Cybersecurity Roundup: June 4, 2019

This week Facebook says use of Facebook forfeits its users’ right to privacy, NYT insults researchers while the NSA disputes the NYT’s claims about EternalBlue, Google won Facebook’s CTF and pranked Facebook in the process, and more.

Talk about consent issues

This past week, Facebook has been in court trying to avoid accountability over the Cambridge Analytica disaster on two fronts that are turning into separate, serious scandals all on their own.

In Delaware Chancery Court, a one-day trial resulted in Vice Chancellor Joseph Slights delivering a 57-page decision last Thursday finding a “credible basis” to believe that Facebook board members committed wrongdoing related to data privacy breaches. The judge ordered Facebook to turn over emails and “other records concerning how the social media company handles data privacy” to its shareholders. I hope we get to see those.

“Shareholders sued Facebook last September to obtain records related to Cambridge Analytica and other breaches,” reported Reuters, “and said that upon finding wrongdoing, they might sue company officers and directors through a so-called derivative lawsuit.” In other words, if we’re going to talk about what finally destroys Facebook, it may very well come from the company tearing itself apart.

At the same time, Facebook argued in a different court against the class-action lawsuit brought against it stemming from Cambridge Analytica on behalf of Facebook’s users, who claim the company invaded their privacy by allowing third parties to harvest millions of users’ personal information.

Just three months after Mark Zuckerberg announced Facebook’s “pivot to privacy,” and then told the world last month that “The future is private” (but couldn’t keep a straight face while doing so), the company’s lawyers told a federal court there is “no expectation of privacy” on Facebook. Further, Facebook’s attorneys claimed that users had consented to sharing their information with Cambridge Analytica.

“Facebook didn’t deny that users’ data was exposed to third parties,” reported Law360. “Instead, it focused on trying to convince Judge Chhabria that there is ‘no expectation of privacy’ on Facebook or any other social media platform.” As usual, Facebook blamed users for what the company did with their data:

The judge said it appears to contradict Facebook’s and its executives’ own claims that they are working to protect users’ privacy and data.
But Snyder said users consented to the sharing of their information. “There is no invasion of privacy at all, because there is no privacy,” he argued.
Snyder said Facebook provided ample notice to users, telling them it can’t control what third parties do with their data when they share the information with friends. Not only is that common sense and common law, he argued, but sharing something with 100 people forfeits one’s right to privacy.

Perhaps users have an expectation of privacy on Facebook because it literally has privacy settings. Or because users have little understanding or direct knowledge about what private information Facebook collects on them, and gives every random company in the world access to. Or because Facebook has pulled countless bait-and-switch tricks on users to collect that data, like taking user phone numbers for two-factor security purposes and then giving those numbers to third-party data dealers — without telling users.

Uh, enjoy the show?

Perhaps you remember last week’s item about the city of Baltimore being crippled by ransomware, the NYT running a dramatic (and slightly plagiarized) headline pinning attribution on NSA’s EternalBlue tool, infosec saying it was probably wrong, and everyone arguing. Good times.

To the surprise of no one who has been around the bitter queens of infosec for ten minutes, that drama escalated over the weekend. Yet to the surprise of some, the NSA literally went on the record and said NYT was wrong — and the person or persons holding Baltimore hostage for 13 bitcoins (“Robbinhood” — seriously guys!?) jumped into the mix.

When we left the scene of the arguments last week, NYT’s Nicole Perlroth was arguing with Dave Aitel on twitter, and she had doubled down on saying it was super definitely EternalBlue, while Aitel said her piece was fear-mongering and dishonest. Researcher Dave Maynor chimed in saying, “The MS-2017-010 exploit in use is not Eternal Blue. It’s a new exploit written post Microsoft patch. It’s a fundamental flaw in your story and highlights you or your editors desire to cash in on clickbait rather than tell the accurate story.”

Anyway, everyone kept arguing about it on twitter, because that is infosec’s day job now. Dave Aitel took a step further and wrote a post (“Baltimore is not EternalBlue”) taking Perlroth’s article to task in some fairly direct ways, but also brought drama to this particular contest of queens with at least one all-caps shouty sentence.

Not one to be upstaged, Perlroth took to Twitter for a calm and rational response as befits the social media platform — wait, sorry. I forgot backwards day is every day on infosec twitter. She struck back at Aitel by calling his Blogspot post a “hit piece” — and then, in an excruciating display of privilege and childishness, Perlroth finished her Twitter rant with a personal attack on Dave Aitel.

How? Perlroth said the NSA has a dartboard with Aitel’s photo on it. Which is a terrible way of responding, but also a breathtaking example of how not to deal with criticism in a professional setting. It reminds me of companies that insult or threaten researchers for finding security problems. Like a sale on lace-fronts during drag season, this drew the attention of respected researchers who came out of the woodwork to say, um, Dave is correct.

Since the disastrous reporting had appeared in the New York Times, which everyone still refuses to question despite an increasingly lopsided track record in understanding the world around it, government officials requested briefings with the NSA based on Perlroth’s insistent reporting. This caused the NSA to say no, we have no evidence supporting the claims in this article. ‘Twas not EternalBlue. Perhaps a PeriwinkleBlue? Or maybe an IntermittentBlue? According to CyberScoop, senior NSA cyber adviser Rob Joyce said, “The characterization that there is an indefensible nation-state tool propagating ransomware is simply untrue.”

Meanwhile, Baltimore is still fucked and the hackers are taunting the mayor. SC Magazine notes:

Baltimore officials estimated at a city budget meeting on May 29 that the attack could cost the city $18.2 million. About $4.7 million has already been spent. The Baltimore Sun obtained a copy of the ransom note which contained an a la carte demand list asking for 3 bitcoins, about $17,600, to decrypt individual systems or 13 bitcoins, about $76,000, to decrypt all the city’s systems.

So that’s not frustrating at all.

Is anyone home at Blogger?

Does anyone still work at Blogger, or are there tumbleweeds rolling through some dusty abandoned offices somewhere? I ask because a fellow sex blogger made an unfortunate discovery this week: Blogger blogs that used now-defunct service Blogrolling are being hijacked by whoever is now running whatever smoking husk remains of the old service. 

Bacchus tweeted his discovery saying: “… every abandoned Blogspot blog that ever used Blogrolling has a little code hook installed that still phones home to that domain. And whatever mendacious asshole owns the domain now is sending out redirect/hijack code instead of the old blog listing code.”
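The Blogrolling mess is a plain case of a third-party script include outliving the service behind it: whoever picks up the domain later gets to run code on every page that still embeds it. The check below is an added example, not code from the original post or from Blogrolling, and it assumes the hook is an ordinary `<script src>` include. It parses a page, lists every third-party host that scripts are loaded from, and flags the ones on a list of abandoned services; the host names and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder list of hostnames for services known to be abandoned.
# In practice this is maintained from your own inventory of retired widgets.
DEFUNCT_HOSTS = {"rpc.defunct-widget.example"}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_script_hosts(html, page_host):
    """Return the set of hostnames (lower-cased) that third-party scripts load from."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        # Old templates often use protocol-relative //host/path includes.
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            hosts.add(host.lower())
    return hosts


def flag_defunct_includes(html, page_host, defunct=DEFUNCT_HOSTS):
    """Third-party script hosts on the page that belong to abandoned services."""
    return sorted(h for h in external_script_hosts(html, page_host) if h in defunct)


# Constructed sample of an old blog template with a leftover widget hook.
SAMPLE_HTML = """
<html><head>
<script src="https://myblog.example/js/theme.js"></script>
</head><body>
<div id="blogroll">
<script language="javascript" src="http://rpc.defunct-widget.example/display.php?r=abc123"></script>
</div>
<script src="//cdn.good.example/lib.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for host in flag_defunct_includes(SAMPLE_HTML, "myblog.example"):
        print("remove or replace include from abandoned service:", host)
```

Run it against the saved HTML of each blog you still own; any host it lists is code you no longer control, and the include should be deleted from the template rather than left to whoever registers the domain next.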


Hacker KT posted the above image and tweeted, "LOL it turned out that Google’s CTF team won Facebook’s CTF (by solving ALL the challenges btw)!! And now they are trolling the #fbctf scoreboard by redirecting users to their Google CTF website…”

More to read:

Scary times online for anyone who is sex-positive

This past week I concluded a huge investigation with a report for Engadget on the organizations hoovering up money by being anti-sex content moderators — working with Palantir and funneling user data to law enforcement under the guise of fighting sex trafficking — for social media companies. 

Please read it, I’m incredibly proud of the work, thankful for everyone who assisted on the investigation as well as those who spoke with me, and really worried about what’s happening with big data and moralistic companies who don’t care about the effects of their “anti-trafficking” initiatives. Google, Twitter, Facebook, Salesforce, and a whole bunch of companies are caught up in this mess. One upside: I got a prominent anti-trafficking org to admit on the record that sex workers exist, a first.

Link: Sex, lies, and surveillance: Something’s wrong with the war on sex trafficking.

Thank you for your support. If you’re not a patron yet, please consider becoming a patron at any level to keep this little labor of love alive. Even $1 a month adds up to a meaningful difference in my life.

This week’s art (via imgur) should’ve accompanied the April 30 article, Facebook Messenger coming to Mac and Windows later this year (Macworld).

Main post image via Phreck on Twitter.
