First we learned from WikiLeaks that the CIA has an arsenal of code designed to break into the world’s phones, cars and TVs, not to mention old-fashioned computers. Then the US authorities announced indictments in the largest hacking case on record: the breach of half a billion Yahoo accounts in 2014. Two of the men charged are Russian spies.
The Kremlin is becoming particularly adept at blending high espionage and lowdown criminal pursuits like the online theft of other people’s data. The king of that particular castle is Evgeniy Bogachev, the guy opposite with his Bengal cat and matching pyjamas. They say he’s extremely wealthy, and once had upwards of half a million computers under his command. He’s also a criminal standout for having a $3 million FBI bounty on his close cropped head. Back home in his redoubt on the Black Sea, however, Bogachev is a popular asset among intelligence operatives. Continue reading →
Hacking that affects individuals is very widespread. The Pew Research Center reports nearly 2/3 of online Americans have experienced some form of data theft. A total of about 50% of onliners think their personal data are less secure than five years ago (see previous post for other details).
What does “data theft” look like? Pew examined seven types, and found that only two – fraudulent credit charges and stolen tax refunds – entailed direct financial loss. The others involved some less definable harm, such as an attacker getting his hands on social security numbers or login credentials for social media accounts. We call it “compromising” the data.
This amorphous concept of “compromised data” is growing into one of the chief barriers standing in the way of advances in cybersecurity for end-users. It takes what’s already invisible and annoying (see: strong passwords), and adds a hefty dose of abstraction. Exactly when can we say a piece of data has been sufficiently “compromised” to start worrying and take action? What kind of action?
WhatsApp: how secure?
Let’s look at WhatsApp to see how a popular messaging service handles security for a billion users – and how adding security can actually lead to trouble as well as safety.
Last year WhatsApp announced deployment of end-to-end encryption (E2EE) for all messages and media crossing its systems.Their FAQ assures users that everything they send is “secured from falling into the wrong hands” – right from the sender’s device all the way to the recipient’s (hence “end-to-end”). Marketing wants to be reassuring, not to mention emphatic as to why their platform is better than competing platforms. Continue reading →
Netflix CEO Reed Hastings tells investors what he thinks of privacy advocates
Back in March I wrote two posts to express my surprise and frustration that Netflix would no longer let its customers gain entry through a VPN or virtual private network. Turns out the problem hasn’t gone away. Also turns out Reed Hastings is still every bit as dismissive of our privacy concerns – and our customer experience – as he was in January.
A lot of the recent coverage of the Netflix vs privacy phenomenon was prompted by my colleagues at OpenMedia, and in particular Laura Tribe, who acts as the advocacy group’s digital rights lead. When I spoke to her this morning, she pointed to the large number of media outlets that have covered the OpenMedia campaign against the Netflix VPN blockade (OpenMedia pays me from time to time as a policy consultant).
In an email letter to supporters last Friday, Laura and her team laid out the case, opening thusly:
Is protecting your privacy and security “inconsequential?” That’s what Netflix CEO Reed Hastings seems to think, based on recent comments reported in WIRED magazine.
It’s time to remind Netflix that privacy and security matter to us. Yesterday your open letter made international headlines.
If you want to throw your name in the ring, the OpenMedia campaign page for Netflix is here. Continue reading →
The Kings of Content have always shown an intense and belligerent dislike for new technologies, regardless of their promise or popularity. History is littered with the embarrassing results. Take Jack Valenti.
For over 35 years, Valenti was head of the Motion Picture Association of America (MPAA). In 1982, the studios were in court trying to prevent Sony from shipping a single VCR to the US because of the alleged threat of piracy. Here’s how Valenti famously described the dangers of the VCR to a Congressional committee:
“I say to you that the VCR is to the American film producer and the American public as the Boston strangler is to the woman home alone.”
“The VPN crackdown is meeting fierce resistance from privacy activists and concerned users, with tens of thousands calling upon the streaming service to reverse its broad VPN ban.” — Torrent Freak, Feb 26
Since Netflix came to Canada in September 2010, I’ve written 51 posts carrying the Netflix tag. I’ve sung the praises of Reed Hastings; objected to the anti-Netflix manipulation of data caps by our incumbents; defended Netflix’s right to operate in Canada over the self-serving protests of our media establishment; and sympathized with Netflix for the archaic treatment meted out to streaming services by the CRTC.
