Weekly Axis Of Easy #158
Also, I once again missed a correct quote contest winner for #156, the Einstein quote was indeed correctly answered by Ron A Belaire.
In this issue:
- Private companies installed trackers in apps on your phone and sell the data to the government
- Intel hacked, 20GB of corporate data and chip designs dumped on the net
- “All your DNA are belong to Blackstone” In 4.7B Ancestry.com deal
- Tik Tok odyssey continues as merger with Twitter floated
- Protonmail founder says Apple uses monopoly to hold everybody hostage
- Uber and Lyft brace for California ruling on gig economy drivers
- AxisOfEasy: The No-Man’s Land Where Technology and Reality Intersect
If you’ve never heard of Anomaly Six or Babel Street, you’re not alone. I think the point is we’re not supposed to have heard of them. They are somewhat secretive data mining companies that cut deals with smartphone app developers to put their location tracking SDKs into those developers’ apps. Developers charge an up-front fee to get the SDK into the app, and then they take a cut of the revenues these companies make from selling your location data to government entities, intelligence agencies and other private companies.
The Wall Street Journal broke the story but was unable to obtain the list of apps that have embedded these trackers; they reportedly number in the hundreds.
Anomaly Six was started by a pair of ex-military personnel with defense contractor backgrounds and contacts at US intelligence agencies who used to work for Babel Street. The latter sued the former in a case neither will comment on, which was settled out of court last year.
Read: https://www.wsj.com/articles/u-s-government-contractor-embedded-software-in-apps-to-track-phones-11596808801 (Paywall)
This piece has me wondering: how can the “collective we” figure out which apps have the Anomaly Six or Babel Street SDKs installed? One way I figure is that these apps have to phone home, so if we can figure out where they’re phoning home to, all we have to do is somehow sniff our smartphone traffic, à la Little Snitch, but for iOS or Android. Apparently you can’t do this on an iOS device unless it’s jailbroken. But this article on DZone did show how you can set up a VPN client on your phone; you can then sniff your own traffic at the VPN endpoint.
What do you sniff for? I couldn’t figure it out for Anomaly Six, but using Robtex I found that Babel Street has a subdomain hosted on Amazon AWS called app.babelstreet.com, so that’s one place I’d start. Oh, and over here on SecurityTrails we have all kinds of subdomains for babelstreet.com, including multiple “Apple” and “Matomo” (data analytics) hostnames.
Another approach could be to run a binary string search on the app itself for that hostname.
Not sure I’ll get around to this anytime soon, but if anybody out there does, please report your findings back to us so we can start naming and shaming apps that contain these SDKs.
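The binary string search mentioned above, as an added example that is not from the newsletter or from any of the companies named: it unzips an APK (or IPA) in memory and reports which member files embed a watchlisted hostname or any subdomain of it, catching both plain ASCII strings and the UTF-16LE strings some native libraries use. The sample APK, the cdn.babelstreet.com hostname and the file names inside it are constructed for the demo.

```python
import io
import re
import zipfile

# Domains the newsletter associates with the Babel Street SDK; extend as findings come in.
WATCHLIST = ("babelstreet.com",)


def host_pattern(domains):
    """Compile a regex matching each watchlisted domain or any subdomain of it."""
    alts = b"|".join(re.escape(d.encode()) for d in domains)
    return re.compile(rb"(?<![a-z0-9.-])((?:[a-z0-9-]+\.)*(?:" + alts + rb"))(?![a-z0-9-])",
                      re.IGNORECASE)


def scan_bytes(blob, pattern):
    """Return the set of watchlisted hostnames embedded in a raw byte blob (dex, .so, plist)."""
    hits = {m.group(1).lower().decode() for m in pattern.finditer(blob)}
    # Native libraries and some resource tables store strings as UTF-16LE; dropping NUL bytes
    # turns those back into ASCII so the same regex catches them (a cheap approximation that
    # can also join adjacent strings, so treat hits as leads to confirm, not proof).
    hits |= {m.group(1).lower().decode() for m in pattern.finditer(blob.replace(b"\x00", b""))}
    return hits


def scan_apk(apk_bytes, domains=WATCHLIST):
    """Unzip an APK (or IPA) in memory and map each member file to the hosts it references."""
    pattern = host_pattern(domains)
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            hits = scan_bytes(z.read(name), pattern)
            if hits:
                findings[name] = sorted(hits)
    return findings


def build_sample_apk():
    """Constructed sample: a zip shaped like an APK; two members embed (made-up) tracker URLs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"\x00junk\x00https://app.babelstreet.com/v1/locations\x00more")
        z.writestr("lib/arm64-v8a/libnative.so", "https://cdn.babelstreet.com".encode("utf-16-le"))
        z.writestr("res/strings.txt", b"nothing of interest here: example.com")
    return buf.getvalue()


if __name__ == "__main__":
    for member, hosts in scan_apk(build_sample_apk()).items():
        print(f"{member}: {', '.join(hosts)}")
```

On a real app, unzip the APK you pulled from your own device and pass its bytes to scan_apk; a hit in a third-party library folder is the clue that an SDK, not the developer’s own code, is doing the phoning home.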
It looks like the Breach of The Week is a little different than the usual dump of user creds and payment data. Intel has been hacked and now somebody is dumping internal company data on the net via Telegram.
In the initial 20GB dump, entitled “Intel Exconfidential Lake”, a hacker dubbed @deletescape has released documents that purportedly contain source code for various packages, company roadmaps, firmware and bootloader source, BIOS reference code, and myriad other materials which security researchers fear could be used to create new 0-day attacks across multiple platforms:
Genetic profiling, DNA tracing, family tree and health testing service Ancestry.com has been acquired, again. This time the company has been sold by private equity firms to the Blackstone Group, a publicly traded private equity firm (NASDAQ:BX).
“Ancestry.com is the world’s largest provider of DNA services, allowing customers to trace their genealogy and identify genetic health risks with tests sent to their home.”
The company was valued at 2.6B four years ago in their previous investment round.
I had sort of given up trying to follow the Tik Tok story; it’s been changing so much since last weekend (as reported in AxisOfEasy 157).
My guess was that at some point, something would actually, you know, happen and then the hysterical shrieking and gushing over what happened would be impossible to miss, and then I would write an “in case you missed it” fluff piece right here.
But I guess I should at least acknowledge that the latest is the possibility of a Twitter / Tik Tok combination of some sort. If you’re holding your breath you should stop. After we went to press last week Axios reported that Apple was considering purchasing Tik Tok and then had to retract the story within hours.
Apple is increasingly coming under fire from developers who accuse them of anti-competitive practices and operating a quasi-monopoly. Secure email company Protonmail’s CEO went so far as to call it a protection racket that also props up authoritarian dictators.
“Apple has become a monopoly, crushing potential competitors with exploitative fees and conducting censorship on behalf of dictators”
Protonmail is not alone, both Telegram and Spotify recently lodged antitrust complaints with EU regulators, who have opened a formal probe into Apple’s App Store practices.
It must be tough to be a unicorn. You don’t have to earn any profits, you can disavow your staff and deem them “independent contractors” and of course, shroud your EULAs in “take or leave it” terms that absolve you of any responsibilities whatsoever and still get valued in the billions. Then if the economy takes a hit (and you have the audacity) you can even go hat in hand for government bailouts.
So it’s no surprise why Uber and Lyft say that if a judge in California hands down a ruling that forces those companies to treat their indentured serfs independent contractors as employees, befitting of wages and benefits, it will cause them “irreparable damage”.
The damage is basically that the ruling would force these companies to stop externalizing all their costs while keeping all their valuation gains. It would force them into an unthinkable scenario: having to operate like a real business in the real world.
The judge, Ethan P. Schulman, has finished hearing arguments from the tech companies and the State of California and is expected to hand down his decision within days.
As we headed to press, Uber’s CEO, Dara Khosrowshahi, just happened to pen an op-ed in the New York Times showing solidarity with gig economy workers (which Uber pretty well invented). In it Khosrowshahi (whose compensation package last year was $45,000,000) pleads that ‘There has to be a “third way” for gig workers.’ What he’s really saying is: “our business model doesn’t mesh with economic reality and is financially incoherent, somebody do something”.
(Uber and Lyft started the year with 11.3 and 2.8 billion in cash on their balance sheets respectively, they posted TTM losses of 10B and 2B respectively. They are valued at 54B and 9.2B).
On last week’s AxisOfEasy we had our first ever guest on the show with Let’s Talk Bitcoin co-founder, and now Coindesk podcast editor, Adam B. Levine coming on to talk about how the current geopolitical and economic events are impacting the crypto-currency space.