Apple, Microsoft: We Have No Govt Email Scanning Program Like Yahoo’s

Yahoo, as detailed in an explosive new report, does precisely that. According to Reuters, in 2015, the company built, at the U.S. government’s request, software that scans literally all emails for certain information provided by either the National Security Agency or the FBI. It’s not clear how often it was used, or why this seems to have gone unnoticed in Yahoo’s biannual transparency report. In the latter half of 2015, the company received 4,460 total government data requests, for 9,373 accounts, that it would classify as “Government Data Requests,” a category that includes National Security Letters from the FBI and Foreign Intelligence Surveillance Act requests.

Source: Apple, Microsoft: We Have No Govt Email Scanning Program Like Yahoo’s – Vocativ

Apple, MS and Google are claiming they don’t have a similar program, but it could very well be that they just don’t know they have such a program.

Source code unleashed for junk-blasting Internet of Things botnet

Malicious code used to press-gang IoT connected devices into a botnet was leaked online over the weekend. The Mirai malware is a DDoS Trojan and targets Linux systems and, in particular, IoT devices. A botnet formed using the malware was used to blast junk traffic at the website of security researcher Brian Krebs last month in one of the largest such attacks ever recorded. The powerful zombie network that spawned a 620Gbps DDoS was created by relying on factory default or hard-coded usernames and passwords to compromise embedded devices. The availability of the Mirai source code makes it much easier for other hackers to take advantage of insecure routers, IP cameras, digital video recorders and other IoT devices to launch similar attacks. Security blogger Hacker Fantastic, who has put together an informative early analysis of the malware, summed up the feelings of several security researchers who have looked at the code. “If all it took to create biggest recorded DDoS attack in history was a telnet scanner and 36 weak credentials the net has a huge IoT problem,” he said on Twitter.

Source: Source code unleashed for junk-blasting Internet of Things botnet • The Register

Find the code here

Encryption app Signal wins fight against FBI subpoena and gag order

Signal has resisted an FBI subpoena and gag order that demanded a wide range of information on two users resulting from a federal grand jury investigation in Virginia.

The makers of Signal, Open Whisper Systems, profoundly disappointed law enforcement. The app collects as little data as possible and therefore was unable to hand anything useful over to agents.

“The Signal service was designed to minimize the data we retain,” Moxie Marlinspike, the founder of Open Whisper Systems, told the New York Times.
The subpoena came with a yearlong gag order that was successfully challenged by the American Civil Liberties Union.

Such gag orders have been used against tech giants including Microsoft. Critics argue they violate the targets’ rights.

Signal’s creators challenged the gag order as unconstitutional, “because it is not narrowly tailored to a compelling government interest.” The challenge was successful.

Source: Encryption app Signal wins fight against FBI subpoena and gag order

Nice to see the good guys win for a change!

Apple Logs Your iMessage Contacts — and May Share Them With Police

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

This log also includes the date and time when you entered a number, along with your IP address — which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “trap and trace devices,” orders that are not particularly onerous to obtain, requiring only that government lawyers represent they are “likely” to obtain information whose “use is relevant to an ongoing criminal investigation.” Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.

Source: Apple Logs Your iMessage Contacts — and May Share Them With Police

Exchange down for Android and iOS users

Microsoft Exchange mobile users on Android and iOS have been unable to access the service on their mobile devices due to a planned shift away from its Exchange Active Sync (EAS) protocol.

The issue first appeared yesterday and is still affecting users.

One customer got in touch to say: “Exchange Mobile device access seems to be up the Swanny for iOS and Android users.” They quipped: “Fortunately neither of the Windows Mobile users are affected.”

Source: Exchange down for Android and iOS users

Oh dear! The wonders of the cloud 🙂

Microsoft deletes Windows 10 nagware from Windows 7 and 8

“This update removes the Get Windows 10 app and other software related to the Windows 10 free upgrade offer that expired on July 29, 2016,” Microsoft’s article says, advising that no action other than a restart will be required to do the deed.

Source: Microsoft deletes Windows 10 nagware from Windows 7 and 8

Phew! I can start just updating my Windows again now, without worrying about it suddenly becoming spyware for MS.

Some Lenovo PCs can’t run Linux

Linux users are worried that some of Lenovo’s PCs, such as variants of the Yoga 710 and Yoga 900, aren’t allowing them to install their preferred operating system. They note that the systems’ solid-state drives use a RAID mode that Linux doesn’t understand. That’s unpleasant enough, but Lenovo’s initial handling of complaints didn’t help. Its staff locked support forum threads discussing the topic, and a Lenovo Product Expert on Best Buy claims that a Yoga 900’s use of a pure, Signature Edition take on Windows 10 Home meant that it was “locked per our agreement with Microsoft.” If that was true, it’d be pretty damning — it’d suggest that at least some Signature Edition systems are purposefully set up to exclude non-Windows platforms.

Source: Some Lenovo PCs can’t run Linux (update: Microsoft response)

Ouch Lenovo!

Ubuntu Torrent Removed from Google for ‘Infringing’ Transformers Movie – OMG! Ubuntu!

Cited in a DMCA takedown request filed against Google on behalf of Paramount Pictures, and spotted by TorrentFreak (and tipped to us by reader ~nonanonymous) is an innocuous link to a 32-bit alternate install image Ubuntu 12.04.2 LTS.

The takedown request seeks to remove links to a number of torrent URLS that are alleged to infringe on Paramount movie ‘Transformers: Age of Extinction‘.

Ubuntu clearly doesn’t. All it takes is a quick glance at the URL in question to see that. It’s very much a stock iso of an old Ubuntu release.

And yet Google has complied with the request and scrubbed the link to the page in question from its search index.

Source: Ubuntu Torrent Removed from Google for ‘Infringing’ Transformers Movie – OMG! Ubuntu!

The writers of this article don’t blame Google for this, citing the amounts of DMCA takedowns Google has to cope with, but Google did manage to not take down Warner Brothers automated DMCA

Google’s become an obsessive stalker and you can’t get a restraining order

The FCC has been formally regulating behavioural advertising since the 1990s. You’d think they’d be all over Google and Facebook, then, right? Actually, no. The FCC is now run by a former Obama fund-raiser, Tom Wheeler, and it can’t do enough for Silicon Valley, whether it’s collectivising songwriters rights or disaggregating TV.

What the FCC did this year, with little fanfare, was cripple telecoms companies and wireless networks from doing what Google and Facebook do. That’s a very odd decision. If behavioural advertising is so bad consumers need an opt-out, how come you can opt out of your ISP’s profiling, but not Google’s. How could that be?

Don’t count on “digital rights” groups to help you, dear citizen, when we discover that Google is funding them. Privacy lawsuits became cosy backroom carve-ups, with privacy NGOs greedy to pocket Google’s cash. Marc Rotenberg at EPIC is one of very few exceptions: they object to the conflict of interests raised by the cy pres settlements, that saw “digital rights” groups raise a privacy class action only to settle. Money laundering might be a better description.

Source: Google’s become an obsessive stalker and you can’t get a restraining order

Oddly enough, I had Google Maps ask me to take pictures of the restaurant I was in as a notification yesterday. That kind of freaked me out, as I wasn’t running maps at the time!

Users have reported battery life issues with the latest Android build, with many pointing the finger at Google Play – Google’s app store – and its persistent, almost obsessive need to check where you are.

Amid complaints that Google Play is always switching on GPS, it appears Google has made it impossible to prevent the app store from tracking your whereabouts unless you completely kill off location tracking for all applications.

You can try to deny Google Play access to your handheld’s location by opening the Settings app and digging through Apps -> Google Play Store -> Permissions, and flipping the switch for “location.” But you’ll be told you can’t just shut out Google Play services: you have to switch off location services for all apps if you want to block the store from knowing your whereabouts. It’s all or nothing, which isn’t particularly nice.

This is because Google Play services pass on your location to installed apps via an API. The store also sends your whereabouts to Google to process. Google doesn’t want you to turn this off.

It also encourages applications to become dependent on Google’s closed-source Play services, rather than use the interfaces in the open-source Android, thus ensuring that people continue to run Google Play on their devices.

Source: Delete Google Maps? Go ahead, says Google, we’ll still track you

NL Gov gets rid of medical confidentiality

NO, there is no opt out! The Dutch government has passed a law allowing insurance companies to access medical files with a “suspicion of fraud” (whatever that is) and only have to tell the person whose privacy has been infringed three months later.

Medical privacy is one of the last untouchable bastions of privacy, I would have thought, but no, it’s been smashed. Fuckheads.

Source: De Tweede Kamer heeft het medisch beroepsgeheim gisteren stilletjes afgeschaft

UK Gov is open about how much it spied on its citizens

145 public authorities acquired data in 2015, and most of these requests came from the UK’s police forces and law enforcement agencies. Law enforcement officers acquired 93.7 per cent of all data requested by public authorities in 2015. Only 5.7 per cent of data was acquired by the intelligence agencies, and a mere 0.6 by public authorities such as the Financial Conduct Authority, which have the statutory ability to investigate criminal offences.

0.1 per cent of requests came from local authorities such as councils.

1,199 errors

IOCCO conducted 72 inspections in 2015, looking at approximately 15,000 randomly selected applications for communications data in detail, with a further 117,000 applications being subjected to query-based examinations; IOCCO has an internally-developed query method on the records of applications to allow the office to “identify trends, patterns and compliance issues across large volumes of applications.”
[…]
A whopping 1,199 errors were reported in 2015, a 20 per cent increase year-on-year. IOCCO reported:

The main causes for the overall rise are a larger number of incorrect identifiers being submitted by applicants on their applications or, both applications and [Single Points of Contact] acquiring data over the incorrect date or time period. Once again we highlight that a significant number of these errors relate to Internet Protocol addresses being incorrectly resolved to subscribers, which can have serious consequences.

23 of these errors were considered “serious” in 2015; nine of them caused by technical system errors and 14 were attributed to human error. The nine technical system errors resulted in “multiple consequences and a large number of erroneous disclosures (2036)” while the human errors were not dissimilar to those reported by IOCCO last year, in which a typo led to a police force raiding the wrong house.

There were 17 search warrants executed at the wrong premises in 2015, which resulted in 13 arrests, although IOCCO did not give any more details on the circumstances of those. Six of those serious consequences involved people unconnected to the investigations being “visited” by police, and on seven occasions—as happened last year—welfare checks on vulnerable people, including children, were delayed.

Joanna Cavan, the head of IOCCO who has just a few weeks left at the oversight body before joining GCHQ’s tech help desk, informed The Register that the most frequent error was caused by transposing the days and months when accommodating the American format of presenting the time.
[…]
Back in February last year IOCCO published an inquiry report [PDF] into police forces acquiring journalists’ communications data to identify and determine journalistic sources. […] IOCCO discovered it had been breached during four investigations, and in one case the commissioner, Sir Stanley Burton, determined that the conduct was serious and reckless.

Source: Brit spies and chums slurped 750k+ bits of info on you last year

Warner Brothers reports own site as illegal

Film studio Warner Brothers has asked Google to remove its own website from search results, saying it violates copyright laws.

It also asked the search giant to remove links to legitimate movie streaming websites run by Amazon and Sky, as well as the film database IMDB.

The request was submitted on behalf of Warner Brothers by Vobile, a company that files hundreds of thousands of takedown requests every month.

Source: Warner Brothers reports own site as illegal – BBC News

Google decided to not enforce the DMCA takedown. Which is strange: why should large companies be exempt from DMCA and get a proper hearing, whilst smaller companies just get taken down without any proper judgement?

How to opt out of WhatsApp sharing your information with Facebook

Since Facebook owns WhatsApp, it’s finally time for the purchase to pay off. Facebook now wants your WhatsApp data, including your phone number. Here’s how to opt out.

Source: How to opt out of WhatsApp sharing your information with Facebook

You have 30 days.

Why is this a problem, what have they done? What do we not know? Does it matter? Read here

Find Out How Facebook Thinks You Think With This Setting

To get started, head to facebook.com/ads/preferences. Here, you’ll find a large collection of “interests” Facebook thinks you have, sorted into categories. Click on “Lifestyle and Culture” to find, among other things, where you land politically. If you haven’t explicitly Liked the Facebook page of a particular politician, Facebook will guess and place that guess here.

The entire ad preferences page is a fascinating look into how Facebook analyzes and categorizes its users. If you don’t want a particular topic influencing the ads you see, you can remove it here. Obviously, you can’t turn it off entirely, but you can tweak it.

Source: Find Out How Facebook Thinks You Lean Politically With This Setting

All of the Creepy Things Facebook Knows About You

Facebook knows more about your personal life than you probably realize. As part of the company’s increasingly aggressive advertising operation, Facebook goes to great lengths to track you across the web. The company compiles a list of personal details about every user that includes major life events and general interests. For years, details have been murky about how exactly the social network targets ads—but the company has finally given us a glimpse into how the secret sauce is made.
[…]
As The Washington Post points out, Facebook knows every time you visit a page with a “like” or “share” button. It also gives publishers a tool called Facebook Pixel that allows both parties to track visits from any Facebook user. It also works with companies like Epsilon and Acxiom who gather information from government records, warranties and surveys, and commercial sources (such as magazine subscription lists) to learn more about Facebook users.
[…]
If you’re curious about all the data points Facebook is using to target ads to you, here’s the full list:

    Location
    Age
    Generation
    Gender
    Language
    Education level
    Field of study
    School
    Ethnic affinity
    Income and net worth
    Home ownership and type
    Home value
    Property size
    Square footage of home
    Year home was built
    Household composition
    Users who have an anniversary within 30 days
    Users who are away from family or hometown
    Users who are friends with someone who has an anniversary, is newly married or engaged, recently moved, or has an upcoming birthday
    Users in long-distance relationships
    Users in new relationships
    Users who have new jobs
    Users who are newly engaged
    Users who are newly married
    Users who have recently moved
    Users who have birthdays soon
    Parents
    Expectant parents
    Mothers, divided by “type” (soccer, trendy, etc.)
    Users who are likely to engage in politics
    Conservatives and liberals
    Relationship status
    Employer
    Industry
    Job title
    Office type
    Interests
    Users who own motorcycles
    Users who plan to buy a car (and what kind/brand of car, and how soon)
    Users who bought auto parts or accessories recently
    Users who are likely to need auto parts or services
    Style and brand of car you drive
    Year car was bought
    Age of car
    How much money user is likely to spend on next car
    Where user is likely to buy next car
    How many employees your company has
    Users who own small businesses
    Users who work in management or are executives
    Users who have donated to charity (divided by type)
    Operating system
    Users who play canvas games
    Users who own a gaming console
    Users who have created a Facebook event
    Users who have used Facebook Payments
    Users who have spent more than average on Facebook Payments
    Users who administer a Facebook page
    Users who have recently uploaded photos to Facebook
    Internet browser
    Email service
    Early/late adopters of technology
    Expats (divided by what country they are from originally)
    Users who belong to a credit union, national bank or regional bank
    Users who invest (divided by investment type)
    Number of credit lines
    Users who are active credit card users
    Credit card type
    Users who have a debit card
    Users who carry a balance on their credit card
    Users who listen to the radio
    Preference in TV shows
    Users who use a mobile device (divided by what brand they use)
    Internet connection type
    Users who recently acquired a smartphone or tablet
    Users who access the Internet through a smartphone or tablet
    Users who use coupons
    Types of clothing user’s household buys
    Time of year user’s household shops most
    Users who are “heavy” buyers of beer, wine or spirits
    Users who buy groceries (and what kinds)
    Users who buy beauty products
    Users who buy allergy medications, cough/cold medications, pain relief products, and over-the-counter meds
    Users who spend money on household products
    Users who spend money on products for kids or pets, and what kinds of pets
    Users whose household makes more purchases than is average
    Users who tend to shop online (or off)
    Types of restaurants user eats at
    Kinds of stores user shops at
    Users who are “receptive” to offers from companies offering online auto insurance, higher education or mortgages, and prepaid debit cards/satellite TV
    Length of time user has lived in house
    Users who are likely to move soon
    Users who are interested in the Olympics, fall football, cricket or Ramadan
    Users who travel frequently, for work or pleasure
    Users who commute to work
    Types of vacations user tends to go on
    Users who recently returned from a trip
    Users who recently used a travel app
    Users who participate in a timeshare

Source: All of the Creepy Things Facebook Knows About You

I’d quite like to know the answers Facebook has filled in to my datapoints myself!

Spybot Anti-Beacon for Windows

Anti-Beacon is small, simple to use, and is provided free of charge. It was created to address the privacy concerns of users of Windows 10 who do not wish to have information about their PC usage sent to Microsoft. Simply clicking “Immunize” on the main screen of Anti-Beacon will immediately disable any known tracking features included by Microsoft in the operating system.

Source: Spybot Anti-Beacon for Windows

How the father of the World Wide Web is trying to decentralise it.

Facebook, Google, eBay, and others own vast swaths of Web activity and have unprecedented power over us, inspiring an effort to re-decentralize the Web.[…]
Berners-Lee’s new project, underway at his MIT lab, is called Solid (“social linked data”), a way for you to own your own data while making it available to the applications that you want to be able to use it.

With Solid, you store your data in “pods” (personal online data stores) that are hosted wherever you would like. But Solid isn’t just a storage system: It lets other applications ask for data. If Solid authenticates the apps and — importantly — if you’ve given permission for them to access that data, Solid delivers it.
[…]
The InterPlanetary File System (IPFS) takes a different approach. It starts from the conviction that even having web pages identified by a pointer to the server that stores them is too centralized. Why not instead go the way of BitTorrent and let multiple computers supply parts of a page all at the same time? That way, if a web server goes down, it won’t take all of the pages on it with it. IPFS should make the web more resilient, and less subject to censorship.

Source: How the father of the World Wide Web plans to reclaim it from Facebook and Google

Thailand plans to track non-citizens with their mobile phones

The plan’s not in action yet but has been agreed in principle. It’s hoped the scheme will be up and running in about six months, by which time you’ll only be able to buy trackable SIMs when you visit.

The good news is that if your phone roams, you’ll be exempt. And with roaming plans now catering to travellers there’s a good chance you can bring your phone to Phuket without taking a bath on roaming charges.

Resident aliens will be moved to the trackable SIMs. Many such folk move to Thailand to invest or bring expertise to the nation and are unlikely to be happy that their every move is observed. One small upside is that the nation’s telecoms regulators aren’t entirely sure how to make the tracking work, with cell connection data and GPS both under consideration.

Source: Thailand plans to track non-citizens with their mobile phones

UK copyright extension on designed objects is “direct assault” on 3D printing. Also, how much money was UK gov paid to extend it 70+ years?

A recent extension of UK copyright for industrially manufactured artistic works represents “a direct assault on the 3D printing revolution,” says Pirate Party founder Rick Falkvinge. The UK government last month extended copyright for designs from 25 years to the life of the designer plus 70 years. In practice, this is likely to mean a copyright term of over 100 years for furniture and other designed objects.
[…]
Falkvinge points out a crucial difference between the previous UK protection for designs, which was based on what are called “design rights” plus a short copyright term, and the situation now, which involves design rights and a much-longer copyright term. With design rights, “you’re absolutely and one hundred percent free to make copies of it for your own use with your own tools and materials,” Falkvinge writes. “When something is under copyright, you are not. Therefore, this move is a direct assault on the 3D printing revolution.”
[…]
“Moving furniture design from a [design right] to copyright law means that people can and will indeed be prosecuted for manufacturing their own furniture using their own tools,” Falkvinge claims.

Source: UK copyright extension on designed objects is “direct assault” on 3D printing

So aside from the (possibly) unintended consequences, who thought it would be a good idea to belly up before big business and extend copyright for such unearthly amounts of time? Why should copyright holders be able to stop working once they hold a successful copyright? Why should humanity have to kowtow to the whims of a copyright holder for years on end, when we could be advancing by building on existing designs?

Your battery status is being used to track you online

A little-known web standard that lets site owners tell how much battery life a mobile device has left has been found to enable tracking online, a year after privacy researchers warned that it had the potential to do just that.

The battery status API was introduced in HTML5, the fifth version of the code used to lay out the majority of the web, and had already shipped in Firefox, Opera and Chrome by August 2015. It allows site owners to see the percentage of battery life left in a device, as well as the time it will take to discharge or the time it will take to charge, if connected to a power source.

Intended to allow site owners to serve low-power versions of sites and web apps to users with little battery capacity left, soon after it was introduced, privacy researchers pointed out that it could also be used to spy on users. The combination of battery life as a percentage and battery life in seconds offers 14m combinations, providing a pseudo-unique identifier for each device.
[…]
Now, two security researchers from Princeton University have shown that the battery status indicator really is being used in the wild to track users. By running a specially modified browser, Steve Engelhard and Arvind Narayanan found two tracking scripts that used the API to “fingerprint” a specific device, allowing them to continuously identify it across multiple contexts.

Source: Your battery status is being used to track you online | Technology | The Guardian
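To see why the readings described above single devices out, and how much coarser readings help, here is an added example (not code from the article or from the researchers). It measures anonymity sets over constructed sample readings; the coarsening policy in `coarseKey` is an assumption made for illustration, not a description of any browser's behaviour.

```javascript
// Added example: how identifying are Battery Status API readings?
// READINGS is constructed sample data, one reading per simulated visitor.
// Field names follow the API's BatteryManager object: level is 0..1,
// chargingTime and dischargingTime are estimates in seconds.
const READINGS = [
  { visitor: "v1", level: 0.43, charging: false, chargingTime: Infinity, dischargingTime: 8940 },
  { visitor: "v2", level: 0.43, charging: false, chargingTime: Infinity, dischargingTime: 9120 },
  { visitor: "v3", level: 0.41, charging: false, chargingTime: Infinity, dischargingTime: 8940 },
  { visitor: "v4", level: 0.87, charging: true, chargingTime: 1260, dischargingTime: Infinity },
  { visitor: "v5", level: 0.91, charging: true, chargingTime: 840, dischargingTime: Infinity },
  { visitor: "v6", level: 0.38, charging: false, chargingTime: Infinity, dischargingTime: 7200 },
];

// Key built from the raw values exactly as a page would read them.
function rawKey(r) {
  return [r.level, r.charging, r.chargingTime, r.dischargingTime].join("|");
}

// Hypothetical coarsening policy (assumption): report the level in 10% steps
// and withhold both time estimates.
function coarseKey(r) {
  const bucket = Math.round(r.level * 10) / 10;
  return [bucket, r.charging].join("|");
}

// Group visitors by key. Each group is an anonymity set: the visitors that
// cannot be told apart by this reading alone.
function anonymitySets(readings, keyFn) {
  const sets = new Map();
  for (const r of readings) {
    const key = keyFn(r);
    if (!sets.has(key)) sets.set(key, []);
    sets.get(key).push(r.visitor);
  }
  return sets;
}

// Visitors whose reading nobody else shares, i.e. singled out by it.
function uniquelyIdentified(readings, keyFn) {
  const singled = [];
  for (const members of anonymitySets(readings, keyFn).values()) {
    if (members.length === 1) singled.push(members[0]);
  }
  return singled;
}

// Size of the smallest anonymity set: the worst case for any one visitor.
function smallestSet(readings, keyFn) {
  let min = Infinity;
  for (const members of anonymitySets(readings, keyFn).values()) {
    min = Math.min(min, members.length);
  }
  return min;
}

// Compare raw readings with the coarsened view.
function summary(readings) {
  return {
    rawUnique: uniquelyIdentified(readings, rawKey).length,
    coarseUnique: uniquelyIdentified(readings, coarseKey).length,
    coarseSmallestSet: smallestSet(readings, coarseKey),
  };
}

console.log(summary(READINGS));
```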

Report: Operating Systems Should Actively Block Pirated Downloads – TorrentFreak

While most of the media attention focused on the role of ISPs, there is an even more controversial proposal that has been largely overlooked. According to the report, pirated content should be banned on the operating system level.

“Other players that possess the potential ability to limit piracy are the companies that own the major operating systems which control computers and mobile devices such as Apple, Google and Microsoft,” one of the main conclusions reads.

“The producers of operating systems should be encouraged, or regulated, for example, to block downloads of copyright infringing material,” the report adds.

The report references last year’s Windows 10 controversy, noting that these concerns were great enough for some torrent sites to block users with the new operating system.

Source: Report: Operating Systems Should Actively Block Pirated Downloads – TorrentFreak

Really? Just like cassette and DVD players make decisions on what content to play? Oh wait they don’t. Is this a money making scam, forcing people to pay someone to certify their content or else the OS won’t download it? This is not a decision the OS should be making.