Ex-Twitter CISO Flips the Bird 🐦, Apple 0-Day 🍎, Tiktok Politiks 🕵️‍♀️

This week's stories: Twitter Whistleblower 🐦, Apple security flaws 🍎, TikTok getting audited ⏱️, Poop delivery service hacked 💩, Janet Jackson Crashing Laptops 💻, + more

Weekly newsletter with unique insights and analysis of relevant stories in infosec 🔒, privacy 🖲️, and tech 💻, with a healthy dose of dad jokes 🧔 and guaranteed puppy pictures 🐕. If you like my writing, please subscribe and follow me on Twitter, Facebook and LinkedIn.
Website announcements
Check out my review of the project management app ClickUp. ClickUp read it and they loved it!

🧔Personal News

I've been told my life would make a funny YouTube series. I guess it's worth sharing!

This week, my eldest son fed the dog Mini-Wheats cereal. The dog regurgitated it. My third son slipped in the vomit puddle. My partner cleaned the mess.

This is a tech newsletter. To make the anecdote relevant, let's just say: my eldest is the hacker, the dog is the app processing the untrusted input, my third son is the user, and my partner is IT getting woken up at 6 AM on a Saturday morning.

💣 Ex-Twitter CISO Blows the Whistle on Security Practices

The Facebook Papers were the biggest story in social media in 2021. Twitter, still embroiled in drama over its non-purchase by Elon Musk, says "Hold my beer!" In an explosive whistleblower complaint to the Federal Trade Commission, the former security executive enumerates a series of failings at the tech giant, including the following:

  • failures to delete data
  • 30% of company laptops block software updates
  • misleading the board about the company's security deficiencies
  • uncontrolled internal access
  • roughly half the company has access to "critical" systems
  • lack of visibility into employees' access to the production environment
  • half of the production servers running outdated software, lacking security patches and encryption
  • data centers vulnerable to outages
  • probably hiring foreign spies from India and Saudi Arabia

This bird disapproves

Simply put, this portrait is catastrophic. Every layer of the company's internal security is broken. Twitter is a powerful vector of transmission for knowledge and ideas, and malicious foreign entities and criminals pose an existential threat to the company's mission. Given the extent to which its security controls have degraded, I think regulatory pressure to force drastic action is indeed necessary. The little bird needs to be struck with the mighty hammer of the law! (That came across grimmer than expected.)

Full story from the Washington Post and CNN:

Former security chief claims Twitter buried ‘egregious deficiencies’
An explosive whistleblower complaint from Peiter “Mudge” Zatko alleges that Twitter misled regulators and investors about gaping security holes and efforts to fight spam.
Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies
Twitter has major security problems that pose a threat to its own users’ personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post.

Back to our regularly scheduled programming...

🔦This week's spotlight: Tiktok Talk (again)

I did not expect my newsletter to morph into a chronicle of Tiktok's emergence as this generation's Facebook, but here we are.

🙈Tiktok's Transparency Audit

Axios has learned that Oracle is auditing Tiktok's algorithms for the presence of Chinese government propaganda and reviewing its content moderation practices. As an optimist, I can't help but feel Tiktok is undergoing exactly the type of scrutiny that we privacy enthusiasts have been clamouring for. Yes, they do it under regulatory pressure. But doesn't that mean the system is working, somehow? If the situation spirals into a masquerade, I will be the first to say I was naive.

🚨Tiktok's Election Involvement

Speaking of progress, Time wrote a story on social media platforms' preparations for the U.S. midterm elections. Tiktok is under the spotlight due to its pull over younger viewers and its perceived inexperience in dealing with increasing misinformation. The traditional media's thinly veiled fear-mongering is exactly what makes Tiktok cool. Whatever Time thinks, there is no stopping Tiktok (that's probably the coolest sentence I've ever written). On the contrary, my takeaway was being impressed by how much Tiktok's content moderation strategy is benefiting from Facebook's lessons learned vis-à-vis the catastrophic 2016 election and the Cambridge Analytica scandal. Tiktok's "election center" will provide authoritative information, and the platform will label misinformation. Political advertising is already prohibited.

⌨️Tiktok Technically Serves Us a Key-Logger

As a follow-up to last week's story about Meta tracking users in its in-app browser, security researcher Felix Krause reveals that Tiktok's in-app browser contains code snippets that allow the recording of keystrokes. Tiktok's weak response: yes, we could log everything, but we don't. Hopefully, public pressure forces the Chinese giant to at least provide the option to open websites in the default browser.

