Meta Covets Kiddie Instagrams

January 5, 2022

Instagram CEO Adam Mosseri’s recent testimony before Congress shows Facebook continues to deny truths revealed by whistleblower Frances Haugen: The company’s own research demonstrates Instagram is harmful to children and teens. Vox Recode reports that “Facebook Still Won’t Give Up Instagram for Kids.” Mosseri was asked whether the company would permanently halt development of Instagram for Kids, a platform intended for children ages 10–12. All the CEO would commit to was that if such a project were launched it would require parental permission. So that is a long-winded no. Writer Shirin Ghaffary observes:

“The exchange reveals a deeper takeaway from the hearing: Instagram — and its parent company Meta (formerly Facebook) — do not seem to believe their product is harmful enough to children and teens that it needs radical change. That’s in spite of internal company research leaked by Facebook whistleblower Frances Haugen, which showed that one in three teenage girls who felt bad about their bodies said Instagram made them feel worse. The research also showed that 13 percent of British teenage users and 6 percent of American teenage users who had suicidal thoughts traced the desire to kill themselves to Instagram. … [Mosseri’s] answers seemed to do little to reassure the remarkably bipartisan group of US lawmakers at the hearing, who say they believe Instagram is damaging teenagers’ mental health. These lawmakers say they are committed to passing legislation that could force Facebook and other tech companies to change their businesses to better protect children.”

But are they really? We also learn:

“Right now, there are several bills out to create stronger privacy laws, to establish penalties for Facebook if it allows damaging content to surface, and to mandate that Facebook must share more data with outside researchers to assess the harms of its products. So far, none of these bills have passed or are even close to passing.”

It sounds like Meta intends to ride out the wave of outrage until something displaces it in the public’s awareness, as is bound to occur, then reintroduce its platform for tweens. Perhaps it will give the product a different name. Certainly it will continue to spin social media as a net good for children, as Mosseri did at that hearing. Given both the public’s limited attention span and Congress’ tortoise-like speed, it seems like a solid plan.

Cynthia Murrell, January 5, 2022

Microsoft: Whipping Up the Dataverse to Distract from Security Issues?

December 27, 2021

I pegged the half-baked Windows 11 as a way to deflect tech writers from Microsoft’s noteworthy security challenges. The names almost became household words, spoken in retirement facilities and pre-schools. The mantra? SolarWinds, Exchange Server, Printspooler, Azure, etc.

How does a giant company with millions of “users” respond? My first thought was: Get everyone amped over the Windows 11 release. And the “real” tech journalists responded. Big names like Paul Thurrott were not clued in to the release. Wow, surprise! ZDNet chased the ball around the cubicle. And to cap the PR push Windows 11 users cannot select a different browser. That will put some “real” tech bloggers teeth on edge.

What was the result? The mind boggling security issues have been pushed into the background. From Microsoft’s point of view, that may be a good thing.

So what’s next?

How about this? “Microsoft is mining the Xbox 360 ‘Red Ring’ controversy for profit, and that’s not cool.” Yep, that’s the headline for a story about Microsoft hardware failure. The promotion was couched within a YouTube video. Plus, Microsoft will sell its faithful and security indifferent users a poster. No NFT for the Softies? This is a tree killing, ink centric offering.

To what end?

Just try to recall that the SolarWinds’, Exchange, etc. vulnerabilities still bedevil some security professionals. Will the tech bloggers and experts cut from Thurrott wool notice?

Nah. Red herring is a wonderful dish for a New Year’s feast in my opinion.

Stephen E Arnold, December 27, 2021

Palantir Technologies: On the Runway for a Trillion Dollar Take Off?

