Weekly Axis Of Easy #154
This Week’s Quote: “When you blame others, you give up your power to change.”…by???
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
In this issue:
- Ex security advisor: China’s hacking of Nortel was the beginning of the end
- Canadians can opt-out of facial recognition DB by opting into DB
- LinkedIn sued for iOS clipboard spying
- Police use Twitter’s Dataminr to surveil BlackLivesMatter protestors
- Backdoors found in 29 FTTH devices manufactured in China
- More malware found preinstalled in phones supplied in US gov program
- US Judge skeptical that 1st Amendment means ISPs can sell your data
- Driver charged with negligence after Tesla on autopilot crashes into police cruiser
- Mozilla suspends file-sending service on malware concerns
- Canadian Tire stores shutdown after every item scans as Mr. Potatohead
- AxisOfEasy Salon #12: The Rise and Fall of the Neo-Feudal Network State
Ex security advisor: China’s hacking of Nortel was the beginning of the end
This Bloomberg piece continues exploring the connection between the Chinese hackers penetration of Nortel, the once almighty Canadian tech giant, and its demise. We first referenced this back in AxisOfEasy #134, when a long National Post piece looked at Huawei’s possible involvement in intellectual property theft that helped them acquire dominance in the global market.
The difference in the Bloomberg piece is it more directly ascribes the hacks and thefts to state-sponsored actors, working at the behest of the Chinese Communist Party to the benefit of the state backed telecom: Huawei.
At one point hackers used then CEO Frank Dunn’s login credentials to breach the company’s uppermost trove of documents and sent over 800 of them back to China.
“Brian Shields, who was then a senior adviser on systems security and part of the five-person team that investigated the breach. Years later, …would look at the hack, and Nortel’s failure to adequately respond to it, as the beginning of the end of the company.”
In my opinion, the demise of most, if not all companies is self-inflicted. If true, being hacked by China didn’t sink them as much as the institutionalized complacency that allowed it did. CSIS had reportedly already been warning Nortel of the problem in the late 90’s but the company didn’t act on it.
I’ve mentioned it before but I will remind interested Canadian readers of Paul Manthorpe’s [Claws of the Panda book which details the CCPs espionage and propaganda efforts in Canada over the past several decades.
Canadians can opt-out of facial recognition DB by opting into DB
Canadians are able to opt-out of Clearview’s facial recognition database, the only catch is in order to opt-out you have to send them a picture of your face, ostensibly to figure out what to remove.
This is of course, nonsense, since the database matches to your identity, you can key on that identity and remove all associated pictures. If the associations are wrong, that’s Clearview’s problem, not yours.
Clearview has suspended operations in Canada in response to an investigation by Canada’s privacy commissioners, but that doesn’t mean they still don’t have lots of Canadian’s data in their database.
Jesse Hirsh also wrote a piece about this and whether the facial recognition genie has already been let out of the bottle.
This is a very similar policy the controversial database LocateFamily.com was using, who was scraping the web and compiling multiple data sources to assemble a database of personal contact data. They required you to send in photo ID to have yourself removed from their database. The astute reader may already know LocateFamily was an easyDNS client for awhile. When they came on the system one of our stipulations was that they had to lose that policy and honour all removal requests without requiring the person to submit id of any kind. When it came to light they were still enforcing the original policy we showed them the door.
LinkedIn sued for iOS clipboard spying
Lately there’s been a growing awareness around iOS clipboard spying. That’s when apps surreptitiously snoop and slurp up whatever you have copied from any app on your iOS devices for who knows what reasons.
This is all coming to light now because the next iteration of iOS, version 14, comes with a new transparency feature that warns you when an app is accessing your clipboard, similar to how you get warned now when one tries to access your camera roll, or your microphone.
Turns out, a lot of apps were doing exactly that. Two weeks ago we reported on how TikTok, who had already been caught doing this a year ago and said they would stop, got caught doing it again and they said they would stop again. Last week we reported on how there were many more apps doing it too.
LinkedIn does the same thing, according to a newly filed class-action suit. In fact LinkedIn even takes things a step further, literally, by also spying on nearby iOS device clipboards, and according to the suit filed in San Francisco federal court, the app does so “all the time” and “constantly”.
Apparently LinkedIn’s clipboard spying was reported earlier in the month by The Verge and Forbes, but I seem to have missed it.
Police use Twitter’s Dataminr to surveil BlackLivesMatter protestors
File under “woke capitalism + surveillance capitalism = Twitter”.
The Intercept looks at the “Twitter linked” startup Dataminr and their role in conducting surveillance of Black Lives Matter demonstrators during the George Floyd protests. According to Dataminr CEO Ted Baily, they are a “global sensor network for emerging events and consumer signals”.
It looks like it does more than sifting through Twitter for consumer signals, it was also used for “tipping off police to social media posts with the latest whereabouts and actions of demonstrators”.
As the Intercept notes, “The monitoring seems at odds with claims from both Twitter and Dataminr that neither company would engage in or facilitate domestic surveillance following a string of 2016 controversies”.
Twitter is one of Dataminr’s investors …(as is the CIA, via their In-Q-Tel investment fund), and Twitter gives Dataminr an advantageous access to raw, unfiltered, unmetered data from Twitter called “The Firehose”, which not very many companies can access. These guys can, giving them the ability to “scan every public tweet as soon as the author hits ’send’”.
Backdoors found in 29 FTTH devices manufactured in China
Think of FTTH OLT (Fibre to the Home / Optical Line Termination) devices as the boxes that terminate optical cable connections from your broadband provider, like a cable or a DSL modem, only for fibre.
