Monday, June 22, 2015

Google is STILL evil and Uber still sucks - What I am reading 6/22/2015

Privacy Online News via Instapundit - Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth -

Yesterday, news broke that Google has been stealth downloading audio listeners onto every computer that runs Chrome, and transmits audio data back to Google. Effectively, this means that Google had taken itself the right to listen to every conversation in every room that runs Chrome somewhere, without any kind of consent from the people eavesdropped on. In official statements, Google shrugged off the practice with what amounts to “we can do that”.

Not quite accurate.  What they are talking about is the "OK Google" feature which allows you to do voice searches without first clicking the microphone icon.  Not a feature I personally have enabled, but some people like it.  I first saw this at Instapundit, where in typical internet fashion his readers a) jump to the wrong conclusion immediately, b) start spouting nonsense and c) ignore the fact that Google both announced this and that it requires agreeing to a separate terms of service.  I am not saying that this is a good feature or that I agree with the Internet of Things and devices listening to me all the time, but for crap's sake know what you are agreeing to before you install it instead of years later bitching about it.

Ars Technica “EPIC” fail—how OPM hackers tapped the mother lode of espionage data -

The OPM breaches themselves are cause for major concerns, but there are signs that these are not isolated incidents. "We see supporting evidence that these attacks are related to the group that launched the attack on Anthem [the large health insurer breached earlier this year]," said Tom Parker, chief technology officer of the information security company FusionX. "And there was a breach at United Airlines that's potentially correlated as well." When pulled together into an analytical database, the information could essentially become a LinkedIn for spies, providing a foreign intelligence organization with a way to find individuals with the right job titles, the right connections, and traits that might make them more susceptible to recruitment or compromise.
OPM is not alone in neglecting basic security guidelines spelled out for them by both federal regulations and executive orders for much of the past decade. Even those agencies that have implemented systems to comply with the letter of FISMA (Federal Information and Security Management Act) and other regulations have had problems keeping on point because of the constantly changing nature of information security threats. And the complex plaque of information systems that agencies have built up often defies any sort of security management because the vendors who built many of the systems have long since disappeared.

By and large, government agencies in the last 20 years have become increasingly dependent on outside contractors to provide the most basic of information technology services—especially smaller agencies like OPM. The result has been a patchwork of IT systems and security, and the Office of the CIO at OPM has a direct hand in fewer and fewer projects. Of the 47 major IT systems at OPM, 22 of them are currently run by contractors. OPM's security team has limited visibility into these outside projects, but even the internally operated systems were found to be lacking in terms of basic security measures.

In addition to the above, it turns out that the contracts often had foreign nationals, including some located in the People's Republic of China, servicing them.  It just doesn't get any better than this. (Remember back in the good old days when the world was all atwitter about how Obama was going to revolutionize technology in government because he carried a smart phone and he didn't want to give it up?  I long for those days.)

Related Idea:  There is a big push (well, 4 or 5 nuts somewhere in CA) to require all kids to learn to code in school.  Fine, I will back that if we also require a basic cyber hygiene class.  That includes things like using encryption and multifactor authentication, patching your systems, how to spot a phishing attack, how to read terms of service, etc.

Bloomberg Business Week - Instacart Reclassifies Part of Its Workforce Amid Regulatory Pressure on Uber -

I am not really sure who Instacart is, but this is obviously in response to the California ruling that found a woman was an Uber employee, not a contractor (the CEO denies this and claims it is for customer service reasons).  And probably also in response to articles like this:

Pando - Uber stops people from carrying guns on vehicles it doesn’t own driven by people it doesn’t employ -
there’s still something funny about Uber making a rule that stops people from carrying firearms onto vehicles it doesn’t own that are driven by people who are considered “independent contractors” instead of actual employees
Amazing, something I agree with Pando on.
