Experts believe that at least half the population needs to use contact-tracing apps for them to work. The challenge will be convincing the public to opt in after years of trust issues with big tech.
Source: Contact-tracing apps have a trust problem, even if they do protect your privacy – CNET
Facebook and the like need to craft a professional code of ethics for the technology industry.
Source: A Facebook request: Write a code of tech ethics – Los Angeles Times
Where this is headed, naturally, is the concept of licensed professional engineers (P.E.) in software engineering. Development of a professional engineering licensing exam for software engineering was done many years ago. I believe Texas was the only state to offer the exam; however, due to low participation, they are discontinuing the software engineering PE exam as of April 2019.
The Digital Millennium Copyright Act prohibited bypassing copyright protection systems thwarting many activities normally considered lawful such as “fair use”, use of snippets for education and critique, and investigations by computer security researchers.
The U.S. Copyright Office in the Library of Congress has issued a final rule clarifying (and expanding) exemptions for permissible activities.
We thoroughly evaluate the claims made by Bloomberg in their Supermicro China tampering stories and found them likely impossible or implausible at best. We take stock of sources and discuss the next steps calling for formal SEC and shareholder investigations of Bloomberg.
Source: Investigating Implausible Bloomberg Supermicro Stories
Apple and Amazon, both named as allegedly using the allegedly hacked servers, have denied the Bloomberg accusations. Apple has called for Bloomberg to retract the article. The U.S. Department of Homeland Security issued a statement appearing to agree with Apple.
The Bloomberg article, as noted in the linked story, appears to have numerous technical inaccuracies.
From the spec sheet, the new CPUs provide high performance at low battery power consumption, and integrated Gigabit Wi-Fi (802.11).
See Intel’s page on the new processors for more information.
Meltdown and Spectre are the names given to a security vulnerability that takes advantage of speculative branch execution to capture the side effect of cached data, thereby revealing protected data. However, just one of the two new processors addresses Meltdown while the other does not. Neither addresses Spectre.
Intel launched new eighth-generation processors slated for laptops this week: Ultra-low power 15-watt Whiskey Lake U-series chips and extremely low power five-watt Amber Lake Y-series chips. After the launch, Intel was asked if these two processor families include hardware fixes for Meltdown and Spectre.
Source: Intel’s New ‘Whiskey Lake’ CPUs Have a Hardware Fix for Meltdown | Digital Trends
Microsoft’s chief legal officer on Friday called for regulation of facial recognition technology due to the risk to privacy and human rights.
Source: Microsoft urges regulation of face-recognizing tech
Really glad to see Microsoft addressing these issues and working to take privacy seriously as a competitive alternative to Facebook and Google.
Disclosure: I am a former Microsoft employee.
Specifically, consumers say they’d share more data with their insurance company in exchange for smoke, fire and water alarm systems (and presumably also theft) that send data to their insurance company.
“Consumers appreciate the safety and security value propositions of smart home products”
Everyone wants to be inside your bedroom now, from your smart phone, to your Amazon Alexa device, to your set-top-box (which logs everything you watch) to your home security systems (which, in some cases, log everyone in and out and share with a network provider).
I have an older HP desktop computer. I’ve long observed significant slow downs as various background tasks were underway and I had assumed it was just anti-virus software running in the background. But it was not – instead, the HP Support Assistance was frequently scanning the entire system, using 55% of the CPU and hogging the disk input/output, tremendously slowing down the system. I finally disabled the HP software as I had never seen any value from it.
Then I went to read the HP Privacy policy (which may be different today from what it was when I bought the computer years ago).
(Click on any image to read the full size screen capture of the HP privacy policy).
In addition to the data collected by HP, HP also “deduces” attributes about you, and collects data when you use social media logins to access anything. This means when you log in to a site using your Facebook login, data about your visit is collected by Facebook and shared with Facebook’s partners (which is literally the entire world).
HP remotely spies on your use of HP printers, collecting a database of pages printed, type of print media used, what ink you are using, including what brand of ink, and the names of the applications from which you print.
HP also purchases information from third party data services, social media networks and advertising networks. Ad networks are used to track every web site you visit online. HP uses this, as they disclose, to get your name, address, “preferences, interests and certain demographic data”. Clearly, HP is buying data about us from Facebook, Google and Twitter.
This example illustrates the pervasive – and nasty – web of anti-privacy efforts underway by the high tech industry. The entire industry works together to intensely monitor, intercept and collect enormous quantities of data about every one of us. Further, they use automated software systems to analyze and interpret this data to then draw inferences about us.
A previous post on my SocialPanic.org blog found that inferences made by Facebook and Twitter were completely wrong – but there is no way to correct that. In most cases there is no way to know what inferences companies like HP have made about us.)
What Can You Do?
The tech industry has been operating in a free wheeling, Orwellian 1984 world of intense spying on everyone who uses online services including web sites, monitoring our email communications, our social media Likes, every where we travel, and even monitoring our use of home printers.
Automobiles are also now collecting information about our use of the vehicles, including our driving habits and locations visited.
They argue that if we don’t like this, then we should not use online services or we should not use printers or we should not drive a car. These arguments are wholly unrealistic.
Yet most people seem oblivious to this: Facebook has been widely exposed as a massive global surveillance network and propaganda platform – yet financial analysts say they see little harm to Facebook’s business as few seem to care.