November 29, 2021

Palantir Technologies is an interesting company. Its technology is a combination of 2003 legacy innovations, some open source goodness, and 18 years of working hard to put a fence around policeware, intelware, financial fraud, and a handful of other markets. It sure seems to me that The Motley Fool, who is neither motley nor a fool, believes that this financial benchmark is a possibility; otherwise, why write the story? PR, stock churn, controversy, to catch the attention of observers and sideline sitters like myself? I don’t know, but with Apple putting the PR in PRivacy, who knows?

The premise is interesting. I noted this passage in the Motley and Fool write up called “Will Palantir Be a Trillion Dollar Stock by 2042“:

 Palantir is valued at $41.3 billion, or 27 times this year’s sales.

Good but with unicorns being birthed with Malthusian energy, there may be some boundaries on Palantir’s ambitions. (I will mention a couple of them at the close of this blog post.)

The write up also states:

The company expects that growth to be driven by its new and expanded contracts with government agencies, as well as the growth of its Foundry platform for large commercial customers. The accelerating growth of its commercial business over the past year, which notably outpaced the growth of its government business last quarter, supports that thesis.

I noted this statement, which I find somewhat amusing:

The company has gained a firm foothold with the U.S. government, but it still faces competition from internally developed systems. Immigration and Customs Enforcement (ICE), for example, has been developing its own platform to replace Palantir’s Falcon. If other agencies follow ICE’s lead, the company’s dream of becoming the “default operating system for data across the U.S. government” could abruptly end.

I assume that Messrs. Motley and Fool know something about government procurement, why US and EU agencies license multiple systems, and stimulate internal innovation. Yep, I am thinking about DoD incubation centers and 18f. To Motley’s and Fool’s analysis, I tip my fake fur hat to the mention of Amazon as a competitor. Many don’t understand the scope of Amazon’s government services, and probably if told, still wouldn’t grasp the online bookstore as provider of streaming business data and slick AWS blockchain tools.

Let me share some of the hurdles that the galloping stallion has to clear after 18 years on the track:

  1. The NSO Group dust up has changed the table stakes for policeware and intelware outfits which seek to expand into commercial markets. The impact of NSO Group has been biting Israeli firms, but who knows what will happen tomorrow. The past is not a reliable predictor in today’s flash mob environment.
  2. The newer methods developed since Palantir opened for “business” are impressive. Many are more capable than Palantir because many tasks with which a trained Palantir forward deployed engineer must engage are point-and-click. Check out Datawalk, Sphinx 12, or a few of the Tel Aviv based outfits’ methods. (A ton of Voyager insider information has been dumped online courtesy of FOIA and the LAPD.)
  3. Crime is rising, but cyber crime in its multiferous manisfestations is sky rocketing. That means that the vendors pitching solutions could face buyer remorse. What will some of those who find that nifty smart software is not too much of a barrier to novel exploits engendered by the good enough software approaches of Google-Android type coding or Microsoft cloud-type engineering? Maybe some big time litigation?

Net net: From my perspective Palantir Technologies is an intelware and policeware outfit which has to deal with upstart competitors, tough to predict regulation and trade controls, and the looming shadow of buyer remorse which will fall across the cyber intelligence sector and hit vendors indiscriminately.

A trillion dollar outfit? Is there an NFT for Seeing Stones yet?

Stephen E Arnold, November 29, 2021

A Simple Query, Interesting Consequences

October 15, 2021

The balance between effective tools for law-enforcement and civil liberties is, of course, a tricky one. Forbes discusses the thorny issue of keyword warrants in, “Exclusive: Government Secretly Orders Google to Identify Anyone Who Searched a Sexual Assault Victim’s Name, Address and Telephone Number.” The use of this specific warrant was inadvertently, and temporarily, unsealed by the Justice Department in September. Forbes was able to review the documents before they were sealed again. The write-up gives some relevant details of the Wisconsin case, but basically investigators asked Google for the Google account information and IP addresses of anyone who had searched for the victim’s name, two spellings of her mother’s name, her address, and her phone number on 16 specific days. Before this, we’re told, only two other keyword warrants had been made public. Write Thomas Brewster emphasizes:

