Once upon a time, we actually enjoyed privacy

[kscarbel2]

Major security flaw found in Intel processors

The Guardian  /   January 3, 2017

A security flaw has been found in virtually all Intel processors that will require fixes within Windows, macOS and Linux.

Developers are currently scrambling behind the scenes to fix the significant security hole within the Intel chips, with patches already available within some versions of Linux and some testing versions of Windows, although the fixes are expected to significantly slow down computers.

The specific details of the flaw, which appears to affect virtually all Intel processors made in the last decade and therefore millions of computers running virtually any operating system, have not been made public.

But details of the fixes being developed point to issues involving the accessing of secure parts of a computer’s memory by regular programs. It is feared that the security flaw within the Intel processors could be used to access passwords, login details and other protected information on the computer.

“Modern operating systems rely upon Intel’s chips to provide some essential security services – but if a flaw has been found then the operating systems themselves will need to be updated to do the job that they believed Intel’s chips were doing properly,” said independent security expert Graham Cluley.

The fixes involve moving the memory used by the core of the computer’s operating system, known as the kernel, away from that used by normal programs. In that way, normal programs, including anything from javascript from a website to computer games, cannot be manipulated to exploit the hole and gain access to the protected kernel memory.

But implementing the fix is expected to significantly affect the performance of the computer, making some actions up to around 30% slower.

While normal computer users could see performance problems, the security flaw also affects cloud servers, with Amazon, Microsoft and Google all expected to have to fix the bug with similar performance-reducing patches.

The exact severity of the flaw has not yet been publicly disclosed, but the lengths being taken by the various operating system developers to fix something indicates that they view it as a serious problem that apparently cannot be patched with a small update.

“The good news is that it sounds as if this flaw has been known about (but kept quiet) for a couple of months. The bad news is that users will once again have to install a security update, and businesses are likely to have to restart thousands of computers to apply the fixes,” said Cluley.

More details are expected to be divulged as soon as the end of this week, along with fixes for operating systems.

[kscarbel2]

Tim Cook blasts 'weaponisation' of personal data and praises GDPR

Chris Baraniuk, BBC  /  October 23, 2018

Apple chief executive Tim Cook has demanded a tough new US data protection law, in an unusual speech in Europe.

Referring to the misuse of "deeply personal" data, he said it was being "weaponised against us with military efficiency".

"We shouldn't sugar-coat the consequences," he added. "This is surveillance."

The strongly-worded speech presented a striking defence of user privacy rights from a tech firm's chief executive.

Cook also praised the EU's new data protection regulation, the General Data Protection Regulation (GDPR).

The new law came into force in May.

Cook's speech was made in Brussels, at the International Conference of Data Protection and Privacy Commissioners.

The Apple boss described in some detail what he called the "data industrial complex", noting that billions of dollars were traded on the basis of people's "likes and dislikes", "wishes and fears" or "hopes and dreams" - the kind of data points tracked by tech firms and advertisers.

He warned that the situation "should make us very uncomfortable, it should unsettle us".

And the trade in personal data served only to enrich the companies that collect it, he added.

Cook went on to commend the EU's GDPR, which places stricter rules on how personal data is handled by businesses and organisations.

'Follow EU's lead'

"This year, you've shown the world that good policy and political will can come together to protect the rights of everyone," he said.

"It is time for the rest of the world, including my home country, to follow your lead.

"We at Apple are in full support of a comprehensive federal privacy law in the United States."

The remark was met with applause from the conference audience.

"I think it is striking that he's saying this," said Jim Killock, director of the Open Rights Group.

"It's the kind of thing you normally hear from civil society organisations."

However, Prof Mark Elliot at Manchester University argued Mr Cook did not go far enough.

"The implication of fully functioning privacy in a digital democracy is that individuals would control and manage their own data and organisations would have to request access to that data rather than the other way round," he said.

Apple has long been committed to privacy protection.

[kscarbel2]

Hacker gained access to customer data at 130 dealerships

Jackie Charniga, Automotive News  /  June 12, 2019

DealerBuilt, an Iowa dealership software provider, reached a settlement with the Federal Trade Commission Wednesday over a 2016 breach of customer data that allowed a hacker to gain access to the personal information of about 12.5 million consumers stored by 130 dealership clients.

The dealership management system provider agreed to a settlement with the FTC over the attack and will "take steps to better protect the data it collects," the FTC said.

The agency said in a statement that LightYear Dealer Technologies, known commercially as DealerBuilt, failed to properly encrypt sensitive data and conduct necessary vulnerability and penetration testing.

The breach will be resolved with a final consent agreement, which won't be made public unless it is accepted by the FTC. As part of the proposed consent agreement, DealerBuilt is required to implement a security program in accordance with the Safeguards Rule, and is prohibited from handling consumer data until the program is in place.

The settlement also requires the company to obtain third-party assessments of its security program every two years.

The FTC does not have authority to seek monetary penalties for an initial violation, but if the company violates the settlement, the commission could seek civil penalties of up to $42,530 per violation.

