Uber Hacked by Teenager🧒Google Quells Quiet Quitters 🛫Texas Anti-Censorship Law 🦅

🧪New Formula

I'm taking advantage of a slow news week to test a new format for the newsletter. I will cover fewer items and focus more on my analysis. Please tell me which you prefer!

🔦This week's spotlight: Uber Pwned

The technology world lived a "media eclipse" when news broke that ride-sharing company Uber suffered a terrible hack. The hacker, who claims to be 18 years old, gained access thanks to the same social engineering attack that was used last month to breach Cisco and Twilio. The hack involves stealing passwords and then spamming the person with MFA push notifications until they accept. Here, the hacker impersonated Uber IT to have the victim accept the MFA prompt.

The whole journey of the hacker deserves mention. Highlights include: finding a Powershell script that contained privileged credentials, announcing the hack on the company Slack channel and employees thinking it was a joke, compromising AWS credentials, and unauthorized access to Uber's HackerOne bug bounty page! Uber later confirmed the breach and blamed a contractor.

The hack happens as Uber's former Chief Information Security Officer is put on trial for attempting to cover up a hack in 2016 and two months after The Guardian's incendiary long-form report about Uber's unethical lobbying practices.

Information Security's raison d'être in an organization is to act as a beacon of ethics and integrity. Companies invest in cybersecurity because it is the right thing to do. How could Uber, which rose thanks to deeply unethical behaviour, really build a culture of security?

I have seen messages about how over 90% of companies would not have fared better than Uber, so we should not focus on the tech giant but on the underlying phenomenon. This opinion is not wrong. However, as part of the most privileged cast of tech companies, my opinion is that Uber should have known better.

Think about how the organization you work in sees its security and privacy practices. Are they just filling compliance checkmarks? Between Uber, Twitter and Facebook, a pattern of these "late-2000s-go-fast-and-break-stuff" emerge: let's goozle as much user data as possible and worry about the consequences later. Now are the consequences.

A special shout-out to one of my favourite influencers, Sean Wright, who compiled a list of security vendors claiming their product would have magically stopped the Uber hack:

🥑Legal Log

💫Does the USA need a Federal Privacy Law?

In the aftermath of the Roe Supreme Court Decisions, Democrats attempt to pass a federal privacy law protecting individuals seeking abortion services across States. The problem? The California Consumer Privacy Act (CCPA). As explained in Wired, the pitched federal privacy bill would decrease the protection Californians get from the CCPA. Meanwhile, the Health Insurance Portability and Accountability Act (HIPAA), a federal law, remains bound by its association with healthcare services. Googling locations of abortion clinics is therefore not protected.

Whatever the law ends up becoming, it is safe to say that individuals must act now. Privacy tools fostered by the hacking community will provide protection.

What strikes me here is how much the Roe decision highlights the problems with the "I don't have anything to hide" argument. You don't have anything to hide... as long as your government shies away from authoritarianism. As long as you do not become a person of interest.

Think about your political beliefs, your hobbies, and your communities. Imagine one member of these groups commits an awful act which stains your community. Or imagine that suddenly rights you thought were acquired vanish after a court decision - just like Roe. It's amazing how easy civil rights fall when fear dominates. This is why we need privacy laws.

🎯InfoSec Stories

🧨Microsoft Teams storing auth token in clear text is a damp squib

Much talk was made about the discovery that Microsoft Teams stores clear text authentication tokens in the user's machine. What does this mean and why you should not be worried? Essentially, Teams keeps an authentication token to maintain its session alive in some well-known locations on your disk. Attackers who gain access to an unencrypted machine or to your user account could therefore use the token to bypass your MFA and access the Teams environment, which includes Sharepoint, Onedrive, and Outlook.

This story was a bit overblown because nearly all application store tokens in user-accessible locations. Here's why: the user needs to access the authentication token to re-authenticate! Hit F12 on your browser, and go to Applications/Cookies: here are your tokens!

The coverage of the "vulnerability" is a reminder of how sometimes the media will be the media. They will get a juicy headline and run with it. This comes from somebody that hates Teams by the way! Teams doesn't need a security flaw for us to dismiss it: it simply sucks.  

🗣️Social Media Chronicles

😱Parler and Censorship of Conservatives VIews Online

Two technology items about social media platforms' content moderation of conservative views caught my attention. Alternative social network Parler announced the acquisition of cloud services provider Dynascale to allow businesses a more laisser-faire infrastructure. Observers are reporting, for example, that Cloudflare's blocking of harassment website Kiwifarms basically killed the website. One of its last bastions was in a data center run by a 23-year-old Finnish living literally in his mother's basement. Parler's services would therefore create a more "sympathetic" provider.  

The second item is that Texas passed an anti-censorship law that prohibits large social media to ban users based on their "viewpoints". The law was met by the giant platforms with relative indifference, as executives deny removing people based on such criteria and instead base their decisions on bullying, misinformation and hate speech.

Are conservatives getting censored? The examples we have from either Kiwifarms, 8chan or DailyStormer do not suggest such. All three were dissolved from the internet for crossing lines into violence and criminal acts. But then, why are more moderate conservatives feeling this sentiment to a point of creating alternative infrastructures, social networks, and laws? We have a duty to empathize with these individuals. It is taking the easy way out to label all this a byproduct of polarization.

I am brought back to my story above about Roe. We never know when the tides could turn. What if more conservative views become mainstream? Who knows what happens if conservatives start campaigning against "obscene" content on large social media platforms... I would love a law in the same vein as Texas to prevent organized pressure groups from banning homosexual people from Instagram! This could happen. Platforms must moderate the content because law enforcement will never have the bandwidth to do so. But I wish they keep a very high tolerance. So yes, that means you must still endure your racist uncle on Facebook.

