Weekly Axis Of Easy #51
In this issue:
- Amazon’s Alexa sent this couple’s private conversations to somebody else
- Google shuts down entire company after one employee triggers AUP violation
- Company buying location data from telecoms was also leaking it via security flaw
- Hackers target home routers and IoT devices
- Emergency brakes disabled on Uber autonomous car that killed pedestrian
- 11 million Chinese citizens barred from flights and trains under Sesame Credit
- New bill would prohibit government backdoors into encryption
- US Army Surgeon General: All soldiers should be microchipped
- Why should non-Euro companies care about GDPR?
Out of all the new TLDs, .app seems to be catching on more than most. As rare as it is for us to say “grab your .app domain before somebody else does”, somebody already grabbed our .app domain, so maybe this is one you may want to pick up.
A Portland, Oregon couple was stunned to receive a phone call from a co-worker telling them to “unplug all your Alexa devices” because the proto-AI home automation device had just sent a recording of their private conversation to the co-worker’s husband, who was in their contact list. “Amazon confirmed that it was the voice-activated digital assistant that had recorded and sent the file to a virtual stranger, and apologized profusely, but gave no explanation for how it may have happened.” Speaking of Amazon, they’ve also got some nifty facial recognition software which they’re selling to a police department near you.
Mind-blowing post on Reddit from a hapless employee who got his entire business shut down because of an inside joke between himself and one of his buddies. In his own words:
“TLDR; Company uses Google accounts that are all connected. I f****ed up and abused a policy that turns out results in a complete ban/block on the Google account, and ALL associated accounts. Everyone in my company is now blocked by Google and some of their personal e-mails are also blocked as well. Google isn’t helping us out since their policy is final and will not share any information regarding the problem, but we hope to get in contact with someone who can fix this for us.”
The company is a software firm with 100-150 employees. I know we have vested interests here, but it simply astounds me whenever I see any company who would want any semblance of confidentiality for their internal email using Google mail. Law firms, investment banks, start-ups in stealth mode, are you kidding me? Never mind the arbitrariness, the imperiousness and the inaccessibility of the Leviathan, its core business is data mining. Are you nuts? Use easyMail for God’s sake. It’s already bundled with most of your domain service levels anyway.
Krebs on Security reports that LocationSmart, a private entity that was buying and aggregating realtime location data from the major US telecoms, was leaking that data via its own website. Anyone could exploit a flaw in the LocationSmart website and obtain realtime location data on any mobile subscriber in the US simply by supplying the victim’s mobile number. (Not to be outdone, a bug in T-Mobile’s website also allowed anybody to view any subscriber’s account details.)
A recent advisory from US-CERT (TA18-145A) warns that attackers have compromised as many as 500,000 home routers and storage devices worldwide. The malware, dubbed “VPNFilter”, has infected devices worldwide but is currently concentrated on targets in Ukraine. Routers known to be affected include models from Linksys, MikroTik, Netgear and TP-Link, and the storage devices include QNAP network-attached storage (NAS) devices.
A preliminary National Transportation Safety Board report on the fatal accident involving an Uber self-driving car indicates that the emergency braking system was disabled, despite the car indicating the need to apply the brakes:
‘At 1.3 seconds before impact, the self-driving system determined emergency braking was needed. But Uber said, according to the NTSB, that automatic emergency braking maneuvers in the Volvo XC90 were disabled while the car was under computer control in order to “reduce the potential for erratic vehicle behavior.”’
Sounds like a bug.
I’ll keep reporting on China’s chilling Sesame Credit system, which gamifies obedience to the State and becomes compulsory in 2020, because it’s a cautionary tale that could very well happen here, in our own characteristically Western way (see the “Google shuts down entire company” item, above). A senior Chinese official opines on how 11.4 million flights and 4.25 million high speed train rides have been denied to citizens because of low social credit scores:
“An improved social credit system was needed so that “discredited people become bankrupt,” Hou Yunchun, former deputy director of the development research center of the State Council, was quoted as saying by Sina Finance at an annual credit development forum in Beijing on Saturday.”
Kim Crawley asks whether governments are becoming more enlightened about encryption. If the Secure Data Act of 2018 becomes law, they could be: it contains provisions that no government agency can request, nor can any court:
“order to compel a manufacturer, developer, or seller of covered products to design or alter the security functions in its product or service to allow the surveillance of any user of such product or service”.
Except, as I notice, as provided in subsection (c), which says this shall not apply to mandates, requests, or court orders authorized under the Communications Assistance for Law Enforcement Act (CALEA). According to Techdirt, CALEA is “fairly narrow” in scope, so we file this under “cautiously optimistic”.
Lt. Gen. Nadja West, the 44th US Army Surgeon General has opined that someday soon, all soldiers may carry or have implanted, tracking devices that would enable remote monitoring and diagnosis of health issues. “We can do better when every soldier is a sensor, and we can continuously monitor information culled from them.”
You’ve probably been overrun with GDPR / updated privacy policy notices over the last week as the European GDPR took effect on May 25. The fallout is already occurring, with some US sites initially barring access to European users, and privacy activist Max Schrems hitting Google and Facebook with $8.8 billion in lawsuits right out of the gate. Whois is hit-and-miss depending on how the various registries and registrars are reacting to it.
But I found myself wondering, in the absence of some treaty between one’s own nation state and the EU, why would non-Euro companies be tripping over themselves to comply with somebody else’s new regulations? It reminds me of the time the EU said everybody outside the EU had to start collecting VAT for them. It didn’t make sense then, and it doesn’t make sense now, as I expand on further in a separate blog post.