Facebook’s two-factor ad practices give middle finger to infosec

https://www.engadget.com/2018/10/05/facebook-two-factor-ads-security-betrayal/



Illustration by Koren Shadmi

We’ve all encountered security questions asking where we went to school, our favorite color or food, our first concert, and the ubiquitous “mother’s maiden name.” Imagine a world where on one screen you carefully chose Stanford, red, spaghetti and so on, and on the next you were shown ads for Italian restaurants, red shoes, and jobs for Stanford grads.

Seems like an insane violation, right? I mean, it stands to reason that we expect that the information we type to secure our online accounts and apps is private, safely guarded information.

Not so, we learned this past week, when, amid all the chaos of the news cycle we’re desperately trying to stay on top of, it came to light that Facebook admitted to using the phone numbers people provided for two-factor authentication to target ads.

In response to the fact that no one knew about this, the company made it seem as though this practice was in a policy somewhere that people could’ve learned about and avoided but didn’t. “We are clear about how we use the information we collect,” a Facebook spokesperson said in a statement to press, “including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.”

Nothing under “Information We Collect” in Facebook’s own Data Use Policy says the company uses information provided for security purposes for anything else, security information is not mentioned under “How Do We Use This Information?”, and the policy’s security section does not mention it either.

Facebook’s Data Use Policy security section only says, “We use the information we have to verify accounts and activity, combat harmful conduct, detect and prevent spam and other bad experiences, maintain the integrity of our Products, and promote safety and security on and off of Facebook Products.” That’s it.

To be absolutely clear, there’s nothing in Facebook’s documentation about making ad dollars off of your security info. Nor is there anything anywhere that told users their two-factor phone numbers provided for security went into a database for ad targeting. Not that it would make any of this OK at all if Facebook had come back to press saying, “Here’s our policy on doing whatever we want with things you gave us for protecting your own security.”

Facebook told press this nontransparent betrayal of trust is to make people’s experience better on the social network. If you don’t like it, now that it’s too late, it said your only option is to not use “phone number based 2FA.”

This is Facebook telling the public that if they don’t want their security information used for the purposes of advertisers stalking them, users should not use two-factor in a way that is (for many) the only way they know how.

This all came out when Gizmodo verified that Facebook has been taking our “shadow profile” information — secret dossiers it makes about us with info we don’t give the company and can’t see or control — and handing it to its unknown pool of, probably, poorly secured data dealers. But we expected that.

It flies right in the face of what the company’s security chief said back in January when infosec folks complained about giving Facebook their phone number for two-factor and then got SMS spammed with News Feed notifications via the number they provided. People who responded to these surprising and unwanted notifications found that their responses were being posted on Facebook.

Alex Stamos, Facebook’s CSO in 2016

“The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications,” wrote then CSO Alex Stamos. For those keeping track, he’s the same CSO who was active during the massive Facebook hack the company just admitted to, and he also ran Yahoo security during its record-setting breach of 500 million accounts. It’s probably important to keep track of such things. But I digress.

Until this past May, a phone number was required to add this extra layer of security to a Facebook account. During that rollout, Facebook’s Security Communications Manager Pete Voss would not tell Wired how many people use two-factor on the social network. “I can just say that we’ve gotten the feedback that people want it to be easier, people do take security seriously,” he said.

Prior to that, in January Facebook added the two-factor option of hardware security keys (such as a YubiKey) for users but still told them they’d need to hand over a phone number as well.

In a 2017 survey Duo Labs found that the use rate for two-factor was 28 percent, with most (85.8 percent) saying their preferred method was SMS (phone number) notification. At the Usenix Enigma 2018 security conference in California this past January, a Google engineer revealed that fewer than 10 percent of Gmail users have two-factor enabled. So we might estimate that out of every 10 people there are between one and three who use two-factor, with most of them preferring the default SMS method.

Now let’s look at a Facebook number: the 50 million people whose accounts we just found out were exposed in the company’s jaw-dropping 2017-2018 authentication token snatch and grab. So if even just one in 10 used 2FA and we used Duo’s 85 percent for guessing how many of those use SMS… 4.25 million Facebook users who thought they gave Facebook a phone number in good faith now risk being stalked by the company’s pet advertisers. I’m sure there were even more ad targets scooped into the mix when Facebook made 2FA mandatory for “some” Page managers in August.

This, however, cuts deep in the worlds of both security and the secured. Taking people’s security stuff and trading it (or maybe renting it, as Facebook is keen to avoid the word “selling”) is the infosec equivalent of poisoning a water supply. It establishes Facebook as a threat to the core principles of security. It is a betrayal of trust that left many in the security profession speechless with anger — and tech lawyers furiously disgusted. And worried. Very worried about what this means for everyone.

Plainly put, people will be discouraged from using 2FA, and this is a net loss for everyone. They’ll see headlines like “You Gave Facebook Your Number For Security. They Used It For Ads.” And despite the cautions of that article, people now know that big companies like Facebook are doing this unapologetically, and they will be safe in assuming that other companies do this as well.

We all know that humans are crap at making good passwords, that everything runs on passwords and that not enough people use password managers. Two-factor SMS is a tacked-on solution and it’s not the best, but it’s battle-tested as being something that reduces risk.

I mean, talk about undoing years of hard work convincing people to secure their accounts.

Images: Stephen Lam/Reuters (Zuckerberg); Brendan McDermid/Reuters (Alex Stamos); Motortion via Getty Images (phone in hand)

via Engadget http://www.engadget.com

October 5, 2018 at 02:00PM

Google Maps Music Integration, Dark Google Feed, New Assistant UI All Rolling Out

https://www.droid-life.com/2018/10/05/google-maps-commute-music-spotify-assistant/


Over the past couple of weeks, Google has announced some pretty big changes to some of its apps and services, like Google Assistant, Google Maps, and the Google Feed, which is now called Discover. As we approach the weekend, a number of those changes are arriving on phones, according to many of you readers.

