Saturday, December 21, 2019

Simple changes to Amazon’s Ring could protect users from hacks

In the wake of news last week that a hacker was able to watch and communicate with an 8-year-old girl in Mississippi by using an Amazon Ring camera her parents had installed in her bedroom, the smart security device company downplayed the incident and deflected the blame from itself. “Rest assured, we’ve investigated these incidents and did not find any indication of an unauthorized intrusion or compromise of Ring’s systems or network,” Ring wrote in an email sent to users a few days after the highly publicized incident. Yet some Ring customers across the country have reported similar hacks of their smart cameras and video doorbells. Ring’s defense misses the point and is a disservice to its customers. Yes, it’s important to know that the hack wasn’t a breach of Ring’s internal systems, but that is unlikely to prevent such hacks from continuing to happen. Rather than dismissing the incident and putting the blame on users, the company could roll out a simple change that privacy experts have long advocated for on just about any service or product that requires a login: mandatory two-factor authentication. The hacker was able to access the camera with a username and password found in an online database of previously compromised login information (you can check to see if your logins have been compromised by going to haveibeenpwned.com). The ability to connect to a Ring camera from anywhere is a feature the company touts, though it’s supposed to be available only to the device owners and the people they choose. Ring suggested in its email that consumers practice better password security by not reusing passwords, updating their passwords regularly, and by enabling two-factor authentication, a process that requires users to supplement their username and password with an extra piece of information, usually a personal code generated by their phone, in order to log in.



Ring’s advice is sound. People should absolutely set up two-factor authentication on their devices, and should also check to see whether any of their logins have been compromised by going to haveibeenpwned.com. But expecting consumers to take these precautions on their own rarely works. One study found that less than one-third of Americans use two-factor authentication, and more than half have never even heard of it. Most people simply go with the easiest thing possible: the username and password they actually remember — the one they’ve used before. It’s ironic that a product that unrealistically inflates users’ fear of crime is itself less than secure. These issues, of course, are not unique to Ring. “Ring isn’t a camera; it’s an internet-connected computer that happens to have a camera on it,” Brian Vecci, field CTO at data protection and analytics company Varonis, told Recode. “Any internet-connected computer is vulnerable to attack.” Ring is a mass-market, highly popular device that’s likely showing up under trees and in shiny gift wrap across the country this holiday season, despite warnings from consumer groups of the product’s various privacy issues, including the inadvertent sharing of the location of Ring devices without permission and police handing over Ring footage to ICE and other law enforcement agencies, as well as the ongoing potential for hacking. Ring could make consumers do the right thing and mandate two-factor authentication, or perhaps assign its own unique passwords. It could require confirmation from device owners before allowing new sign-ons. It could also better detect suspicious behavior like multiple login attempts or logins from strange locations. This is, of course, a trade-off. “Security is often in contrast to convenience,” Vecci said. “Ring could hypothetically require using a fingerprint reader every time, but no one would use it. They’re trying to balance convenience with security.” Small inconveniences, however, are preferable to big violations of personal privacy.
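The two server-side checks the article says Ring could add, flagging bursts of login attempts across many accounts from one source (the signature of a breached credential list being replayed) and holding successful sign-ons from unfamiliar locations until the owner confirms, worked as an added example that is not Ring’s code or the article’s; the log format, the IP-to-region table and the accounts’ enrolled regions are all constructed here:

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample auth log for a hypothetical camera-cloud service (not Ring's real
# log format): timestamp, account, source IP, outcome. 203.0.113.7 replays a breached list.
SAMPLE_LOG = """\
2019-12-20T03:01:10 alice@example.com 203.0.113.7 FAIL
2019-12-20T03:01:12 bob@example.com 203.0.113.7 FAIL
2019-12-20T03:01:14 carol@example.com 203.0.113.7 FAIL
2019-12-20T03:01:16 dave@example.com 203.0.113.7 SUCCESS
2019-12-20T08:15:00 alice@example.com 198.51.100.20 SUCCESS
2019-12-21T22:40:00 alice@example.com 192.0.2.9 SUCCESS
"""

# Constructed stand-ins for a geolocation lookup and for each account's enrolled region(s).
IP_REGION = {"203.0.113.7": "region-X", "198.51.100.20": "home", "192.0.2.9": "region-Y"}
KNOWN_REGIONS = {f"{u}@example.com": {"home"} for u in ("alice", "bob", "carol", "dave")}

def parse_log(text):
    # One (timestamp, account, ip, outcome) tuple per line, oldest first.
    rows = (line.split() for line in text.splitlines())
    return sorted((datetime.fromisoformat(ts), acct, ip, out) for ts, acct, ip, out in rows)

def stuffing_sources(events, window_s=60, min_accounts=3):
    """IPs that tried >= min_accounts distinct accounts within window_s seconds (stuffing)."""
    by_ip = defaultdict(list)
    for ts, account, ip, _ in events:
        by_ip[ip].append((ts, account))
    flagged = set()
    for ip, attempts in by_ip.items():
        for i, (start, _) in enumerate(attempts):
            accts = {a for t, a in attempts[i:] if (t - start).total_seconds() <= window_s}
            if len(accts) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def logins_needing_confirmation(events, known=KNOWN_REGIONS, stuffers=frozenset()):
    """SUCCESS sign-ons to hold for owner confirmation: new region, or a flagged source IP."""
    held = []
    for _, account, ip, outcome in events:
        region = IP_REGION.get(ip, "unknown")
        if outcome == "SUCCESS" and (region not in known.get(account, set()) or ip in stuffers):
            held.append((account, ip, region))
    return held

def triage(text=SAMPLE_LOG):
    events = parse_log(text)
    stuffers = stuffing_sources(events)
    return {"stuffing_sources": stuffers,
            "hold_for_confirmation": logins_needing_confirmation(events, stuffers=stuffers)}
```

Note that dave’s sign-on is held even though it succeeded on the first try: a correct password from a source that just cycled through three other accounts is exactly the case the breached-credential attack produces.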

Over 267 Million Facebook User Data Leaked on Dark Web

According to reports, more than 267 million Facebook users’ IDs, phone numbers, and names have been exposed on the Dark Web. Comparitech and security researcher Bob Diachenko reported that the information was found in a database that was accessible without a password; the researchers believe the data was gathered as part of an illegal scraping operation or through abuse of the Facebook API. The database was exposed for nearly two weeks; Diachenko reported it to the service provider managing its IP address. According to Engadget, a spokesperson stated: “We are looking into this issue, but believe this is likely information obtained before changes we made in the past few years to better protect people’s information.”



Earlier, in September, a security researcher found a similar database with 419 million records connected to Facebook accounts. Last September, 50 million accounts were hacked when attackers exploited a “vulnerability” in Facebook’s “View As” feature. Of course, prior to that, Facebook exposed 87 million users’ data to Cambridge Analytica, sparking a scandal that saw CEO Mark Zuckerberg summoned to Washington to testify before both the House Committee on Energy and Commerce and the Senate Judiciary and Commerce committees. In other tech news, Apple has entered the satellite business in order to beam data directly to your devices.

Netflix’s The Witcher is a dark, funny, and faithful adaptation of the fantasy series

You learn nearly everything you need to know about The Witcher hero Geralt (Henry Cavill) a few minutes into the first episode. The titular witcher — a work-for-hire monster hunter with some helpful superpowers — is first seen in a swamp, nearly killed by a giant spider monster, beaten and almost drowned. In the next scene, Geralt heads to a local pub for information on his next quest, only to be subjected to ridicule and scorn from villagers who are scared of his supernatural nature. Ultimately, he’s saved from a barroom brawl thanks to a helpful young woman, who very quickly becomes a romantic partner. The Netflix adaptation captures the enigmatic hero perfectly. He’s struggling to survive in a world that hates him, stubbornly sticking to a moral code that forces him into dangerous situations. He’s gruff and sarcastic, always down for a fight, impossibly charming, and frequently irresistible. It’s a premise that worked well in book and video game form — and now it’s one of the best series on Netflix. As a TV show, The Witcher is particularly refreshing in an era full of nihilistic fantasy stories inspired by Game of Thrones. Yes, the show gets brutal at times. The wonderfully choreographed fight scenes are extremely violent, as is one very particular and hard-to-watch magical transformation.



It’s a show where — shock! — the bad guys are usually humans, not monsters. What makes The Witcher feel different, though, is in the details. These stories aren’t full of people being awful for the sake of it; they’re making choices based on love or survival, and then things go wrong. What makes The Witcher so compelling is how it delves into these gray areas, exploring why people do what they do. By the end, you’ll have some measure of sympathy for almost everyone, no matter how irredeemable they might seem at first. Crucially, The Witcher has a sense of humor. It’s not all dark and dire. Jaskier (Joey Batey) frequently plays the comedy relief, following Geralt around despite not being welcome, in order to turn Geralt’s exploits into song, sometimes breaking the fourth wall in the process. “There I go again,” he says at one point, “just delivering exposition.” When he meets the witcher for the first time, the bard tells him “I love the way you just sit in a corner and brood.” Meanwhile, Geralt’s quietly sarcastic nature is on full display. He can cut through any situation, no matter how awkward or horrible, with a frustrated “fuck.” And one of the show’s most dramatic sex scenes is accompanied by a playful jig and gawking onlookers making jokes. The Witcher could’ve very easily turned out wrong. It’s not hard to misinterpret what it is that actually makes the series interesting, but the TV adaptation gets it. The Witcher is funny, intense, and uncomfortable, and it balances out those disparate emotions almost perfectly. Yes, it stars Henry Cavill in a bad white wig, but you’ll forget about all of that as soon as he starts talking.

One of Amazon’s first employees says the company should be broken up

Paul Davis literally helped build Amazon.com from scratch. Now he says it’s time to tear it apart. Davis, a computer programmer who was Jeff Bezos’ second hire in 1994 before the shopping site even launched, told Recode on Friday that the company should be forced to separate the Amazon Marketplace, which allows outside merchants to sell goods to Amazon customers, from the company’s core retail business that stocks and sells products itself. His reasoning? He’s troubled by reports of Amazon squeezing and exploiting the merchants who stock its digital shelves in ways that benefit Amazon, the company, above all else. Davis’ concerns come as Bezos’ company has come under increased scrutiny from politicians, regulators, and its own sellers, in part over the power it wields over small merchants who depend on the tech giant for their livelihoods. “There’s clearly a public good to have something that functions like the Amazon Marketplace. … If this didn’t exist, you’d want it to be built,” Davis said. “What’s not valuable, and what’s not good, is that the company that operates the marketplace is also a retailer. They have complete access to every single piece of data and can use that to shape their own retail marketplace.” Davis is referring to how Amazon uses data from its third-party sellers to benefit its core retail business, whether it be by scouring these merchants’ best-sellers and then choosing to sell those brands itself, or to create its own branded products through similar means. “They’re not breaking any agreements,” he added. “They’re just violating what most people would assume was how this is going to work: ‘I sell stuff through your system [and] you’re not going to steal our sales.’” Davis’ comments appear to be one of the first times that an early Amazon employee has called for the company to be broken up. Earlier this year, US presidential candidate Elizabeth Warren argued for the same.




And both the US House of Representatives and the Federal Trade Commission are scrutinizing Amazon’s business practices to determine if they are anticompetitive, including its dealings with the hundreds of thousands of merchants who are the backbone of Amazon’s unmatched product catalogue. An Amazon spokesperson sent Recode a statement, which read in part: “Sellers are responsible for nearly 60% of sales in our stores. They are incredibly important to us and our customers, and we’ve invested over $15 billion dollars this year alone—from infrastructure to tools, services, and features—to help them succeed. Amazon only succeeds when sellers succeed and claims to the contrary are wrong. Sellers have full control of their business and make the decisions that are best for them, including the products they choose to sell, pricing, and how they choose to fulfill orders.” Davis’ comments to Recode came after he posted an online comment alongside a New York Times article earlier this week about the challenges sellers face while doing business on Amazon. “For nearly 2 decades Amazon has used its control of its marketplace to strengthen its own hand as a retailer,” Davis wrote. “This should not be allowed to continue.” The Times article highlighted various ways that Amazon allegedly puts pressure on the merchants who are responsible for nearly 60 percent of all Amazon physical product sales, including burying their listings if they are selling the same product for less elsewhere and making it hard for brands that don’t advertise on the site to show up at the top of search results. (Recode spotlighted similar complaints from sellers in an episode of the Land of the Giants podcast series this summer.)

Apple Will Reward $1.5 Million USD Bounty to Anyone Able to Hack an iPhone

Apple has opened its bug bounty program to all security researchers, offering folks up to $1.5 million USD if they are able to find security vulnerabilities. The previously invite-only bug program offers a bigger cash bounty the more specific the vulnerability, up to $1 million USD (approximately £767,000 EUR) for a “zero-click kernel code execution with persistence and kernel PAC bypass.” An additional $500,000 USD (approximately £383,000 EUR) will be offered if the issue in question is a vulnerability Apple didn’t know about or a unique occurrence to a specific developer or public beta. Apple’s Security Bounty page also clarifies “the issue must occur on the latest publicly available versions of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration and, where relevant, on the latest publicly available hardware.”



Hackers must also disclose the issue to Apple first, before the official Apple security advisory is made public. “Reports lacking necessary information to enable Apple to efficiently reproduce the issue will result in a significantly reduced bounty payment,” the Apple requirements note, “if accepted at all.” To have a chance at the big bucks, hackers will have to provide not only enough information for Apple to be able to reproduce the issue at hand but also a “reasonably reliable exploit.” Although Apple agrees to still pay when such an exploit is not provided, the payout will be no more than half of the maximum bounty rate. If you’ve hacked an iPhone, send a message encrypted with the Apple Product Security PGP Key, with all videos, crash logs, diagnoses, etc., to product-security@apple.com.