- [April 7th 2018] The Guardian: Christopher Wylie: Why I broke the Facebook data story – and what should happen now – “The whistleblower at the centre of the Cambridge Analytica storm asks if Britain will now address the hard issues which it has raised”
- [April 4th 2018] Daring Fireball quoting New York Times and Washington Post: FACEBOOK SHARPLY INCREASES ESTIMATE OF HOW MANY USERS’ INFORMATION WAS HARVESTED BY CAMBRIDGE ANALYTICA (the Post comment relates to the more recent profile scraping story, but it does tie in).
- [April 6th 2018] Graham Cluley:
Additions to the new Anti-Social Media page:
- BBC: Facebook’s Zuckerberg admits mistakes over Cambridge Analytica
- Bleeping Computer:
- Help Net Security: Cambridge Analytica and Facebook’s privacy storm: Latest developments
Additions to Meltdown/Spectre – Related Resources
- Google split into Android & Chrome OS
- Added to Chrome OS:
- 21st March 2018, The Register: Creaking Chromebooks getting Meltdown protection soon – “Chrome OS 66 to protect older Intel units, still working on ARM”
Actually, I didn’t know about felching, either, and I wish I hadn’t looked it up.
Based on Checkpoint’s blog article Malware Displaying Porn Ads Discovered in Game Apps on Google Play. Checkpoint says that this is a triple-threat attack: it may display ads that are often (very) pornographic, engineer users into installing fake security apps, and/or induce them to register with premium services.
[Content now transferred to the resource page here, which I intend to expand and maintain as time allows.]
Official commentary from Apple: About speculative execution vulnerabilities in ARM-based and Intel CPUs and from Google: Today’s CPU vulnerability: what you need to know
- Forbes: Here Are All The Available Fixes You Need For Those Huge Chip Hacks — UPDATED
- Gizmodo: Check This List to See If You’re Still Vulnerable to Meltdown and Spectre [Updated]
- Aryeh Goretsky for ESET: Meltdown and Spectre CPU Vulnerabilities: What You Need to Know (updated as a live resource, rather than as a one-off article – revision history shown at end of article).
- ESET customer advisory: other brands and advisories are available 🙂
- Sorin Mustaca has quite a few useful links: Sumup: CPU hardware vulnerable to side-channel attacks (Meltdown, Spectre and more)
- Endgame: Detecting Spectre And Meltdown Using Hardware Performance Counters
- Graham Cluley: Apple fixes the Meltdown and Spectre flaws in Macs, iPhones, and iPads
So, we hear the news that Google ‘really has’ ceased censorship in China. At least, that is the meme currently working its way around the internet. Actually, this is rather disingenuous, and shows a particularly unsavoury side of how the Google PR machine really works.
If you’ve been living on Mars or want some background, here are a couple of links on the story.
Of course, a careful read of these articles shows that Google have done nothing more than redirect their front page to their existing Hong Kong search page, and that the censorship (which operates automatically between the mainland of China and…well…everywhere else) is still very much in place.
Users inside China have no greater freedom now, and this is a very different situation than if Google had really put its money where its (big) mouth is and uncensored its .cn site search results. Clearly they wouldn’t do that though, as not only would it be illegal in China, it very likely would have caused them to have to pull out of the lucrative market they so badly want a piece of – instead of getting a bit of bluster from the Chinese government and maybe a slap on the wrist.
Do a search for, say, ‘Tiananmen Square’ from inside China, and as the Guardian article points out, the internet connection will reset. Lest we forget, this is part of what Google is complicit in covering up. The Chinese government have been almost entirely successful in expunging this monstrous event from the consciousness of those living in their country, and Google (and others) have not only not done anything to stop this, they have actively aided them in their attempts at revisionist history.
This is a security blog, so I’ll get to the point that everyone seems to be missing. This whole story erupted because, allegedly, Google suffered attacks on its Gmail network from inside of China. Let’s leave aside for the moment, the whole “buzz” fiasco which probably did Google far more harm, but this is the rather grubby truth that Google is managing to cover up so well with its big talk about not “being evil” and opening up the freedom of the internet (which they so eagerly avoided doing for so long in order to get their hands on those lovely Chinese RMB).
The point is, that rather than look at what they were doing that was wrong and securing their network; or finding out what led to the compromises against their network, Google instead simply threw their toys out of the crib and made up a new story about solidarity and freedom and so on. Do you trust Gmail more now that they’ve engaged the NSA to help them secure it? I didn’t think so.
It’s a shame that so many tech bloggers have focused on the smokescreen political issues and ignored slamming Google for the real issues, that its approach to the privacy and security of its users is time and time again a huge disaster. The real problem is that they’ve got the money and the PR machine to cover it up with a different story, and swamp all those dissenting voices to avoid having to have that brief moment of introspection that might acutally change things for the better…rather like a certain government, don’t you think?
So, the not very surprising news that Google has once again attempted to launch a social networking site – following its spectacularly unsuccessful 2004 launch of Orkut (no, unless you live in Brazil or India, you won’t have heard much about it either).
The new network, called “Buzz” integrates directly into the Gmail email client. To me this just opens up lots of new ways to exploit the users – although if you are using Gmail to do anything private or confidential, you already do need to have a brain check (more-so now the NSA will be ‘helping’ to secure it). It looks like Google want some of the big dollars that Facebook and Twitter make – and of course everything will be searchable and exploitable for ad companies to target.
