Crypto woes and big data boos

Thoughts on crypto, mass surveillance, and data scraping. Plus: Uber, Theranos, Indian Mercenaries, DMSA, puppies, and more!

This week's spotlight: Crypto woes

Don't get fooled by your disdain for "crypto bros". I strongly believe that fundamentally, there is something to crypto and web3 beyond the Twitter handle emoji deluge!

The last 18 months or so saw stupendous speculation in crypto "investments", likely aided by covid stimulus payments (and people unable to spend them during lockdowns). Once the "Ponzi-like" growth decelerated, the crash was inevitable. The most glaring illustration of that crash comes from the crypto exchange Coinbase, which suddenly cut 18% of its workforce, or 1,200 people, despite hiring pretty much exactly that number of individuals in the past year.

But crypto is having a bad day all over the place:

  • Facebook (sorry, Meta) quietly dropped the last remnants of its mega-flop cryptocurrency Diem, né Libra: a centralized currency built on technology (and ideology) that revolves around decentralization. Who would have guessed?
  • OpenSea, a large NFT marketplace, was hit by an insider threat. The malicious individual worked for its e-mail vendor (yup, another third-party attack! I chose my specialty well, I guess) and downloaded a full list of customers for prospecting purposes.
  • Meanwhile, attackers are spreading malicious npm packages carrying crypto-miners across code repositories in "typo-squatting" attacks. npm is a popular platform for sharing "software libraries" (basically: a bunch of coded functions that do one specific thing very well). The idea is to publish a package whose name is one typo away from a popular one, trick developers of any application into linking their code with it, and thereby gain access to the application's users' computing power to mine your currency.

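As an added illustration of the typo-squatting pattern described above (my example code, not from the newsletter, npm or any project it mentions): a defender-side check that flags dependency names in a package.json sitting one edit away from a well-known package. The popular-package list and the manifest are constructed stand-ins; a real run would use the registry's download rankings.

```python
import json

# Constructed stand-in for the registry's most-downloaded package names.
POPULAR = {"lodash", "express", "react", "chalk", "commander", "moment",
           "axios", "debug", "minimist", "cross-env"}

# Constructed manifest: two genuine deps, three look-alikes, one scoped package.
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {"lodash": "^4.17.21", "lodahs": "1.0.0", "cross_env": "7.0.0"},
  "devDependencies": {"expres": "4.18.0", "@types/react": "18.0.0"}
}"""


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each costs 1 (swaps catch 'lodahs')."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def normalize(name: str) -> str:
    """Lower-case and drop separators so 'cross_env' compares as 'crossenv'.
    The @scope/ prefix is kept: '@types/react' is not a look-alike of 'react'."""
    return name.lower().replace("-", "").replace("_", "").replace(".", "")


def suspicious_dependencies(package_json: str, popular=POPULAR, max_dist=1):
    """Map each dependency that is not itself a popular package but sits
    within max_dist edits of one to the popular name it resembles."""
    manifest = json.loads(package_json)
    deps = {**manifest.get("dependencies", {}),
            **manifest.get("devDependencies", {})}
    popular_norm = {normalize(p): p for p in popular}
    hits = {}
    for dep in deps:
        if dep in popular:
            continue  # exact match of a well-known package: nothing to flag
        n = normalize(dep)
        closest = min(popular_norm, key=lambda pn: edit_distance(n, pn))
        if edit_distance(n, closest) <= max_dist:
            hits[dep] = popular_norm[closest]
    return hits
```

Short names produce false positives at distance 1, so in practice a check like this raises a review prompt in CI rather than blocking the install outright.
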
I still believe crypto and web3 have a huge upside for gaming, entertainment, tourism & hospitality, content creation, art, culture, law, notaries, registers, cartography, and everything requiring smart contracts. NFTs give the internet two extremely desirable features: scarcity and social prestige. In the end, the speculation bubble bursting means we are progressing on the hype cycle.

[Photo by Santiago Pazos Bordon / Unsplash]

Pictured: not that type of hype cycle

Second spotlight: Government data collection

A trio of interesting news around the challenges of using big data and AI for mass surveillance.

AI predictive crime model leads to bias

A recent study in Nature, using a predictive machine learning model trained on crime data from the city of Chicago, was able to demonstrate that crime spikes in wealthy neighbourhoods correlate with increased arrests, while similar rises in lower-income areas do not. In plain English: police would rush to help the rich, and the poor were not so lucky.

My take: Goodhart's law is my favourite adage: "When a measure becomes a target, it ceases to be a good measure". If policing authorities want to reward their officers based on the number of arrests they make, the predictive algorithms will learn where the good spots for arrests are. For example, the algorithm will get better at evaluating spikes in property crime in wealthy areas than in lower-income areas. This could lead to ridiculous situations where the AI becomes optimized to target increases in Pokemon card theft because they lead to easy arrests. Wait, don't tell that to my kids, they'll want that AI!

Your watch is watching you!

I know it was an easy pun. Bear with me, I have four kids and I'm writing this between two cycles of the bedtime routine. A new version of the Apple Watch intends to detect whether its wearer has a fever. Good luck on Saturday Nights.

My take: I am uncomfortable with the fever monitoring feature due to covid restrictions. What if health authorities compel Apple to share the data in order to quarantine feverish individuals away from their families forcibly? I am not even describing a nightmare scenario; countries such as South Korea used mobile GPS, CCTV footage, and credit card records to impose self-quarantine. Hopefully, the feature is opt-in and Apple is transparent about its obligations regarding government requests to access user data.

[Photo: crowds converging on Windsor to celebrate the Royal Wedding of Prince Harry and Meghan Markle. Photo by King's Church International / Unsplash]

Every step you take. I'll be watching you.

Shanghai Police Database Leak

Speaking of draconian covid restrictions, the city of Shanghai is still under the spotlight due to a massive data leak covering over 1 billion citizens. This would be the biggest personal information breach in history! Rumours are that a developer leaked credentials for the database while writing a tech blog post.

My take: Based on the NYT article about China's surveillance state and its possible willingness to share its methods with other countries, I am terrified by the idea of rogue organizations gaining unauthorized access to such massive amounts of data. A compromised password can be rotated; biometrics, not so much.

What do we have? Big data and AI reinforcing policing bias, wearable IoT devices collecting your health information in the middle of a pandemic response that sparked massive limits on our civil rights, and finally all that data used by authorities being one gaffe away from being set as public in a cloud database. That was depressing. Here's a picture of a cute puppy to make you feel fuzzy:

[Photo: "Lionheart", by hannah grace / Unsplash]

Uber Files

The Guardian provides a thorough investigation of Uber's unethical lobbying practices and what appear to be attempts by senior management to bully its way to legitimacy. I will add that, based on the website Terms of Service; Didn't Read, Uber still has one of the worst privacy policies out there, if not the worst:

[Photo: a young girl giving a disapproving thumbs down. Photo by Thomas Park / Unsplash]

Boo-ber

Former Theranos COO Sunny Balwani Found Guilty of Fraud

Cloudy days ahead for the former associate of Elizabeth Holmes, herself found guilty of defrauding investors earlier this year. Balwani's defence, from my non-expert point of view, was rather foolish: "I was an investor and executive, yet it was like I wasn't there!"

Indian Mercenary Hackers hunt lawyers' inboxes

A pretty thorough article from Reuters about hacking groups from the firm BellTroX being used to fabricate false documents and to dig up dirt on opposing parties during lawsuits. In a sense, this is the "consumer" version of the Pegasus attacks (more on that below). Instead of fancy zero-day exploits built from hundreds of hours of research and development, the wrongdoers use good old strength in numbers, attempting dozens of "cheap" hacks until they gain unauthorized access to an e-mail account.

[Photo by Sander Sammy / Unsplash]

No word on whether the "private investigators" wore cool fedoras to carry out their attacks

European Union Adopts the Digital Markets and Services Act

The biggest changes seem to target Apple by forcing the company to open up its devices to third-party payment processors and third-party app stores. That, and Microsoft may finally drop its insistent Edge promotion.

At the end of the day, I think Apple keeping 30% of any transaction costs happening on the App Store is too much. What Epic Games could not do, the Court will end up doing. Guess Apple is acting spoiled. (More)

PCI DSS 4.0 Released

PCI DSS is a standard of technical requirements to protect credit card data. The new version will continue to give headaches to compliance officers, now with extra firewall terminology. (More)

Quick hits

"Copy That, Rodger!"

All internet services provided by Rogers Communications were down for more than 15 hours. My favourite cybersecurity company, Cloudflare, provides an amazing technical breakdown of what happened. The failure appears to stem from mishandling of the Border Gateway Protocol (BGP), which is insecure by default and was built in an era when it was expected that there would be one computer for every city.

Reactions online focus on telecommunications oligarchy in Canada. I believe the root cause is BGP being "FUBAR" and I wonder if blockchain technology, which is decentralized, could help here. I also see blockchain as a saving grace for DNS, for the record.

AI GPT-3 reads code!

Programmer Simon Willison demonstrates GPT-3's accuracy in explaining code in plain language. While the translation seems mesmerizing, Willison also demonstrates the limitations of GPT-3: the algorithm is incapable of providing insights into the code, such as possible optimizations.

So GPT-3 excels at saying things that sound smart without having much substance behind them. I think it has a great future in politics.

Microsoft rolls back decision to block Office macros by default

Office macros are one of the preferred methods for delivering ransomware via e-mail phishing. While providing a "secure-by-default" solution should be Microsoft's priority, I believe the change was halted due to the massive use of Excel with embedded code in critical business applications (More).

I am hopeful the current generation of cloud-based "super spreadsheets" will diminish our reliance on Excel and traditional on-prem file & print servers to store critical information. But old habits die hard.

[Photo: "Camouflage", by Atharva Tulsi / Unsplash]

Pictured: Old rabbit dying hard.

Marriott suffers 4th data breach since 2014

A Marriott employee was tricked into revealing guest information, including credit card data. Marriott's official response was quite dismissive, arguing that "the threat actor did not gain access to Marriott’s core network" and accessed "non-sensitive internal business files". (More)

Speaking of spreadsheets and old rabbits! From an outsider's perspective, I believe Marriott's troubles are likely caused by dysfunctional data management at scale, which probably means numerous copies of personal information being stored in multiple places, many of which are not secured. I think for the foreseeable future the chain should be nicknamed "Marri-cold".

Apple Introduces "Lockdown mode" to prevent spyware

The story of the Pegasus malware comes straight from a Hollywood film. In reaction to the prevalence of highly funded cyber-espionage organizations attempting to break the iPhone's security to target political activists, Apple launched a new feature that basically disables any unused service in order to reduce the phone's attack surface.

Everything in technology comes full circle, like fashion. A locked-down iPhone will look like this:

[Photo: a flip phone, by Alexander Andrews / Unsplash]

Pulling One on HackerOne

A malicious insider at HackerOne, a bug bounty platform, abused their privileges to submit bugs found by other researchers in order to gain bounties for the same issue on other platforms.

All I want to know is whether the plagiarist attempted to gain bounties for missing SPF records or weak TLS ciphers.

This week's rant: data scraping is evil

  • Meta sues a site cloner who allegedly scraped over 350,000 Instagram profiles
  • Meta is taking legal action against two prolific data scrapers

What is Data Scraping?

Data scraping consists of using automated bots to gather data from publicly accessible sources such as Facebook, LinkedIn, Venmo, GitHub, etc. Data scraping can afterwards be used for "data mining" purposes: finding new correlations between people and subjects, which can afterwards become commercialized. To us infosec nerds, such scraping is associated with "reconnaissance" and "Open-source intelligence" (OSINT). Hackers use these techniques to find easy targets for social engineering attacks!

The story linked above discusses Meta suing a company named "Octopus" that offers "data scraping as a service". The controversy follows a high-profile lawsuit involving data scrapers and LinkedIn, in which the court of appeal ruled that scraping public, non-copyrighted content was not a violation of the antiquated Computer Fraud and Abuse Act (CFAA).

Why is this a problem?

Everybody can use automated applications to gather everything you post publicly and correlate it to fit a business need such as, obviously, advertising or, in the case of LinkedIn, recruitment.

For me, these practices are a problem because of expectations.

I remember early Facebook. People were warning about Facebook "owning" anything you upload to their website. A few years later, people were warning about Facebook using your likes to deliver personalized ads. We were freaked out! How come Facebook knows I am expecting a child? Another few years later, it was revealed Facebook was showing you ads based on all your online activity. Then Cambridge Analytica came and Facebook finally became a super-villain.

All these stories have a backdrop of Privacy Policies that require more literacy to understand than James Joyce's prose.

My point is this: the average reasonable person has no clue right now to what extent everything they do online is being harvested for purposes unknown, by unknown machine learning algorithms. Scraping can lead to either "innocent" outcomes such as showing ads, or as problematic as recommending somebody for a job or college! Coming back to the Cambridge Analytica scandal: political ads were shown to people based on their inferred personality types; data scraping enabled psychological manipulation.

We are struggling to hold Meta, ByteDance, Microsoft, Google, and Amazon to transparency. Decentralized data scraping enables thousands of small companies to abuse public information, with users having no opportunity for informed consent. On the other hand, Meta and LinkedIn are fighting data scrapers because they see the content published by users of their platforms as their property. Preventing third parties from leveraging such content indeed hurts potential competition against these giants. As with everything, there is no simple solution: only trade-offs.

Anyway, now that I have chosen to create public content, I will be able to keep you posted on the consequences of such data scraping.

What should we do?

We have no choice but to keep educating. Data scraping will not be stopped, but people must know what is going on so they can make decisions. That's the whole point of my newsletter, after all.