“While Google deals with thousands of such orders every year, the keyword warrant is one of the more contentious. In many cases, the government will already have a specific Google account that they want information on and have proof it’s linked to a crime. But search term orders are effectively fishing expeditions, hoping to ensnare possible suspects whose identities the government does not know. It’s not dissimilar to so-called geofence warrants, where investigators ask Google to provide information on anyone within the location of a crime scene at a given time. … The latest case shows Google is continuing to comply with such controversial requests, despite concerns over their legality and the potential to implicate innocent people who happened to search for the relevant terms.”

In this particular case, the warrant’s narrow scope probably prevented that from happening. Still, even the most carefully worded requests set precedent. And others have been broad enough to impugn the merely curious, as with these orders made to Google, Microsoft, and Yahoo during the investigation into 2018’s serial bombings in Austin. Those warrants called for the account information and IP addresses of anyone searching for certain addresses and terms like “low explosives” and “pipe bomb.” As the ACLU’s Jennifer Granick observes:

“Trawling through Google’s search history database enables police to identify people merely based on what they might have been thinking about, for whatever reason, at some point in the past. This is a virtual dragnet through the public’s interests, beliefs, opinions, values and friendships, akin to mind reading powered by the Google time machine.”

As Granick sees it, keyword warrants not only breach the Fourth Amendment’s protections from unreasonable searches, they also threaten the freedom of speech granted by First Amendment: Google users may hesitate to look up information if their search histories could be handed over to the government at any moment. It does not help, she notes, that this is all going down in secret. See the article for more information.

Cynthia Murrell October 15, 2021

Google: Is Duplicity THE Game Plan?

September 27, 2021

I read “Google CEO Sought to Keep Incognito Mode Issues Out of Spotlight, Lawsuit Alleges.” Keep in mind that this is an allegation. The write up reports:

Google Chief Executive Sundar Pichai in 2019 was warned that describing the company’s Incognito browsing mode as “private” was problematic, yet it stayed the course because he did not want the feature “under the spotlight,” according to a new court filing. Google spokesman José Castañeda told Reuters that the filing “mischaracterizes emails referencing unrelated second and third-hand accounts.”

Like the word “unlimited” in “unlimited downloads”, my hunch is that “incognito” has a special meaning to Googlers. Those who are not Googley will not understand that “incognito” is a flag which makes it possible to pay attention to such actions within that browser function.

I am not Googley; therefore, I inferred that incognito meant:

with one’s identity concealed

There you go. A simple error caused because I, like some other people, assume that definitions matter. They do. What’s left out is that super smart executives at some high tech companies speak their own language. Like “diversity” and “Timnit Gebru.”

The Googley don’t make mistakes with words.

Stephen E Arnold, September 27, 2021

DuckDuckGo Email Protection Now in Beta

August 4, 2021

DuckDuckGo has released a new privacy-centric service. The Verge reports, “DuckDuckGo Launches New Email Protection Service to Remove Trackers.” Famous for its non-tracking search platform, the company also offers mobile and desktop browser extensions and is working on its own privacy-focused desktop browser. Metasearch to browser to email: the company aims to protect privacy across the online environment. The article describes how the email service removes trackers, and one can find details on how its other offerings work at its website. It all sounds very effective, and we are glad to see these measures in place. However, we have a question: What about those log files? I suppose we are to assume no admin ever, ever looks at that data.