According to the complaint, DealerBuilt failed to protect the sensitive customer data, despite those resources being "readily available and relatively low-cost" to the provider. DealerBuilt sells dealership management systems and data processing systems.

Detected by dealer

The breach, which occurred over 10 days, took place in DealerBuilt's backup database beginning in late October 2016.

"The hacker downloaded the personal information of more than 69,000 consumers, including their Social Security numbers, driver's license numbers, and birthdates, as well as wage and financial information," the FTC said in the statement.

In the complaint, the FTC said the hacker attacked DealerBuilt's system "multiple times, downloading the personal information of 69,283 consumers, the entire backup directories of five customers."

The breach was detected by a DealerBuilt auto dealer customer, who had found customers' data online.

"The settlement with DealerBuilt imposes more specific security requirements and requires company executives to take more responsibility for order compliance, while also strengthening the third party assessor's accountability and providing the FTC with additional tools for oversight," FTC Chairman Joe Simons said in the statement.

Safeguards Rule violation

The FTC alleges that the data DealerBuilt collected was stored and transmitted in clear text, in violation of the Gramm-Leach-Bliley Act's Safeguards Rule, which requires encryption of sensitive data. Data also was stored without access controls or authentication protections, also deemed necessary under the rule.

The FTC considers DealerBuilt's activities an example of unfair practices.

DMS systems typically store private and public consumer data, including but not limited to names, addresses, birth dates, credit information and Social Security numbers. The software also contains similarly sensitive information about dealership employees, such as payroll data and bank account information, according to the statement.

The complaint also alleges that a DealerBuilt employee "connected a storage device to the company's backup network without ensuring that it was securely configured, leaving an insecure connection for 18 months."

Additionally, the FTC alleges DealerBuilt never conducted vulnerability or penetration testing; drafting, implementing or maintaining a written security policy; or provided training for employees.

[Bullheaded]

The one that blows my mind is that they can see a whole 3D image of the inside of your home through your wi-fi.

Luckily I have no shame, so have at 'er. LOL

And another benefit of being a broke-ass trucker......I don't have anything anyone else wants, hahahaha.

Edited June 13, 2019 by Bullheaded

[tjc transport]

i have no problem with that either, since i don't have a wi-fi. 

[kscarbel2]

Pentagon testing mass surveillance balloons across the US

Mark Harris, The Guardian. /. August 2, 2019

The US military is conducting wide-area surveillance tests across six midwest states using experimental high-altitude balloons, documents filed with the Federal Communications Commission (FCC) reveal.

Up to 25 unmanned solar-powered balloons are being launched from rural South Dakota and drifting 250 miles through an area spanning portions of Minnesota, Iowa, Wisconsin and Missouri, before concluding in central Illinois.

Travelling in the stratosphere at altitudes of up to 65,000ft, the balloons are intended to “provide a persistent surveillance system to locate and deter narcotic trafficking and homeland security threats”, according to a filing made on behalf of the Sierra Nevada Corporation, an aerospace and defence company.

The balloons are carrying hi-tech radars designed to simultaneously track many individual vehicles day or night, through any kind of weather. The tests, which have not previously been reported, received an FCC license to operate from mid-July until September, following similar flights licensed last year.

Arthur Holland Michel, the co-director of the Center for the Study of the Drone at Bard College in New York, said, “What this new technology proposes is to watch everything at once. Sometimes it’s referred to as ‘combat TiVo’ because when an event happens somewhere in the surveilled area, you can potentially rewind the tape to see exactly what occurred, and rewind even further to see who was involved and where they came from.”

The tests have been commissioned by the US Southern Command (Southcom), which is responsible for disaster response, intelligence operations and security cooperation in the Caribbean and Central and South America. Southcom is a joint effort by the US army, navy, air force and other forces, and one of its key roles is identifying and intercepting drug shipments headed for the United States.

“We do not think that American cities should be subject to wide-area surveillance in which every vehicle could be tracked wherever they go,” said Jay Stanley, a senior policy analyst at the American Civil Liberties Union.

“Even in tests, they’re still collecting a lot of data on Americans” he said. “We should not go down the road of allowing this to be used in the United States and it’s disturbing to hear that these tests are being carried out, by the military no less.”

For many years, Sierra Nevada has supplied Southcom with light aircraft packed with millions of dollars’ worth of sensors, which then flew over Mexico, Colombia, Panama and the Caribbean sea. But planes require expensive crews and can only fly for a few hours at a time. In a report to the Senate armed services committee this February, Southcom’s commander, Admiral Craig Faller, wrote: “While improving efficiency, we still only successfully interdicted about six percent of known drug movements [in 2018].”

The new balloons promise a cheap surveillance platform that could follow multiple cars and boats for extended periods. And because winds often travel in different directions at different altitudes, the balloons can usually hover over a given area simply by ascending or descending.

Neither Sierra Nevada nor US Southcom responded to requests for comment on this story. However, the rival balloon operator World View recently announced that it had carried out multi-week test missions in which its own stratospheric balloons were able to hover over a five-mile-diameter area for six and a half hours, and larger areas for days at a time.

