Read.  Learn.  Share.  

Tech Talk Show Notes 

April 11, 2021

DHS Preparing to Use Private Contractors to “Scour Public Data and Social Media” To Compile Dissident Citizens for Watch List and No Fly Lists

The U.S. Department of Homeland Security is now getting ready to hire public companies, individual contractors outside government, to scour public data and social media in order to provide information for the new “domestic terror watch lists.”  From the description it appears DHS is going to pay “big tech” (Google, Facebook, YouTube, Instagram, SnapChat, Twitter, etc.), via contracts, to hire and organize internal monitoring teams to assist the government by sending information on citizens they deem “dangerous.”

Gee, what could possibly go wrong with this?…

NBC is reporting on these new developments as the U.S. intelligence apparatus is preparing to go live with the assembly of lists of Americans who “could be” potential threats to the government, and need to be watched.

However, even NBC is beginning to realize the consequences: “DHS planning to expand relationships with companies that scour public data for intelligence and to better harness the vast trove of data it already collects on Americans. The department is also contemplating changes to its terrorist watch listing process.”


Feds say hackers are likely exploiting critical Fortinet VPN vulnerabilities

The FBI and the Cybersecurity and Infrastructure Security Agency said that advanced hackers are likely exploiting critical vulnerabilities in the Fortinet FortiOS VPN in an attempt to plant a beachhead to breach medium and large-sized businesses in later attacks.

“APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services,” the agencies said Friday in a joint advisory. “Gaining initial access pre-positions the APT actors to conduct future attacks.” APT is short for advanced persistent threat, a term used to describe well-organized and well-funded hacking groups, many backed by nation states.

Fortinet FortiOS SSL VPNs are used mainly in border firewalls, which cordon off sensitive internal networks from the public Internet. Two of the three already-patched vulnerabilities listed in the advisory—CVE-2018-13379 and CVE-2020-12812—are particularly severe because they make it possible for unauthenticated hackers to steal credentials and connect to VPNs that have yet to be updated.


Mark Zuckerberg’s cell phone number is among leaked personal data from 533 MILLION Facebook users including two other founders that has been released for FREE by hackers

Facebook CEO Mark Zuckerberg’s cell phone number is among the leaked personal data from 533 million users of the site posted online by hackers.

Zuckerberg’s name, location and marriage information, date of birth and Facebook user ID were among the trove of stolen personal data published on a hacker forum on Saturday, cyber researcher Dave Walker confirmed. 

Facebook co-founders Chris Hughes and Dustin Moskovitz also had similar personal details included in the leaked data.

A Facebook spokesman said in a statement: ‘This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.’

The database appears to be the same set of numbers circulating in hacker circles at least since January, according to Alon Gal, co-founder of Israeli cybercrime intelligence firm Hudson Rock.

That data had been sold and resold among cybercriminals for some time, but Saturday’s leak on the hacker forum now makes it available essentially for free.


How scammers siphoned $36B in fraudulent unemployment payments from US

In a Zoom session with the camera turned off, Mayowa describes how he scoops up U.S. unemployment benefits fattened by COVID-19 relief, an international imposter attack that has contributed to at least $36 billion being siphoned away from out-of-work Americans. 

Mayowa is an engineering student in Nigeria who estimates he’s made about $50,000 since the pandemic began. After compiling a list of real people, he turns to databases of hacked information that charge $2 in cryptocurrency to link that name to a date of birth and Social Security number. 

In most states that information is all it takes to file for unemployment. Even when state applications require additional verification, a little more money spent on sites such as FamilyTreeNow and TruthFinder provides answers – your mother’s maiden name, where you were born, your high school mascot. Mayowa said he is successful about one in six times he files a claim. 

“Once we have that information, it’s over,” Mayowa said. “It’s easy money.” 

Mayowa agreed to take USA TODAY inside the fraud in an interview arranged by security firm Agari, using only his first name to hide his identity. The security company gives him another source of cash: It pays him in Bitcoin to provide information about active scams.


Fender bender in Arizona illustrates Waymo’s commercialization challenge

A police report obtained by the Phoenix New Times this week reveals a minor Waymo-related crash that occurred last October but hadn’t been publicly reported until now.

