
Cyber Threat Analysis Report Vol 1, Edition 8

Privacy for me but not for thee

News of the fact that federal law enforcement is exploiting a little-known law (not envisioned for use in cases like this) to mine state driver’s license images and subject them to facial recognition algorithms came as a shock to many. What’s more shocking is the dismal accuracy rate, not to mention bias, such algorithms have, and that their use is almost certainly subjecting innocents and citizens to the full force of the “justice” system. As we saw roughly 15 years ago, the fact that you can collect and look at everything doesn’t mean it’s a good idea. In all my years as an analyst I don’t recall ever walking into the office and going, “Man, I sure wish I had more data of questionable value to sort through.” Apparently decision-makers have forgotten – or never learned – that garbage input can only lead to output that is also garbage.


FaceApp SchmaceApp

Speaking of privacy, it’s another day that ends in “Y” so that must mean another hype-filled, fact-light story about ruskies exploiting facial recognition, or AI, or deep fakes, or who knows what because FaceApp = KGB…or something. An actual examination of the app doesn’t reveal any special capabilities you don’t find in your average cell phone app, which is to say code of varying value that silently sucks down your contacts, call/text records, photos, and other data in lieu of actual cash payment. You are the product. You’ve been bought and sold a thousand times over. Yes, a long chain of events could lead to your image being used to make it look like you’re participating in something evil, because that’s how movie plot threats work. The fact of the matter is that FaceApp is one of a couple of dozen times you decided to trade privacy for convenience or fun in just the past year. You have no idea what those other firms did with your data, and we have no idea what might happen in this case, yet your first reaction a week from now upon hearing of a cool new app isn’t to pause, it’s to tap and swipe.


Ransomware: is paying still smart?

Alaska, Atlanta, Baltimore, and dozens of smaller cities and even court systems have all been hit with ransomware in the recent past. My advice to those fully and completely infected by ransomware, who lack current backups, has always been to pay. If the infection is incomplete, or if you’re lucky enough to get hit with a variant for which a solution is available, great, but for everyone else, I drive home the point that paying is the best business decision (it’s not personal). More recently, however, the UK’s largest police forensics lab (a contractor) was also held hostage. The idea of losing control of evidence related to criminal matters is something I don’t think a lot of experts have considered. Does a ransomware infection take files out of the chain of custody? Proponents of not paying will argue that ransoms only fuel more attacks, which is true, but the lesson here isn’t “payers never win,” it’s that no one – not even those who should know better – is taking the very basic step of creating current off-line backups, despite being reminded of their importance on an almost daily basis.


Huawei Smoking Gun?

‘Huawei is an extension of the Chinese intelligence apparatus.’ You’ve heard it so many times it’s become conventional wisdom. Yet the vehement denials and proposed concessions the company has made make you wonder: are we hyping the threat? A little independent research suggests we haven’t. Yet all is not necessarily as it seems. A grand total of one resume shows simultaneous employment with Huawei and the Ministry of State Security. What about all the resumes that showed MSS personnel later going to work for Huawei (and vice versa)? I’d be careful pointing fingers, given how many companies within a 50-mile radius of Washington D.C. were founded and staffed by DOD/IC alumni. Yes, being a contractor for the government and being a proxy are not the same thing in theory, but given the pervasiveness of the contract workforce in what used to be inherently governmental work, is it in practice? Even if the relationship is closer than this investigation reveals, given what rubbish Huawei code is, is it that fruitful of a relationship?


What Value Keynotes?

Apparently Rep. Will Hurd isn’t woke enough for Blackhat (per people who have no idea how governmental sausage is made). Likewise, the irony of having former Secretary of State Clinton keynote at a FireEye conference was also too much for Con organizers. Hurd wasn’t coming to BH to talk about women’s rights, and Clinton was invited given her role in and knowledge of international affairs, not cyber hygiene. As private concerns both entities are free to invite – or disinvite – whom they want, but at some point you have to wonder if we’re looking at the role of a keynote in the right way. By definition a keynote (and there should be only one) is supposed to be focused on the main theme of the event. Given that, neither Hurd nor Clinton is a controversial figure, but then they weren’t figuratively run out of town on a rail because of the issue(s) at hand. We’re in the second decade of the information age, and depending on how you count the fourth or fifth decade of the security industry, and yet have things changed substantially since the first salami attacks and the events of The Cuckoo’s Egg? We can only benefit from new ideas and new voices. No offense, but you can only hear Bruce Schneier and Mikko Hypponen so many times.


Stiff Upper Lip

British Airways was hit with a $230M fine for a data breach that occurred last year. So was Marriott (though they’re contesting). Some hail this as a sign of progress: hitting companies in the pocketbook has often been one way to get them to pay attention to issues they had previously given short shrift. But others argue that fines are a blunt, often ineffective instrument, depending on the situation. BA makes about $14B (US) annually, so $230 large isn’t that big of a kick in the shins (Facebook’s $5B fine sounds awesome too, till you remember Facebook makes orders of magnitude more money every year); a fine imposed on an SMB on the other hand, could send it into bankruptcy. Does BA learn a lesson and improve security, or does it do the math and realize that the minimum required to get the authorities off their back is the right business move?

What Value Takedowns?

When darknet markets are taken down, it’s a win. The same is true for botnet takedowns. What’s unclear is how much of a victory such actions really are. In both cases, it doesn’t take long for others to fill the void, yet takedowns are one of the few methods we have at our disposal that work at scale. It’s not that we’re playing whack-a-mole, it’s that we’re making it more expensive and dangerous to be a mole. Takedowns don’t take place nearly as frequently as they should. If they did, we wouldn’t be having this discussion, we’d be reading about the next thing bad guys moved to because the ROI on botnets and dark markets wasn’t worth it.


Cybering is Hard, even for Experts

NSA’s OIG reports that the agency is failing to live up to government standards for cybersecurity, leaving the organization potentially vulnerable to digital attacks. This serves as your regular and pointed reminder that no one is in the security business, they’re just in business.


Functionality Trumps Security, Every Time

If you’ve been in this business for any length of time you know that connecting random things to the internet and hoping for the best is how things are done. The idea of ‘baking in’ security from the get-go is something we’ve heard about for decades, but for some reason we still haven’t cracked that nut. Whether it’s consumer devices or “privacy” apps or election systems, the markets care about getting things done, not getting things done securely. This is, of course, human nature. We’ll pay attention when the body count gets high enough, not before.


The Price of Doing Business

The FTC is going to fine Facebook $5B for its role in the Cambridge Analytica scandal. Some applaud the move as a demonstration of government getting tough on tech giants who seem to run roughshod over the rules that would end lesser companies. The fact of the matter is that while $5B isn’t exactly pocket change, it is not an amount that is likely to change attitudes at the social networking firm, which has no qualms about buying, selling, or manipulating member data a hundred times over if it will make a buck. How much of a buck? Facebook made over $55B in revenue last year. The question isn’t ‘will this fine finally make Facebook take security and privacy seriously?’ it is ‘what can they get away with before it really begins to hurt?’

Michael Tanji

About the Author

Michael Tanji

Michael Tanji spent nearly 20 years in the US intelligence community. Trained in both SIGINT and HUMINT disciplines he has worked at the Defense Intelligence Agency, the National Security Agency, and the National Reconnaissance Office. At various points in his career he served as an expert in information warfare, computer network operations, computer forensics, and indications and warning. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East.