Posts tagged as:

Autonomous Vehicles Under Attack: Cyber Dashboard Standards and Class Action Lawsuits

by on March 14, 2015 · 0 comments

In a recent Senate Commerce Committee hearing on the Internet of Things, Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) “announced legislation that would direct the National highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure our cars and protect drivers’ privacy.” Spurred by a recent report from his office (Tracking and Hacking: Security and Privacy Gaps Put American Drivers at Risk) Markey argued that Americans “need the equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century.”

Among the many conclusions reached in the report, it says, “nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.” This comes across as a tad tautological given that everything from smartphones and computers to large-scale power grids are prone to being hacked, yet the Markey-Blumenthal proposal would enforce a separate set of government-approved, and regulated, standards for privacy and security, displayed on every vehicle in the form of a “Cyber Dashboard” decal.

Leaving aside the irony of legislators attempting to dictate privacy standards, especially in the post-Snowden world, it would behoove legislators like Markey and Blumenthal to take a closer look at just what it is they are proposing and ask whether such a law is indeed necessary to protect consumers. Continue reading →

SHARE: 0 comments

Don’t Hit the (Techno-)Panic Button on Connected Car Hacking & IoT Security

by on February 10, 2015 · 3 comments

do not panicOn Sunday night, 60 Minutes aired a feature with the ominous title, “Nobody’s Safe on the Internet,” that focused on connected car hacking and Internet of Things (IoT) device security. It was followed yesterday morning by the release of a new report from the office of Senator Edward J. Markey (D-Mass) called Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,  which focused on connected car security and privacy issues. Employing more than a bit of techno-panic flare, these reports basically suggest that we’re all doomed.

On 60 Minutes, we meet former game developer turned Department of Defense “cyber warrior” Dan (“call me DARPA Dan”) Kaufman–and learn his fears of the future: “Today, all the devices that are on the Internet [and] the ‘Internet of Things’ are fundamentally insecure. There is no real security going on. Connected homes could be hacked and taken over.”

60 Minutes reporter Lesley Stahl, for her part, is aghast. “So if somebody got into my refrigerator,” she ventures, “through the internet, then they would be able to get into everything, right?” Replies DARPA Dan, “Yeah, that’s the fear.” Prankish hackers could make your milk go bad, or hack into your garage door opener, or even your car.

This segues to a humorous segment wherein Stahl takes a networked car for a spin. DARPA Dan and his multiple research teams have been hard at work remotely programming this vehicle for years. A “hacker” on DARPA Dan’s team proceeded to torment poor Lesley with automatic windshield wiping, rude and random beeps, and other hijinks. “Oh my word!” exclaims Stahl. Continue reading →

SHARE: 3 comments

Hack Hell

by on December 31, 2014 · 0 comments

2014 was quite the year for high-profile hackings and puffed-up politicians trying to out-ham each other on who is tougher on cybercrime. I thought I’d assemble some of the year’s worst hits to ring in 2015.

In no particular order:

Home Depot: The 2013 Target breach that leaked around 40 million customer financial records was unceremoniously topped by Home Depot’s breach of over 56 million payment cards and 53 million email addresses in July. Both companies fell prey to similar infiltration tactics: the hackers obtained passwords from a vendor of each retail giant and exploited a vulnerability in the Windows OS to install malware in the firms’ self-checkout lanes that collected customers’ credit card data. Millions of customers became vulnerable to phishing scams and credit card fraud—with the added headache of changing payment card accounts and updating linked services. (Your intrepid blogger was mysteriously locked out of Uber for a harrowing 2 months before realizing that my linked bank account had changed thanks to the Home Depot hack and I had no way to log back in without a tedious customer service call. Yes, I’m still miffed.)

The Fappening: 2014 was a pretty good year for creeps, too. Without warning, the prime celebrity booties of popular starlets like Scarlett Johansson, Kim Kardashian, Kate Upton, and Ariana Grande mysteriously flooded the Internet in the September event crudely immortalized as “The Fappening.” Apple quickly jumped to investigate its iCloud system that hosted the victims’ stolen photographs, announcing shortly thereafter that the “celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions” rather than any flaw in its system. The sheer volume produced and caliber of icons violated suggests this was not the work of a lone wolf, but a chain reaction of leaks collected over time triggered by one larger dump. For what it’s worth, some dude on 4chan claimed the Fappening was the product of an “underground celeb n00d-trading ring that’s existed for years.” While the event prompted a flurry of discussion about online misogyny, content host ethics, and legalistic tugs-of-war over DMCA takedown requests, it unfortunately did not generate a productive conversation about good privacy and security practices like I had initially hoped.

