[LACNIC/Seguridad] Facebook: "surveillance capitalism" and others (Fwd: CRYPTO-GRAM, April 15, 2018)
Fernando Gont
fgont@si6networks.com
Tue Apr 17 11:33:24 BRT 2018
FYI
-------- Forwarded Message --------
Subject: CRYPTO-GRAM, April 15, 2018
Date: Sun, 15 Apr 2018 01:18:29 -0500
From: Bruce Schneier <schneier@schneier.com>
To: fernando@gont.com.ar
CC: Crypto-Gram Mailing List <crypto-gram@lists.schneier.com>
CRYPTO-GRAM
April 15, 2018
by Bruce Schneier
CTO, IBM Resilient
schneier@schneier.com
https://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<https://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<https://www.schneier.com/crypto-gram/archives/2018/0415.html>. These
same essays and news items appear in the "Schneier on Security" blog at
<https://www.schneier.com/>, along with a lively and intelligent comment
section. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Facebook and Cambridge Analytica
News
Israeli Security Company Attacks AMD by Publishing Zero-Day Exploits
Schneier News
Obscure E-Mail Vulnerability
The Digital Security Exchange Is Live
** *** ***** ******* *********** *************
Facebook and Cambridge Analytica
In the wake of the Cambridge Analytica scandal, news articles and
commentators have focused on what Facebook knows about us. A lot, it
turns out. It collects data from our posts, our likes, our photos,
things we type and delete without posting, and things we do while not on
Facebook and even when we're offline. It buys data about us from others.
And it can infer even more: our sexual orientation, political beliefs,
relationship status, drug use, and other personality traits -- even if
we didn't take the personality test that Cambridge Analytica developed.
But for every article about Facebook's creepy stalker behavior,
thousands of other companies are breathing a collective sigh of relief
that it's Facebook and not them in the spotlight. Because while Facebook
is one of the biggest players in this space, there are thousands of
other companies that spy on and manipulate us for profit.
Harvard Business School professor Shoshana Zuboff calls it "surveillance
capitalism." And as creepy as Facebook is turning out to be, the entire
industry is far creepier. It has existed in secret far too long, and
it's up to lawmakers to force these companies into the public spotlight,
where we can all decide if this is how we want society to operate and --
if not -- what to do about it.
There are 2,500 to 4,000 data brokers in the United States whose
business is buying and selling our personal data. Last year, Equifax was
in the news when hackers stole personal information on 150 million
people, including Social Security numbers, birth dates, addresses, and
driver's license numbers.
You certainly didn't give it permission to collect any of that
information. Equifax is one of those thousands of data brokers, most of
them you've never heard of, selling your personal information without
your knowledge or consent to pretty much anyone who will pay for it.
Surveillance capitalism takes this one step further. Companies like
Facebook and Google offer you free services in exchange for your data.
Google's surveillance isn't in the news, but it's startlingly intimate.
We never lie to our search engines. Our interests and curiosities, hopes
and fears, desires and sexual proclivities, are all collected and saved.
Add to that the websites we visit that Google tracks through its
advertising network, our Gmail accounts, our movements via Google Maps,
and what it can collect from our smartphones.
That phone is probably the most intimate surveillance device ever
invented. It tracks our location continuously, so it knows where we
live, where we work, and where we spend our time. It's the first and
last thing we check in a day, so it knows when we wake up and when we go
to sleep. We all have one, so it knows who we sleep with. Uber used just
some of that information to detect one-night stands; your smartphone
provider and any app you allow to collect location data knows a lot more.
Surveillance capitalism drives much of the internet. It's behind most of
the "free" services, and many of the paid ones as well. Its goal is
psychological manipulation, in the form of personalized advertising to
persuade you to buy something or do something, like vote for a
candidate. And while the individualized profile-driven manipulation
exposed by Cambridge Analytica feels abhorrent, it's really no different
from what every company wants in the end. This is why all your personal
information is collected, and this is why it is so valuable. Companies
that can understand it can use it against you.
None of this is new. The media has been reporting on surveillance
capitalism for years. In 2015, I wrote a book about it. Back in 2010,
the Wall Street Journal published an award-winning two-year series about
how people are tracked both online and offline, titled "What They Know."
Surveillance capitalism is deeply embedded in our increasingly
computerized society, and if the extent of it came to light there would
be broad demands for limits and regulation. But because this industry
can largely operate in secret, only occasionally exposed after a data
breach or investigative report, we remain mostly ignorant of its reach.
This might change soon. In 2016, the European Union passed the
comprehensive General Data Protection Regulation, or GDPR. The details
of the law are far too complex to explain here, but some of the things
it mandates are that personal data of EU citizens can only be collected
and saved for "specific, explicit, and legitimate purposes," and only
with explicit consent of the user. Consent can't be buried in the terms
and conditions, nor can it be assumed unless the user opts in. This law
will take effect in May, and companies worldwide are bracing for its
enforcement.
Because pretty much all surveillance capitalism companies collect data
on Europeans, this will expose the industry like nothing else. Here's
just one example. In preparation for this law, PayPal quietly published
a list of over 600 companies it might share your personal data with.
What will it be like when every company has to publish this sort of
information, and explicitly explain how it's using your personal data?
We're about to find out.
In the wake of this scandal, even Mark Zuckerberg said that his industry
probably should be regulated, although he's certainly not wishing for
the sorts of comprehensive regulation the GDPR is bringing to Europe.
He's right. Surveillance capitalism has operated without constraints for
far too long. And advances in both big data analysis and artificial
intelligence will make tomorrow's applications far creepier than
today's. Regulation is the only answer.
The first step to any regulation is transparency. Who has our data? Is
it accurate? What are they doing with it? Who are they selling it to?
How are they securing it? Can we delete it? I don't see any hope of
Congress passing a GDPR-like data protection law anytime soon, but it's
not too far-fetched to demand laws requiring these companies to be more
transparent in what they're doing.
One of the responses to the Cambridge Analytica scandal is that people
are deleting their Facebook accounts. It's hard to do right, and doesn't
do anything about the data that Facebook collects about people who don't
use Facebook. But it's a start. The market can put pressure on these
companies to reduce their spying on us, but it can only do that if we
force the industry out of its secret shadows.
This essay previously appeared on CNN.com.
https://www.cnn.com/2018/03/26/opinions/data-company-spying-opinion-schneier/index.html
What Facebook collects and knows:
https://www.express.co.uk/life-style/science-technology/751009/Facebook-Scan-Photos-Data-Collection
http://www.businessinsider.com/facebook-saves-stuff-you-start-typing-and-the-delete-2013-12
https://www.theguardian.com/technology/2017/jul/03/facebook-track-browsing-history-california-lawsuit
https://www.propublica.org/article/facebook-doesnt-tell-users-everything-it-really-knows-about-them
http://www.pnas.org/content/early/2013/03/06/1218772110
http://www.businessinsider.com/facebook-personality-test-cambridge-analytica-data-trump-election-2018-3
Surveillance capitalism:
https://www.amazon.com/Age-Surveillance-Capitalism-Future-Frontier/dp/1610395697/ref=sr_1_sc_1
Data brokers:
http://www.newsweek.com/secretive-world-selling-data-about-you-464789
Equifax:
https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
https://www.nytimes.com/2017/10/02/business/equifax-breach.html
https://www.forbes.com/sites/forrester/2017/09/08/equifax-does-more-than-credit-scores/#324765b219d8
Google Maps:
https://mashable.com/2015/07/22/google-maps-your-timeline/
Uber's data analysis on one-night stands:
https://gigaom.com/2012/03/26/uber-one-night-stands/
My book, "Data and Goliath":
https://www.schneier.com/books/data_and_goliath/
The "What They Know" series:
http://juliaangwin.com/the-what-they-know-series/
https://ashkansoltani.org/work/what-they-know/
GDPR:
https://www.cennydd.com/writing/a-techies-rough-guide-to-gdpr
PayPal's data sharing:
https://www.paypal.com/ie/webapps/mpp/ua/third-parties-list
https://rebecca-ricks.com/paypal-data/
Zuckerberg and regulating Facebook:
https://www.wired.com/story/mark-zuckerberg-talks-to-wired-about-facebooks-privacy-problem/
https://www.theverge.com/2018/3/21/17150270/mark-zuckerberg-facebook-regulated
Deleting Facebook:
https://pageflows.com/blog/delete-facebook/
Why deleting Facebook won't help:
https://www.nytimes.com/2018/03/24/opinion/sunday/delete-facebook-does-not-fix-problem.html
Facebook collecting data about people not on Facebook:
https://www.theverge.com/2016/5/27/11795248/facebook-ad-network-non-users-cookies-plug-ins
https://mashable.com/2013/06/26/facebook-shadow-profiles/
https://gizmodo.com/how-facebook-figures-out-everyone-youve-ever-met-1819822691?IR=T
Slashdot thread:
https://yro.slashdot.org/story/18/03/31/0253219/thousands-of-companies-are-spying-on-you
** *** ***** ******* *********** *************
News
This is a good article on the complicated story of hacker Marcus Hutchins.
https://nymag.com/selectall/2018/03/marcus-hutchins-hacker.html
Dan Geer on the dangers of computer-only systems:
https://www.hoover.org/sites/default/files/research/docs/geer_webreadypdfupdated2.pdf
Interesting paper "A first look at browser-based cryptojacking":
https://arxiv.org/abs/1803.02887v1
Interesting analysis and speculation about the Cuban sonic weapon.
https://www.spectrum.ieee.org/semiconductors/devices/how-we-reverse-engineered-the-cuban-sonic-weapon-attack
Good Snopes article on this:
https://www.snopes.com/fact-check/do-sonic-weapons-explain-the-health-diplomats-cuba/
Some details about the iPhone unlocker from the US company Greyshift,
with photos.
https://blog.malwarebytes.com/security-world/2018/03/graykey-iphone-unlocker-poses-serious-security-concerns/
https://www.schneier.com/blog/archives/2018/03/greyshift_sells.html
Zeynep Tufekci is particularly cogent about Facebook and Cambridge
Analytica.
https://www.nytimes.com/2018/03/19/opinion/facebook-cambridge-analytica.html
Interesting research from 2014 into undetectably adding backdoors into
computer chips during manufacture: "Stealthy dopant-level hardware
Trojans: extended version." The moral is that this kind of technique is
*very* difficult to detect.
https://link.springer.com/article/10.1007/s13389-013-0068-0
https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2015/03/19/beckerStealthyExtended.pdf
Yet another development in the arms race between facial recognition
systems and facial-recognition-system foolers.
https://arxiv.org/pdf/1803.04683.pdf
https://boingboing.net/2018/03/26/the-threaten-from-infrared.html
Ross Anderson has a really interesting paper on tracing stolen bitcoin.
https://www.lightbluetouchpaper.org/2018/03/26/tracing-stolen-bitcoin/
https://www.cl.cam.ac.uk/~rja14/Papers/making-bitcoin-legal.pdf
Brad Templeton wrote about this years ago:
http://ideas.4brad.com/what-if-somebody-steals-bitcoin
Researchers have exploited a flaw in the cryptocurrency Monero to break
the anonymity of transactions.
https://www.wired.com/story/monero-privacy/
https://arxiv.org/pdf/1704.04299/
https://boingboing.net/2018/03/27/perfect-forward-secrecy.html
When Spectre and Meltdown were first announced earlier this year, pretty
much everyone predicted that there would be many more attacks targeting
branch prediction in microprocessors. Here's another one:
https://arstechnica.com/gadgets/2018/03/its-not-just-spectre-researchers-reveal-more-branch-prediction-attacks/
http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf
It's routine for US police to unlock iPhones with the fingerprints of
dead people. It seems only to work with recently dead people.
https://www.forbes.com/sites/thomasbrewster/2018/03/22/yes-cops-are-now-opening-iphones-with-dead-peoples-fingerprints/#3f3dc52a393e
Interesting history of musical ciphers.
https://www.atlasobscura.com/articles/musical-cryptography-codes.amp
The US Consumer Product Safety Commission is holding hearings on IoT risks:
https://www.federalregister.gov/documents/2018/03/27/2018-06067/the-internet-of-things-and-consumer-product-hazards
This is a really interesting research result. This paper proves that two
parties can create a secure communications channel using a
communications system with a backdoor. It's a theoretical result, so it
doesn't talk about how easy that channel is to create. And the
assumptions on the adversary are pretty reasonable: that each party can
create his own randomness, and that the government isn't literally
eavesdropping on every single part of the network at all times.
https://eprint.iacr.org/2018/212
This result reminds me a lot of the work about subliminal channels from
the 1980s and 1990s, and the notions of how to build an anonymous
communications system on top of an identified system. Basically, it's
always possible to overlay a system around and outside any closed system.
DARPA is launching a program aimed at vulnerability discovery via
human-assisted AI. The new DARPA program is called CHESS (Computers and
Humans Exploring Software Security), and they're holding a proposers day
in a week and a half.
https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-SN-18-40/listing.html
This is the kind of thing that can dramatically change the
offense/defense balance.
Good article about how difficult it is to insure an organization against
Internet attacks, and how expensive the insurance is.
https://www.wired.com/story/cyberinsurance-tackles-the-wildly-unpredictable-world-of-hacks/
Interesting research: "'Won't Somebody Think of the Children?' Examining
COPPA Compliance at Scale":
https://petsymposium.org/2018/files/papers/issue3/popets-2018-0021.pdf
** *** ***** ******* *********** *************
Israeli Security Company Attacks AMD by Publishing Zero-Day Exploits
Last week, the Israeli security company CTS-Labs published a series of
exploits against AMD chips. The publication came with the flashy
website, detailed whitepaper, cool vulnerability names -- RYZENFALL,
MASTERKEY, FALLOUT, and CHIMERA -- and logos we've come to expect from
these sorts of things. What's new is that the company only gave AMD a
day's notice, which breaks with every norm about responsible disclosure.
CTS-Labs didn't release details of the exploits, only high-level
descriptions of the vulnerabilities, but it is probably still enough for
others to reproduce their results. This is incredibly irresponsible of
the company.
Moreover, the vulnerabilities are kind of meh. Nicholas Weaver explains:
In order to use any of the four vulnerabilities, an attacker
must already have *almost* complete control over the
machine. For most purposes, if the attacker already has this
access, we would generally say they've already won. But these
days, modern computers at least attempt to protect against a
rogue operating system by having separate secure subprocessors.
CTS-Labs discovered the vulnerabilities when they looked at
AMD's implementation of the secure subprocessor to see if an
attacker, having already taken control of the host operating
system, could bypass these last lines of defense.
In a "Clarification," CTS-Labs kind of agrees:
The vulnerabilities described in amdflaws.com could give an
attacker that has already gained initial foothold into one or
more computers in the enterprise a significant advantage
against IT and security teams.
The only thing the attacker would need after the initial local
compromise is local admin privileges and an affected machine.
To clarify misunderstandings -- there is no need for physical
access, no digital signatures, no additional vulnerability to
reflash an unsigned BIOS. Buy a computer from the store, run
the exploits as admin -- and they will work (on the affected
models as described on the site).
AMD responds:
AMD's response today agrees that all four bug families are real
and are found in the various components identified by CTS. The
company says that it is developing firmware updates for the
three PSP flaws. These fixes, to be made available in "coming
weeks," will be installed through system firmware updates. The
firmware updates will also mitigate, in some unspecified way,
the Chimera issue, with AMD saying that it's working with
ASMedia, the third-party hardware company that developed
Promontory for AMD, to develop suitable protections. In its
report, CTS wrote that, while one CTS attack vector was a
firmware bug (and hence in principle correctable), the other
was a hardware flaw. If true, there may be no effective way of
solving it.
The weirdest thing about this story is that CTS-Labs describes one of
the vulnerabilities, Chimera, as a backdoor. Although it doesn't come
out and say that this was deliberately planted by someone, it does make
the point that the chips were designed in Taiwan. This is an incredible
accusation, and honestly needs more evidence before we can evaluate it.
The upshot of all of this is that CTS-Labs played this for maximum
publicity: over-hyping its results and minimizing AMD's ability to
respond. And it may have an ulterior motive. From Wired:
But CTS's website touting AMD's flaws also contained a
disclaimer that threw some shadows on the company's motives:
"Although we have a good faith belief in our analysis and
believe it to be objective and unbiased, you are advised that
we may have, either directly or indirectly, an economic
interest in the performance of the securities of the companies
whose products are the subject of our reports," reads one line.
WIRED asked in a follow-up email to CTS whether the company
holds any financial positions designed to profit from the
release of its AMD research specifically. CTS didn't respond.
We all need to demand better behavior from security researchers. I know
that any publicity is good publicity, but I am pleased to see the
stories critical of CTS-Labs outnumbering the stories praising it.
Attack:
https://amdflaws.com/
https://safefirmware.com/amdflaws_whitepaper.pdf
https://safefirmware.com/Whitepaper+Clarification.pdf
Nicholas Weaver:
https://www.lawfareblog.com/researchers-find-serious-vulnerabilities-amd-processors
Wired story:
https://www.wired.com/story/amd-backdoor-cts-labs-backlash/
AMD responds:
https://arstechnica.com/gadgets/2018/03/amd-promises-firmware-fixes-for-security-processor-bugs/
https://community.amd.com/community/amd-corporate/blog/2018/03/21/initial-amd-technical-assessment-of-cts-labs-research
** *** ***** ******* *********** *************
Schneier News
I'm speaking at the RSA Conference on April 17-18 in San Francisco:
https://www.rsaconference.com/events/us18
I'm speaking at an IBM event in Mumbai on May 3.
I'm speaking at an IBM event in Istanbul on May 9.
I'm speaking at an IBM event in London on May 15.
** *** ***** ******* *********** *************
Obscure E-Mail Vulnerability
This vulnerability is a result of an interaction between two different
ways of handling e-mail addresses. Gmail ignores dots in addresses, so
bruce.schneier@gmail.com is the same as bruceschneier@gmail.com is the
same as b.r.u.c.e.schneier@gmail.com. (Note: I do not own any of those
email addresses -- if they're even valid.) Netflix doesn't ignore dots,
so those are all unique e-mail addresses and can each be used to
register an account. This difference can be exploited.
I was almost fooled into perpetually paying for Eve's Netflix
access, and only paused because I didn't recognize the declined
card. More generally, the phishing scam here is:
1. Hammer the Netflix signup form until you find a
gmail.com address which is "already registered". Let's say you
find the victim jameshfisher.
2. Create a Netflix account with address james.hfisher.
3. Sign up for free trial with a throwaway card number.
4. After Netflix applies the "active card check", cancel the
card.
5. Wait for Netflix to bill the cancelled card. Then Netflix
emails james.hfisher asking for a valid card.
6. Hope Jim reads the email to james.hfisher, assumes it's for
his Netflix account backed by jameshfisher, then enters his
card **** 1234.
7. Change the email for the Netflix account to eve@gmail.com,
kicking Jim's access to this account.
8. Use Netflix free forever with Jim's card **** 1234!
Obscure, yes? A problem, yes?
James Fisher, who wrote the post, argues that it's Google's fault.
Ignoring dots might give people an enormous number of different email
addresses, but it's not a feature that people actually want. And as long
as other sites don't follow Google's lead, these sorts of problems are
possible.
I think the problem is more subtle. It's an example of two systems
without a security vulnerability coming together to create a security
vulnerability. As we connect more systems directly to each other, we're
going to see a lot more of these. And like this Google/Netflix
interaction, it's going to be hard to figure out who to blame and who --
if anyone -- has the responsibility of fixing it.
https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user.html
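As an added example (not code from the post or from the newsletter), this is the mitigation a site on the Netflix side of the interaction could apply: canonicalise Gmail addresses before the uniqueness check, so that james.hfisher collides with the already registered jameshfisher instead of creating a second account on the same mailbox. It goes slightly beyond the page by also folding the googlemail.com alias and Gmail's "+tag" suffix, both of which Gmail delivers to the same mailbox; the AccountDirectory and demo names are my own.

```python
"""Canonicalising Gmail addresses before a signup uniqueness check.

Gmail treats bruce.schneier@gmail.com, bruceschneier@gmail.com and
b.r.u.c.e.schneier@gmail.com as one mailbox.  A site that treats them
as distinct lets a stranger register an account that is billed and
notified through a mailbox its real owner already uses.  Normalising
the address on the site's side before checking uniqueness closes that
gap (added example; not the post's or Netflix's code).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Domains Google delivers to the same mailbox after dropping dots in the
# local part.  The "+tag" rule is also Gmail's but is not on the page;
# it is included here as a generalisation.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(addr: str) -> str:
    """Return the form the provider will actually deliver to.

    Gmail's rules are applied only for Gmail domains.  For every other
    domain only the domain part is lowercased: dots in a local part are
    provider-defined (RFC 5321), so over-normalising would merge
    mailboxes that really are distinct.
    """
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = "gmail.com"  # googlemail.com is an alias of gmail.com
    return f"{local}@{domain}"


@dataclass
class AccountDirectory:
    """Minimal signup store keyed by canonical address (constructed)."""
    accounts: Dict[str, str] = field(default_factory=dict)

    def register(self, addr: str) -> str:
        """Register addr; refuse if its mailbox already owns an account."""
        key = canonical_address(addr)
        if key in self.accounts:
            raise ValueError(
                f"{addr} delivers to the mailbox of existing account "
                f"{self.accounts[key]}")
        self.accounts[key] = addr
        return key

    def owner_of(self, addr: str) -> Optional[str]:
        """Address originally registered for the mailbox addr maps to."""
        return self.accounts.get(canonical_address(addr))


def demo() -> bool:
    """Replay the page's scenario: james.hfisher must collide with jameshfisher."""
    directory = AccountDirectory()
    directory.register("jameshfisher@gmail.com")
    try:
        directory.register("james.hfisher@gmail.com")
        return False  # collision missed: the second account would be created
    except ValueError:
        return True   # collision detected: signup refused


if __name__ == "__main__":
    print("collision detected:", demo())
```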
** *** ***** ******* *********** *************
The Digital Security Exchange Is Live
Last year, I wrote about the Digital Security Exchange. The project is live:
The DSX works to strengthen the digital resilience of U.S.
civil society groups by improving their understanding and
mitigation of online threats.
We do this by pairing civil society and social sector
organizations with credible and trustworthy digital security
experts and trainers who can help them keep their data and
networks safe from exposure, exploitation, and attack. We are
committed to working with community-based organizations, legal
and journalistic organizations, civil rights advocates, local
and national organizers, and public and high-profile figures
who are working to advance social, racial, political, and
economic justice in our communities and our world.
If you are either an organization who needs help, or an expert who can
provide help, visit their website.
Note: I am on their advisory committee.
https://digitalsecurityexchange.org/
My previous blog post:
https://www.schneier.com/blog/archives/2017/03/digital_securit.html
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address on
the Web at <https://www.schneier.com/crypto-gram.html>. Back issues are
also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an
internationally renowned security technologist, called a "security guru"
by The Economist. He is the author of 12 books -- including "Liars and
Outliers: Enabling the Trust Society Needs to Survive" -- as well as
hundreds of articles, essays, and academic papers. His influential
newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by
over 250,000 people. He has testified before Congress, is a frequent
guest on television and radio, has served on several government
committees, and is regularly quoted in the press. Schneier is a fellow
at the Berkman Center for Internet and Society at Harvard Law School, a
program fellow at the New America Foundation's Open Technology
Institute, a board member of the Electronic Frontier Foundation, an
Advisory Board Member of the Electronic Privacy Information Center, and
CTO of IBM Resilient and Special Advisor to IBM Security. See
<https://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of IBM Resilient.
Copyright (c) 2018 by Bruce Schneier.
** *** ***** ******* *********** *************