Welcome to the March 10th, 2019 episode of the Raymond Tec News podcast. Each week I curate the articles, tweets, and backchannel sources to provide a 15 to 20-minute summary of tech news.
This week I’ll be doing things a little differently. The basic format will be the same, but I’ll only be sharing the headlines, and instead spend our time together focusing in depth on a hot-button issue of the week.
Let’s dive in.
Citrix, a company that provides cloud computing services to the US government and over 400,000 companies worldwide, including 98% of the Fortune 500, has had its internal network breached this week. ZDNet | Dark Reading
Jackson County, Georgia has paid a cybersecurity consultant to negotiate a ransomware fee after the local government’s IT systems were locked in an attack. ZDNet
A pair of security researchers have discovered that Verifications IO, an email marketing company, left a database containing more than 700 million email addresses exposed on the web. Wired | Researchers’ Report
Security Week reports that the Starwood hotels hack has cost parent company Marriott $28 million so far. Security Week
The House of Lords in the United Kingdom has ordered the creation of an authority to regulate online services like Facebook and Google. Computer Weekly
As you heard at the top of the show, NBC 7 in San Diego shocked the journalist community this week by revealing that the US and Mexican governments have been tracking more than 50 people including journalists, an attorney, and immigration advocates. NBC San Diego
Chelsea Manning is back in jail after refusing to testify against Wikileaks founder, Julian Assange. NPR
The NSA may finally be shutting down its phone spying program, not because of outrage, but because people have shifted to encrypted messaging. Ars Technica
Equifax is back in the privacy news again, with their MyEquifax.com site. Brian Krebs, of Krebs on Security, reported this week that it was too easy to set up an account on this site that is meant to protect credit holders. TechCrunch
Sue Kalina, a former patient coordinator at the University of Pittsburgh Medical Center, was found guilty in federal court this week of improperly disclosing patient information with intent to cause harm. She faces a fine of up to $250,000 and up to 10 years in prison. Data Breach Today
Google has stated that it will not be pulling the Saudi app Absher from its Google Play store, even though the app is used to track and control women by Saudi men. The Verge
Facebook’s two-factor authentication, which I recommend Facebook users enable, has a serious privacy flaw: the phone number you register for it is linked to your account, so anyone who has your phone number can use it to find your profile in search. 9 to 5 Mac
Let’s move on to security headlines.
Car alarms made by Viper and Pandora, marketed as unhackable, have been hacked, allowing attackers to locate the cars, unlock the doors, and disable the alarms remotely. ZDNet
Google announced a new, and admittedly rare, bug in Apple’s macOS operating system affecting all Mac laptops and desktops. The flaw is very technical and requires physical access to the machine. No word on a patch yet. Wired
Google also announced a patch for its Chrome browser for a particularly nasty bug. Most Chrome browsers have auto-update on, but it still makes sense to check that you have the latest version. Wired
The announcement of the Chrome vulnerability came in tandem with an announcement from Google that Microsoft’s Windows 7 Operating System is vulnerable to an attack that hackers are actually using in the wild. There is no update for this issue yet. The Verge
With the 2020 US elections looming on the horizon, a report by New York University’s Brennan Center for Justice finds that state and federal governments need to boost their spending to fix and upgrade their voting machines. Wired
A new study claims nearly half of programmers will take the easy way out and not properly hash stored passwords. But, on further digging, the study is flawed and doesn’t represent real-world application development. I wanted to mention this to do my part to rid the world of clickbait. ZDNet
Konstantin Ignatov has been arrested by US authorities, and his sister, Ruja Ignatova, has been charged, for their roles in a cryptocurrency pyramid scheme called OneCoin. The Verge
Security researchers presenting at this week’s RSA security conference have exposed major security gaps in ultrasound medical devices. Dark Reading
Trend Micro has discovered a backdoor, used in targeted attacks, that uses Slack, a messaging app, and GitHub, a tool programmers use for storing and sharing source code, as its command-and-control channels. Security Week
Security companies Avast and Emsisoft have released decryptors for a strain of ransomware called BigBobRoss, which has been seen in the wild since mid-January. ZDNet
Apple is well known for using China-based manufacturing for its iPhones. A new report this week shows that developer-only iPhone prototypes are disappearing from factories and ending up on the black market, where hackers and security researchers buy them to probe for exploits. Sophos Naked Security
Let’s move on to other news.
Lawmakers in Philadelphia have become the first to ban cashless stores and restaurants, a move designed to help low-income people who don’t have bank accounts. CBS News
A new startup named Ever Loved has been built to guide families through the expensive, and often confusing, funeral process. TechCrunch
Finnish company Jolla is making waves in the business and government sectors with its Sailfish operating system for mobile devices, an alternative to Google’s Android and Apple’s iOS. TechCrunch
Major League Baseball is partnering with the independent Atlantic league to test out new tech that will automatically call balls and strikes. TechCrunch
SpaceX’s Crew Dragon capsule made history this week when it became the first privately built, crew-capable spacecraft to safely splash down in the Atlantic Ocean. TechCrunch
A professor of technology and digital business at the University of Pennsylvania, spoke with The Verge this week about how to fix the problems with search and recommendation algorithms which have been dominating the news recently. The Verge
Continuing its efforts to fight disinformation and conspiracy theories, YouTube has rolled out information panels on videos related to sensitive topics. 9 to 5 Google
Monika Bickert, Facebook’s VP of Global Policy Management, has written a blog post detailing how the social media giant will combat anti-vax conspiracy theories. Wired
FCC Chair Ajit Pai has come under fire again for allowing telecommunications companies to self-report new broadband connections, inflating the number, which is how the FCC determines where and how to spend money. TechCrunch
I reported a few weeks ago on the Olli self-driving shuttle bus trial in Australia. This week the manufacturer has released footage of the 3D-printed vehicle’s crash tests to prove its safety. The Verge
Older GPS receivers need a firmware update before April 6th, when the GPS week counter rolls over, a Y2K-like bug that can make un-updated devices report the wrong date. The Verge
Huawei is suing the US government, not simply to contest what it calls unfair business practices, but to defend its reputation as a global telecom provider. Wired
Google has filed a patent for a new game controller which reveals details of its upcoming streaming video game service. The controller puts much of the storage and logic directly in the user’s hands. 9 to 5 Google
That’s it for other news. Now for this week’s feature story.
In this week’s feature, I’d like to discuss privacy today, and where it should go in the future.
In the 1970s, when computer networks were in their infancy, they were built across existing telephone networks. Telephones and computers at the time worked in a similar way. The phone sitting in your home didn’t do any of the routing when you dialed a phone number; this was handled by the telephone company’s switching equipment. Similarly, the computer terminal you sat in front of was used to access and manipulate mainframe computers, not to do any of the processing on its own hardware. Errata Security
To further complicate things, there was no standard for communications between different types of computers. IBM systems couldn’t talk with DEC computers, and neither of those could communicate with Xerox systems. Fixing the problem wasn’t as simple as designing a new widget that made them all communicate. Standards bodies, chiefly the ISO, responded with a 7-layer reference model known as the Open Systems Interconnection, or OSI, model, published in 1984. Wikipedia
At the bottom of OSI is layer 1, the physical layer: the cables, radio waves, and electrical signalling that carry raw bits, along with the parts of your network card, cable modem, and Wi-Fi radio that put bits on the wire or in the air. Layer 2 is the data link layer, which packages bits into frames, addresses them with hardware (MAC) addresses, and moves them between devices on the same local network; the switch ports on your Wi-Fi router live here. Layer 3 is the network layer, which wraps data in packets with IP addresses and routes them across many networks to the right machine; this is the layer that gets your request for a website from your living room to a server on another continent, and the reply back to your computer. Layer 4 is the transport layer, which, for TCP, numbers the data, checks for errors, retransmits what was lost, and slows down when the network is congested; when Netflix buffers, it is reacting to what this layer reports about your connection. Layer 5 is the session layer, which opens, keeps up, and closes the conversation between two applications. Layer 6 is the presentation layer, which handles how data is represented, encoded, compressed, and, historically, encrypted; that picture of your cat becomes a stream of bytes the other side can interpret here. Finally, layer 7 is the application layer, or what you work with on your screen: your email apps, web browsers, and chat apps. One caveat: the internet itself runs on the simpler TCP/IP model, where layers 5 through 7 collapse into the application, so in practice almost everything above layer 4, including most of the encryption you rely on, is the application’s job.
The original network gurus, Bob Kahn, Vint Cerf, and others, studied and debated many different networking models before they laid out TCP/IP, the foundation of the global network we use every day.
Just as the internet has continued to evolve and improve over the decades since its creation, so have web browsers. Tim Berners-Lee wrote the original web browser, and in the mid-1990s, when the world wide web first became available commercially, browsers did little more than format text, like a Microsoft Word document. Now, web browsers can do things that were almost unthinkable 20 years ago. Every web page you load arrives with what’s called header information, the HTTP headers. These headers tell your browser what type of document it’s loading, give hints about the kind of information inside and how it should be handled, and define how you interact with computers and people across the globe.
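To make the layers concrete, here is an added example (my code for this write-up, not anything from the podcast or the sources it cites) that builds one constructed Ethernet/IPv4/TCP/HTTP frame and then unwraps it layer by layer, checking every length field and the IPv4 header checksum on the way. The MAC addresses, IP addresses, ports, and request line are made up for the demonstration; layer 1 is signalling on a wire or in the air, so there is nothing for software to parse there, and the example starts at layer 2.

```python
# Added example (not from the podcast): one constructed Ethernet/IPv4/TCP/HTTP
# packet, unwrapped layer by layer. Layer 1 is electrical/radio signalling, so
# there is nothing to parse for it; this starts at layer 2.
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words. Returns 0 for a header
    whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed sample input, not a capture: a GET from 10.0.0.2 to 93.184.216.34."""
    http = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"            # layer 7
    # TCP: src port, dst port, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # layer 4
    total_len = 20 + len(tcp) + len(http)
    # IPv4: ver/ihl, tos, total length, id, DF flag, ttl 64, protocol 6 (TCP), checksum 0, src, dst
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                               socket.inet_aton("10.0.0.2"), socket.inet_aton("93.184.216.34")))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))                     # layer 3
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)  # layer 2
    return eth + bytes(ip) + tcp + http


def parse_http_request_line(data: bytes) -> dict:
    """Layer 7: request line plus the headers that follow it."""
    line, _, rest = data.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("not an HTTP request line")
    headers = {}
    for h in rest.split(b"\r\n"):
        if not h:
            break
        name, _, value = h.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return {"method": parts[0].decode(), "path": parts[1].decode(),
            "version": parts[2].decode(), "headers": headers}


def parse_frame(frame: bytes) -> dict:
    """Decapsulate layers 2-4 and hand the payload to layer 7. Every length taken
    from a header is bounds-checked before use, because trusting those fields
    is where packet parsers get exploited."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("bad IPv4 lengths")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    seg = ip[ihl:total_len]
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    doff = (off >> 4) * 4
    if doff < 20 or doff > len(seg):
        raise ValueError("bad TCP data offset")
    return {
        "l2": {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "ethertype": ethertype},
        "l3": {"src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d), "ttl": ttl, "proto": proto},
        "l4": {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "flags": flags, "window": win},
        "l7": parse_http_request_line(seg[doff:]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_frame(build_sample_frame()), indent=2))
```

Run it and it prints the parsed layers as JSON. The bounds checks are the security-relevant part: the IHL, total length, and TCP data offset all come from the untrusted packet, and a parser that slices on them without checking is the classic source of out-of-bounds reads in network stacks. Note also that TCP/IP has no separate layers 5 and 6; everything above layer 4 here is the HTTP parser.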
I know I said this would be about privacy, we’re getting there.
The current system for transmitting data was built at a time when computer networks were designed to transmit research articles. Only futurists dreamed of the ability to check whether I locked my front door in Orlando from the comfort of my Tokyo hotel room. But now nearly everyone on the planet is connected and soon, it would seem, everything will also be connected. Using a model that treats pictures of my breakfast the same as my social security number is silly.
Much like computer networks before the development of OSI, our current system for protecting personal information is broken. Our health data, passwords, email addresses, and social security numbers are still being treated like traffic on a network, rather than unique pieces of information that need securing.
Facebook’s much-maligned Mark Zuckerberg announced that he would be pivoting Facebook to be more privacy oriented. But his concept relies on using the existing tools of the broken system that’s already in place. Wired
What we need is a ground-up rebuild of the way data is handled so it can be properly classified, transmitted, stored, secured, and wiped. For lack of a better term, an open data interconnect model would need to be built with cooperation from governments, software companies, and hardware manufacturers. Borrowing the header model from web browsers would allow data to be labelled with its classification, its permitted uses, how long it may be stored and by whom, and its source, without revealing the data itself to anyone who intercepts it. Building this model on a multilayer system would help to ensure its integrity without locking data to a specific corporate or government standard.
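The header model the feature refers to, as HTTP uses it today: an added example (my code, not anything from the podcast), in Python, that reads the handling rules a response already carries, Cache-Control directives saying whether and for how long the body may be stored and by whom, and Set-Cookie attributes saying how a credential may travel and how long it lives, and turns them into a storage decision. The response is constructed for the example.

```python
# Added example (not from the podcast): the handling rules an HTTP response
# already carries in its headers, read out and turned into a storage decision.
# SAMPLE_RESPONSE is constructed for this example, not captured from a server.

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "Cache-Control: private, no-store\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: tracking=xyz; Path=/; Max-Age=31536000\r\n"
    "\r\n"
    '{"ok": true}'
)


def parse_headers(raw: str) -> tuple:
    """Split a response into its status line and (name, value) pairs.
    Repeated headers such as Set-Cookie are kept as separate pairs."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_directives(value: str, sep: str) -> dict:
    """'private, max-age=600' -> {'private': None, 'max-age': '600'}.
    Cache-Control (comma separated) and cookie attributes (semicolon
    separated) share this token[=value] shape."""
    out = {}
    for item in value.split(sep):
        item = item.strip()
        if not item:
            continue
        key, eq, val = item.partition("=")
        out[key.strip().lower()] = val.strip().strip('"') if eq else None
    return out


def retention_policy(headers) -> dict:
    """What the response says about storing its body: may it be stored at all,
    by a shared cache or only the user's own, and for how long."""
    cc = {}
    content_type = None
    for name, value in headers:
        if name == "cache-control":
            cc.update(parse_directives(value, ","))
        elif name == "content-type":
            content_type = value.split(";")[0].strip().lower()
    may_store = "no-store" not in cc
    max_age = None
    if may_store and cc.get("max-age") is not None and cc["max-age"].isdigit():
        max_age = int(cc["max-age"])
    return {
        "content_type": content_type,
        "may_store": may_store,
        "shared_cache_ok": may_store and "private" not in cc,
        "max_age_seconds": max_age,
    }


def cookie_findings(headers) -> list:
    """Per cookie: which transport protections are missing and how long it lives."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        pair, _, attrs = value.partition(";")
        cookie_name = pair.partition("=")[0].strip()
        a = parse_directives(attrs, ";")
        lifetime = a.get("max-age")
        findings.append({
            "name": cookie_name,
            "missing": [f for f in ("secure", "httponly") if f not in a],
            "max_age": int(lifetime) if lifetime and lifetime.lstrip("-").isdigit() else None,
            "persistent": "max-age" in a or "expires" in a,
        })
    return findings


def weak_cookies(headers) -> list:
    """Names of cookies set without both Secure and HttpOnly."""
    return [f["name"] for f in cookie_findings(headers) if f["missing"]]


if __name__ == "__main__":
    status, hdrs = parse_headers(SAMPLE_RESPONSE)
    print(status)
    print("body retention:", retention_policy(hdrs))
    print("cookies:", cookie_findings(hdrs))
    print("cookies missing protections:", weak_cookies(hdrs))
```

Cache-Control: no-store is the closest thing HTTP has to a retention label today, and the cookie attributes are a per-field transport policy. The classification, purpose, and provenance fields the feature asks for would slot in as further headers, but nothing in HTTP defines them, so the example stops at what the standard actually carries.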
In the ideal scenario, an open source standards body of government and non-government organizations would be convened to define this new data model to protect privacy and ensure standards are met and followed in all sectors.
Hardware manufacturers must close holes that allow attackers to access information stored in memory after applications are closed. If you’ll recall, I mentioned a vulnerability in password managers that allows passwords to be read from memory even after they’re closed. This simply shouldn’t happen, and is another artefact left from when computers were meant solely for large organizations and research institutions.
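The application-side half of that fix, as an added example (my code, not the podcast’s): read a secret straight into a buffer the program owns, use it through a memoryview so no copy is made, and overwrite the buffer the moment it is no longer needed. The password and salt are made-up sample values, and an in-memory stream stands in for reading from stdin.

```python
# Added example (not from the podcast): keep a secret in a buffer the program
# controls and overwrite it as soon as it has been used, so the value does not
# sit in process memory afterwards. Python's str and bytes are immutable and
# cannot be wiped, so the secret never touches either type.
import ctypes
import hashlib
import io

ITERATIONS = 100_000  # PBKDF2 rounds; chosen for the demo, not a recommendation


def wipe(buf: bytearray) -> None:
    """Overwrite the whole buffer with zeros in place via libc memset."""
    n = len(buf)
    if n:
        ctypes.memset((ctypes.c_char * n).from_buffer(buf), 0, n)


class Secret:
    """Fixed-capacity secret buffer: read into it, use it through a memoryview,
    wipe it on exit from the with-block."""

    def __init__(self, capacity: int = 256):
        self._buf = bytearray(capacity)
        self._len = 0

    def read_from(self, stream) -> int:
        """Read one chunk (e.g. a line from sys.stdin.buffer) straight into the
        buffer; readinto never creates an intermediate bytes object."""
        n = stream.readinto(self._buf) or 0
        while n and self._buf[n - 1] in b"\r\n":   # strip the trailing newline
            n -= 1
        self._len = n
        return n

    def view(self) -> memoryview:
        """Bytes-like view of the secret; no copy is made."""
        return memoryview(self._buf)[: self._len]

    def wipe(self) -> None:
        wipe(self._buf)
        self._len = 0

    def is_wiped(self) -> bool:
        return not any(self._buf)

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.wipe()
        return False


def derive_key(secret: Secret, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 straight from the buffer; the memoryview is released
    as soon as the derivation returns."""
    with secret.view() as mv:
        return hashlib.pbkdf2_hmac("sha256", mv, salt, ITERATIONS)


def sample_run() -> dict:
    """Constructed stand-in for reading a password from stdin.buffer."""
    fake_stdin = io.BytesIO(b"correct horse battery staple\n")   # sample secret, not real
    salt = b"constructed-salt"                                    # sample salt, not real
    with Secret() as s:
        s.read_from(fake_stdin)
        length = len(s.view())
        key = derive_key(s, salt)
        wiped_before_exit = s.is_wiped()   # still holding the secret here
    # The with-block has ended, so the buffer has been zeroed.
    # The naive path for comparison: this bytes literal can never be wiped.
    reference = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", salt, ITERATIONS)
    return {
        "secret_len": length,
        "key_hex": key.hex(),
        "matches_reference": key == reference,
        "wiped_before_exit": wiped_before_exit,
        "wiped_after_exit": s.is_wiped(),
    }


if __name__ == "__main__":
    for k, v in sample_run().items():
        print(k, "=", v)
```

Two caveats a practitioner should know. Python str and bytes objects are immutable, so a secret that ever lands in one (via input() or getpass()) cannot be wiped, only forgotten, which is why the example reads with readinto into a bytearray. And wiping what you control does not reach copies you don’t: the BytesIO stand-in here still holds the sample line, and in real use the OS pipe buffer, a swap file, or a crash dump can too. Locking the pages in RAM (mlock) and disabling core dumps close some of those gaps.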
Software designers should be given a firm standard to be held to, not to make things more complicated, but to give them clear guidelines for how to build secure, functional applications that don’t result in weekly reports of data leaks and breaches.
Governments need tools to identify what data must be secured and to enforce the standards when they’re violated.
By identifying and classifying the various types of data and defining how, where, when, and for how long they’re transmitted, stored, and used we can work towards remediating the problem of data privacy that has crept up over the last decade.
Let’s move on to the Good News.
In the feature, I mentioned being able to identify the source of information without revealing the personal details. This may be closer to reality thanks to a new standard by the World Wide Web Consortium, or W3C. WebAuthn, short for Web Authentication, has just been finalized and is already supported by the Chrome, Firefox, Edge, and Safari web browsers. The standard lets a website talk to a physical authenticator. For instance, rather than typing a password from your password manager, you may plug a USB security key into your computer; the key holds a private key registered with that one site and proves you have it by signing a fresh challenge, so no password, and nothing reusable, ever crosses the internet. The Verge
Passwords won’t be going away just yet though, so I still recommend you use a password manager in the meantime. You are using one, right? If you’re not, I recommend LastPass. LastPass allows you to sync passwords securely across your computer, phone, and tablets. More than just keeping a list of your logins, it generates secure random passwords for you and on many websites allows you to change your password with just a couple of clicks.
Don’t get caught recycling passwords, use LastPass. You can learn more about LastPass by visiting my affiliate link at Raytec dot co slash LastPass, that’s r-a-y-t-e-c dot c-o slash l-a-s-t-p-a-s-s.
Back to the good technology news.
Representatives Jim Langevin of Rhode Island and Glenn Thompson of Pennsylvania have reintroduced a bill in the US House of Representatives this week that would fund cybersecurity education programs. The bill aims to ensure the workers of the future understand how to meet changing technical security needs. It focuses on funding for cybersecurity for power plants, dams, hospitals, and other critical infrastructure. Health IT Security
Creative Commons, which offers an alternative to all-rights-reserved copyright on one side and the public domain on the other, got a big win this week when Flickr announced that photos under Creative Commons licenses won’t be subject to its 1,000-picture limit for free accounts. Creative Commons lets creators of original works specify how their works may be used and attributed. The least stringent is Creative Commons Zero, or CC0, which requires no attribution and allows any use. At the other end is CC BY-NC-ND, or Attribution, Non-Commercial, No Derivatives, which requires attribution to the original creator and forbids remixing the work into other works or using it for commercial gain. The Verge | Creative Commons
Friday was International Women’s Day. To celebrate, an app called Safe & the City, or SatC, released a slew of new features. SatC uses GPS, crowdsourced reports, and police crime data to reduce the chances of women falling victim to crime and sexual harassment. Billed as a personal safety navigation app, it offers route sharing and geotagging of incidents, and shares its data with businesses and authorities so they can address unsafe areas. SatC is also adding safe sites, identified by users, where women can get support. Its pilot program focuses on London, but a global rollout is coming soon. TechCrunch
That’s it for this week in tech news that matters to you. If you’ve enjoyed the podcast, please share what you found interesting in a post on your social media by linking to Raytec dot co slash listen. That’s r-a-y-t-e-c dot c-o slash listen. That will link directly to the current episode’s show notes along with a podcast player. I really appreciate anyone who’s willing to share my podcast.
As always, there are bonus links in the show notes. Articles in this week’s extracurricular reading include: an update to the court case of Adnan Syed the star of Serial podcast’s first season, an interview with a Tufts University student who was unfairly expelled for grade hacking, a chat room that charges you a penny per letter to talk to others, and much more. The show notes have links to each of the podcast apps I’m listed on and links to my social media. If you have any information, updates, or constructive criticism, feel free to reach out via social media.
Thanks for listening and have a great week!
Audio from the cold open provided courtesy NBC 7 San Diego.
All samples, sounds, and music are from FreeSound.org.