STE WILLIAMS

Insider who scammed $14.3m lottery ‘win’ pleads guilty

Eddie Raymond Tipton, the former Hot Lotto security director who was convicted of running a malware-generating luck factory to scam his own lottery for $14.3m, is looking at up to 25 years in jail.

On June 29, the Iowa attorney-general’s office announced that Tipton had pleaded guilty to the felony charge of ongoing criminal conduct for his role in a multimillion-dollar lottery rigging scheme involving seven winning lottery tickets in five states.

Others in his ring of lottery ripper-offers have also been netted. Eddie’s brother, Tommy Tipton, pleaded guilty to conspiracy to commit theft, a Class D felony, and agreed to a state-recommended two-and-a-half month jail sentence on a serious misdemeanor theft charge.

Robert Clark Rhodes II, 46, of Sugarland, Texas, was previously arrested on charges of conspiring to influence the winnings of the Hot Lotto prize with the intent to defraud, falsely utter, pass or redeem a lottery ticket. The multistate lottery association itself is also in the hot seat: it’s facing multiple lawsuits filed by aggrieved lottery players who say their chances of hitting the jackpot were squelched by the association’s feeble security.

As we reported in April 2015, some people are born lucky. Some people make their own luck.

Some people insert their luck via self-deleting malware on a thumb drive, thereby ensuring that the state Hot Lotto lottery will spit out a number that wins them a sweet jackpot.

That’s how Eddie Tipton did it: he slipped his luck-generating thumb drive into the highly locked-down lottery number generating computer at the Multi-State Lottery Association (MUSL).

He had been the security director for the MUSL, a nonprofit organization made up of lottery departments in 37 states. The association is responsible for the software, equipment and technological wizardry behind multimillion-dollar jackpots.

As MUSL security director, Tipton designed, programmed and maintained software for computerized random number generators used to select winning lottery numbers in many states. Tipton’s position gave him access to the electronic brains behind the 16-state Hot Lotto game: two computers housed in what the HoustonPress describes as “the glass-walled chamber of an otherwise bland, beige-brick shoebox of a building next door to a giant Goodwill store in Urbandale, Iowa”.

Bland it may have been, but it’s the scene of quite the crime. A crime that the HoustonPress called…

…the most ballsy, brazen and ultimately ridiculous lottery-rigging mystery ever – a convoluted mess involving shady offshore tax shelters, the Royal Canadian Mounted Police, a bigfoot hunter and, ultimately, a best friend’s betrayal.

Court documents have described the glass-enclosed nerve center of the operation as a room that could only be entered by at least two people at a time, and which was monitored by a video camera. Evidence pointed to a surveillance camera having been tampered with so that it only recorded one second of footage per minute. Investigators suspect that would have given Tipton the time he needed to insert a USB thumb drive into MUSL’s computer and upload a malicious DLL file.

According to Bleeping Computer, investigators said that the DLL was almost identical to the original – except that it had been tweaked with two code blocks that enabled Tipton to hijack the standard random number generator (RNG) algorithm and produce predictable winning numbers if the lottery draw took place on three days of the year (May 27, November 22, and December 29), on two particular days of the week (Wednesdays or Saturdays), and after a certain time of day (after 20:00).

The DLL also contained code that would trigger self-delete after a certain period of time. Investigators lucked out when they found that one of those files had failed to self-delete.

Tipton’s tinkering with the random number generator spanned the states of Iowa, Wisconsin, Colorado, Oklahoma, Texas and Kansas. In June, he pleaded guilty in Wisconsin to theft by fraud and a computer crime charge for defrauding the Wisconsin Lottery in 2007, when he and an accomplice pocketed more than $783,000 for a Wisconsin Megabucks jackpot.

But it was the $14.3m Iowa win that brought his winning streak to a screeching halt. In December 2011, Crawford Shaw, a New York attorney, showed up a year after the lottery ticket purchase, mere hours before it was set to expire, and tried to redeem it on behalf of a mysterious company incorporated in Belize.

But given that Iowa state rules stipulate that lottery winners be made public, the winnings were never released, and authorities’ suspicions were aroused.

Shaw would turn out to be only one of a string of men who tried to cash the $14.3m ticket on behalf of an anonymous party.

Tipton was nailed by surveillance video taken in a QuickTrip near Interstate 80: after police released the footage, Tipton – who was in fact banned by his employer from buying lottery tickets – was recognized in it by an employee of the MUSL.

A judge has ordered Tipton to pay $1.4m in restitution, while his brother is facing a payment of $800,000. This is the amount authorities have managed to prove the two were able to cash in from fraudulently winning lottery tickets.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vnL8E2uBdIQ/

SQL injection attacks controlled using Telegram messaging app

Earlier this year, Russian cybercriminals started hawking around a new $500 (£385) tool called “Katyusha Scanner” that automates searching for and exploiting SQL injection (SQLi) vulnerabilities on websites.

Sad to report, it has proved popular in the underground, say the researchers who discovered it for sale: paying customers need do little more than configure a server running the open-source Arachni web application scanner, normally a tool for the pen-testing good guys.

So far, none of this is terribly newsworthy. Using web application vulnerability scanners in this way has been going on for years, while SQL injection has been at the top of the OWASP Top 10 worry list since its earliest days.

But Katyusha (the name comes from a second world war rocket launcher beloved of Russian nationalists) does have several telling innovations that make it worth paying attention to, the first of which is that the entire process is controlled and monitored using the Telegram encrypted messaging platform.

Customers can upload target sites for it to scan and be told about any vulnerabilities found in a neatly packaged, easily understood report. Katyusha also helps with the exfiltration of compromised data, helpfully supports lots of database types and can even be wielded to brute-force login credentials. It does a bit of everything.

It’s akin to PlayStation hacking – except this isn’t a game and non-technical cybercriminals can do all of this from a smartphone app as well as a browser. This is quite an advanced way to re-purpose Telegram even if the KillDisk and TeslaCrypt ransomware pioneered command and control using its API.

Why Telegram? It might be easier to ask why not. Granted, it provides privacy but that’s not usually a problem with command and control. More likely, it’s just a platform with powerful features that cybercriminals already use.

Another theme is throughput. The tool has been purchased only 10 or 15 times but given that customers can start by scanning 500 websites using it, the damage level could rise alarmingly over the next few weeks.

At this point, Naked Security should really issue a stern warning about avoiding SQLi attacks in the first place, which involves being careful with dynamic database queries from the user side.

There is a bundle of advice out there, most of it years old and, in too many cases, completely ignored. As Recorded Future notes:

Common defenses against SQL injection attacks include using parameterized statements as opposed to concatenating strings in code, using object relational mapping frameworks to generate SQL statements, proper escaping of special string characters in input parameters, and sanitizing inputs that appear suspicious.

Plug this sort of yawning gap and the criminals behind Katyusha would have to earn their living some other way.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/4uBpFjoHF8w/

Dark web souk AlphaBay shuts for good after police raids

Dark web marketplace AlphaBay’s closure last week followed an international law enforcement operation and multiple raids, it has emerged. It has also been reported that a key suspect who was arrested in the raids has died in custody.

The world’s biggest online drug bazaar dropped offline on 5 July, sparking fears that its administrators had disappeared taking a swag bag of digital currency with them, pulling an “exit scam” like other dark web marketplace kingpins before them.

The Wall Street Journal reports that a Canadian suspected of running AlphaBay was arrested in Thailand on 5 July following an international police operation involving authorities in the US and Canada as well as Thailand. Alexandre Cazes, the 26-year-old who had been accused of being the site’s admin, was found dead in a Thai jail cell on Wednesday, the WSJ adds.

The Bangkok Post reported that Cazes had been resident in Thailand for about eight years and had a Thai wife. Thai authorities said they’d seized four Lamborghini cars and three upmarket residences with a combined value of $11.7m (400 million Thai Baht). US authorities had apparently been seeking to extradite Cazes at the time of his death.

The AlphaBay marketplace disappeared in the early hours of Wednesday, 5 July. Redditors quickly voiced fear that an exit scam had taken place amid estimates that up to $3.7m in digital currency was tied up in the marketplace and might have been stolen. Assurances were made by purported AlphaBay admins that the outage was due to an unannounced security update on its servers, an assurance that rang ever more hollow the longer AlphaBay was unavailable.

AlphaBay took on the mantle from the infamous Silk Road before it to become the largest marketplace on the dark web.

Dark web shoppers and traders often assume exit scams are taking place when dark web marketplaces go offline. Alternative explanations include anything from DDoS attacks by competitors and law enforcement action to unannounced site maintenance. Threat intelligence experts reckon that other darknet marketplaces will grow to fill the gap left by AlphaBay’s demise.

Avi Kasztan, chief exec of Sixgill, predicted that “Dream Market” is likely to become the next major player on the dark web.

Dream Market has operated in the shadows of AlphaBay over the last year gaining traction over recent months to become the second largest market on the darknet. It specialises in offering drugs, counterfeit items, stolen data, fraudulent products, and more.

Threat intelligence firm Digital Shadows adds some AlphaBay users were so fond of their former haunt that they have created a new iteration of the marketplace, dubbed GammaBay. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/14/alphabay/

Beware, sheep rustlers of the South West! Police drone spy unit gets to work

+Comment Devon and Cornwall Police is launching its drone-equipped aerial surveillance team today.

The flying spy team was first established two years ago on a trial basis and has now been made a permanent unit within DC Police. Its remit is to provide the same sort of aerial surveillance that the force helicopter provided, but at lower cost.

The squad is equipped with six DJI Inspire 1 drones fitted with HD zoom cameras capable of beaming thermal imaging data back to ground-based cops. Its operators are all trained to Civil Aviation Authority standards.

DC Police hopes to have 40 trained operators and 18 drones on strength by the start of 2018, according to the BBC.

Each of the unmanned aerial vehicles costs around £2,000, according to the police.

“Drones will aid officers as part of missing person searches; crime scene photography; responding to major road traffic collisions; coastal and woodland searches and to combat wildlife crime,” said Chief Superintendent Jim Nye, who is responsible for the drone squad, in a canned statement. “Drones can even help police track and monitor suspects during a firearm or terrorist incident, as it will allow officers to gain vital information, quickly, safely, and allow us to respond effectively at the scene.”

+Comment

Sky News quoted privacy lawyer Charlotte Harris asking, rhetorically: “How many individuals who aren’t part of an investigation will be affected by this?”

The answer, inevitably, will be “lots”. Police forces in general are delighted at the explosion in surveillance capabilities that modern technology affords them, adopting the “snoop on them all, the courts can sort the innocent from the guilty later” approach. Legal controls on police use of images, including those gathered from drones, are so weak and poorly enforced as to be meaningless in practice.

For example, while the High Court ruled in 2012 that the Metropolitan Police’s policy of never deleting anything from its ever-enlarging custody mugshot database was illegal, the capital’s finest just blew a raspberry at Lord Justice Richards and ignored him – with the Home Office happily egging them on over a period of years and even making excuses for police defiance of the court.

This is not to suggest that Devon and Cornwall Police takes the same cavalier attitude towards obeying the law that their colleagues in the Big Smoke do. A force press release from 2015 reveals the sort of everyday images and video that their drones collect, while carefully omitting any zoomed-in or thermal images of the sort that would infringe the privacy of the innocent.

Sussex Police also has a drone unit, complete with a commendably clear Q&A page on what they are, what kit is fitted to them, how they are used and a privacy impact assessment. The force has, it says, worked with the Surveillance Commissioner in developing its policy and processes for using drones and footage obtained from them. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/14/devon_cornwall_police_drone_unit/

Want to kill your IT security team? Put the top hacker in charge

Managing an IT department at the best of times can be a struggle, and managing a security team has its own special challenges.

But whatever you do, don’t put an engineer, even your best, in charge, unless their people management skills are as good as their infosec knowhow.

“All my staff are basically volunteers,” Mike Murray, VP of intelligence for mobile security biz Lookout, told The Register this week. “The people are all so highly competent and completely in demand. I know any person on my team could have four jobs at the end of the day if they asked for it.”

Murray will be giving a talk on managing IT staff at the Las Vegas BSides security conference, and has over a decade’s worth of experience in managing these most picky of staff members. The biggest mistake he sees companies making is also one of the most common – finding the best team member and making them the boss.

The skill sets required to be a good security engineer bear very little relation to those needed for managing a department, but some businesses insist on following procedure. Appointing them boss, Murray said, almost always ends in failure.

Thankfully companies are now recognizing this, he said, and are running twin career tracks in IT security. Those who want to slip into a suit and manage can do so. There are also a lot of distinguished engineers making as much money as a VP and still getting down and dirty with security code.

For those managing security teams there are two key mistakes to avoid, Murray said. The first – an error he himself made early in his career – is to not manage enough and just trust that it’ll all work out. It’s tempting to think that such highly skilled individuals could work on their own, but guidance needs to be given.

The other mistake is to go too far in the other direction – to micromanage and go fully corporate. Nothing is going to get your staff demoralized and moving on like making them fill out timesheets, he said.

“It’s a different mindset – my people go home and code for fun. You don’t get a company accountant going home and doing spreadsheets for fun,” he said. “You need to let people get on with the job in a way that allows them to get the maximum amount done in an atmosphere in which they are most comfortable.”

One of the things you do have to get used to in managing security teams is that you’re no longer the smartest cookie in the room. Murray admitted that it has been at least seven years since he wrote a decent shellcode exploit and he expects his staff to be better than him.

However, you do need to have the basics down, he said. If a staffer is trying to tell you a two-day job could take a month, you need to have the tech chops to tell them they are bullshitting.

Staff aren’t transferable either, he said. Murray’s last job was doing IT security for GE Healthcare and he said that he didn’t bring any of his old staff with him. Likewise, he’d be unlikely to take Lookout staff with him at his next job, because security staff setups are individual to each company. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/14/managing_white_hats_at_work/

Another day, another mass domain hijacking

More than 750 domain names were hijacked through the internet’s own systems, registrar Gandi has admitted.

Late last week, an unknown individual managed to get hold of the company’s login to one of its technical providers, which then connects to no fewer than 27 other top-level domains, including .asia, .au, .ch, .jp and .se.

Using that login, the attacker managed to change the domain details on the official nameservers for 751 domains on a range of top-level domains, and redirect them all to a specific website serving up malware.

The changes went unnoticed for four hours until one of the registry operators reported the suspicious changes to Gandi. Within an hour, Gandi’s technical team identified the problem, changed all the logins and started reverting the changes made – a process that took three-and-a-half hours, according to the company’s incident report, published this week.

Taking into account the delay in updating the DNS, the domain names had been hijacked for anywhere between eight and 11 hours, Gandi admits.

Ironically, one website impacted by the attack was Swiss information security company SCRT, which has written a blog post about the hijack of its website. It notes that all of its emails were also redirected during the attack, but fortunately whoever carried out the attack did not set up email servers to grab them.

The company said that “despite the fact that this incident was entirely out of our control,” it has since added extra security around its website and DNS, including:

  • Preloading strict-transport-security into browsers to protect all visitors.
  • Active monitoring of DNS resolution.
  • Start talking to its registry (.ch) about how to detect a similar attack in future and act faster.
  • Add DNSSEC for an extra layer of security.

Gandi meanwhile has reset all its logins and has launched a security audit of its entire infrastructure in an effort to figure out how its logins were stolen.

“We sincerely apologize that this incident occurred,” said its report. “Please be assured that our priority remains on the security of your data and that we will continue to protect your security and privacy in the face of ever-evolving threats.”

The incident comes in the same week that a botched back-end handover of the .io top-level domain enabled a security researcher to register four of the seven domain names acting as the nameservers for the registry and potentially redirect tens of thousands of domains to a malicious website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/13/swiss_domain_name_hijack/

Kerberos bypass, login theft bug slain by Microsoft, Linux slingers

A vulnerability hidden in Kerberos code for more than 20 years met its end in patches issued this week by Microsoft and several Linux vendors.

Having found the flaw three months ago in Heimdal, an open-source implementation of Kerberos, Jeffrey Altman, founder of AuriStor, and Viktor Dukhovni and Nicolas Williams from Two Sigma Investments, dubbed the bug Orpheus’ Lyre.

Just as the mythological Orpheus used his lyre to sneak past Cerberus, this errant bit of code can bypass Kerberos.

The vulnerability has to do with the way Kerberos handles authentication messages that combine both cryptographically protected data and unauthenticated plaintext. Affected implementations of Kerberos fetched metadata from unprotected key distribution center (KDC) tickets rather than encrypted KDC responses, something Altman characterized as a logic error.
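A deliberately simplified model of the logic error just described, added here as an illustration; it is not Kerberos code, not the Heimdal or Microsoft implementation, and not the researchers’ own material. A KDC reply carries the service name both in the cleartext ticket header and inside a part protected under the client’s key; the constructed "protection" below is an HMAC over JSON standing in for Kerberos encryption, and the key, principal names and realm are all made up.

```python
import copy
import hashlib
import hmac
import json

# Constructed client long-term key; in Kerberos this is derived from the
# user's password and shared only with the KDC.
CLIENT_KEY = b"constructed-client-key-not-real"


def protect(key: bytes, fields: dict) -> dict:
    """Stand-in for the enc-part: fields plus an integrity tag under key."""
    body = json.dumps(fields, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unprotect(key: bytes, blob: dict) -> dict:
    """Verify the tag before trusting anything inside the protected part."""
    expected = hmac.new(key, blob["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("integrity check failed on encrypted part")
    return json.loads(blob["body"])


def kdc_reply(sname: str, srealm: str) -> dict:
    """Model of a KDC-REP: a ticket whose header names the service in the
    clear, and an enc-part (readable only by the client) naming it again."""
    return {
        "ticket": {"sname": sname, "realm": srealm},
        "enc_part": protect(CLIENT_KEY, {"sname": sname, "srealm": srealm}),
    }


def rewrite_cleartext(rep: dict, sname: str, srealm: str) -> dict:
    """What someone on the network can do: edit the unprotected ticket header.

    The enc-part cannot be altered without the client key, so it is left as is.
    """
    forged = copy.deepcopy(rep)
    forged["ticket"] = {"sname": sname, "realm": srealm}
    return forged


def vulnerable_client(rep: dict) -> tuple:
    """Affected behaviour: decrypts the enc-part but takes the service name
    and realm from the cleartext ticket, so the tampered names win."""
    unprotect(CLIENT_KEY, rep["enc_part"])
    ticket = rep["ticket"]
    return (ticket["sname"], ticket["realm"])


def hardened_client(rep: dict) -> tuple:
    """Fixed behaviour: only fields from the verified enc-part are trusted."""
    enc = unprotect(CLIENT_KEY, rep["enc_part"])
    return (enc["sname"], enc["srealm"])


if __name__ == "__main__":
    genuine = kdc_reply("host/fileserver", "EXAMPLE.TEST")
    forged = rewrite_cleartext(genuine, "host/rogue-box", "EXAMPLE.TEST")
    print("vulnerable client believes:", vulnerable_client(forged))
    print("hardened client believes:  ", hardened_client(forged))
```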

The flaw could be used for credential theft and remote privilege escalation, though to exploit it, an attacker would have to have network access.

“The attacker needs to be on the network and to have control over a service principal that the client could communicate with,” said Altman in a phone interview with The Register. “As far as we know there are no exploits in the wild. But it certainly is exploitable and we consider it to be very serious.”

Altman said every Kerberos implementation needs to be checked for this issue. While efforts have been made to notify companies like Microsoft that rely on Kerberos, not every vendor can be expected to have fixed the vulnerability.

“Given how broadly Kerberos has been deployed over the last almost 30 years, it clearly is in a wide ecosystem with a lot of different vendors,” he said, adding that some affected code may never be fixed because the vendors no longer exist.

The Orpheus’ Lyre bug arose independently in multiple different Kerberos 5 implementations, including one by KTH Royal Institute of Technology in Sweden (Heimdal) and one by Microsoft.

“The frightening part about this bug is it wasn’t a bug in one or two implementations, it had been implemented over and over again,” said Altman.

Tampering

That suggests the specification provided insufficient guidance. Altman, however, said the necessary information to build the code securely was there, it just didn’t scream at you. “A developer working in the security space should have enough of a clue to understand that fields sent in the clear can be tampered with,” he said.

Altman said that in hindsight, the bug could have been prevented by removing the unencrypted fields, which would force the use of the encrypted ones when constructing an authentication request.

At the same time, he doubts modern tooling and techniques would have caught the bug, “because there is no annotation language to describe what is trusted and what is not.”

Altman believes that the longevity of this particular vulnerability challenges the notion that open source code is magically more secure than closed source code. “The fact that this has been around for as long as it has been in open source, I think, is just one more case that should debunk the theory that open source programming is in some way more secure than closed source programming.”

Both open source and closed source implementations failed in this case. “Microsoft had more money and more automated tools, and they could not find it,” he said. “The open source community could have an infinite number of eyeballs looking at the code, but the reality is no one ever does.”

Altman recounted interviewing many years ago at both IBM and Microsoft. At IBM, he said, they proudly showed off the company library and advised him to start there before working on any code to avoid reinventing the wheel. At Microsoft, he said, “They were very proud of the fact that they wanted everyone to reinvent the wheel. They felt that would result in faster, better evolution.”

Noting that both he and Dukhovni have decades of experience with Kerberos, Altman credited Williams’ relative inexperience as the thing that helped reveal the flaw. He suggested junior developers, because of their greater inquisitiveness, would be more likely to find bugs like this, while also noting that awareness of their lack of seniority might make them reluctant to speak up.

Altman expects these sorts of bugs to continue to plague the open-source community because developers are often not compensated for their contributions.

“We will never be reimbursed for the cost to our lives and the lost time to our companies for having done this favor to the world,” he said. “As a society, we need to understand what the costs of this work are.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/13/kerberos_bug_dead_after_two_decades/

Study: Backdoors Found on 73% of Compromised Websites

No such thing as ‘too small to hack,’ according to research from SMB security provider SiteLock.

The average website is attacked 22 times per day, according to findings released Wednesday by SiteLock, which specializes in security for small- to midsized businesses.

While most SMBs are not commonly targeted by highly sophisticated attacks, “what they do face is more attacks,” SiteLock president Neill Feather said in an interview with Dark Reading last month.

SMBs’ websites are often used by cybercriminals “as a vector for monetization,” he says.

And it isn’t just e-commerce sites. For example, blogs with active comment sections may be popular targets for spam, malvertising, and “resource theft,” according to the study. Twenty-one percent of the compromised sites – in SiteLock’s database of approximately 6 million – contained spam and 6% were being used to send automated attacks. 

Thirty-nine percent of the hacked sites were infected with shell programs, and 73% contained backdoors. 

For a small business, the material impact of these compromises can be dire, says Feather. “They’re in business one day, and the next day they’re not.” 

Article source: https://www.darkreading.com/cloud/study-backdoors-found-on-73--of-compromised-websites/d/d-id/1329340?_mc=RSS_DR_EDT

Black Hat to Host Discussion on Diversity

Panel of diversity pioneers will share their views and firsthand experience on how to make inclusion a priority in security.

It’s obvious cybersecurity has a diversity problem: just one-tenth of today’s cybersecurity workforce are minorities, and the number of women has basically plateaued for the past few years at a meager 11%.

Meanwhile, organizations struggle to fill positions on their security teams due to the well-documented talent gap.

The good news, however, is that some major companies and organizations are proactively working on creating a more diverse industry. They’re working on recruiting and retaining more women, minorities, and LGBTQIA security talent in order to create a more diverse and well-rounded profession.

That requires creating a culture of embracing, respecting, and understanding diversity of race, nationality, gender, and gender identity. It also involves a culture of inclusiveness, a concept that plays into the retention side of the equation. Just hiring women and minorities doesn’t necessarily equal diversity: the key is making them feel empowered and supported in their careers. Without that, their chances of staying in their jobs, or even in the industry overall, are slim.

Those are just some of the topics we’ll explore in-depth during the “Making Diversity a Priority” panel discussion on July 26 at 3 p.m. PT during the Black Hat USA conference in Las Vegas. I’ll be moderating an accomplished – and diverse – panel of security leaders who are pioneering diversity efforts and programs both within their organizations and throughout the industry, as they foster and support new talent.

We’ll look at real-world and first-hand efforts to establish diversity in security, as well as just how organizations can build a more diverse security team and create a culture of inclusion.

Here’s a sneak-peek at the distinguished panelists who will share their insights:

Aubrey Blanche, global head of diversity and inclusion for software firm Atlassian, as her title suggests works on diversity issues on a daily basis. Blanche will share her experience in establishing a diversity program that emphasizes the all-important element of inclusion.

Juliet Okafor is chair and strategic advisory board member for the International Consortium of Minority Cybersecurity Professionals, which among other things provides job placement programs and apprenticeships for minorities and women. Okafor has worked on programs that extend these opportunities for underrepresented groups.

Anthony Johnson, who is JP Morgan Chase & Co.’s managing director of corporate investment bank information security, will share what a well-established diversity program looks like. Johnson is also focused on outreach and strategies for filling the job pipeline with more diverse candidates.

Rick Howard, CISO at Palo Alto Networks and an advocate for diversity, recently worked in conjunction with the University of Alabama at Birmingham to introduce security to high schoolers with a Capture the Flag program that provides scholarship money. Howard brings to the diversity conversation the perspective of a security vendor.

That’s just a snippet of the expertise and experience these panelists will share. If you’ll be in Vegas for Black Hat USA, join us for this important and timely panel discussion, from 3-4 p.m. Pacific Time, in Banyan ABC at Mandalay Bay. The discussion will be followed by a Q&A session and an informal networking reception on-site. There’s no registration required for this special event within Black Hat USA, which also is offering other diversity-related events during the week there.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/careers-and-people/black-hat-to-host-discussion-on-diversity/a/d-id/1329350?_mc=RSS_DR_EDT

Who gets gold stars for looking after your privacy?

Apart from being tech companies, what do Adobe, Dropbox, Lyft, Pinterest, Sonic, Uber, Wickr and WordPress have in common?

The answer is that privacy group the Electronic Frontier Foundation (EFF) this week awarded all of them a maximum five-star rating for disclosing, documenting and, in some cases, resisting government access to the growing volumes of data they hold on their hundreds of millions of users.

Companies awarded only four stars across the five criteria measured include Google, Apple, Facebook, LinkedIn, Microsoft and Yahoo. Below this we enter a netherworld of companies (discussed below) given lower ratings where users should, presumably, start asking questions.

Anyone wanting more detail on the criteria can study the EFF’s explanation, but the exercise can best be summed up in the report’s title, “Who has your back?” To be clear, these are all measures of publicly stated policy and practice, not technology: this isn’t about how good a company’s encryption gubbins is.

The most interesting category (a new addition) is whether companies “promise not to sell out users”: in other words, not give up user data to intelligence agencies or third parties using some kind of quiet back channel.

This brings us to the meat of the report – which companies have been doing a bit of “selling out”, probably without anyone other than the EFF noticing it.

The obvious bad guys are telecoms companies – Verizon, Comcast, T-Mobile and AT&T – awarded a derisory one star each. This is because:

When it comes to adopting policies that prioritize user privacy over facilitating government data demands, the telecom industry for the most part has erred on the side of prioritizing government requests.

This matters because every user needs a telecoms provider to connect to the internet. The fact they are accommodating to official surveillance (whether legally mandated or optional) is a far bigger deal than the fact that companies like Adobe and Dropbox aren’t.

More surprising is the under-performance (two stars) of WhatsApp, which has been at the centre of making hard-to-surveil encryption mainstream, much to the chagrin of governments across the world. No matter – it is lumped in as a “sell-out” offender just like the telcos, largely because its data-sharing policies are vague – interestingly, more so than those of its parent company Facebook.

And how on earth did the ride-sharing Uber earn five stars? Most likely because the report measures behaviour in the last year, a period in which (despite numerous controversies) Uber actually tightened its privacy settings and policies.

An apparent weakness of the EFF’s report is its bias towards the US. In the past, this might have been seen as presenting an optimistic picture of privacy because it was assumed the US had better protections in place and a government interested in privacy.

No longer; indeed, it is striking that the two countries that light up the global heat map of information requests are the US and the UK, both of which have turned against the presumption of privacy in the last five years.

Arguments rage about whether such intrusion is justified by threats such as terrorism, or even sustainable. Democratic governments depend on consent and public opinion can change rapidly. Perhaps what matters most is simply that what is going on is noticed and documented by someone.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Lim_SYNxsrU/