Security researchers have discovered what appears to be intentional back doors in 29 types of FTTH devices manufactured by China-based C-Data.
The back doors “grant access to a secret Telnet admin account running on the device’s WAN interface.”
In all, 7 security vulnerabilities were detailed.
The devices are sold under the C-Data brand as well OEMed as OptiLink and BLY, are deployed worldwide across key points in various ISP networks and terminate connections in millions of homes.
The report is here: https://pierrekim.github.io/blog/2020-07-07-cdata-olt-0day-vulnerabilities.html
More malware found preinstalled in phones supplied in US gov program
Back in AxisOfEasy #120 we initially covered how low cost phones used in a US government subsidy program for low income households came preinstalled with malware . In January researchers uncovered “unremovable Chinese malware on the Unimax 3CL”, which was the cheapest smartphone offered under the US Lifeline Assistance subsidy program, which is administered by Virgin.
Now via DarkReading we learn that still more compromised apps have been discovered in another phone in the same program, this time it’s “the American Network Solutions (ANS) UL40 running Android 7.1.1”.
Once again, the phone ships with a compromised Settings app infected with Android/Trojan.Downloader.Wotby.SEK, which can download apps from third-party stores. Researchers tested apps downloaded from those third-party stores and so far haven’t found any further infections in them, but it would be easy to introduce further infections through those stores at a later date.
US Judge skeptical that 1st Amendment means ISPs can sell your data
An interesting legal battle taking place in the US in which the State of Maine passed an internet privacy bill that has similar characteristics to the one’s the FCC struck down in early 2017. The law reinstates many consumer protections around requiring consent before sharing data or marketing that were overturned at the federal level.
Now telecom lobby groups are suing the state alleging that the laws 1) violate their 1st amendment rights to free speech and 2) are already superseded by that federal FCC 2017 action.
The telecoms lost this round as a judge declined to apply “strict scrutiny” of the 1st amendment aspects, “instead applying an intermediate First Amendment scrutiny that applies to commercial speech”. He also rejected the claim that the law was superseded by the federal action (as a non-American, the more I do learn about states’ rights and the way the country is actually structured , I find it quite fascinating. It’s almost as if the US Federal government sometimes acts outside of its Constitutionally defined mandate, if you can imagine that).
Driver charged with negligence after Tesla on autopilot crashes into police cruiser
A Massachusetts man has been charged with negligent driving after his Tesla slammed into a stationary police vehicle. He told police “he must not have been paying attention”.
This is by no means the first accident involving a Tesla on autopilot, including several fatalities – so far it’s been mainly the drivers, but at least one case (so far) alleging that a Tesla on auto-pilot killed a pedestrian. Auto-pilot is also alleged (but not yet verified) in this head-on collision in Germany where a Model 3 veered into oncoming traffic, killing three women in another vehicle.
There’s a website that tracks all Tesla fatalities at https://tesladeaths.com
And yet, the company continues to put these buggy cars on the road, continues to promise “full self driving” vehicles by year end (again and again), not to mention, the Robotaxi fairy tale.
That’s the one where you’ll be able to buy a Tesla and have it out on the road making $30,000 a year as an Uber-like self-driving car, while you sit at the kitchen table in your underwear.
For those playing at home, Elon says a lot of things… I know a lot of people think Elon Musk is going to save the world. But I think Tesla is the next Enron. Time will tell, I only hope the body count doesn’t get too high before people realize Tesla isn’t the knight in shining armour it purports to be.
easyDNS is an unofficial web and domain provider of $TSLAQ. bIf you have a legit $TSLAQ web project and want to protect your content from Elon’s flying monkeys then hit me up and we’ll get you set up with a safe place to publish from.
Mozilla suspends file-sending service on malware concerns
This was my favourite large file sending service, Mozilla’s Firefox Send has been temporarily suspended on concerns that the system was being abused to distribute malware. Complaints were increasing and so they’ve paused it while they figure out what to do about it, as well as add a “report abuse” function.
I mention it because I thought I recommended it here once before (although I can’t find it now). I preferred Firefox Send because it didn’t require the installation of any clients on my computers or devices. You could just use the web browser and could set passwords, download limits, time limits etc.
Hopefully it’ll be back soon.
Canadian Tire stores shutdown after every item scans as Mr. Potatohead
Not the Onion: At least two Canadian Tire locations in South Western Ontario had to shut down on June 29th after something went awry with the checkout systems and every item presented scanned as Mr. Potato Head. I had to read the article twice and make sure it wasn’t a reprint from The Beaverton or something. It wasn’t. The stores known to be affected were in Lyndsay and Whitby (both smaller cities east of Toronto) and after shutting down temporarily, ascribed the error to a data download error.
This incident benignly and amusingly demonstrates the increasing brittleness of our supply chains as we become ever more reliant on algos to mediate every aspect of our lives.
My cousins recently sent me a video about a new Apple Watch app that guides you through a proper hand washing . It triggered me into old codger mode and I replied to them “this proves we’ll be doomed within three generations when we won’t have enough sense to come in out of the rain unless we have an app that tells us to”.
AxisOfEasy Salon #12: The Rise and Fall of the Neo-Feudal Network State
In this week’s AxisOfEasy Salon #12, we seemed to finally hit on a moniker that may very well describe “what comes next” after the end of the era of the Nation State. Jesse formulated the concept of “The Network State” which we think will fuse with Charles’ idea of Neo-Feudalism. I call the backdrop against how all that plays out “The Jackpot”, after the William Gibson novels.
Before you watch or listen to this week’s episode, you should really read Charle’s accompanying piece about it on his blog, or on the AoE Website.
Leave a Reply