Tech Backlash: Not Even Apple and Goldman Sachs Exempt

November 11, 2019

Times are indeed interesting. Two powerful outfits, Apple (the privacy outfit with a thing for Chinese food) and Goldman Sachs (the we-make-money-every-way-possible organization), are the subject of “Viral Tweet about Apple Card Leads to Goldman Sachs Probe.” The would-be president’s news machine stated, “Tech entrepreneur alleged inherent bias in algorithms for card.” The card, of course, is the Apple-Goldman revenue-generating credit card. Navigate to the Bloomberg story. Get the scoop.

On the other hand, just look at one of the dozens and dozens of bloggers commenting about this bias, algorithm, big name story. Even more intriguing is that the aggrieved tweeter’s wife had her credit score magically changed. Remarkable how smart algorithms work.

DarkCyber does not want to retread truck tires. We do have three observations:

  1. The algorithm part may be more important than the bias angle. The reason is that algorithms embody bias, and now non-technical and non-financial people are going to start asking questions: Superficial at first and then increasingly on point. Not good for algorithms when humans obviously can fiddle the outputs.
  2. Two usually untouchable companies are now in the spotlight for subjective, touchy feely things with which neither company is particularly associated. This may lead to some interesting information about what’s up in the clubby world of the richest companies in the world. Discrimination maybe? Carelessness? Indifference? Greed? We have to wait and listen.
  3. Even those who may have worked at these firms and who now may be in positions of considerable influence may find themselves between a squash wall and sweaty guests who aren’t happy about an intentional obstruction. Those corporate halls which are often tomb-quiet may resound with stressed voices. “Apple” carts which allegedly sell to anyone may be upset. Cleaning up after the spill may drag the doubles partners from two exclusive companies into a task similar to cleaning sea birds after the gulf oil spill.

Will this issue get news traction? Will it become a lawyer-powered railroad handcar creeping down the line?

Fascinating stuff.

Stephen E Arnold, November 11, 2019

The Golden Age of Surveillance

November 1, 2019

Back in 2016, then-FBI general counsel Jim Baker famously fought tooth and nail to force Apple to grant the Bureau access to an encrypted phone following a terrorist attack in San Bernardino. (The FBI eventually found another way to access the data, so the legal issue was sidestepped.) Now we learn Baker has evolved on the issue in the write-up, “Former FBI General Counsel who Fought Apple Has Now ‘Rethought’ Encryption” at 9To5Mac. Writer Ben Lovejoy pulls highlights from a lengthy piece Baker wrote for the Lawfare blog describing his current position on encryption. While he stands by his actions in the San Bernardino case, he now sees the need to balance law enforcement’s need for information and the rest of society’s need to protect valuable data from bad actors. Lovejoy writes:

“Baker says that strong encryption still poses a substantial problem for law enforcement, but he now recognizes that there is no way to square the circle of protecting both personal and government data on the one hand, and allowing law enforcement to access data on the other.

‘A solution that focuses solely on law enforcement’s concerns will have profound negative implications for the nation across many dimensions. I am unaware of a technical solution that will effectively and simultaneously reconcile all of the societal interests at stake in the encryption debate, such as public safety, cybersecurity and privacy as well as simultaneously fostering innovation and the economic competitiveness of American companies in a global marketplace.’

“He says that forcing US companies to create compromised systems would simply shift demand to foreign-made products that remain secure. Additionally, a lot can be done with metadata, that is, records of who contacted who, rather than what was said.

‘Further, the situation for law enforcement may not actually be as bad as some claim. In fact, some argue that society is in a “golden age of surveillance” as substantially more data, especially metadata, than ever before is available for collection and analysis by law enforcement.’”

“Golden age of surveillance” indeed—the man has a point. He stresses, in particular, the importance of avoiding potential spyware in Chinese-made equipment. He urges government officials to embrace encryption as necessary or, if they refuse to do that, find another way to guard against existential cyber threats. He observes they have yet to do so effectively.

Cynthia Murrell, November 1, 2019

Microsoft Github: An Issue for MSFT to Resolve? Yes!

October 30, 2019

Microsoft, the open source champion and all-time wizard of software updates, was served some spoiled digital tapas. You can read the “menu order” at this link. The idea is that Github is hosting an app which allows some individuals in Spain to thwart police actions. The English and Spanish posting states:

Spain is currently facing a series of riots involving serious public disorder and main infrastructure’s sabotage. There is an ongoing investigation being carried out by the National High Court where the movement Tsunami Democratic has been confirmed as a criminal organization driving people to commit terrorist attacks. Tsunami Democratic’s main goal is coordinating these riots and terrorist actions by using any possible means. Among them, they have developed an app that provides information about those riots and allows their users to communicate between themselves in order to coordinate those actions. This app has been uploaded to GitHub by the user [private] ([private]), where people that want to participate in riots can access his repository ([private]) and install different versions of this app on their devices. Moreover, other repositories with the same information have been created to prevent the content being withheld.

WWMD or What will Microsoft do? Fight for open source goodness, respond to a legitimate request and warrant, or output legal-marketing goodness?

Worth monitoring? Yes. DarkCyber is interested in how activist Microsoft employees respond, both in Spain and in other MSFT office locations.

Stephen E Arnold, October 30, 2019

Facebook Takes on NSO Group

October 30, 2019

Now this is an interesting and possibly inadvisable move. Facebook is big and it has become the one company able to create more negative vibes than an outfit like Boeing (the 737 Max, which allegedly was called “flying coffins”) or Johnson & Johnson (the outfit famous for baby powder with a possible secret ingredient).

“Why WhatsApp Is Pushing Back on NSO Group Hacking” provides a Facebook professional’s explanation of the decision to go after the NSO Group, a specialized software and services firm with some government clients:

As we gathered the information that we lay out in our complaint, we learned that the attackers used servers and Internet-hosting services that were previously associated with NSO. In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful.

I particularly relished this statement by the Facebook professional:

At WhatsApp, we believe people have a fundamental right to privacy and that no one else should have access to your private conversations, not even us. Mobile phones provide us with great utility, but turned against us they can reveal our locations and our private messages, and record sensitive conversations we have with others.

Yeah, yeah, the DarkCyber team hears your voice. Is that voice one that resonates with truth, honor, and “ethical behavior” cranked up on the baloney amplifier?

Several observations:

  • It is generally a good idea to understand one’s opponent before getting into a bit of a tussle. Some opponents have special capabilities which are not often understood in the go go, move fast and break things world of Facebook.
  • Facebook lacks what DarkCyber thinks of as “credibility stature.” In fact, the shadow the firm casts is a long one, but the path the company has followed is a crepuscular journey, the journey of those who may be afraid of the light. (Apologies to Plato.)
  • NSO Group states: “NSO products are used exclusively by government intelligence and law enforcement agencies to fight crime and terror.”

Based on information I glean from my lectures at law enforcement and intelligence conferences, WhatsApp is an encrypted messaging service popular among some bad actors.

Oh, one final question, “Where did some of NSO’s team garner their operational experience?”

Give up. Gentle reader, knowing the answer is probably important. Does Facebook know the answer? Another good question.

Stephen E Arnold, October 30, 2019

Attorneys Are Getting Better at Tech But There Are Still Some Challenges

October 24, 2019

The best attorneys put bad actors in prison, but in order to do that they need to gather evidence to support their cases in court. With the plethora of data types and sources, attorneys must organize it for quick recall, but data also comes with its own mistakes. JD Supra reveals the “Top Five Data Collection Mistakes” and ways to avoid them in the litigation process.

There are two main data types: traditional and nontraditional. Users create traditional data, then organize it and place it in workflows. Nontraditional data comes from sources that have few or no collection or processing procedures; it usually comes from social media, chat applications, cloud platforms, and text messages. Attorneys need to determine what data types they are handling in litigation and be aware of potential mistakes.

The easiest mistake to make is not realizing that different data types require different collection methods. Extracting information from a computer requires knowledge about its operating system and manufacturer. Cell phone data has its own complications, such as whether the data is backed up to a cloud or whether the vendor must be contacted to retrieve metadata. Discovering who owns data is another issue. Data is stored on personal devices, in the cloud, on third-party systems, and more. Ownership becomes questionable, as does whether data must be shared when it is not physically owned. Governance policies, customer workflows, and data maps are necessary in order to address data ownership.

Proportionality cannot be ignored. A court could rule that the burden of retrieving data outweighs its usefulness. Any data, however, could change a case:

“As always, the success of this argument will depend on the specific facts of a case. For example, one federal court held that a request for text messages was disproportional to the burden of collecting and producing them even though they had been produced in a pre-litigation investigation because the text messages only added minimal evidentiary value to the case. Litigators must be able to clearly articulate a proportionality argument in order to successfully avoid the production of minimally relevant/useful data.”

Misunderstanding proportionality is understandable, but not recognizing data structure and storage is a beginner’s mistake. In order for eDiscovery algorithms to work, they need to be programmed to scan data from different database structures and storage devices. Programming the algorithm wrong is like expecting a US electric appliance to work in another country: data structure and storage are not universal. Attorneys need to remember to cover all data points and search everything. Another amateur mistake is forgetting to collect the data that provides context for raw data; that is like trying to decipher a secret code without the cipher key.

These are simple mistakes to make, but with new technology and data types new mistakes will develop. Keeping abreast of new trends, technology, communication methods, and data laws will prevent them from appearing.

Whitney Grace, October 24, 2019

FANG Alert: Government Scrutiny Increases

October 21, 2019

Certain Tech Giants Under Scrutiny for Potential Anti-Competitive Practices

Apparently, the feds have been asking Oracle for dirt on their rival. The Register reports, “Oracle: Yeah, We’ve Had a Bunch of G-Men Come Sniffing Around Asking Questions About Google.” Writer John Oates reveals:

“The two tech titans have been engaged in a bitter, eight-year long battle over the disputed use of Java code in Google’s Android mobile operating system. … Ken Glueck, veep at Oracle, told Reuters that the company had been contacted by Texan investigators, the House of Representatives Judiciary Committee and the Justice Department, all of which sought information about Google and alleged violations of antitrust law.”

But it is not just Oracle being pumped for information, and it is not just about Google. Oates continues:

“Anonymous sources quoted in the same story said the House Judiciary Committee has been asking around small firms it reckons may have been damaged by tech giants’ business practices, but added that some may wait until the committee issues legally binding subpoenas because they believe that would leave them less at risk of retaliation. The committee is waiting to see how much information it can collect voluntarily before issuing legal demands.”

This news comes amid a push by the DOJ, the House Judiciary Committee, and agencies in 48 states to ferret out anti-competitive practices at Google, Amazon, Facebook, and Apple. It looks like those companies’ lawyers are about to be very busy.

Cynthia Murrell, October 21, 2019

Oxford University and HobbyLobby: A Criminal Duo?

October 17, 2019

I have wandered around Oxford and its hallowed halls. Interesting place. Not much going on. I have also visited a HobbyLobby. Lots going on. My take: Oxford was snooty; HobbyLobby was crass.

I read “Oxford Professor Accused of selling Ancient Bible Fragments.” When I saw the headline, I thought about MIT and its tie up and cover up of its Jeffrey Epstein connection.

What’s with universities?

The write up states:

An Oxford University professor has been accused of selling ancient Bible fragments to a controversial US company that has been involved in several high-profile scandals related to its aggressive purchases of biblical artifacts.

DarkCyber noted:

Commenting after the statement on Monday, Nongbri [New Testament scholar] said: “The sale of the manuscripts and the attempt to cover it up by removing records is almost unbelievable. But the first thing to note are the words ‘so far’. We don’t yet know the full extent of this. More items may well have been sold to Hobby Lobby.”

No digital connection. No Dark Web. Just a prestigious institution and an outfit which sells stuff to people who create owl plaques in their ovens.

Remember. Just allegations.

Stephen E Arnold, October 17, 2019

Google: A Friday Get Together in the Shadow of Dorian

September 7, 2019

When I worked in Sillycon Valley, Friday was a big deal. I am not sure why. Once or twice a month, I would trek to some local joint and hang out with others who worked at our whiz bang technology and cyber data company. In general, the mood was upbeat. We were making money. We did not have vulture capitalists roosting on our shiny vehicles. We were not responding to US government mandated document collection tasks.

If the information in Mr. Jeff Bezos’s Washington Post is correct, the Googlers must have concluded that Dorian was pummeling them with rain, high winds, and untethered plastic pool floats. The story is titled “Google Receives Demand for Documents from Justice Dept., Acknowledging Federal Antitrust Scrutiny.” (I was able to read it after wading through the begging-for-dollars pop ups. Really, Mr. Bezos?)

I noted this statement, which may or may not be affected by someone who is breathing the fumes from the Bezos bulldozer idling in front of the Washington Post’s headquarters.

the Justice Department has requested records related to its prior antitrust investigations, marking the tech giant’s first major acknowledgment that it’s a subject of a federal competition probe. The civil-investigative demand — acknowledged in a securities filing and a blog post — comes weeks after Justice Department officials said they would open a broad review of big tech, including search.

Records requests are interesting. On the surface, the request is simple: Gather up the information from “past investigations.” On the other hand, fast-moving, high-tech companies are not really into archiving. Sure, there are document management systems, files on Google Drive, data tucked into USB sticks, paper stored in file cabinets (although some Googlers may not be familiar with actual records management conventions), and maybe, just maybe, data in a Google social media system.

The unknown, as I understand the document landscape, is how to comply with this simple government request.

But, and there is often a but associated with a simple government request, the content Google provides will be compared with information that the investigators, lawyers, and analysts already have.

Anomalies are, in general, not desirable. For example, if the government document reviewers have a document NOT in the Google collection delivered in compliance with the request, an interesting question can be raised:

Why did you, Google, not provide the same information you delivered in the prior antitrust matters? (Translation: We have info in our files from our previous look at you and you are leaving stuff out.)

Now let’s assume that there is information in the government’s file (usually maintained in accordance with assorted guidelines and regulations about US government document retention). Here’s the question:

Why did you provide a document pertinent to a prior antitrust matter that you previously did NOT provide? (Translation: The trove of documents you Google have just delivered includes information we have not seen before. Why?)

You can generate quite a string of questions from this type of matching exercise. Neither question triggers the unencumbered joy of pre-demand Friday staff get-togethers. (Did you know that Google owns the Sports Page in Mountain View?)

Worth monitoring for two reasons:

  1. Is Google’s record keeping up to snuff?
  2. Are the data provided congruent with what the lawyers, analysts, and investigators have in their files both paper and digital?

A digital Dorian in Mountain View?

Stephen E Arnold, September 7, 2019

Brave Is Brave: Google Allegations

September 5, 2019

I read “Brave Uncovers Google’s GDPR Workaround.” The main point of the write up seems to be that Googlers have allegedly engineered a way to work around the GDPR privacy protections. The write up asserts:

New evidence gathered by Brave gives the Irish DPC concrete proof that Google’s ad system did broadcast personal data about Dr Ryan, which infringed the GDPR. In addition, Brave has uncovered what appears to be a GDPR workaround that circumvents Google’s own publicly stated GDPR data safeguards.

“Dr. Ryan” is Brave’s chief policy and industry relations officer. This individual allegedly stated:

“The evidence we have submitted to the Irish Data Protection Commission proves that Google leaked my protected data to an unknown number of companies. One cannot know what these companies then did with it, because Google loses control over my data once it was sent. Its policies are no protection.”

What did Google allegedly do?

First, Google allegedly used DoubleClick components. (Note: DoubleClick patents are quite interesting. You can get started on the path to grasping the nature of the systems and methods Google acquired in 2007 for about $3 billion at this link.)

We learned:

Google allowed not only one additional party, but many, to match with Google identifiers. The evidence further reveals that Google allowed multiple parties to match their identifiers for the data subject with each other.

We noted:

Google Push Pages are served from a Google domain (https://pagead2.googlesyndication.com) and all have the same name, “cookie_push.html”. Each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about. This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible. All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This “google_push” identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.

The write up argues:

Brave’s evidence shows that Google’s Push Page mechanism undermines Google’s purported data protection measures. They are also vulnerable to abuse by other parties. We are aware that companies other than Google have used the Push Page mechanism to establish their own Push Pages to share data with their own business partners. This appears to happen without Google’s knowledge. The loss of control over personal data in Google’s RTB system is again evident, and it is clear that Google’s policies have provided no protection.
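As an added example, not code from the Brave report or from this post, the following Python audits constructed proxy log lines for the Push Page pattern quoted above (requests to pagead2.googlesyndication.com for cookie_push.html carrying a very long identifier) and groups the third-party hosts that were handed the same identifier, which is exactly the cross-referencing the report describes. The `google_push` query-parameter name, the `/pagead/` path, the 1,000-character threshold and the sample log lines are assumptions.

```python
"""Audit constructed proxy log lines for Push Page identifier sharing."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

PUSH_HOST = "pagead2.googlesyndication.com"   # host named in the report
PUSH_PAGE = "cookie_push.html"                # page name named in the report
MIN_ID_LEN = 1000   # assumption: the report describes ~2,000-char identifiers

# Constructed sample log: "<timestamp> <referrer> <requested_url>" per line.
# The parameter name "google_push" and the path are assumptions, not captured traffic.
_LONG_ID = "A" * 1990 + "xyz"   # stands in for one person's ~2,000-char identifier
_PUSH_URL = f"https://{PUSH_HOST}/pagead/{PUSH_PAGE}?google_push="
SAMPLE_LOG = "\n".join([
    f"2019-09-05T10:00:01Z https://ads.example-partner-one.test/sync {_PUSH_URL}{_LONG_ID}",
    f"2019-09-05T10:00:02Z https://tracker.example-partner-two.test/pixel {_PUSH_URL}{_LONG_ID}",
    f"2019-09-05T10:00:03Z https://news.example-publisher.test/article https://{PUSH_HOST}/pagead/show_ads.js",
    f"2019-09-05T10:00:04Z https://ads.example-partner-one.test/sync {_PUSH_URL}{'B' * 1500}",
])

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Split one log line into its three whitespace-separated fields, or None."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    timestamp, referrer, url = match.groups()
    return {"ts": timestamp, "referrer": referrer, "url": url}


def push_page_identifier(url):
    """Return the long identifier from a Push Page URL, or None for any other URL."""
    parsed = urlparse(url)
    if parsed.netloc != PUSH_HOST or not parsed.path.endswith("/" + PUSH_PAGE):
        return None
    values = parse_qs(parsed.query).get("google_push")
    if not values or len(values[0]) < MIN_ID_LEN:
        return None   # short or missing value: not a per-person identifier
    return values[0]


def audit_push_pages(log_text):
    """Map each identifier to the sorted set of third-party hosts that loaded it.

    Two or more hosts under one identifier means those parties received the same
    key for the same person and can cross-reference their profiles.
    """
    shared = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        ident = push_page_identifier(entry["url"])
        if ident is None:
            continue
        shared[ident].add(urlparse(entry["referrer"]).netloc)
    return {ident: sorted(hosts) for ident, hosts in shared.items()}


def cross_referencing_groups(log_text):
    """Only the host groups that share an identifier, i.e. the privacy-relevant finding."""
    return [hosts for hosts in audit_push_pages(log_text).values() if len(hosts) > 1]


if __name__ == "__main__":
    for hosts in cross_referencing_groups(SAMPLE_LOG):
        print("same identifier handed to:", ", ".join(hosts))
```

Run against real proxy or HAR exports, the same grouping shows which partners could pool profiles for one visitor, which is the control failure the report attributes to the mechanism.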

Let’s assume Brave’s data are accurate. Furthermore, let’s assume that the Irish Data Protection Commission integrates these data into its deliberations. What’s the outcome?

DarkCyber believes that Google’s credibility would take another hit. Fines are unlikely to apply friction to the alleged behavior. Understanding the nuances of what it means when Google operates in a way that is not easily understood by anyone other than specialists is a type of digital circumvallation. It worked for Caesar, and it seems to be working for Google. Of course, if Brave’s data are inaccurate, then Google is just another simple online outfit selling ads. Simple. Efficient. Business as usual.

Stephen E Arnold, September 5, 2019

Conference Presentation Peril

August 29, 2019

No wonder giving a talk at a conference is a terrifying experience for some people. DarkCyber noted “Cryptography Startup Sues Black Hat Conference after Getting Booed and Heckled.” The write up explains:

Crown Sterling was heckled during its presentation of the paper titled “Discovery of Quasi-Prime Numbers: What Does this Mean for Encryption”

The procedure described in the talk has some value to those engaged in horoscope generation.

A lousy and stupid talk at a conference – so what?

The answer to this question is a lawsuit charging Black Hat “for not upholding its standards of conduct for attendees and for violating their terms of Crown Sterling’s sponsorship package.”

The “sponsorship” angle is very popular at some technology conference venues. Here’s the basic idea:

  1. Pick a sponsorship package like hosting a luncheon, leasing a booth or “stand” in an exhibit hall, providing a mostly useless bag or carry all for marketing collateral, or some other activity. (The conference organizers call these deals by such names as “platinum sponsor” or “open bar courtesy of XYZ Corp.”)
  2. Get one or more speaking slots. You can spot the lack of objectivity in the programs of sponsor supported conferences. Just look for the companies which have two or more presentations; for example, one keynote (big bucks), one thought piece presentation with minimal sales spin, and/or one product presentation (a pure sales pitch).
  3. Collect a list of names of people who stopped by the booth, courtesy of a bar code scanner which sucks in a person’s conference ID code, plus the handful of people who stop by the conference organizer office and ask, “Could you give my card to XYZ Corp’s rep. She was not available when I stopped by the booth.”
  4. Watch for conferences at which the “organizer” gives lengthy presentations. These conferences often have an agenda, and it may not be the attendees’ or reflect significant issues of interest to those who have an annual migration to an event.

The problem with this approach to conferences is that when one pays money, maybe as much as $150,000, the company buying a package wants results. Getting heckled is not what the sponsor expects. Therefore, the lawsuit sallies forth.

Attendees, check out who is speaking and how these people get on the program. Conference organizers, why not put on better events so the “sponsorship” lawsuit becomes impossible?

Note: I do attend a few conferences each year. I still get invited to give a talk. This is semi gratifying, but I will be 76 this year, and I have watched the decline in presentation quality and program value. Like many aspects of the tech world, deterioration and Las Vegas razzle dazzle are now the norm.

Stephen E Arnold, August 29, 2019
