Tuesday, May 22, 2018

No real chance that customers would win a lawsuit, so why spend money ensuring security?
Comcast website bug leaks Xfinity customer data
… The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password.
… The site returned the Wi-Fi name and password – in plaintext -- used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router – and the site didn't return the Wi-Fi network name or password.




Retaliation is a step to all-out cyberwar.
Inside 'Project Indigo,' the quiet info-sharing program between banks and U.S. Cyber Command
A confidential information-sharing agreement between the Financial Services Information Sharing and Analysis Center (FS-ISAC) and U.S. Cyber Command reveals the blurring line between the country’s public and private sectors as the U.S. government becomes increasingly receptive to launching offensive hacking operations.
… The broad purpose of Project Indigo is to help inform U.S. Cyber Command about nation-state hacking aimed at banks. In practice, this intelligence is independently evaluated and, if appropriate, Cyber Command responds under its own unique authorities.
It’s possible that a bank could tip off the military about a cyberattack against the financial industry, prompting Cyber Command to react and take action. That could include providing unique insight back to FSARC or even taking offensive measures to disrupt the attacker — such as retaliatory hacking — if it’s appropriate and the Pentagon approves it, according to current and former U.S. officials.




Isn’t this what Hillary Clinton said about email servers? Good thing the President doesn’t email…
Too inconvenient’: Trump goes rogue on phone security
President Donald Trump uses a White House cellphone that isn’t equipped with sophisticated security features designed to shield his communications, according to two senior administration officials — a departure from the practice of his predecessors that potentially exposes him to hacking or surveillance.
The president, who relies on cellphones to reach his friends and millions of Twitter followers, has rebuffed staff efforts to strengthen security around his phone use, according to the administration officials.
… While aides have urged the president to swap out the Twitter phone on a monthly basis, Trump has resisted their entreaties, telling them it was “too inconvenient,” the same administration official said.
The president has gone as long as five months without having the phone checked by security experts. It is unclear how often Trump’s call-capable phones, which are essentially used as burner phones, are swapped out.




Told ya so!
Explaining Efail and Why It Isn’t the End of Email Privacy
Last week the PGPocalipse was all over the news… Except that, well, it wasn’t an apocalypse.
A team of researchers published a paper(PDF) where they describe how to decrypt a PGP encrypted email via a targeted attack. The research itself is pretty well documented and, from a security researcher perspective, it’s a good paper to read, especially the cryptography parts.
But we here at Hackaday were skeptical about media claims that Efail had broken PGP. Some media reports went as far as recommending everyone turn off PGP encryption on all email clients, but they weren’t able to back this recommendation up with firm reasoning. In fact, Efail isn’t an immediate threat for the vast majority of people simply because an attacker must already have access to an encrypted email to use the exploit. Advising everyone to disable encryption all together just makes no sense.
Aside from the massive false alarm, Efail is a very interesting exploit to wrap your head around. Join me after the break as I walk through how it works, and what you can do to avoid it.




More that TSA on steroids, this is Big Brothering at its best. Any country could do this, including the US.
China's social credit system has blocked people from taking 11 million flights and 4 million train trips
China's social credit system has blocked people from taking 11.14 million flights and 4.25 million high-speed train trips.
The numbers, from the end of April, were included in a report by China's state-run news outlet Global Times, but it is unclear what offenses those targeted in the travel ban have committed.
The social credit system is actually a collection of blacklists, of which there are more than a dozen at the national level. Each list is based on similar offenses — such as misbehavior on planes and trains, or failing to abide by a court judgment — and determines the punishments people face, from throttling internet speeds to blocking loans.




Keeping up with the players in the intelligence game.
… the Directorate for Signals Intelligence, Japan’s version of the National Security Agency.
The directorate has a history that dates back to the 1950s; its role is to eavesdrop on communications. But its operations remain so highly classified that the Japanese government has disclosed little about its work – even the location of its headquarters. Most Japanese officials, except for a select few of the prime minister’s inner circle, are kept in the dark about the directorate’s activities, which are regulated by a limited legal framework and not subject to any independent oversight.
Now, a new investigation by the Japanese broadcaster NHK — produced in collaboration with The Intercept — reveals, for the first time, details about the inner workings of Japan’s opaque spy community. Based on classified documents and interviews with current and former officials familiar with the agency’s intelligence work, the investigation shines light on a previously undisclosed internet surveillance program and a spy hub in the south of Japan that is used to monitor phone calls and emails passing across communications satellites.




Perspective.
… while digital marketers are aware of the strict new regulatory regime, seemingly few have taken active steps to address how it will impact their day-to-day operations.
GDPR will force marketers to relinquish much of their dependence on behavioral data collection. Most critically, it will directly implicate several business practices that are core to current digital ad targeting. The stipulation that will perhaps cause most angst is the new formulation for collecting an individual’s consent to data gathering and processing; GDPR requires that consent be active (as opposed to passive) and represent a genuine and meaningful choice. Digital marketers know that users of internet-based services like Snapchat, Facebook, and Google technically provide consent by agreeing to these companies’ terms of service when they sign up. But does this constitute an active and genuine choice? Does it indicate that the user is willing to have her personal data harvested across the digital and physical worlds, on- and off-platform, and have that data used to create a behavioral profile for digital marketing purposes? Almost certifiably not.


(Related)
Most GDPR emails unnecessary and some illegal, say experts
… Many companies, acting based on poor legal advice, a fear of fines of up to €20m (£17.5m) and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing.
… “Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR,” Vitale said. “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.




Interesting.
How Human-Computer ‘Superminds’ Are Redefining the Future of Work
The ongoing, and sometimes loud, debate about how many and what kinds of jobs smart machines will leave for humans to do in the future is missing a salient point: Just as the automation of human work in the past allowed people and machines to do many things that couldn’t be done before, groups of people and computers working together will be able to do many things in the future that neither can do alone now.




No doubt this is their strategy to entice kids to write rather than Tweet.
U.S. Postal Service announces first-ever scratch and sniff stamp with popsicle scent
… The U.S. Postal Service said Monday that it will issue its first-ever scratch-and-sniff stamps that will aim to evoke the sweet scent of summer. The 10 different stamp designs each feature a watercolor illustration of two different ice pops on a stick.
There will be one scent for all of the stamps and the secret smell will be unveiled when the Postal Service issues the stamps on June 20, according to U.S. Postal Service public relations representative Mark Saunders.


No comments: