High school hacking 🧑‍🏫 , Cisco security breach 🔓, Meta vs iOS Privacy 🧿

This week's stories: how a teenager hacked his school district 🧑‍🏫, the Cisco security breach 🔓, the latest in Meta vs iOS privacy 🧿, TikTok's emergence ⏱️, + more!

InfoSec, Tech, Privacy Newsletter
Weekly newsletter with unique insights and analysis of relevant stories in infosec 🔒, privacy 🖲️, and tech 💻 with a healthy dose of dad jokes 🧔 and guaranteed puppy pictures 🐕 If you like my writing please subscribe and follow me on Twitter, Facebook and LinkedIn.
Website announcements
📢We have a new Comments section! Members will have the ability to react directly to a post on the website. I hope you enjoy it!
🚀 Check out my review of the project management app Rocketlane. Perfect for professional services consultants but a bit pricey. I had some fun with the theme of "projects gone bad" on TikTok.

🧔Personal News

I've been told my life would make a funny YouTube series. I guess it's worth sharing!

My puppy turned one last week! The past 8 months have been a chaotic ride but I do not regret any of it. My favourite anecdote is when the puppy crashed the Christmas tree to the ground on December 23rd, breaking a bunch of balls in the process. A very close second is when he ate the coaxial internet cable that was placed right between my modem and the cable company's equipment.

I guess it makes my puppy a unique breed of "cord cutter".

🔦This week's spotlight: Infrastructure Giants Cisco, Cloudflare, and Twilio Under Attack

Two network giants published details of security incidents they suffered last week, both showcasing the level of maturity we should expect from them.

Cisco Systems revealed having suffered a data breach that began in May 2022. Attackers were able to gain access to internal systems and threatened to reveal documents if they weren't paid a ransom. Cisco chose to go public with a detailed technical breakdown of the breach.

The attackers first compromised an employee's personal Gmail credentials. After logging into Chrome with the stolen credentials, they were able to collect a corporate password that had been synced to the personal Google Account. To defeat MFA, the attackers simply used the strategy perfected by all our 4-year-olds: bombarding the employee with push prompts in the most obnoxious manner until they gave in.
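The push-prompt bombardment described above leaves a trace that is easy to spot in identity-provider logs: a burst of push prompts to one user in a short window, often ending with an approval. The following is an added example, not Cisco's or any vendor's code, that runs a simple burst detector over constructed sample log lines (timestamp, user, event); the log format and the `threshold`/`window` defaults are assumptions for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from Cisco's report).
# Format assumed for this example: ISO timestamp, username, event name.
SAMPLE_LOG = """\
2022-05-10T02:11:03Z alice push_sent
2022-05-10T02:11:41Z alice push_denied
2022-05-10T02:12:05Z alice push_sent
2022-05-10T02:12:50Z alice push_denied
2022-05-10T02:13:10Z alice push_sent
2022-05-10T02:13:55Z alice push_sent
2022-05-10T02:14:20Z alice push_sent
2022-05-10T02:15:02Z alice push_approved
2022-05-10T09:00:00Z bob push_sent
2022-05-10T09:00:20Z bob push_approved
"""


def parse_events(text):
    """Parse log lines into (timestamp, user, event) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    events.sort()
    return events


def detect_push_fatigue(text, threshold=5, window=timedelta(minutes=10)):
    """Flag users who receive >= threshold push prompts inside `window`.

    A burst is reported once (severity "high"); if the user then approves a
    prompt while the burst is still active, a second "critical" alert is
    raised, because that is the moment the attacker gets in.
    """
    recent = defaultdict(deque)  # user -> push_sent timestamps inside the window
    in_burst = defaultdict(bool)  # user -> True while a burst is active
    alerts = []
    for ts, user, event in parse_events(text):
        q = recent[user]
        # Drop prompts that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold and not in_burst[user]:
                in_burst[user] = True
                alerts.append({"user": user, "at": ts.isoformat(),
                               "pushes": len(q), "severity": "high"})
        elif event == "push_approved" and in_burst[user]:
            alerts.append({"user": user, "at": ts.isoformat(),
                           "pushes": len(q), "severity": "critical"})
            in_burst[user] = False
        if not q:
            in_burst[user] = False
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

On the constructed log, alice triggers a "high" alert at her fifth prompt and a "critical" alert when she finally approves; bob's single prompt-and-approve never crosses the threshold. In production the threshold and window should be tuned against your own baseline of legitimate retries.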

Once they gained access to Cisco's VPN, the hackers relied on well-known Windows administration tools to dump password hashes and edited the registry to maintain access. Most of these steps come straight from known playbooks. They even used the famous hacking utility mimikatz!

Photo by Lily Banse / Unsplash

Pictured: A bad case of mimikatz

What needs to be commended, though, is the Cisco security team's transparency and ability to share its knowledge. A strong security program does not solely focus on not getting breached. It creates a culture of ethics and integrity that persists even after a breach. Here, the team showcased its talent by detailing how it responded: detailed forensics, new antivirus signatures, shared indicators of compromise and malicious IP addresses, and attribution of the attack to likely gangs. I believe such a transparent response is the best way to save your reputation.

But you know what is better than what Cisco did? A detailed technical breakdown of how you did not get breached. Cloudflare, a Cisco competitor in some regards, posted a brilliant blog post on a sophisticated phishing attack they suffered. It is also believed that the same group that targeted Cloudflare was able to breach another competitor, Twilio.

Cloudflare's blog demonstrates how they used their own network security products to stave off the attackers, which is always a good idea (every tech company should be its own "customer zero"). They also point out that three employees fell for the phishing page and were saved by their hard keys, which are cryptographically bound to specific resources. Upon a successful phish, the attackers received a Telegram direct message telling them to get ready to harvest the usual 2FA codes from SMS or an authenticator app. With a hard YubiKey, however, pressing the button sends the signed response directly to the identity provider, and a response produced on the phishing site's origin is instantly detectable as second-factor theft.
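Origin binding is the property that made the difference above: the browser tells the key which site the user is actually on, the key's answer covers that origin, and the real site rejects anything produced elsewhere. The block below is an added example, not Cloudflare's or any FIDO vendor's code, modelling that check in Python's standard library. It uses an HMAC credential secret derived per relying-party ID as a stand-in for the per-credential asymmetric key pair a real authenticator holds, so the relying party here stores the same secret instead of a public key; everything else (the origin carried in the client data, the challenge, the signature over a hash of that client data) follows the WebAuthn shape. The origins and challenge are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os


class Authenticator:
    """Toy hardware key (stand-in for a FIDO2/WebAuthn authenticator).

    Constructed simplification: one credential secret is derived per
    relying-party ID from a master secret; a real key would hold an
    asymmetric key pair per credential and hand out only the public key.
    """

    def __init__(self, master_secret=None):
        self.master = master_secret or os.urandom(32)

    def _cred_key(self, rp_id):
        return hmac.new(self.master, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id):
        # The relying party stores this as the credential's verification key.
        return self._cred_key(rp_id)

    def sign(self, rp_id, client_data):
        # The key signs a hash of the client data the browser assembled; it
        # never sees or trusts anything the web page typed in by itself.
        cd_hash = hashlib.sha256(client_data).digest()
        return hmac.new(self._cred_key(rp_id), cd_hash, hashlib.sha256).digest()


def browser_assert(authenticator, origin, challenge):
    """Browser side: the rp_id comes from the page's real origin, so a
    phishing page cannot ask the key to answer for someone else's site."""
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    return client_data, authenticator.sign(rp_id, client_data)


def rp_verify(expected_origin, expected_challenge, stored_key, client_data, signature):
    """Relying-party side: check origin, challenge, then the signature."""
    data = json.loads(client_data)
    if data.get("origin") != expected_origin:
        return "rejected: origin mismatch"
    if data.get("challenge") != expected_challenge:
        return "rejected: challenge mismatch"
    expected = hmac.new(stored_key, hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "rejected: bad signature"
    return "accepted"


def demo():
    """Legitimate login, a relayed phish, and a forged client_data, in that order."""
    key = Authenticator(b"\x01" * 32)  # fixed master secret for reproducibility
    rp_origin = "https://login.example.com"  # constructed relying party
    stored = key.register("login.example.com")
    challenge = "c0ffee"  # constructed; real challenges are random per login

    # 1. The user is really on the relying party's page.
    cd, sig = browser_assert(key, rp_origin, challenge)
    legit = rp_verify(rp_origin, challenge, stored, cd, sig)

    # 2. A lookalike page proxies the real challenge; the key answers for
    #    the lookalike origin, which the relying party does not accept.
    cd2, sig2 = browser_assert(key, "https://login-example.com", challenge)
    relayed = rp_verify(rp_origin, challenge, stored, cd2, sig2)

    # 3. Even if the proxy rewrites the origin field to look legitimate, the
    #    signature no longer covers that client data (or that rp_id).
    forged_cd = cd2.replace(b"login-example.com", b"login.example.com")
    forged = rp_verify(rp_origin, challenge, stored, forged_cd, sig2)
    return legit, relayed, forged


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The second and third outcomes are the detection signal Cloudflare describes: an assertion that arrives at the identity provider with the wrong origin, or with a signature that does not verify, is a phished second factor, not a user mistake, and can be alerted on immediately.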

The examples here speak for themselves. All three elite companies were attacked by advanced groups using phishing. All three had multi-factor authentication enabled. The only one that did not get breached was using hard keys with origin binding.

If you are a person of influence in your IT department, I think you need to schedule a conversation with your IT leadership about hard keys.

🥑Legal Jam

Changes to the regulatory landscape with regards to technology, privacy, security, and more.

👁️‍🗨️Meta possibly circumventing Apple's Privacy Settings

Meta is using an in-app browser it built itself to track users' activity once they click an ad on Facebook or Instagram. It is widely reported that Apple's App Tracking Transparency technology, which prompts the user with a rather scary message to request consent for cross-site trackers, is expected to cost Meta $10 billion this year alone. Meta, like the all-female dinosaurs in Jurassic Park, uh, found a way. The whole enterprise does seem like a hack to better track ad conversions. While I dislike Apple leveraging "privacy" to build itself an ad business, I think Meta should focus less on getting back to where things were and spin off into entirely new territory. It can afford it. Users have been educated; they know that if they do not pay for a product, they are the product.

🙅‍♀️Meta and Apple Discussed Ad Revenue Sharing for 3 Years

The Verge shares a fascinating story that highlights exactly how the Meta and Apple clash emerged. Apple claimed conversions (i.e. "a person clicking on an ad") were part of its ecosystem and that it should therefore get its usual 30% cut. Facebook held its own and Apple struck back with ATT. This scuffle feels like we're the humans in Godzilla vs King Kong. Except instead of radioactive fireballs we've got... code snippets.

🖐️Amazon Allowing Payment Using Palm Scans

Amazon is now rolling out palm-based payment across its Whole Foods shops in California, to the dismay of some privacy activists who responded with the campaign "Amazon Doesn't Rock". Yes, this sounds exactly like those awful 1990s anti-drug commercials. I just can't get myself to feel psyched about this. Phone payments are so convenient that I don't see the added value of showing my hand instead. I don't think we need campaigns and boycotts; just let the bad idea fade away by itself.

🧑‍⚖️👩‍⚖️Google Fined $40 Million For Misleading Australian Consumers

Australian courts ruled that Google displayed "dark patterns" to mislead Australians into sharing their location for personalized ads. The faulty screens belong to the "Web & App Activity" setting, which enabled location sharing by default, unbeknownst to the users. I might be in the minority, but I am applying Hanlon's Razor here. I think Google product managers worked in silos, and they ended up keeping a default that shouldn't have been. That's a $40 million mistake, indeed. The bigger picture here is the forthcoming EU Digital Services Act, which will carry heftier fines for similar misleading practices, whether they are born of malice or stupidity. See my comments above about Meta. The days of quietly collecting user data behind a Privacy Policy requiring a Ph.D. literacy level to understand are toast.

🎯Quick Hits

A series of relevant news items from the week, with my grain of salt.

⏱️Google admits TikTok is Taking Over the World

The head of Google's Knowledge & Information division noted that younger users prefer discovering places and products using TikTok rather than Search & Maps. Maps and text-based search are seen as "digitized" versions of "real-world" knowledge, which do not appeal to "digital natives". I'll repeat myself: TikTok's ascension is the biggest news in social media since Facebook acquired Instagram in 2012. While the shift to augmented reality sounds interesting for Google, I think it lacks the interpersonal dimension that allows TikTok and Instagram to grab people's attention.

📻AWS Rolling Out Services to Build Your Own 4G

In perhaps my favourite news story of the week, AWS launched Private 5G to allow companies to build their own 4G networks. Customers order SIM cards and hardware from Amazon to set up their private mobile network. I think any organization in law enforcement, the military, or first response should experiment with a technology that basically provides a mobile-optimized Wireless Metropolitan Area Network under your full control. I am also excited by the prospect of some companies building a "Micro Internet Service Provider" in large cities. Gaming seems a no-brainer here: buy your $10 Epic Game Pass (no marginal costs) with a SIM card providing you 25GB of dedicated Fortnite bandwidth anywhere, without eating away your parents' mobile data plan!

🤖Is Hyundai Building Skynet and Terminators?

This week I learned Hyundai owned Boston Robotics. And also that a hacker was able to compromise a Hyundai car in May 2022 thanks to the developers using encryption keys taken from an online tutorial. The company announced an investment of $400 million in AI to bring us closer to the robotic automation of menial tasks. In fact, McKinsey reports that 60% of occupations have at least 30% of tasks that are automatable, principally physical labour and data collection. Finding occupations for workers sidelined by robots will be a challenge in the next 20 years. My instant proposition is healthcare and education, as both sectors require interpersonal relationships.

🚜John Deere Tractors Hacked

Speaking of hacking motor vehicles, a hacker known as Sick Codes presented a John Deere jailbreak at the hacking conference DEFCON in Las Vegas last week. Technical details remain scarce. What matters is the controversy over software's omnipresence in vehicles. I love innovative software that people happily pay for because it makes their lives easier. Automakers turning their vehicles into "black boxes" meets none of those criteria. John Deere is sure losing traction here!

⛓️Ethereum Reducing Its Carbon Footprint

Ethereum is moving closer to becoming energy-efficient by mid-September. While criticisms of cryptocurrencies' fossil-fuel consumption remain valid, I always felt they were not sufficient to justify "brushing off" crypto into the void of bad ideas (along with Google+ and the Windows Phone). Ethereum's most recent change proves why. Reducing emissions correlates with reducing computing cycles. Designing algorithms that minimize computing cycles is literally the most foundational aspect of computer science. Of course scientists would figure this out! With the move, I think Ethereum's blockchain is uniquely positioned to become the primary infrastructure of whatever innovations emerge from web3, and I'm not talking solely about Bored Apes NFTs.

🐶This week's rant: How a High School Kid Hacked his Whole School District

A highlight of DEFCON was this talk in which a high school senior Rickrolled his entire school district. I love this story because it brought me back to the roots of hacking. Nowadays we are so concerned about organized crime and nation-states that it feels good to remember hacking started as the lighthearted activity of enthusiastic teenage nerds.

High schools have always been the quintessential victims of hacks, for obvious reasons. Schools are authoritarian by essence. Hackers use objects and software in ways that were not originally intended. They like to circumvent the rules and question authorities. Hacking culture was not pulled out of some marketer's hoodie!

Photo by Daniel Lincoln / Unsplash

Alright, maybe a little bit of marketing.

While witnessing these teenagers' giddiness, especially as a parent, gave me a warm feeling, we must also look at the story from the school district's point of view. The outlook is bleak. The teenagers pwned the invasive spyware agent installed on school computers using default passwords and manufacturer backdoors that were documented in online manuals. One of the default passwords was, well, password. In a commercial-grade product! In 2022!

The root cause is obvious. Schools are up against an immense threat (students hacking for prestige, and cheaters) with extremely limited budgets. I went online and found sysadmin job postings for my local school district. While retirement and vacation time remain appealing, the entry-level base salary is barely above what my neighbourhood's McDonald's advertises. There is no reason to believe that my local school board has any budget to purchase first-grade "spyware" for its Chromebooks. I am certain that the situation is similar, if not worse, in the USA.

I do not envision things improving much from the IT point of view in the schooling system. In light of the threat of automation discussed previously, teachers' skills will become more valuable. We need more teachers and better-paid teachers, which should be prioritized over technology. Yet we need more than ever for our young generations to develop digital literacy, which only schools can reliably provide at a population scale.

I don't really have a solution here. My knee-jerk reaction is to think that spyware belittles teenagers and that school staff should stay out of kids' private lives anyway. But that's not fixing any historic lack of investment. Here's a sad puppy to close this one out.

Photo by Leohoho / Unsplash

I bet he's sad because he wasn't invited to my pup's birthday.

🥳
Thank you for reading!
Subscribe to the newsletter with the form below.
You can follow me on Twitter, Tiktok, and LinkedIn.