Writer Dave Gershgorn describes how the Email Protection tool works:

The company’s new Email Protection feature gives users a free ‘@duck.com’ email address, which will forward emails to your regular inbox after analyzing their contents for trackers and stripping any away. DuckDuckGo is also extending this feature with unique, disposable forwarding addresses, which can be generated easily in DuckDuckGo’s mobile browser or through desktop browser extensions. The personal DuckDuckGo email is meant to be given out to friends and contacts you know, while the disposable addresses are better served when signing up for free trials, newsletters, or anywhere you suspect might sell your email address. If the email address is compromised, you can easily deactivate it. These tools are similar to anti-tracking features implemented by Apple in iOS 14 and iOS 15, but DuckDuckGo’s approach integrates into iOS, Android, and all major web browsers. DuckDuckGo will also make it easier to spin up disposable email addresses on the fly, for newsletters or anywhere you might share your email. Tackling email privacy has been a major goal for DuckDuckGo, as the company pushes for privacy-friendly methods for various online tasks.”

According to this 2017 study, more than 70 percent of email lists employ trackers that tell advertisers when, where, and on what device a message is opened. This information, of course, is then used to build advertising profiles. DuckDuckGo knows switching email addresses is a hassle most users would be unwilling to endure, so it came up with this intermediary layer. Naturally, the tool integrates with the company’s browser extensions. One limitation—while a user can respond to email that comes in to their @duck.com address, one cannot use it to initiate a new email thread. Email Protection is currently in beta; no word on when we can expect the tool to be released to the public.

Cynthia Murrell, August 4, 2021

Microsoft: China Fingers Data Collectors

May 21, 2021

I read “China Says ByteDance, Baidu, and Microsoft Improperly Collected User Data.” The story reports:

China Cyberspace Administration also named American tech giant Microsoft and its two products Bing and LinkedIn in a statement.

Bing and LinkedIn. What about Windows 10, the nifty Office system, and the ever Bob Windows Defender and its file monitoring and remembering capability?

The story pointed out nothing more.

China’s Internet Watchdog Says ByteDance, TikTok, Microsoft Collected User Data” noted that  Kuaishou (a social media platform) was snagged in the monitoring sweep. Apparently about 100 other applications and vendors were identified. This story said:

The authorities reportedly said that the apps violated several laws and had even infringed personal information through illegal access, over-collection and excessive information. The notice, reportedly, was shared to a notice on its WeChat official account. Earlier in April, Chinese regulators had called on 13 online platforms to adhere to stricter regulations in their financial divisions as a push to rein in China’s tech giants.

More information (maybe disinformation) will appear, but it seems as if China wants to send a message to technology companies. Executive changes, financial penalties, and mind games are likely to be fellow travelers for this government move. My take is that China will focus on the senior management of certain firms. High technology companies’ senior managers operate without fear of government action in the US and elsewhere. If China flexes its muscles, those relaxing cruises up the Yangtze River may provides some passengers with unexpected destinations. Fancy Qincheng Prison, anyone?

Stephen E Arnold, May 21, 2021

Hard-to-Detect Cybercrime Bots Target Young and Old

April 2, 2021

A recent report from research firm LexisNexis emphasizes bad actors’ growing reliance on bots to pull off their attacks. Not only that, these bots are becoming harder to catch. As TechBullion states, “Cybercrime Report Highlights the Need for Greater Security Visibility.” Reporter Oren Rofman writes:

“While hacks and attacks primarily driven by humans tend to be more sophisticated, bot attacks are not much easier to detect and remediate. Former Akamai security expert Ido Safruti, who is now CTO at PerimeterX, describes new bot attacks as invisible invaders that are becoming more difficult to detect. … Having evolved over the decades, these attacks have become more sophisticated than ever. While previous bots can be detected because of their inability to perform tasks humans are expected to do easily, advanced bots are now capable of doing complex actions and can even interact with humans. They can latch onto host users like parasites and perform actions that make them appear as human users.”

Since bot attacks tend to infect multiple devices, IP blacklists do little against them. Application firewalls and similar defenses are also ineffective because attacks successfully mimic legitimate users. Instead, we’re advised, companies must boost their security visibility so they can react to threats promptly. Rofman suggests continuous security validation as an effective approach. He writes:

“This entails the use of multiple strategies including behavioral detection solutions, SIEM/SOC validation, full-kill chain APT simulation, and purple team automation. The creation of the MITRE ATT&CK framework also helps in dealing with the most recent bot attacks, as it provides comprehensive and up-to-date threat intelligence along with detailed descriptions and information on attack patterns and processes. Many security solutions already integrate ATT&CK in their systems.”

