New app helps you identify IoT devices around you, tells you what data they collect

Researchers at Carnegie Mellon have come up with this new IoT Assistant app (available for both iOS and Android) that will supposedly inform you about what Internet-connected smart devices are around you at any point in time, and what kind of information they might be collecting.

“Because of new laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), people need to be informed about what data is collected about them and they need to be given some choices over these processes,” says Professor Norman Sadeh, a CyLab faculty member in Carnegie Mellon’s Institute for Software Research and the principal investigator on the project. “We have built an infrastructure that enables owners of IoT technologies to comply with these laws, and an app that takes advantage of this infrastructure to empower people to find out about and control data collected by these technologies.”

I've downloaded the app myself, and I plan on adding my own smart home devices to their database, just to see what I can find. I don't know how well it will actually work, but I'm certainly intrigued by the idea.

New infrastructure will enhance privacy in today’s Internet of Things [Daniel Tkacik / CyLab, the Carnegie Mellon University Security and Privacy Institute] Read the rest

Zappos Data Breach consolation might be the most egregious one yet

Back in 2011, I signed up for a Zappos account so I could buy pants for a wedding I was in. Then I returned them because they didn't fit. I ended up buying them at the local Macy's instead (although I bought the wrong shade of grey, oops).

That should have been the end of my relationship with Zappos. Until I received this email the other day:

Zappos put me at risk by exposing my data. And the best mea culpa they can offer is "Here's a discount so you can help us to increase our Q4 revenue!" That might be even pathetic than the $125 offering from Equifax. Equifax may have exposed more personal information, but unless I plan on buying a $2,000 pair of John Lobb boots from Zappos—thus giving $1800 back to the company that just screwed over my data—then I'm basically getting nothing.

To be clear, Zappos offer here has only been preliminarily approved by the court in charge of the settlement. If enough people say, "I'm not paying you to pay me financial damages," the judge may change their mind. But I wouldn't hold my breath. If the only consequence to expose customer data is increasing Q4 revenue, then there's never going to be any incentive for any company to give a shit about the personal information of the people who keep them in business. And that's not a healthy economy.

Image: Patrick Kitely/Flickr Read the rest

NASA got hacked

It seems that we can't have nice, unhacked things. According to Gizmodo, someone has hacked NASA's personnel database to gain access to social security numbers and other personal information of the space agency's staff.

News of the security breach was only disseminated via memo to NASA's employees on December 18th, despite the fact that the agency became aware of the hack back on October 23rd.

From Gizmodo:

According to the memo, NASA is working with federal investigators to determine the extent of the breach and who might be responsible. It said that servers were accessed that contained the personal information of employees that worked at the agency between July 2006 and October 2018. The message was sent to inform employees to take the necessary precautions to prevent possible identity theft. It seems that investigators still haven’t narrowed down the employees who may have been effected, however the agency promised to notify individuals as that information becomes available.

When contacted for comment by Gizmodo, a NASA spokesperson could not say exactly how many employees’ information was potentially exposed, but they did confirm that the agency “does not believe that any agency missions were jeopardized by the intrusions.”

If anyone knows who's responsible for the hack, they're keeping their mouths shut about it. Hacking's so hot right now -- the breach could have been pulled off by anyone from a code-savvy lone-acting lady at a coffee shop to a high-falootin' government sponsored collective in Eastern Europe. Also, China. It'll be interesting to see what, if anything, is done with information that was obtained during the hack. Read the rest