my own email address which they’ve used incorrectly – and said I’d forgotten my password. They sent me a password reset link. I changed the account password. I should never have been allowed to do this without a secondary authentication step!

I cannot log in to the account because they do have two-factor authentication set up (good!). Their password change should have used 2FA, but they did not.

The owner of the account cannot log in either because it let me change the password – Venmo should never have allowed me to do that. I’ll be happy to give the password to Venmo if they care enough to follow up with me and fix their serious security flaws.

Venmo then emailed me to let me know that the account had been changed.

Follow up

Now that I have done this, I have again attempted to notify Venmo of their poor security through their Twitter support account. Venmo is a service of Paypal.

  • This is scary when a financial service does not verify the email address and sends correspondence to the wrong person, and further enables anyone with a reset link to reset the password.
  • You should not use a financial service that does not respond when someone notifies them of a security problem – months ago.
  • I am hopeful this finally gets their attention, they fix the problem, and they enable their actual customer to get their account set up properly.
  • All companies need to provide “drive by victims” of incorrect email addresses a simple way to fix this problem. This is a serious issue; my email account generally receives emails intended for other people many times per week, including documents marked confidential. Yet I often have no way to contact anyone to get them to fix the problem.
  • These are extremely serious security problems, not just at Venmo.
  • If I do not hear from them, I will print out this blog post and mail it to the CEO of the company and the Federal banking regulator. No one should have to go to such lengths to get them to fix their security problems. Good grief. I am hopeful this post might get someone at Venmo to care about this.

Details and Screen Shots

First, I said I forgot my password and they emailed me a link to reset the password, with no attempt to verify my credentials, nor use the two factor authentication they have set up on the account:

I then successfully began the log in process:

The following confirms they had two-factor authentication set up for the account – but they did not use this for the password change. Further, this screen appears after I have “logged in” using the email address and new password I created for their customer’s account:

Basically, Venmo has significant security problems. Will be interesting to see if they FINALLY contact me and fix their broken security. I have sent them a link on their Twitter support account explaining what was done and a link to this web page. I want them to fix this and I hope they want to fix this too.
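
The two gaps described in the Veoh and Venmo posts (an e-mail change that skips the current-password check, and a password reset sent to a never-verified address that ignores the account's two-factor setting) can be closed as in this added sketch. It is not code from either service: the `Accounts` class, its method names and the in-memory storage are hypothetical, and tokens are returned instead of e-mailed so the flow runs offline.

```python
import hashlib, hmac, secrets, struct, time

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP (SHA-1, 30 s step, 6 digits)."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // 30), "sha1").digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"

class Accounts:
    """Hypothetical in-memory account store; all names are illustrative."""
    def __init__(self):
        self.users = {}      # username -> account dict
        self.pending = {}    # verification token -> (username, email)
        self.resets = {}     # reset token -> username

    def register(self, name, email, password, totp_secret=None):
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "pw": _hash(password, salt),
                            "email": None, "totp": totp_secret}
        return self._start_verification(name, email)

    def _start_verification(self, name, email):
        # The only message an unconfirmed address ever receives is this token.
        token = secrets.token_urlsafe(32)
        self.pending[token] = (name, email)
        return token

    def confirm_email(self, token):
        name, email = self.pending.pop(token)   # KeyError on unknown token
        self.users[name]["email"] = email

    def check_password(self, name, password):
        u = self.users[name]
        return hmac.compare_digest(u["pw"], _hash(password, u["salt"]))

    def change_email(self, name, new_email, current_password):
        # Step-up check: a live session or browser-saved login is not enough.
        if not self.check_password(name, current_password):
            raise PermissionError("current password required to change e-mail")
        # The old address stays active until the new one is confirmed.
        return self._start_verification(name, new_email)

    def request_reset(self, email):
        # Reset links go only to addresses whose owner confirmed them.
        for name, u in self.users.items():
            if u["email"] is not None and u["email"] == email:
                token = secrets.token_urlsafe(32)
                self.resets[token] = name
                return token
        return None   # the caller shows the same response either way

    def complete_reset(self, token, new_password, code=None, now=None):
        name = self.resets.get(token)
        if name is None:
            raise PermissionError("invalid reset token")
        u = self.users[name]
        # An enrolled second factor gates the reset, not just the login.
        if u["totp"] is not None:
            expected = totp(u["totp"], time.time() if now is None else now)
            if code is None or not hmac.compare_digest(expected, code):
                raise PermissionError("second factor required")
        del self.resets[token]   # single use
        u["salt"] = secrets.token_bytes(16)
        u["pw"] = _hash(new_password, u["salt"])
```

A production version would also expire the verification and reset tokens and rate-limit both request paths.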

Been dealing with several levels of security problems today and information and security are two words that should never appear in the same sentence. The tech sector is a mess.

I will update this post in the future if I hear anything.

UPDATES 10 MARCH 2018

The problem is I am not a customer and I do not have an account on file with Venmo!

After I replied that I am not a customer, they have provided me with this information which may be of use to others:

UPDATES MARCH 11 2018

Late in the day, Venmo Support emailed me to say they have removed my email address from the account and I should no longer receive emails from Venmo. Their response did not explain how my email address became associated with the account, nor did it explain what steps they are doing to protect passwords being changed by non-Venmo customers. At this time, I strongly recommend not opening an account and not using Venmo due to their security and privacy problems – which appear to remain unresolved.