Veoh was established years ago as a video sharing service. Perhaps as many as ten years ago, I set up two accounts there. One for my self, to which I uploaded just two videos, plus a second one to test out for a daughter who was about to do a study abroad – she could use that account to post videos. We never used this one, though, and the account languished.
I did not remember the password to that second account – but I had saved it in the browser’s automated login feature! Thus, I could log in to the account.
I thought perhaps I’d change the password to something new. Fortunately, their security prevented me from changing the password by requiring me to enter the current password before I could proceed. But I did not know the current password!
Then I noticed the email address set up for the account was an old one that my daughter used years ago. The email address probably does not exist any more. However, I could change the email address! And I did not have to enter the current password to do so!
I then logged out, went to the login screen and said I had forgotten the password. Veoh sent me a password reset link and I quickly reset the password.
This is another example – albeit a minor one – of a potential security vulnerability. I could change the email address and then use that to set a new password – but I could not directly change the password without providing the current password! Obviously, it would be safer for them to have a secondary authentication step on changing the email address.
Online service seem to be full of these poor security practice examples.
I just changed the password on an account that is not mine – but it had my email address and frequently sent me financial transaction reports in the clear. This is a lesson for how insecure online services are today – and the severe privacy problems inherent in sloppy cloud computing businesses.
Someone entered my email address for their account at Venmo. Month’s ago. Apparently Venmo NEVER VERIFIED the email address. Consequently, I receive their emailed financial transaction correspondence – for several months. Guess their customer never noticed they were not receiving emails? (Or is Google broken and one email address is being delivered to different people? Anything is possible!)
See Updates at the bottom of this post – I will be updating this post
Example
Venmo sent me financial updates like this one – sending me the name and photo of the person that I had just paid (Privacy? Hello? Remember, I am not and have never been a customer of Venmo!)
Financial records are protected by law (which law, depends on various factors). At a minimum, disclosure of your personal financial information to governments is covered by the Financial Privacy Act of 1978 and other disclosures by the Gramm-Leach-Bliley Act of 1999. They are also subject to privacy policies – Did Venmo disclose to their customers that their personal financial information may be disclosed to completely random strangers on the Internet?
Then again, Venmo, I think, may be a social network for money transactions, where it posts all of your transactions online. Judging from a search for Venmo on Twitter, Venmo is used mostly for paying off sexual favors/sugar daddy transactions/pictures of private body parts. It may well be that the purpose of Venmo is to share one’s financial transactions with everyone else! There is no financial privacy on Venmo!
Unable to Contact Venmo
Months ago I attempted to notify Venmo of this problem but they ignored me. Venmo only enables customers to contact them – see their Contact Us page. If you do not have an account number, you cannot contact them to fix this! I had no way to contact them!
I sent a description of the problem to them on Twitter. They never replied.
This is not my problem to solve and I did not want to waste a lot of time dealing with trying to fix their problem – both the customer – and me – are the victims of their defects. I never volunteered to become a party to their financial correspondence and they do not provide an obvious way for me to get rid of it or fix this for their actual customer.
Months later, as I reviewed old email I ran across this problem again.
Trying to Fix the Problem
Keep in mind – non customers cannot contact Venmo (see their Contact Us page link, above).
Today I figured I’d try to log in to the account, possibly find the individuals phone number and call them directly to let them know. (I’ve done this previously as I receive erroneous correspondence from other vendors who never verified customer entered email addresses – there is literally no easy way for drive by victims to correct this – especially when my own email address is abused this way every week.)
Today, I went to the account – entered my own email address which they’ve used incorrectly – and said I’d forgotten my password. They sent me a password reset link. I changed the account password. I should never have been allowed to do this without a secondary authentication step!
I cannot log in to the account because they do have two-factor authentication set up (good!). Their password change should have used 2FA, but they did not.
The owner of the account cannot log in either because it let me change the password – Venmo should never have allowed me to do that. I’ll be happy to give the password to Venmo if they care enough to follow up with me and fix their serious security flaws.
Venmo then emailed me to let me know that the account had been changed.
Follow up
Now that I have done this, I have again attempted to notify Venmo of their poor security through their Twitter support account. Venmo is a service of Paypal.
First, I said I forgot my password and they emailed me a link to reset the password, with no attempt to verify my credentials, nor use the two factor authentication they have set up on the account:
I then successfully began the log in process:
The following confirms they had two-factor authentication set up for the account – but they did not use this for the password change. Further, this screen appears after I have “logged in” using the email address and new password I created for their customer’s account:
Basically, Venmo has significant security problems. Will be interesting to see if they FINALLY contact me and fix their broken security. I have sent them a link on their Twitter support account explaining what was done and a link to this web page. I want them to fix this and I hope they want to fix this too.
Been dealing with several levels of security problems today and information and security are two words that should never appear in the same sentence. The tech sector is a mess.
I will update this post in the future if I hear anything.
RELATED
UPDATES 10 MARCH 2018
The problem is I am not a customer and I do not have an account on file with Venmo!
After I replied that I am not a customer, they have provided me with this information which may be of use to others:
UPDATES MARCH 11 2018
Late in the day, Venmo Support emailed me to say they have removed my email address from the account and I should no longer receive emails from Venmo. Their response did not explain how my email address became associated with the account, nor did it explain what steps they are doing to protect passwords being changed by non-Venmo customers. At this time, I strongly recommend not opening an account and not using Venmo due to their security and privacy problems – which appear to remain unresolved.