🙉Amazon's turn to Imitate Tiktok

In a bizarre turn of events, Amazon has been internally testing a Tiktok-style feed for its app. The feed would allow the giant to recognize items shown on screen, such as pieces of clothing or puppy supplies, and suggest that the audience purchase the product on its website. Amazon's attempt at least ties back to its shopping core. One could imagine a partnership emerging between the giant and either Tiktok or one of its competitors down the line.

➕My Optimist Take

Tiktok is emerging in an environment of increased awareness. Whatever the community has been doing in the past decade works. Algorithm transparency, privacy, misinformation management: Tiktok's ethics bar at this stage of its development is much, much higher than that of any social media platform before it.

🔦This week's second spotlight: The Big Apple Zero-Day Everyone Talks About

I had pegged this story as the surefire lead in the newsletter given the widespread media coverage, but there seems to be no story there. Apple released two security updates to resolve severe vulnerabilities that are being actively exploited. Technical details remain scarce. The vulnerabilities seem to be related to the engine that powers Safari and the App Store. And that's all I could find. It's still summer, and Log4j is long gone. Maybe we needed another security story to fill the void?

Reactions seem more interesting than the vulnerability itself. I think the perception of "viruses only attack Windows" runs deep. In that case, the security advisory can serve as a wake-up call.

🥑Legal Jam

Changes to the regulatory landscape with regards to technology, privacy, security, and more.

😱Illinois Bad Ass BIPA Law Putting Insurers on Edge

Illinois's Biometric Information Privacy Act makes it one of only two jurisdictions allowing class action lawsuits over biometric data collection concerns. A recent settlement awarded plaintiffs $36 million from Six Flags Entertainment over the use of fingerprint scanners on minors. The amount was calculated based on a $200 penalty for each fingerprint scan of a minor during the 5 years the scanner operated. The Illinois Supreme Court is now being asked to rule on whether a privacy violation happens every time someone gets scanned, or only once per individual. Another case aims to settle how long the "statute of limitations" (the window in which you can file a lawsuit after the alleged violation) is. Insurers, on the other hand, are crafting new exclusions to deny coverage for certain scenarios such as access and disclosure.

🤰Period and Pregnancy Tracking Apps are not Privacy Friendly

A recent study from Mozilla shows how most of the major period and pregnancy apps lack basic protections around data disclosure to authorities. Problems highlighted by the researchers range from ignoring the GDPR to full-blown, unrestricted sharing of health data with advertisers. HIPAA is the US federal law that protects health information. However, the law only covers healthcare services. Apps, therefore, fall outside the scope of HIPAA.

🎯Quick Hits

With my grain of salt, a series of relevant news items from the week.

💽Janet Jackson awarded CVE for Crashing Laptops

In what is perhaps the funniest vulnerability story that ever happened, researchers found out that Janet Jackson's "Rhythm Nation" contains a frequency which causes certain laptop hard drives to crash. Better safe than sorry: let's prohibit Janet Jackson songs at your workplace.

💩When Shit Hits the Fan

Poop delivery web service ShitExpress got hacked by a hacker nicknamed pompompurin. I'll let you roll on the floor a little before you continue reading this. ShitExpress allows customers to send animal feces anonymously for pranks or acts of vengeance. Apparently, shit got real when pompompurin found a SQL injection in the web app and leaked its contents, causing quite a shitstorm in the process. According to the BleepingComputer report, purin (or rather "purine") discovered the vulnerability because he or she wanted to send a "gift" to a rival hacker, "Troia", as part of a multi-layered online feud that somehow involved pompompurin hacking the FBI. You can't make this shit up.


Hope you brought the toilet paper

✉️Email marketing firm Klaviyo suffers a data breach

After Mailchimp fell victim to two breaches this year, crypto-currency marketing firm Klaviyo lost customer contact information after a successful phishing attack. It is believed the harvested emails will be used for spear phishing campaigns. These breaches must not be taken lightly. A typical marketing lead for a B2B campaign costs between $50 and $400. Ransomware targets businesses, so obtaining such leads illicitly puts criminals at an advantage. Marketers rely on techniques similar to those of phishers to trigger responses. I am worried criminals have figured this similarity out. Marketing apps typically remain low on our risk assessments due to the public nature of marketing content. There are few incentives for martech to bolster its security.


Hopefully cyber-criminals don't re-use those "generic happy office people" pictures. Everybody would believe phishing to be legit.

