Writing for Bloomberg Businessweek, Paul Ford says Facebook's "not-a-breach" of personal information on 50 millions of its users is just the latest example of why it's time for a digital protection agency.
Read the rest
Facebook’s recent debacle is illustrative. It turns out that the company let a researcher spider through its social network to gather information on 50 million people. Then the Steve Bannon-affiliated, Robert Mercer-backed U.K. data analysis firm Cambridge Analytica used that data to target likely Trump voters. Facebook responded that, no, this was not a “breach.”
OK, sure, let’s not call it a breach. It’s how things were designed to work. That’s the problem.
How might a digital EPA function? Well, it could do some of the work that individuals do today. For example, the website of Australian security expert Troy Hunt, haveibeenpwned.com (“pwned” is how elite, or “l33t,” hackers, or “hax0rs,” spell “owned”), keeps track of nearly 5 billion hacked accounts. You give it your email, and it tells you if you’ve been found in a data breach. A federal agency could and should do that work, not just one very smart Australian—and it could do even better, because it would have a framework for legally exploring, copying, and dealing with illegally obtained information. Yes, we’d probably have to pay Booz Allen or Accenture or whatever about $120 million to get the same work done that Troy Hunt does on his own, but that’s the nature of government contracting, and we can only change one thing at a time.
This weekend, we learned that Discus -- the commenting system we once used here on Boing Boing -- suffered a breach in 2012 in which 17.5m user accounts (email addresses, signup names, account activity dates and some unsalted, weakly encrypted passwords) were stolen. Read the rest
Troy Hunt, proprietor of the Have I Been Pwned? service, has made 306,000,000 known-cracked passwords available as a download -- you can grab the set and make sure that yours isn't among them, as these cracked passwords are the ones that are likely being used by hackers when they do brute-force attacks against encrypted password files. Read the rest
Kids Pass is a service that offers discounts on family activities in the UK; their website makes several common -- and serious -- security problems that could allow hackers to capture their users' passwords, which endangers those users' data on other services where they have (unwisely) recycled those same passwords. Read the rest
Troy Hunt, proprietor of the essential Have I Been Pwned (previously) sets out the hard lessons learned through years of cataloging the human costs of breaches from companies that overcollected their customers' data; undersecured it; and then failed to warn their customers that they were at risk. Read the rest
Spiral Toys -- a division of Mready, a Romanian electronics company that lost more than 99% of its market-cap in 2015 -- makes a line of toys called "Cloudpets," that use an app to allow parents and children to exchange voice-messages with one another. They exposed a database of millions of these messages, along with sensitive private information about children and parents, for years, without even the most basic password protections -- and as the company imploded, they ignored both security researchers and blackmailers who repeatedly contacted them to let them know that all this data was being stolen. Read the rest
Without an accurate census, it's virtually impossible to make good national policy, which is why so many countries make census participation mandatory (when former Canadian Prime Minister Stephen "Dumpster Fire" Harper made the long-form census optional, statisticians and policy wonks quailed) -- which is why the Australian government's decision to collect and retain -- for 10 years -- personally identifying information on census participants is such a big deal. Read the rest
Rosebuttboard.com is a forum for people whose sexual activities include inserting large items into their anuses; the site has been breached by a hacker, who now has details on over 100,000 of its users. Read the rest
Vtech is a ubiquitous Hong Kong-based electronic toy company whose kiddy tablets and other devices are designed to work with its cloud service, which requires parents to set up accounts for their kids. 4.8 million of those accounts just breached, leaking a huge amount of potentially compromising information, from kids' birthdays and home addresses to parents passwords and password hints. Read the rest