Overall, Waymo has a strong safety record. Waymo has racked up more than 20 million testing miles in Arizona, California, and other states. This is far more than any human being will drive in a lifetime. Waymo’s vehicles have been involved in a relatively small number of crashes. These crashes have been overwhelmingly minor with no fatalities and few if any serious injuries. Waymo says that a large majority of those crashes have been the fault of the other driver. So it’s very possible that Waymo’s self-driving software is significantly safer than a human driver.

At the same time, Waymo isn’t acting like a company with a multi-year head start on potentially world-changing technology. Three years ago, Waymo announced plans to buy “up to” 20,000 electric Jaguars and 62,000 Pacifica minivans for its self-driving fleet. The company hasn’t recently released numbers on its fleet size, but it’s safe to say that the company is nowhere near hitting those numbers. The service territory for the Waymo One taxi service in suburban Phoenix hasn’t expanded much since it launched two years ago.

Waymo hasn’t addressed the slow pace of expansion, but incidents like last October’s fender-bender might help explain it.


New wave of App Store rejections suggests iOS 14.5, new iPad may be imminent

Apple has begun rejecting app submissions that do not follow its updated privacy policies regarding device fingerprinting and user tracking, according to a report in Forbes. This move strongly suggests that the release of iOS 14.5—and possibly new hardware products—is imminent.

This message to developers makes it clear that affected apps are in violation because they use a technique that seeks to track the user without consent (device fingerprinting). A few months ago, Apple announced plans to implement “App Tracking Transparency,” which would require apps to request user opt-in to track them using IDFAs, a common tracking tool that is vital for many targeted advertising techniques. This change drew the ire of Facebook and other companies who rely on that type of tracking to maximize advertising revenue. But it’s also clear that App Tracking Transparency means that apps that seek to nonconsensually track users by any means, IDFA or otherwise, are going to face rejection. Device fingerprinting has often been used as an alternative to IDFA when users or platforms prevent the use of the latter.

Mobile marketing analyst Eric Seufert told Forbes that many thousands of apps might be rejected because, for at least some, the violation appears to be caused by an SDK from mobile analytics company Adjust; the company claims the SDK is used in more than 50,000 apps. Adjust has updated the SDK to remove at least some of the violating functionality, but not all developers are using the latest version.


What we’re expecting from Google’s custom “Whitechapel” SoC in the Pixel 6

It sounds like this custom Google SoC-powered Pixel is really going to happen. Echoing reports from about a year ago, 9to5Google is reporting that the Pixel 6 is expected to ship with Google’s custom “Whitechapel” SoC instead of a Qualcomm Snapdragon chip.

The report says “Google refers to this chip as ‘GS101,’ with ‘GS’ potentially being short for ‘Google Silicon.’” It also notes that the chip will be shared across the two Google phones that are currently in development, the Pixel 6 and something like a “Pixel 5a 5G.” 9to5 says it has viewed documentation that points to Samsung’s SLSI division (Team Exynos) being involved, which lines up with the earlier report from Axios saying the chip is “designed in cooperation with Samsung” and should be built on Samsung’s 5nm foundry lines. 9to5Google says the chip “will have some commonalities with Samsung Exynos, including software components.”

The Pixel 6 should be out sometime in Q4 2021, and Pixel phones always heavily, heavily leak before they launch. So I’m sure we’ll see more of this thing soon.


NFTs Weren’t Supposed to End Like This

The only thing we’d wanted to do was ensure that artists could make some money and have control over their work. Back in May 2014, I was paired up with the artist Kevin McCoy at Seven on Seven, an annual event in New York City designed to spark new ideas by connecting technologists and artists. I wasn’t sure which one I was supposed to be; McCoy and his wife, Jennifer, were already renowned for their collaborative digital art, and he was better at coding than I was.

At the time, I was working as a consultant to auction houses and media companies—a role that had me obsessively thinking about the provenance, ownership, distribution, and control of artworks. Seven on Seven was modeled after tech-industry hackathons, in which people stay up all night to create a working prototype that they then show to an audience. This was around the peak of Tumblr culture, when a raucous, wildly inspiring community of millions of artists and fans was sharing images and videos completely devoid of attribution, compensation, or context. As it turned out, some of the McCoys’ works were among those being widely “reblogged” by Tumblr users. And Kevin had been thinking a lot about the potential of the then-nascent blockchain—essentially an indelible ledger of digital transactions—to offer artists a way to support and protect their creations.