“The very nature of [these balloons] is that they can operate for weeks and months,” said Ryan Hartman, the CEO of World View. “The challenge is how to harness the stratospheric winds to be able to create a persistent station-keeping capability for customers.”

Raven Aerostar, the company that is supplying the balloons for Southcom’s tests and launching them from its facility in South Dakota, told the Guardian that it has had balloons remain aloft for nearly a month. Raven also makes balloons for the Alphabet subsidiary Loon, which uses them to help deliver internet and cellphone service from the stratosphere.

The FCC documents show that Southcom’s balloons are carrying small, satellite-like vehicles housing sophisticated sensors and communication gear. One of those sensors is a synthetic aperture radar intended to detect every car or boat in motion on a 25-mile swath beneath the balloon.

The balloons also have advanced mesh networking technologies that allow them to communicate with one another, share data and pass it to receivers on the ground below.

The FCC filing notes that this networking includes video information. That suggests that the balloons might also carry a Sierra Nevada video capture system called Gorgon Stare. This wide-area surveillance system comprises nine cameras capable of recording panoramic images across an entire city simultaneously.

While Gorgon Stare is usually deployed on drones, Michel said that the US army has used tethered spy blimps in Afghanistan, and that US Customs and Border Protection has experimented with low-altitude balloons along the Mexico border.

But wide-area surveillance from stratospheric balloons is relatively new, said Michel: “The higher the altitude of the system, the wider the area that you can cover. The trade-off is that depending on the area and the system, you may get lower-resolution images.” Balloons are also subject to fewer restrictions and regulations than drones.

It is unclear from the FCC documents whether Southcom’s tests within the US are linked to any active narcotic or counter-terrorism investigations. Also, none of the parties involved would say whether the midwest vehicle data would be deleted, stored or passed on to other federal or local agencies.

“[We would like to know] what they are they doing with that data, how they are storing it, and whether they are contemplating deploying this in the US,” said the ACLU’s Stanley. “Because if they decide that it’s usable domestically, there’s going to be enormous pressure to deploy it.”

The Southcom surveillance tests are probably just the tip of the iceberg. Scott Wickersham, the vice-president of Raven Aerostar, told the Guardian that it has also been working with Sierra Nevada and the Pentagon’s research arm Darpa on a “highly sophisticated and challenging development around the stratosphere”. This refers to the agency’s Adaptable Lighter-Than-Air (Alta) program, an ongoing effort to perfect stratospheric balloon navigation which has included multiple launches across the country, Wickersham said.

Ryan Hartman said that World View had also completed a dozen surveillance test missions for a customer it would not name, capturing data he would not specify.

“Obviously, there are laws to protect people’s privacy and we are respectful of all those laws,” Hartman said. “We also understand the importance of operating in an ethical way as it relates to further protecting people’s privacy.”

Meanwhile, World View is currently preparing for its next surveillance flight, and Sierra Nevada’s tests in the midwest continue.

[41chevy]

Let's see, high tech surveillance, facial recognition, retina and finger print I.D. and now N.Y.'s Schumer is pushing to ament the 1st amendment to control and limit political free speech that is not Federally approved (he's been trying since 2014). One would think the citizens not to be trusted.

 

https://www.cnsnews.com/commentary/terence-p-jeffrey/schumer-calls-amending-first-amendment-limit-political-speech

 

From 2014 bill to protect Hillary from bad press.

 

https://nypost.com/2014/05/07/chucking-the-first-amendment-schumers-cranky-scheme/

Edited August 2, 2019 by 41chevy

[kscarbel2]

Project Nightingale: Google accesses data of millions of US patients…..without permission

BBC  /  November 12, 2019

Google has gained access to a huge trove of US patient data - without the need to notify those patients - thanks to a deal with a major health firm.

The scheme, dubbed Project Nightingale, was agreed with Ascension, which hopes to develop artificial intelligence tools for doctors.

Google can access health records, names and addresses without telling patients, according to the Wall Street Journal, which first reported the news.

Google said it was "standard practice". [?????]

Among the data the tech giant reportedly has access to under the deal are lab results, diagnoses, records of hospitalisation and dates of birth.

Neither doctors nor patients need to be told that Google can see this information.

The Wall Street Journal reports that data access began last year and was broadened over the summer.

Ascension, which runs 2,600 hospitals, said the deal would help it to "optimise" patient care and would include the development of artificial intelligence (AI) tools to support doctors.

The company also said it would begin using Google's cloud data storage service and business applications known as G Suite.

Privacy concerns

However, Project Nightingale has already attracted criticism from those who argue that it takes away patients' control of their own data.

"There's a massive issue that these public-private partnerships are all done under private contracts, so it's quite difficult to get some transparency," said Prof Jane Kaye at the University of Oxford.

"Google is saying they don't link it to their other data but what they're doing all the time is refining their algorithms, refining what they do and giving them[selves] market advantage."

In the UK, Google's AI-focused subsidiary DeepMind was found to have broken the law when it failed to explain properly to patients how their data would be used in the development of a kidney disease app.