The Snappening: The celebrity-targeted Fappening was followed by the layperson’s “Snappening” in October, when almost 100,000 photos and 10,000 personal videos sent through the popular Snapchat messaging service, some of them including depictions of underage nudity, were leaked online. The hackers did not target Snapchat itself, but instead exploited a third-party client called SnapSave that allowed users to save images and videos that would normally disappear after a certain amount of time on the Snapchat app. (Although Snapchat doesn’t exactly have the best security record anyways: In 2013, contact information for 4.6 million of its users were leaked online before the service landed in hot water with the FTC earlier this year for “deceiving” users about their privacy practices.) The hackers received access to 13GB library of old Snapchat messages and dumped the images on a searchable online directory. As with the Fappening, discussion surrounding the Snappening tended to prioritize scolding service providers over promoting good personal privacy and security practices to consumers.

Continue reading →

SHARE: 0 comments

Thomas Rid on cyber war

by on September 3, 2013 · 0 comments

Thomas Rid, author of the new book Cyber War Will Not Take Place discusses whether so-called “cyber war” is a legitimate threat or not. Since the early 1990s, talk of cyber war has caused undue panic and worry and, despite major differences, the military treats the protection of cyberspace much in the same way as protection of land or sea. Rid also covers whether a cyber attack should be considered an act of war; whether it’s correct to classify a cyber attack as “war” considering no violence takes place; how sabotage, espionage and subversion come into play; and offers a positive way to view cyber attacks — have such attacks actually saved millions of lives?

Download

Related Links

SHARE: 0 comments

Parmy Olson on Anonymous and LulzSec

by on July 24, 2012

Parmy Olson, London Bureau chief for Forbes, discusses her new book We are Anonymous: Inside the Hacker World of Lulzsec, Anonymous and the Global Cyber Insurgency. The book is an inside look at the people behind Anonymous, explaining the movement’s origins as a group of online pranksters, and how they developed into the best known hacktivist organization in the world. Olson discusses the tension that has existed between those that would rather just engage in pranks and those that want to use Annoymous to protest different groups they see as trying to clamp down on internet freedom, as well as some of the group’s most famous campaigns like the attacks against the Church of Scientology and the campaign against Paypal and Mastercard. Olson also describes the development of LulzSec which became famous for a series of attacks in 2011 on high profile websites including Fox, PBS, Sony, and the CIA.

Download

SHARE:

Nuts & Bolts: Everything You Wanted To Know About Cookies But Were Afraid To Ask

by on January 27, 2009 · 16 comments

As a means of introducing myself to TLF readers, this is an article that I wrote for the PFF blog in September that has not been previously mentioned on the TLF. Most of my other PFF blog posts have been cross-posted by Adam Thierer or Berin Szoka, but I’ve taken ownership of those posts so they appear on my TLF author page.

This is the first in a series of articles that will focus directly on technology instead of technology policy. With an average age of 57, most members of Congress were at least 30 when the IBM PC was introduced in 1981. So it is not surprising that lawmakers have difficulty with cutting-edge technology. The goal of this series is to provide a solid technical foundation for the policy debates that new technologies often trigger. No prior knowledge of the technologies involved is assumed, but no insult to the reader’s intelligence is intended.

This article focuses on cookies–not the cookies you eat, but the cookies associated with browsing the World Wide Web. There has been public concern over the privacy implications of cookies since they were first developed. But to understand them , you must know a bit of history.

According to Tim Berners Lee, the creator of the World Wide Web, “[g]etting people to put data on the Web often was a question of getting them to change perspective, from thinking of the user’s access to it not as interaction with, say, an online library system, but as navigation th[r]ough a set of virtual pages in some abstract space. In this concept, users could bookmark any place and return to it, and could make links into any place from another document. This would give a feeling of persistence, of an ongoing existence, to each page.”[1. Tim Berners-Lee, Weaving The Web: The Original Design and Ultimate Destiny of the World Wide Web. p. 37. Harper Business (2000).] The Web has changed quite a bit since the early 1990s.