I'm not racist, I just don't like Dobermans.

🧛More Facebook Horror

More unsealed docs of the Cambridge Analytica lawsuit that was recently settled continue to paint a very bad picture of the social media giant. This week, Facebook's internal audit of third-party apps has leaked damming results. Looking at the top ten worse users of the now-infamous "collect information about your friends' friends" developer feature, plaintiffs were able to conclude that they could theoretically have scraped everybody's data. Worse, it is unclear what if any consequences were brought upon the apps that auditors marked as having "ulterior motives".

The audit does feel like a good theatre play Mark Zuckerberg put out to appease Congress when he was asked to testify. The audit did happen, but the conclusions seem to have been put on a tablet.

Let me recap: we learned Facebook has no idea where all its user's private data is located. Now we learn that Facebook sort-of knows which app abused the "collect friends of your friends' data" feature and sort-of didn't do anything about it. We need a bigger GDPR!

🤖AI Almanac

💔Artists Upset With Their Art Being Used to Train AI

A group of artists released Have I been Trained? to identify whether their work was included in Stable Diffusion's training set in violation of copyright laws. Based on my research (I am not a lawyer), the use of previous works to train an AI is in a grey zone, duh. Or shall I call it sfumato? Nevertheless, the question to me is not whether or not artists can have the choice of their work being used to train AI... The question is whether that model should be opt-out or opt-in! For example, this Deloitte research cites that users agree to tracking cookies at 16% in an opt-in setting, while this study suggests around 88% acceptance in an opt-out scenario.

In the end, open-source models are probably better off with an opt-in setting, since the AI is supposed to belong to the community. Paid-for models such as OpenAI's DALL-E or Midjourney should offer a share of the profits to artists whose work is being used to generate the art. Rates would probably be abysmal, similar to what musicians get on Spotify, but it would be the right thing to do. Those are temporary measures, as one can imagine AI art rapidly feeding onto itself.

The big picture will not change. Traditional art will join smithing, woodworking, watchmaking, jewelry, and weaving as more high-end "made by hand" goods we purchase both for the object itself and the story it carries. Every other art will be commodified to a model with zero marginal costs. The new class of artists' gigs will belong to those who have mastered the prompts to streamline AI art creation. This will be how artists make a living now!

⛓Web3 Trippin'

🔁The Merge is Behind Us and The Revolution Can Begin!

On September 15th, the Ethereum blockchain officially switched its consensus mechanism to proof-of-stake instead of the energy-consuming proof-of-work. The Ethereum foundation estimates energy consumption to decrease by 99.95% (Full story in TechCrunch).

The proof-of-stake relies on various "authorities" on the chain having "a skin in the game". Every block receives approval from "validators" who bought a large amount of Ethereum as a "stake". New transactions such as mining need approval from two-thirds of the validators. In opposition, proof-of-work was based on the ability to solve complex hashing calculations using brute-force algorithms.

Ethereum is now the front-runner to become the blockchain of the future. The environmental impact for now seems mitigated. Contrary to BitCoin, Ethereum provides smart contract and non-fungible tokens (NTF) services. It is not purely speculative. Polygon has already built a platform and ecosystem on top of Ethereum's infrastructure to allow developers to create decentralized apps (dapps).

I expect all games and social media in the next 1-2 years to offer NFT-based features.

🐶This week's rant: Quiet Quitting Boggles Google's Mind

In my early twenties, I was an animator in museums. I'd put a Nouvelle-France disguise on and build wampums with school kids. It was amazing. I was employed by the City. When groups were not visiting, I was cleaning the rooms and prepped the next activities. It involved calling in the blue-collar workers to fix broken stuff.

I don't know about other places, but "City Blue-Collar Workers" in Quebec are the go-to cliché for "Lazy Over-Unionized People", as in: "If you work too fast you'll force everybody to work more". And boy did I meet some individuals with that mentality!

Why am I telling this story? Because there is such a thing as employees acting in bad faith. Remote work does enable them to go unnoticed. When Google, the biggest tech company in the world, starts panicking about employees "quiet quitting", I try to see both employees and management's points of view.

Google CEO Sundar Pichai recently cracked down on initiatives that allowed employees to allow 20% of their time on "passion projects" and cut half of its innovation incubator's budget. He then went public against coasters, declaring "Resting and Vesting" to be over.

I previously reported my strong dislike for "employee monitoring systems" that feel straight from the Soviet Union. Many see bringing back employees to the office so middle managers can look over the employees' shoulders as a saving grace. But the data tells another story altogether.

My favourite article of the week came from the a.team which conducted a large survey of 581 tech leaders about their feelings on the future of work. 44% of respondents have lost top performers during the "Great Resignation". The model has now shifted to "integrated" teams compromised of full-time employees and fully remote independent workers. Too much surveillance and employees will simply quit, then come back as consultants for twice the payout!

The balance is very hard to find. On one hand, you have disengaged employees coasting and filming Tiktoks on "quiet quitting". On the other, you have enterprises struggling to provide a stimulating environment whose knee-jerk response is to "bring things back to the way they used to be".

Google has decided that it was more important to their bottom line to risk alienating their better employees for the sake of stopping the coasting epidemic. Given everybody lines up to work for them, the risk does not appear costly. Most businesses cannot afford this.

The only solution I see is to triple down on the employees who remain engaged. And I am not only talking about salary! Incentivize good behaviours with social capital: awards, prizes, etc. Social pressure people into engagement! And automate boring, repetitive tasks when you're at it.

Trust me, I have been working in information security long enough to know the carrot works much better than the stick.

This puppy agrees.