🐍Supply-chain attack targeting gamers' chat app Discord

Researchers at Snyk recently discovered malicious Python packages targeting the Discord client. The malicious packages masquerade as Roblox tools. Once a developer is tricked into installing the malware, it tampers with the developer's Discord client to steal passwords and credit card information. PyPI is the central repository hosting those thousands of packages, and its small team of volunteers is, needless to say, overwhelmed. Shall we say, Bye-bye PyPI?

🥥Big Tech has had it with this Work From Anytime Anywhere Thing

CEOs of Google and Meta recently made the headlines due to their cost-cutting goals. Apple reiterated its desire to make office attendance mandatory 3 days per week. These positions matter to the extent that many companies model their approach on these giants. Zuckerberg struck me as particularly blunt, noting that "there are probably a bunch of people at the company who shouldn't be here" and calling the upcoming changes a natural selection.

We should not read too much into this, either. Speeches on "efficiency" and "productivity" are natural as companies reduce expenses. One of the biggest pros of the normalization of remote work has been the opening of new opportunities: companies can hire talented individuals everywhere, and employees can work for anybody! I can see how Google, Meta and Apple, which have thousands of candidates lining up for positions, would not value this advantage as much as a smaller player.

🐶This week's rant: The New World Order of Platforms

Back in 2013, I had plans to launch a comedy website as a complementary gig. My plan fizzled out when I met a business advisor who basically calculated that I would never make enough ad revenue to turn a profit. A friend of a friend was writing for a well-known online magazine at the time, and when I asked about payment, he told me to expect "between zero and $50" for a text, if it was approved. I was already blogging for free exposure for a national newspaper, getting insulted weekly in the comments section. I stopped writing online shortly thereafter.

I would love to tell you that since coming back to writing online this year I have had this incredible amount of success and revenue. That's not the case. As a matter of fact, the future of content creation seems inevitably tied to AI-generated content, as Ben Thompson points out. The emergence of Dall-E 2 and MidJourney AI imaging software has already driven claims of the AI Art Apocalypse. It is likely that a swarm of digital graphics artists will be out of commission. Writers will not be spared by GPT-3's heirs. Content Marketing Optimization Platforms (that's a mouthful) already provide AI-generated SEO content. It is likely that in the next 3-5 years, auto-generated content will be indistinguishable from human-created text, images and video.

Yet, I feel more optimistic than in 2013 about writing online. 9 years ago, ads were the only revenue stream. Both Google and Facebook were flooding the market with an all-around better advertising suite. "Writing" was still associated with "writing for a media outlet" (e.g. being a "freelancer" for a journal). Today's infrastructure for content creators did not exist. Now, with my content management platform and newsletter, as a sovereign writer, I have a direct relationship with you, my reader, without writing any code. This relationship is also how I expect to differentiate myself from AI-generated content. While I wouldn't put it past GPT-3 to spew a few good dad jokes and puppy anecdotes, I still believe we as humans crave connection to each other. Knowing a real person experienced the puppy vomit incident makes all the difference. Remember: the only skill a machine can never have is the ability of humans to empathize and care for each other.

I may never reach a level of popularity that will translate into enough paying subscribers to make a profit with my website, but there is a path that does not require me to gather hundreds of thousands of viewers to obtain revenue from my creation. More importantly, we have reached a mental state where we have accepted that personalized, premium content warrants direct payment. This wasn't there in 2013.

Direct, individual payments are also re-shaping how we build software and apps. Last week, Reddit launched a new developer portal to allow developers to sell their apps as "add-ons". Netflix's booming game division has freed developers from their "hackish" micro-transaction models. The trend of building natively on an ecosystem has been pioneered by Salesforce with its AppExchange. Shopify and Slack also host thriving third-party apps marketplaces, all to extend their platforms. Notion, Airtable and Monday.com, which I have reviewed, all list third-party templates and apps, some of which make a quarter million in revenue a year. A Monday.com native app was recently "microacquired" for a six-figure amount.

Earlier start-ups used public cloud services such as AWS to accelerate their time to market. While we still have ample room to grow in those areas, the aforementioned ecosystems allow for no-code creations. People can focus on the business logic without worrying about instances, security patches, access controls, and especially cloning a repo. AI-generated code will not discover a workflow to reduce student procrastination. There is still plenty of room left to create and solve problems. More importantly, we have turned the corner on "everything is supposed to be free on the Internet". Craving free products led to companies turning us into the product.

Speaking of Tiktok, content creation, and pets, here's my bunnies' viral Tiktok:

@ppferland: My bunnies 🐰🐇 to explain asset classification! #infosec #assetprotection
🥳 Thank you for reading!
Subscribe to the newsletter with the form below.
You can follow me on Twitter, Tiktok, Facebook, and LinkedIn.