Today, websites are much more dynamic and interactive, with every page being customized for each user. Such customization could include automatically selecting the appropriate language for the user based on where they’re located, displaying only content that has been added since the last time the user visited the site, remembering a user who wants to stay logged into a site from a particular computer, or keeping track of items in a virtual shopping cart. These features are simply not possible without the ability for a website to distinguish one user from another and to remember a user as they navigate from one page to another. Today, in the Web 2.0 era, instead of Web pages having persistence (as Berners-Lee described), we have dynamic pages and “user-persistence.”

This paper describes the various methods websites can use to enable user-persistence and how this affects user privacy. But the first thing the reader must realize is that the Web was not initially designed to be interactive; indeed, as the quote above shows, the goal was the exact opposite. Yet interactivity is critical to many of the things we all take for granted about web content and services today.

Continue reading →

SHARE: 16 comments

Go to Jail for Online Anonymity: The End of Internet Freedom?

by on September 22, 2008 · 19 comments

Forget net neutrality and the growing Googleplex. The real threat to Internet freedom comes from plain old criminal law.

In three weeks time, Missouri housewife Lori Drew will face trial for entering false personal details when she signed up for a MySpace account. Her indictment alone, whether or not she is convicted, should frighten anyone who’s ever filled out a form online.

The case, which captured the tabloid media when it broke last year, turns on unusual facts. Drew, posting as a teenage boy, created the MySpace account to probe why a neighbor’s daughter, Megan Meier, had broken off a friendship with her own daughter. She gave a few others access to the account, and things quickly spiraled out of control. Before long, “Josh Evans” (the fictional teen) and Meier were an online couple, and soon after that, they were hurling insults at one another on public message boards.

Meier, already suffering from depression, was devastated by Josh’s turnabout. A final private message from the Evans account–“The world would be a better place without you”–pushed her over the edge. Twenty minutes after receiving it, Meier hung herself in her closet.

Even though she was not responsible for the worst of the messages (according to a prosecutor who investigated the case but declined to file charged), Lori Drew mislead an emotionally troubled youth, and that was surely wrong.

But it’s more problematic to say that it’s a crime.

The theory of the prosecutor behind this case would make all Internet users criminals. Continue reading →

SHARE: 19 comments

Palin Hackers Face Jail Time

by on September 18, 2008 · 15 comments

From triumph to terror—that’s the likely emotional rollercoaster of the denizens of the “/b” message board on the 4chan website who hacked into Gov. Sarah Palin’s email account earlier this week. The toasts of the left-learning Internet on Tuesday, by this morning they knew themselves to be in the crosshairs of the FBI and Secret Service.

Next stop: jail. That’s the law, and it’s a fair punishment for digital breaking and entering.

According to British tech tabloid The Register, the hackers accessed Palin’s Yahoo account by way of a proxy, relaying all traffic through it to cloak their identities. The proxy’s owner promises to make his log data available to authorities, and it’s probably only a matter of time before that leads to living, breathing (nervous, sweating?) people.

The most likely charge is hacking. Federal law prohibits virtual trespassing for the purposes of stealing information. So cracking the password to a governor’s email account and perusing her messages is a clear violation. The punishment: criminal fines and imprisonment of up to 5 years.

Throw in a few conspiracy offenses—according to reports, a slew of “/b-tards” were in on the act—and the prison term could double.

No, going after a major party’s vice presidential candidate was not smart: Police and prosecutors put extra effort into famous crimes.

As for the media publishing Palin’s emails and family photos, shame on them, but it’s not against the law. In Bartnicki v. Vopper, the Supreme Court held that they have a First Amendment right to publish materials of public importance, even if illegally obtained, so long as the media doing the publishing committed no wrong itself.

But just because it’s legal doesn’t mean it’s right. No one deserves to have their private correspondence stolen (not, as per the AP, “leaked”) and posted online for the world to see. It speaks to Palin’s classiness that nothing objectionable—not even a cuss—has come to light. Too bad that the press and online gossip-mongers don’t share that trait and take the material down.

SHARE: 15 comments