Another important, though perhaps obvious, point is the role age plays in user vulnerability—those over 75 are more likely to fall victim because they are less familiar with technology in general. Those under 25, on the other hand, are profitable targets due to their lack of experience and tendency to forgo security best practices. The report also found that mobile e-commerce transactions are especially vulnerable, and that streaming media has opened new opportunities for hackers. One thing is clear—the problem of cybercrime is only getting worse, and users of all ages need to learn, and follow, security best practices.

Cynthia Murrell, April 2, 2021

How about Those Cyber Security Awards? Great in the Wake of SolarWinds and the MSFT Exchange Issues

March 26, 2021

The Cyber Defense Awards, hosted by Cyber Defense Magazine, has released its list of “InfoSec Awards for 2020-Winners.” The introduction reads:

“These InfoSec Awards are in their 8th year and specifically focused on finding innovative infosec players who have a presence in the United States and other countries. With over 3,200 cybersecurity companies worldwide, only a small number – roughly 10% – are highlighted as InfoSec Awards 2020 winners, based upon independent judging and analysis.  This year, we’ve continued to expand our coverage of some of our winning Women in Cybersecurity who will be rolled into our annual update, highlighting some of the innovative women helping taking cybersecurity to new heights.”

It is nice that the awards are recognizing the contributions of women in the male dominated field, and the post presents us with an impressive list of companies. However, we note one name seems to be missing—FireEye, the firm whose smart human analyst (non AI infused) actually caught the widespread SolarWinds’ attack. After that debacle, the effects of which the cyber-security community is still unraveling, we wonder whether these awards are justified. Perhaps they should have taken the year off.

Be that as it may, those interested in the cyber security field may want to check out the full list. It and a description of the judges’ approach can be viewed at the link above.

Now the $64 dollar question: How many of these “winners” detected the SolarWinds and Exchange breaches? Choose one: [a] None, [b] Zip, [c] Zero, [d] Nada.

Cynthia Murrell, March 26, 2021

Microsoft: Losing an Appetite for Chinese Take Out?

March 16, 2021

I read “Microsoft Claims They Are under Attack by China.” Last month, Microsoft was under attack by Russia. In this most recent round of finger pointing, the Giant Freakin Robot states:

Microsoft says this hack actually began months ago, maybe as early as January with the hackers masking their efforts along the way and prying deeper into the base systems that stand up these email servers. Once it was noticed in early March, the company worked on a fix.

The bad actors have done significant harm. Attributing the attack to a nation state suggests that companies based in the US and deploying software and services worldwide are targets of value.

Several questions come to mind:

  1. With an attack which began months ago, why weren’t existing cyber security systems able to discern the breach and issue alerts?
  2. How long is “months ago”? What if the Exchange breaches occurred three, six, a year or more before being detected? Microsoft “defender” should have defended, but what about third party cyber security systems?
  3. Will the patches remediate the problem? Microsoft issued a Windows 10 update which caused some print functions to fail? Are Microsoft’s “fixes” introducing new vulnerabilities?

Net net: The bad actors (whether kids in McDonalds) or trained cyber warriors in bunkers may not be the actual problem.

What’s the problem?

Microsoft’s core business processes maybe?

The move to the cloud, background updates, flawed quality checks, and an eagerness to blame others could be contributing factors to the Redmond giant’s spate of woes.

What countries will be blamed for attacking Microsoft? I think Liechtenstein looks suspicious, don’t you?

Scrap the Chinese lunch order for today too.

Stephen E Arnold, March 16, 2021

Next Page »

  • Archives

  • Recent Posts

  • Meta