The longest pair of posts I’ve ever written (about 6,000 words) was on the attempt by the CRTC and selected media barons to make life as difficult as possible in Canada for Netflix. That was 2011: Get yer grimy paws off my Netflix: Ottawa’s big OTT scam (part 1, June 16; and part 2, June 18).
Ms Taylor’s old-fashioned apology for Cancon, with its predictable sideswipes at “freeriding” Netflix and marauding pirates, is based on ideology rather than evidence. It completely misconstrues the role of security tools like VPNs, at a time when Canadians should be far more concerned about their privacy and security online than about shelf space on the network for domestic TV shows. Most of all, it treats the Internet like a cultural and economic aberration that’s ruining our TV system, when the aberration is Canada’s bizarre and unworkable framework for broadcasting.
Virtual private networks and why you need one
What the article says about VPNs:
“The latest scheme is to use a virtual private network, or VPN, to trick Netflix into believing you are located in the United States and can thus subscribe to the video-streaming service’s American catalogue….
Internet advocates love to preach choice, diversity and freedom – after all, a VPN can also be used by citizens in China to access content censored by their government.”
A VPN is specialized client software that encrypts online messages, and is said metaphorically to “tunnel” through the public Internet. It’s a “virtual” network because there’s no real tunnel or separate physical network. Your data packets are still co-mingling with other people’s packets, but only you and folks with the authentication tools – like a password – can read those packets. The VPN is said to be private for exactly that reason, like an office behind a locked door. Continue reading →
Here in a nutshell is how things stand a week after my original comments on the hack and Sony’s culpability:
Sony Pictures chair Michael Lynton has even more pointedly dodged any responsibility for the damage caused on November 24.
FBI director James Comey insists more than ever that North Korea engineered the hack.
A high-profile crypto expert, Marc Rogers, has just published a detailed critique of the claims made by the FBI and Sony.
Lynton’s lapses. In an interview last week for ABC News, Chairman Lynton said the following:
“We are the canary in the coal mine, that’s for sure. There’s no playbook for this, so you are in essence trying to look at the situation as it unfolds and make decisions without being able to refer to a lot of you’ve had in the past or other peoples’ experiences. You’re on completely new ground.”
Talk about revisionist history. In case you haven’t read my previous post, I lay out the sordid 10-year history of Sony’s experiences in the so-called “coal mine.” Needless to say, Lynton has a vested interest in getting the audience to believe the November 24 attack came out of the blue. That makes him look less like a failed leader, and probably prevents him sinking even further into legal liability. Here are three highlights of the backstory he conveniently overlooks:
Sony Pictures itself (not the parent company) was hacked – with many of the same awful results – in the summer of 2011. No, November 24 didn’t happen without any “playbook.”
IT consultants hired by Sony Pictures in the summer of 2014 warned of numerous security vulnerabilities in their netwok, which management apparenty ignored.
Sony Corp’s fight with the hacker community began all the way back in 2005, with the Sony rootkit scandal, which produced years of conflict and plenty of guideposts to refer to, if the Lynton squad had been paying attention.
Sony Pictures, the White House and the FBI should get a medal for the greatest political marketing triumph of 2014.
After the horror show following the November 24 hack of Sony Pictures by the Guardians of Peace (GOP), America rallied behind Washington’s theory that Sony was the hapless victim of a Cold War cyberattack. Kim is certainly an easy guy to dislike and no friend of the Americans – no friend of anybody but Kim for that matter. (He comes by it legitimately. His dad and predecessor once had an actor hired to play grandpa Kim Il-sung in a movie role, for which the actor underwent plastic surgery to more closely resemble a Kim; once the shoot was over, the actor was shipped off to a concentration camp.)
The triumph of Cold War marketing over any hint of Sony’s bad behavior is all the more remarkable given the nasty quarrels that have embroiled US stakeholders, press and critics of all stripes. Not to mention the fact that as recently as New Year’s Eve, cryptographer Bruce Schneier and others were still casting doubt on the official claim that the hack was carried out by the Kim regime.