Feed Me More Data, Seymour!

When fitness trackers started becoming affordable and popular many people knew that this was right around the corner:

Life insurance company John Hancock will stop offering traditional policies, according to Venture Beat. Instead, the company, which is one of the oldest and largest life insurance underwriters in the US, will only sell policies that track fitness and health data.

The company will offer two different types of insurance: the basic Vitality offering will require customers to enter their fitness activity into an app or on a website. They will receive gift cards and other rewards for completing goals. For a discount of up to 15 percent on premiums, though, John Hancock is offering an expanded insurance policy that will track health data and fitness using wearable devices.

Insurance companies are in the business of risk mitigation and have therefore always had an interest in collecting as much data as possible on the property and people they insure. Fitness trackers and apps provide data that can be pretty valuable to health and life insurance companies since they give some indication about an individual’s health. The danger of this kind of policy is that the insurance company gets possession of the data. Even if you trust your insurance company to not sell that data to third parties (which is something you should never trust a company to refrain from doing), the chances of that data falling into unauthorized hands through a database breach are high. Another potential danger is that this data could be used to identify unlawful activity.

Most illegal substances cause changes in heart rate. If an individual’s heart rate changes without any obvious reason (such as exercise), that information could potentially be used as evidence that they’re using illegal substances. If law enforcers suspect that you’re using illegal substances, they could acquire your health data via a subpoena and use it as probable cause to get an arrest warrant issued. Worse yet, if your health data indicates that you might be using illegal substances, your insurance company might decide to hand that data over to law enforcement voluntarily. In a nation where so many activities are illegal, handing out health data can be dangerous.

Let the Speculation Begin

I’m betting that there are a lot of people who aren’t surprised to hear that Cody Wilson has been charged with the sexual assault of a child:

Cody Rutledge Wilson, the 31-year-old Texas man who’s been fighting with the U.S. government to publish instructions for 3D-printed guns on the internet, was charged today with the sexual assault of a child. Wilson allegedly met the girl on a website called SugarDaddyMeet.com.

Wilson allegedly paid the girl, whose name has been withheld in court documents, $500 for sex at a hotel in Austin, Texas. The exact age of the victim is not immediately clear, though the affidavit for the arrest warrant explains that she’s under the age of 17.

The reason I’m betting that a lot of people aren’t surprised by this is because it wouldn’t be the first time that a thorn in the government’s side found themselves falsely charged with a crime that was convenient for the government. Governments aren’t above ridding themselves of troublesome individuals by assassinating their character through fabricating evidence that they committed heinous crimes. In addition to being very convenient for the government for which Wilson is currently causing trouble, another reason this charge seems fishy is because Wilson seems to be aware enough of security matters to know that seeking sex from a minor online is a recipe for getting caught up in a sting operation.

However, in the interest of objectivity, I must also accept that there is a possibility that the charges are legitimate. If they are, Wilson wouldn’t be the first thorn in the government’s side who handed it a freebie by acting in a manner that most people find reprehensible.

What makes matters worse is that if Wilson doesn’t beat the charge, we will probably never know beyond a reasonable doubt whether the charge was fabricated by the government or legitimate.

It’s Not Your Car

I think the technology behind modern electric cars is really cool. What I don’t like, though, is that electric car manufacturers don’t seem satisfied with simply replacing gasoline engines with electric motors; they are also trying to replace the owner as the decision maker:

Hurricane Florence is approaching the East Coast of the US, and is predicted to bring with it catastrophic flooding, high winds, as well as a life-threatening storm surge and rain in North and South Carolina. As a result, both GM and Tesla have remotely activated features in their cars that could be of use in an evacuation.

Since OnStar is a subscription service, I at least understand why GM has control over whether or not certain features are available to users. But why should Tesla owners require the manufacturer to decide they need access to the extra battery capacity in order to utilize it? Why can’t the car have a button that enables and disables the capacity lock?

More and more consumers are losing control over devices that are supposedly theirs. Consumers are being treated like children who are incapable of making rational decisions and must therefore be guided by the manufacturer. This doesn’t sit well with me. When I buy something, I want complete control over it. If there is extra capacity in my vehicle’s battery, I want to have the ability to decide whether or not it’s being utilized. Unfortunately, it appears that I’m in the minority because most consumers appear to welcome having an overlord dictate what they can and cannot do with their devices.

The Power of Public Shaming

Every major security breach is followed by calls for politicians to enact more stringent regulations. When I see people demanding additional government regulations I like to point out that there is a list of alternative solutions that can yield far better results (especially since regulations, being a product of government, are extremely rigid and slow to change, which makes them a solution ill-suited to fast moving markets). One of those solutions is public shaming. It turns out that public shaming is often a viable solution to security issues:

See the theme? Crazy statements made by representatives of the companies involved. The last one from Betfair is a great example and the entire thread is worth a read. What it boiled down to was the account arguing with a journalist (pro tip: avoid arguing being a dick to those in a position to write publicly about you!) that no, you didn’t just need a username and birth date to reset the account password. Eventually, it got to the point where Betfair advised that providing this information to someone else would be a breach of their terms. Now, keeping in mind that the username is your email address and that many among us like cake and presents and other birthday celebratory patterns, it’s reasonable to say that this was a ludicrous statement. Further, I propose that this is a perfect case where shaming is not only due, but necessary. So I wrote a blog post.

Shortly after that blog post, three things happened and the first was that it got press. The Register wrote about it. Venture Beat wrote about it. Many other discussions were held in the public forum with all concluding the same thing: this process sucked. Secondly, it got fixed. No longer was a mere email address and birthday sufficient to reset the account, you actually had to demonstrate that you controlled the email address! And finally, something else happened that convinced me of the value of shaming in this fashion:

A couple of months later, I delivered the opening keynote at OWASP’s AppSec conference in Amsterdam. After the talk, a bunch of people came up to say g’day and many other nice things. And then, after the crowd died down, a bloke came up and handed me his card – “Betfair Security”. Ah shit. But the hesitation quickly passed as he proceeded to thank me for the coverage. You see, they knew this process sucked – any reasonable person with half an idea about security did – but the internal security team alone telling management this was not cool wasn’t enough to drive change.

As I mentioned above, regulations tend to be rigid and slow to change. Public shaming, on the other hand, is often almost instantaneous. It seldom takes long for a company tweet that makes an outrageous security claim to be bombarded with criticism. Within minutes there are retweets by people mocking the statement, replies from people explaining why the claim is outrageous, and journalists writing about how outrageous the claim is. That public outrage, unlike C-SPAN, quickly reaches the public at large. Once the public becomes aware of the company’s claim and why it’s bad, the company has to begin worrying about losing customers and, by extension, profits.
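The difference between the reset process Hunt describes (username plus birth date) and the fixed one (proving control of the mailbox) is easy to show in code. The following Python is an added example, not code from this post, from Troy Hunt’s write-up, or from Betfair: the account record, the email address, the birth date and the mail “outbox” are constructed stand-ins, and the 15-minute token lifetime is an assumed value.

```python
"""Knowledge-based password reset beside a mailbox-control reset.

Added example, not code from the original post or from Betfair. The
account store, the email address, the birth date and the OUTBOX list are
constructed stand-ins; the 15-minute token lifetime is an assumption.
"""
import hashlib
import hmac
import secrets
import time

# Constructed account store. The username is the email address, as in the post.
ACCOUNTS = {
    "alice@example.com": {"birthdate": "1990-04-12", "password": "old-password"},
}

# --- Weak flow: anyone who has been to a birthday party can pass this -----

def weak_reset(email, birthdate, new_password):
    """Succeeds with only the username (an email address) and a birth
    date, two values that are routinely shared with other people."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["birthdate"] != birthdate:
        return False
    acct["password"] = new_password
    return True

# --- Hardened flow: the requester must read a token from the mailbox ------

TOKEN_TTL_SECONDS = 15 * 60        # assumed lifetime
_pending = {}                      # email -> (sha256(token), expiry)
OUTBOX = []                        # constructed stand-in for a mail sender

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(email, now=None):
    """Same response whether or not the address is registered, so the
    endpoint does not reveal which emails have accounts. The raw token is
    sent to the mailbox only; the server stores just its hash."""
    now = time.time() if now is None else now
    if email in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        _pending[email] = (_digest(token), now + TOKEN_TTL_SECONDS)
        OUTBOX.append((email, token))
    return "If that address is registered, a reset link has been sent."

def complete_reset(email, token, new_password, now=None):
    """Token must match in constant time, be unexpired, and is single-use."""
    now = time.time() if now is None else now
    entry = _pending.get(email)
    if entry is None:
        return False
    stored_digest, expiry = entry
    if now > expiry:
        _pending.pop(email, None)
        return False
    if not hmac.compare_digest(stored_digest, _digest(token)):
        return False
    _pending.pop(email, None)      # burn the token so it cannot be replayed
    ACCOUNTS[email]["password"] = new_password
    return True

def demo():
    """Walk both flows with a fixed clock and return what each attempt did."""
    # Knows only the address and the birthday: enough for the weak flow.
    hijacked = weak_reset("alice@example.com", "1990-04-12", "attacker-pw")
    ACCOUNTS["alice@example.com"]["password"] = "old-password"   # undo for the demo

    # Same knowledge against the hardened flow: no mailbox, no reset.
    request_reset("alice@example.com", now=1000)
    guessed = complete_reset("alice@example.com", "not-the-token", "x", now=1001)

    # A token that sat unused past its lifetime is rejected.
    request_reset("alice@example.com", now=2000)
    _, stale = OUTBOX[-1]
    expired = complete_reset("alice@example.com", stale, "x", now=2000 + TOKEN_TTL_SECONDS + 1)

    # The mailbox owner completes the reset once; a replay fails.
    request_reset("alice@example.com", now=3000)
    _, token = OUTBOX[-1]
    owner = complete_reset("alice@example.com", token, "new-password", now=3005)
    replayed = complete_reset("alice@example.com", token, "again", now=3006)
    return {"weak_hijacked": hijacked, "guessed": guessed,
            "expired": expired, "owner": owner, "replayed": replayed}

if __name__ == "__main__":
    print(demo())
```

The hardened flow stores only a hash of the token, compares it in constant time, expires it, and burns it on first use; the non-committal response from `request_reset` keeps the endpoint from doubling as an account-enumeration oracle.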

From Their Beloved to Their Bitter Enemy

Remember just a few weeks ago when the European Union passed the General Data Protection Regulation (GDPR) and became the beloved of Internet activists across the globe? In the wake of GDPR’s passage I saw a ton of European peasants claim that the passage of the law demonstrated that the European Union, unlike the United States government, actually represents and watches out for its people.

A rule I live by is if you see a government do something you like, stick around for a short while longer because it’ll soon do something you really don’t like. The European Union just proved this rule. Within a few short weeks it went from the beloved of Internet activists to their bitter enemy:

The EU has voted on copyright reform (again), with members of European Parliament this time voting in favor of the extremely controversial Articles 11 and 13. The 438 to 226 vote, described as “the worst possible outcome” by some quarters, could have significant repercussions on the way we use the internet.

The Copyright Directive, first proposed in 2016, is intended to bring the issue of copyright in line with the digital age. Articles 11 and 13 have caused particular controversy, with many heralding their adoption as the death of the internet. Article 11, also known as the “link tax”, would require online platforms such as Google and Facebook to pay media companies to link to their content, while Article 13, the “upload filter”, would force them to check all content uploaded to their sites and remove any copyrighted material. How this will affect regular internet users is still subject to debate, but it could seriously limit the variety of content available online — and it could pretty much spell the end of memes.

Excuse me for a minute while I laugh at all of the suckers who claimed that the European Union represents and watches out for its people.

The Internet started off as a strongly decentralized network. Eventually it turned into the highly centralized mess that we’re dealing with now. Soon it may return to its decentralized nature as international companies find themselves having to abandon regions because they cannot comply with all of the different legal frameworks. Google and Facebook make a lot of money off of Europe but do they make enough money to justify paying link taxes? Do small content hosting sites have the spare resources to scan every file that has been uploaded for copyrighted material?

Moreover, legislation like this will push more Internet traffic “underground.” As long ago as the Napster lawsuit it became obvious that people on the Internet weren’t going to comply with copyright laws. Instead, when one system of bypassing copyright laws is destroyed by the State, another is created in its place. So sharing memes online, at least for European peasants, might require the Tor Browser in order to access hidden image sharing sites, but they will continue to share memes.

Potentially Most Worthless Form of Protest Ever

When a bunch of triggered snowflake conservatives started burning their Nike products to protest the company’s decision to make Colin Kaepernick its mascot, I foolishly asked if there was a more useless way to protest a company than destroying your own property. The question was meant to be rhetorical, but a triggered snowflake liberal stepped up to the plate to prove that there are more useless forms of protest through his act of protesting by shooting himself in the arm:

Mark J. Bird, 69, was charged last month with discharging a gun within a prohibited structure, carrying a concealed weapon without a permit and possessing a dangerous weapon on school property, court records show. He was found bleeding from a self-inflicted gunshot wound to his arm about 8:15 a.m. on Aug. 28 outside a bathroom in the Charleston campus K building.

[…]

One college employee told police that he held Bird’s hand to calm him down as others tried to stop the bleeding. While waiting for authorities to arrive, Bird said he had shot himself in protest of President Donald Trump, police noted in their report. The report did not elaborate.

I’m sure Trump is all broken up over the fact that some college professor from Las Vegas, whom he would probably tear apart on Twitter if he was even vaguely aware of his existence, decided to shoot himself in the arm with a .22 pistol. I expect Trump to announce his resignation this week due to the power of this professor’s protest.

The real icing on the cake though was this:

Inside the bathroom, campus police found a $100 bill taped to a mirror along with a note that said, “For the janitor,” according to Bird’s arrest report. On the floor of the restroom was a black-and-white, .22-caliber pistol and one spent shell casing.

$100 to clean up blood? Obviously this professor has no idea how expensive it is to clean up a scene contaminated with blood. You don’t just run a mop across it and call it a day. The scene has to be sterilized because human blood can carry some really nasty shit.

I will probably regret this but I’ll ask anyway: is there a more useless way to protest than shooting oneself in the arm with a small caliber handgun?

Don’t Trust Snoops

Software that allows family members to spy on one another is big business. But how far can you trust a company that specializes in enabling abusers to keep a constant eye on their victims? Not surprisingly, such companies can’t be trusted very much:

mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware.

Less than a week ago, security researcher Nitish Shah directed KrebsOnSecurity to an open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software. The database required no authentication.

Oops.

I can’t say that I’m terribly surprised by this. Companies that make software aimed at allowing family members to spy on one another already have, at least in my opinion, a pretty flexible moral framework. I wouldn’t be surprised if all of the data collected by mSpy was stored in plaintext in order to make it easily accessible to other buyers.

Security Theater Is Expensive

During the Super Bowl Minneapolis was effectively turned into a giant prison camp. Barriers were erected, snipers were positioned, Humvees were cruising around, and heavily militarized law enforcers from numerous agencies were marching around. While all of that security theater may have looked impressive, it was also expensive:

The department is expected to spend $175.6 million for the fiscal year, coming in at $1.9 million over its $173.7 million budget, according to new projections from the city’s finance department. The projections were a part of a second quarter 2018 financial report presented to the Ways & Means Committee on Tuesday.

“The Police department expects to come in $1.9 million over budget due to payments to other agencies and overtime related to the Super Bowl and SWAT for the X-Games,” read an earlier draft of the report released on Monday. In the final version that was presented at Ways & Means, the wording was revised to “large planned events.”

It’s a good thing that Minneapolis has so many tax cattle to make up for this shortfall. It’s also a good thing that the National Football League was able to subsidize its security expenses by shoving a huge chunk onto the tax cattle. And let’s be honest here, you can’t put a price on the convenience of the super wealthy tax cattle being able to attend the big game without the hassle of flying to it on their personal jet.

Pointless Judicial Decrees

A bunch of states decided to sue Cody Wilson’s company Defense Distributed after the Justice Department gave up its futile fight against the company. As part of this ongoing lawsuit a federal judge has extended the ban against Defense Distributed distributing its 3D printer designs for firearms:

A federal judge in Seattle issued an injunction today that blocks Defense Distributed from publishing its 3D-printed gun designs online. The move extends a temporary ban issued last month and the injunction will remain in place until a lawsuit brought forth by a number of state attorneys general is resolved. Washington, New York, New Jersey, Pennsylvania, Connecticut, Oregon, Maryland and Washington, DC signed onto the suit last month in an effort to reverse a US Department of State settlement that allowed the 3D gun designs to be published online. Eleven additional states joined the lawsuit earlier this month.

Gun control advocates, who have never been the sharpest tools in the shed, are celebrating this ruling. In their fantasy land where laws have power they view this judge’s ruling as a strike against 3D printed firearms. The problem is that this ruling, just like the previous ruling it extends, is meaningless because you can find the designs all over the Internet.

What gun control advocates and the states that are bringing this lawsuit against Defense Distributed fail to understand is that the gun control debate is over. Once guns became data that could be uploaded to the Internet the ability to control them ceased to exist. It doesn’t matter what the outcome of this lawsuit is, the files released by Defense Distributed will remain available.

How Quickly People Forget

There has always been a cat and mouse game between game developers and pirates. Over the years developers have tried various tricks to prevent people from pirating their games. My earliest experience with piracy prevention was the original MechWarrior. When you first loaded the game it presented you with a prompt that required entering a specific piece of information, and that information was found in the game manual. Of course this method was a pain in the ass if you either lost the manual or bought the game used without the manual because you didn’t realize that you needed it in order to play the game. Therein lies the problem with piracy prevention mechanisms: they always inconvenience paying customers.

Piracy prevention mechanisms continued to evolve after MechWarrior. Not too long ago computer games started including what amounted to literal kill switches. These mechanisms were referred to as Digital Rights Management (DRM). The name was idiotic since rights shouldn’t need to be managed, but it sounded friendlier than Developer Kill Switch so the marketing teams went with it. As you might expect, these kill switches didn’t sit well with a lot of gamers. However, time heals all wounds and now many gamers are unaware that their games include a kill switch.

Enter GOG. GOG is my favorite game distributor because, unlike Steam, it provides titles without DRM. And it has decided to make modern gamers aware of the fact that they don’t own many of their games, they merely rent them:

The landscape has changed since 2008, and today many people don’t realize what DRM even means. And still the DRM issue in games remains – you’re never sure when and why you can be blocked from accessing them. And it’s not only games that are affected, but your favourite books, music, movies and apps as well.

To help understand what DRM means, how it influences your games and other digital media, and what benefits come with DRM-free approach, we’re launching the FCK DRM initiative. The goal is to educate people and ignite a discussion about DRM. To learn more visit https://fckdrm.com, and share your opinions and stories about DRM and how it affects you.

This is the kind of marketing I like. GOG is telling gamers why its service is superior by pointing out the very real flaws that exist in many of its competitors’ services. It’s also important for everybody to understand exactly what DRM is, especially since it can render a legitimate copy of a game unplayable. DRM mechanisms usually involve a phone home system where the game contacts a DRM server to get authorization to load. If that server ceases to exist, say if the developer goes out of business or decides that maintaining the server is costlier than an old game warrants, then legitimate copies of the game can no longer be played.
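The phone-home dependence described above can be simulated end to end. The Python below is an added example, not code from this post, from GOG, or from any real DRM product: the license server, the shared key, the clock and the seven-day offline grace period are all constructed or assumed, and HMAC with a shared key stands in for the public-key signature a real client would verify, purely to stay within the standard library.

```python
"""Simulation of a phone-home DRM check and what happens once the
authorization server is gone.

Added example, not code from the original post or from GOG. The server,
the key, the clock and the grace period are constructed stand-ins. A real
client would verify a public-key signature rather than share an HMAC key
with the server; HMAC is used here only to avoid third-party libraries.
"""
import hashlib
import hmac
import json

GRACE_SECONDS = 7 * 24 * 3600          # assumed offline grace period
DAY = 86400

class LicenseServer:
    """Constructed stand-in for the developer's DRM server."""
    def __init__(self, key):
        self._key = key
        self.online = True

    def issue(self, game_id, owner, now):
        """Return a signed, time-limited entitlement, or fail if offline."""
        if not self.online:
            raise ConnectionError("DRM server unreachable")
        body = json.dumps({"game": game_id, "owner": owner,
                           "expires": now + GRACE_SECONDS}, sort_keys=True)
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}

class DrmLauncher:
    """Game client: phones home on every launch, keeps the last token for
    offline use, and refuses to run once no valid token is available."""
    def __init__(self, server, key, game_id, owner):
        self._server, self._key = server, key
        self._game_id, self._owner = game_id, owner
        self._cached = None

    def _valid(self, token, now):
        expected = hmac.new(self._key, token["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["tag"]):
            return False                          # tampered or forged
        claims = json.loads(token["body"])
        return claims["game"] == self._game_id and claims["expires"] > now

    def launch(self, now):
        try:
            self._cached = self._server.issue(self._game_id, self._owner, now)
            return "playing (server authorized)"
        except ConnectionError:
            if self._cached and self._valid(self._cached, now):
                return "playing (cached token)"
            return "blocked: cannot reach DRM server"

def drm_free_launch(now):
    """The DRM-free copy has nothing to ask and always runs."""
    return "playing"

def timeline():
    """Launch attempts before and after the developer shuts the server down."""
    key = b"constructed-demo-key"
    server = LicenseServer(key)
    game = DrmLauncher(server, key, "mechwarrior", "alice")
    log = [game.launch(0)]                        # day 0: server online
    server.online = False                         # developer pulls the plug
    log.append(game.launch(1 * DAY))              # day 1: cached token still valid
    log.append(game.launch(8 * DAY))              # day 8: grace period over
    log.append(drm_free_launch(8 * DAY))          # same day, DRM-free copy
    return log

if __name__ == "__main__":
    for entry in timeline():
        print(entry)
```

An offline grace period only postpones the outcome: the cached token keeps the game running for a while after the server disappears, but once it expires the legitimate copy is blocked for good, while the DRM-free copy never asked anyone’s permission in the first place.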