For Google Assistant, Google announced just this week that Assistant is getting a bit of a makeover. That makeover includes more touch controls, bigger touch points, and a balancing of voice and physical interactivity. The new Assistant also lets you quickly swipe up as it listens to get into your updates for the day.

You can see just how that new Assistant UI looks above. As of today, it seems to be widely rolling out. Check for a Google App update on Google Play if you aren’t seeing it just yet.

For Google Maps (below), Google introduced music controls within the navigation UI and a new commute tab to help you better manage your daily to-and-from work route. We haven’t seen the commute tab yet, but the music support is there.

Currently, Maps has support for Google Play Music, Spotify, and Apple Music, so you can jump between tracks without ever leaving your navigation screen. For Spotify, users also have quick access to their library of songs, albums, podcasts, and playlists.

Google Maps Spotify

Google Maps Music

To turn on the new music controls in Google Maps, you’ll head into Maps, swipe out the side bar and go into Settings>Navigation Settings. From there, scroll all of the way to the bottom and toggle on “Show media playback controls.” Once you’ve done that, you’ll be able to tap on the “Default media app” and choose the music service you use.

And finally, the new “Discover” feed has rolled out to most, but what users are finding is a dark theme or mode with supported launchers. If you own a Pixel or Pixel 2 and have the Google app enabled as a swipe to the left of your home screen, this Discover feed now pays attention to your phone’s theme. If you have the light Pixel theme applied, Discover will match that. If you have the dark theme selected, it’ll turn dark as you can see below.

Google Discover Dark Theme

Google Play Links: Google App | Google Maps

Cheers Brent, Derek, Randy, Mark, and everyone else!

via Droid Life: A Droid Community Blog https://ift.tt/2dLq79c

October 5, 2018 at 04:19PM

Large-Scale Wind Farms Could Warm the U.S.

http://blogs.discovermagazine.com/d-brief/?p=27678

If we humans want to slow down global warming due to carbon emissions, clean energy is the way. But, as with all things, there are cons to go along with those pros. New research reports that installing large-scale wind farms across the country could raise the temperature of the continental United States.
The study, published in the journal Joule, is based on mathematical modeling done by experts at Harvard University. First, the team created a climate baseline; they used a standard weathe

via Discover Main Feed https://ift.tt/1dqgCKa

October 5, 2018 at 06:52PM

Feds to judge: We still think we can put GPS trackers on cars entering US

https://arstechnica.com/?p=1388267



Aerial view of vehicles lining up to cross to the United States at San Ysidro Port of Entry as seen from Tijuana, Baja California state, Mexico on August 10, 2018.

via Ars Technica https://arstechnica.com

October 6, 2018 at 09:05AM

Former South Korean President Sentenced To 15 Years In Prison On Corruption Charges

https://www.npr.org/2018/10/05/654851055/former-south-korean-president-sentenced-to-15-years-in-prison-on-corruption-char?utm_medium=RSS&utm_campaign=news


Former South Korean President Lee Myung-Bak was sentenced on Friday for bribery and embezzlement. He had been convicted of taking $5.4 million in bribes from Samsung during his campaign and presidency.

Chung Sung-Jun/Getty Images


hide caption

toggle caption

Chung Sung-Jun/Getty Images

Former South Korean President Lee Myung-Bak was sentenced on Friday for bribery and embezzlement. He had been convicted of taking $5.4 million in bribes from Samsung during his campaign and presidency.

Chung Sung-Jun/Getty Images

South Korea’s former president, Lee Myung-bak, was sentenced Friday to 15 years in prison for bribery and embezzlement. He will also have to pay $11.5 million in fines.

Lee is the second South Korean leader convicted this year on charges of corruption, and the fourth president to be arrested for corruption since the 1990s. Prior to entering politics, Lee had been an executive at Hyundai, and campaigned on a promise to help South Korea’s economy grow.

Lee served as president of South Korea from 2008 until 2013. A court ruled Friday that before and during his presidency Lee Myung-bak accepted $5.4 million in bribes from Samsung, South Korea’s largest conglomerate.

In exchange, Lee granted a presidential pardon to Lee Kun-hee, Samsung’s chairman, who had been convicted of embezzlement and tax evasion. The conviction had forced Lee Kun-hee to resign from Samsung in 2008; he returned to work at the company shortly after receiving the presidential pardon.

The court also found that former president Lee disguised his ownership of a lucrative auto-parts maker under the names of his relatives, and embezzled 24 billion Korean won from the company, according to The New York Times. Samsung later offered to pay legal fees for a court case involving the auto-parts company.

Lee did not appear in court on Friday, and has previously denied the charges. “During the hearings, he shifted the blame to his aides, accusing them of committing the crimes for their own profit and conspiring against him,” Judge Chung said on Friday, according to the Times.

South Korea became a democracy in the 1980s, but corruption continues to taint elected leaders’ ties to business leaders.

In 2013, Lee was succeeded as president of South Korea by Park Geun-Hye, who was impeached and ousted on charges of corruption and abuse of power. Park was later sentenced to 25 years in prison for those crimes. In February, an appeals court convicted the son of Samsung chairman Lee Kun-hee of bribing Park.

Two other former South Korean presidents, Chun Doo-hwan and Roh Tae-woo, were convicted of corruption and separate offenses in 1997; they were both later pardoned.

South Korea’s current president, Moon Jae-In, has promised to root out corruption in the government. He won an election to replace Park in May of last year.

via NPR Topics: News https://ift.tt/2m0CM10

October 5, 2018 at 02:38PM