All the fuss around social networking has really highlighted to me the need for good security education – we’ve moved into a new world, one where children are growing up with social networking and mobile phones etc as an integral part of life. I can’t imagine how my parents ever managed without being able to contact me by phone, or being able to look up my status on Facebook, but somehow they did. Parents have a different problem today, one of how to preserve the privacy of their families and children while taking advantage of what these new technologies offer. The sad fact is that in many cases, the kids know much more about the technology than the parents, but neither the parents or the children understand the threats. I’m often called paranoid, but it’s my belief that in some ways you can’t be too careful; our privacy and therefore our rights to a private life for ourselves and our progeny are daily being eroded by the whim of government and the campaigning of large corporations. It’s therefore refreshing that the British government has got behind a new campaign to highlight the dangers of the online world; targeting children as young as five. While the campaign understandably does focus on protection from paedophiles, the advice has wider use, though sadly it doesn’t seem to stretch to take in malware issues.
While I’m encouraged that the government is finally doing something, I’d be much happier to see a comprehensive plan in place that focuses on education in schools where security is taught as a discipline along side all IT classes. We’re a long way from that, but I (and several others who blog here) will keep tilting at that particular windmill.
CEO, AVIEN & CTO K7 Computing
David recently blogged here (http://avien.net/blog/?p=253) on his concerns over the ways that our personal data is increasingly online and available to everyone who might want it.
On a similar theme, a site called “Web 2.0 Suicide Machine” has recently been sent a cease and desist order by Facebook on the grounds that by “collecting login credentials, the site violates its Statement of Rights and Responsibilities”. This sort of controversy raises the question of who owns an account on a site – not just a social networking site – what about a webmail account? But, more on that shortly. It’s a tricky question, and I suspect that the answer is that the information is jointly owned once you give the information, you enter a contract to allow the recipient to use your info according to their terms and conditions (which could be to publish it all over the place, or just to change your password and never let you back into the account).
It’s only recently that Facebook provided its members with a facility to fully delete (rather than deactivate) their accounts. As someone who spends a lot of time on social networking sites, I’ve often felt the urge to be able to ‘get away from it all’. The idea of being able to commit ‘Web 2.0 suicide’ is in some ways quite appealing, and it does remove the awful problem of trying to delete all that data yourself – and avoids the thorny problem of always being able to get back in and start again. I did actually do this at one point, I entirely deleted my accounts on MySpace and Bebo, removed as much as I could from Orkut (more on Google below) and deactivated (the only option available at the time) my Facebook account. However, after some time after constant messages still arriving from Facebook I succumbed and reactivated my account (although I’m much less obsessive about it, and used the privacy controls to lock it down far more than had been the case before). I’ve never revived the other accounts, basically because I’m to lazy to set them up again. I’m pretty sure that I’d not have come back to Facebook had my account been actually deleted – but Web 2.0 Suicide Machine (and similar services) are in some ways even better, they leave you no option but to start again, because they change your password, and your profile will still exist, only you can’t get to it.
Of course, giving a third party (whether an SN site like Facebook or a service like W2.0SM) your account information is a risk, because you don’t really know what they’re going to do with it, maybe W2.0SM are going to sign you up to all sorts of groups or services on FB, or use your account to click through on site advertising to raise revenue, maybe they’ll harvest your email addresses and send them to spammers, maybe they’re going to use your phone number and address to do all manner of things. I doubt it, but it’s possible were less ethical people in charge of it. At least, if you’re going to use such a service, remove your most critical private information first.
You can read more on this story here: http://news.bbc.co.uk/1/hi/technology/8441080.stm
Sometime last year, I got an invitation to Google Wave (http://wave.google.com) and had a play around with it. It’s interesting in many ways – not all of them obvious. There has been plenty of comment in other places about what Google Wave does, or what it doesn’t do, but I’m not really interested in that. As far as I’m concerned it was pretty much a failure because nobody could really think of a problem that it solved in a better way than existing technologies. But, what does interest me is what that sort of platform offers to Google. In a collaboration system you have multiple people working on topics. They will discuss the topic, and the group will be focused on a single issue (or set of issues). This is a goldmine for a company like Google which makes money from selling advertising. Nearly everything that Google does is ‘free’ to the user, and the cost is that everything you do is tracked and monetized somehow for Google’s advertising clients. The more services Google provides, and the more you sign up to use, the more exposed you are (and therefore the more useful to Google). I have Gmail (and therefore Gmail Chat), Picasa, Google Wave, Google Apps, a Google Books library, a Google Calendar and so on (as mentioned above I also have a Google Orkut account, though relatively denuded of information). Now, all of those things provide information about me and my interests to Google, allowing targeted advertising to be delivered, and useful demographic information to be collected.
Google wave is a whole different beast, because it doesn’t just connect a few random parts of my life that may or may not be current (for instance, me posting photographs of me with funny hair as a teenager isn’t really that interesting to Google – nor anyone else I should think), it connects people who are discussing a topic of mutual interest, in real time. Planning a trip to India? Great, in real time, to your group specifically, Google can target advertising from firms offering travel services in India. Working on a conference in Sydney? Google can target advertising from firms in the area. Even better, your conference is at the Four Points Sheraton? Great, Google can advertise a room discount, the restaurants withing walking distance, a limo service, the theaters, cinemas etc. About to go for a coffee break? Google can pop up the location of the nearest StarCostaPacket coffee store and offer a 50c discount good for the next two hours.
It’s clear that corporations are interested in getting the most relevant information to consumers, and what better way than exploiting real time data on topics currently under discussion. It’s a goldmine, or would be, if only there was a problem that only Google Wave could fix.
Andrew Lee CISSP
AVIEN CEO, CTO K7 Computing Pvt Ltd.