The Daily Parker

Politics, Weather, Photography, and the Dog

Foreign intelligence's best asset

The unsurprising news that President Trump tweeted about something that his son found out only minutes before back in June shows just how foreign governments can use his impulsiveness and stupidity to play him:

Seeing Assange prompt a Trump tweet, via Don Jr, is I suspect only the first and clearest of many examples. Who told Trump what? In a lot of cases Trump’s tweets will likely tell us. Trump’s October 12th Wikileaks tweet was totally opaque until we found out about Don Jr’s DMs with Assange a few minutes before. Trump’s tweets are impulsive, immediate, unvarnished. They amount to realtime surveillance of what he was thinking and what he knew at key points of the campaign. They just require the fruits of the ongoing investigations to decipher what they mean.

Some day, we'll find out (perhaps through a Truth & Reconciliation Committee) just how badly this man has hurt the country.

My favorite article of the day

I'm chilling in my hotel room on the second day of my trip, not sure how much longer I'll remain awake. (Waking up at 5am sucks, even more so when it's 4am back home.) This is a problem in that I need to write some code before tomorrow.

So I've spent a few minutes perusing the blog feeds and news reports that came in today, and I have a favorite. The favorite is not:

No, though all of those brought little flutters of joy to my heart, the story that London is going to make Oxford Street a pedestrian utopia by 2020 really got my interest. Since I have never driven a car anywhere in Zone 1 and have no intention of ever doing so, I think blocking 800 meters of Oxford Street to cars is fookin' brilliant.

Links to read on the plane

I'm about to fly to San Antonio for another round of researching how the military tracks recruits from the time they get to the processing center to the time they leave for boot camp (officially "Military Basic Training" or MBT).

I have some stuff to read on the plane:

OK, off to K20. Or K18. Or wherever my plane has got to.


Strangest office building I've ever been in

Imagine the largest office building (in land area) you've ever been in, add a small shopping mall, four food courts, and the security that demonstrates exactly how silly and ineffectual airport security is, and that's the Pentagon.

I'm in a little island that's like an anti-SCIF (Sensitive Compartmented Information Facility). We're in the one unclassified office in the ring, complete with unclassified Internet service, and because of that, behind two steel doors and in a Faraday cage. And it's literally the only place we're allowed to take pictures, which is sad because every hallway in the building is a museum exhibit. It's weird.

That, and we can't go to the bathroom without an escort, makes this a very strange day indeed.

Also, it's like an ongoing pop quiz in uniform insignia recognition. And I'm still having problems with upper enlisted ranks.

Home tomorrow, after a visit to a military facility outside Baltimore.

Link round-up

I've got a lot going on today, with a final rehearsal tonight before Saturday's dress for Carmina Burana (get tickets here) and two business trips in the next 10 days. But there are a few articles to note in today's media:

Back to work now.

What does Tinder know about you?

Via Bruce Schneier, a British reporter requested her data dossier from Tinder. As with so many other things in life, she was shocked, but not surprised:

The dating app has 800 pages of information on me, and probably on you too if you are also one of its 50 million users. In March I asked Tinder to grant me access to my personal data. Every European citizen is allowed to do so under EU data protection law, yet very few actually do, according to Tinder.

With the help of privacy activist Paul-Olivier Dehaye from personaldata.io and human rights lawyer Ravi Naik, I emailed Tinder requesting my personal data and got back way more than I bargained for.

Some 800 pages came back containing information such as my Facebook “likes”, my photos from Instagram (even after I deleted the associated account), my education, the age-rank of men I was interested in, how many times I connected, when and where every online conversation with every single one of my matches happened … the list goes on.

What will happen if this treasure trove of data gets hacked, is made public or simply bought by another company? I can almost feel the shame I would experience. The thought that, before sending me these 800 pages, someone at Tinder might have read them already makes me cringe.

Tinder’s privacy policy clearly states: “you should not expect that your personal information, chats, or other communications will always remain secure”. As a few minutes with a perfectly clear tutorial on GitHub called Tinder Scraper that can “collect information on users in order to draw insights that may serve the public” shows, Tinder is only being honest.

But as Schneier points out, "It's not [just] Tinder. Surveillance is the business model of the Internet. Everyone does this."

Who needs privacy?

Republican Illinois governor Bruce Rauner, the best governor we have right now, vetoed a bill that would have required companies to get affirmative consent from consumers before selling their geolocation data:

“The bill is not overreaching,” said Chris McCloud, a spokesman for the Digital Privacy Alliance, a Chicago-based nonprofit advocating for state-level privacy legislation. “It is merely saying, ‘If you’re going to sell my personal geolocation data, then just tell me upfront that’s what you are going to do so I can make a decision as to whether I want to download this app or not.’ ”

The Federal Trade Commission has issued general guidance, and there are a variety of industry self-regulatory codes of conduct, from automakers to online advertisers, but federal law does not provide clear geolocation privacy protection.

The online advertising industry increasingly depends on tracking consumers to serve up lucrative and effective targeted ads. Data collection enables advertisers to learn everything from your search habits and recent purchases to where you travel, often in real time.

Remember: you're the product, not the customer. And that's how Republicans like it.

Welcome (and overdue) feature in Chrome

The January release of Google Chrome will prevent videos from auto-playing:

Starting in Chrome 64, which is currently earmarked for a January 2018 release, auto-play will only be allowed when the video in question is muted or when a "user has indicated an interest in the media."

The latter applies if the site has been added to the home screen on mobile or if the user has frequently played media on the site on desktop. Google also says auto-play will be allowed if the user has "tapped or clicked somewhere on the site during the browsing session."

"Chrome will be making auto-play more consistent with user expectations and will give users more control over audio," writes Google in a blog post. "These changes will also unify desktop and mobile web behavior, making web media development more predictable across platforms and browsers."

I mean, really. The more advertisers annoy the shit out of us, the less effective it will be.
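For developers who have to work with the policy rather than around it, here is an added example (mine, not code from the article or from Google's post) of requesting playback in the order Chrome 64 permits: an unmuted attempt, a muted fallback, and finally exposing the native controls so the user's own click or tap can start the video. It assumes a `<video id="promo">` element (placeholder id) and relies on the `NotAllowedError` name that browsers attach to the rejected `play()` promise when the autoplay policy refuses playback; the fake video object is constructed inline so the logic can be exercised under Node.

```javascript
// Added example: playing a video in a way that copes with the Chrome 64 autoplay policy.
// Not code from the article or from Google. Assumes a <video id="promo"> element exists
// (placeholder id) and that a policy refusal surfaces as a rejected play() promise whose
// error has name "NotAllowedError".

// Pure decision helper, kept free of DOM access so it can be tested outside a browser.
// Returns:
//   "retry-muted"   - policy refused an unmuted play; a muted attempt is still allowed
//   "show-controls" - even muted playback was refused; hand control to the user
//   "other"         - not a policy problem (decode/network error); do not retry
function nextStepAfterPlayFailure(err, isMuted) {
  if (!err || err.name !== 'NotAllowedError') return 'other';
  return isMuted ? 'show-controls' : 'retry-muted';
}

// Attempt playback in the order the policy permits: unmuted, then muted, then wait for
// a user gesture by exposing the native controls. Resolves to a string describing the
// state reached, so callers (and tests) can tell which path was taken.
async function playRespectingPolicy(video) {
  try {
    await video.play();
    return 'playing-unmuted';
  } catch (err) {
    const step = nextStepAfterPlayFailure(err, video.muted);
    if (step === 'other') throw err;
    if (step === 'retry-muted') {
      video.muted = true;
      try {
        await video.play();
        return 'playing-muted';
      } catch (err2) {
        // A second refusal while muted means the site has no engagement credit yet.
        if (nextStepAfterPlayFailure(err2, true) !== 'show-controls') throw err2;
      }
    }
    video.controls = true; // let the user start it with a click or tap
    return 'waiting-for-user';
  }
}

// Minimal stand-in for a <video> element, constructed here so the logic can be exercised
// without a browser: refuses unmuted play, accepts muted play unless told otherwise.
function makeFakeVideo({ allowMuted = true } = {}) {
  return {
    muted: false,
    controls: false,
    play() {
      if (this.muted && allowMuted) return Promise.resolve();
      const err = new Error("play() failed because the user didn't interact with the document first");
      err.name = 'NotAllowedError';
      return Promise.reject(err);
    },
  };
}

// Browser entry point; skipped under Node.
if (typeof document !== 'undefined') {
  const el = document.getElementById('promo');
  if (el) playRespectingPolicy(el).then((state) => console.log('autoplay:', state));
}
```

The point of the pure helper is that only a policy refusal is worth retrying; a decoding or network error rejects `play()` too, and retrying it muted would just hide the real failure.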

The second-most disgusting thing you'll read today

While not quite as viscerally grotesque as a 140-tonne fatberg, new details about the failures at Equifax that led to its massive data breach are still pretty disgusting:

Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn't.

As the security community processes the news and scrutinizes Equifax's cybersecurity posture, numerous doubts have surfaced about the organization's competence as a data steward. The company took six weeks to notify the public after finding out about the breach. Even then, the site that Equifax set up in response to address questions and offer free credit monitoring was itself riddled with vulnerabilities. And as security journalist Brian Krebs first reported, a web portal for handling credit-report disputes from customers in Argentina used the embarrassingly inadequate credentials of "admin/admin." Equifax took the platform down on Tuesday. But observers say the ongoing discoveries increasingly paint a picture of negligence—especially in Equifax's failure to protect itself against a known flaw with a ready fix.

(Emphasis mine.)

Whenever conservatives say that private industry is better at solving problems than government, I just think about some of the companies I've worked for, stir in crap like this, and laugh out loud.

Predictable and sad

Credit reporting agency Equifax reported last week that thieves had made off with 143 million customer records:

According to a person familiar with the breach investigation, Equifax appears to have been targeted initially because the company keeps on file millions of active cards, belonging to people who pay $19.95 or more per month to have Equifax monitor their credit reports and alert them to potential fraud. The hack, which the company says took place in late July, put as many as 143 million consumers -- or half the U.S. population -- at risk.

The person, who requested anonymity to discuss the ongoing investigation, said the web application the attackers used to breach Equifax’s corporate network granted access to both the credit card files and back-end systems storing the exhaustive data profiles on consumers. Those profiles include Social Security numbers, driver’s license numbers and other sensitive information, Equifax said Thursday in a statement.

Criminals took advantage of a “U.S. website application vulnerability to gain access to certain files” from mid-May through July of this year, Atlanta-based Equifax said. The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers. Credit card numbers for about 209,000 consumers were also accessed, the company said.

“You would expect these guys to have compartmentalized this data far enough away from a web server -- that there would not be any way to directly access it,” said Tim Crosby, senior consultant with security-assessment firm Spohn.

Knowing how large companies work, and knowing about the diffusion of responsibility principle, and having a healthy belief in the power of governments to correct for bad incentives, I can't say I'm surprised. Neither is the Atlantic's Ian Bogost:

There are reasons for the increased prevalence and severity of these breaches. More data is being collected and stored, for one, as more people use more connected services. Corporate cybersecurity policy is lax, for another, and sensitive data isn’t sufficiently protected. Websites and apps, which are demanded by consumers as much as they serve the interests of corporations, expose paths to data that should be better firewalled. Software development has become easy and popular, making security an afterthought, and software engineering has failed to adopt the attitude of civil service that might treat security as a first-order design problem. And hacking and data theft have risen in popularity and benefit, both as an illicit business affair and as a new kind of cold warfare.

Of course Equifax, as would be expected of a normally-functioning American corporation, bungled the response:

On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.

By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.

So, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach. We would expect nothing less from the credit reporting industry, with which few of us would choose to do business but nearly everyone has to sooner or later.

The solution many people recommend is to freeze your credit reports—for a fee, multiplied by 4 to make sure you get all of the credit-reporting agencies. (Everyone has heard of Equifax, TransUnion, Experian...and Innovis. You've heard of Innovis, right? The one that doesn't offer a free annual report?)

Almost immediately, a team of lawyers including a former Georgia governor filed a class-action lawsuit. So have a group of plaintiffs in Oregon. We can also expect an action from the SEC relating to at least three Equifax managers selling their stock right before the announcement.

This situation is why we have government. The incentives for credit-reporting agencies run directly counter to the incentives of the hundreds of millions of people whose data they store. (You're not Equifax's customer; commercial enterprises are.) Without government regulation and higher liabilities for data breaches, this will just keep happening. But that's not "business-friendly," so the right-leaning American and British governments will dither for another few years until someone publishes the leaders' own data. Because their incentives are bad, too.