Showing posts with label Eye of Sauron. Show all posts

Saturday, June 15, 2024

It's time to opt out of Windows Recall

Holy cow, what a nightmare:

Microsoft is not giving up on its controversial Windows Recall, though says it will give customers an option to opt in instead of having it on by default, and will beef up the security of any data the software stores.

Recall, for those who missed the dumpster fire, was announced on May 20 as a "feature" on forthcoming Copilot+ Windows PCs. It takes a snapshot of whatever is on the user's screen every few seconds. These images are stored on-device and analyzed locally by an AI model, using OCR to extract text from the screen, to make past work searchable and more accessible.

The ultimate goal for Recall is to record nearly everything the user does on their Windows PC, including conversations and app usage, as well as screenshots, and present that archive in a way that allows the user to remind themselves what they were doing at some point in the past and pull up relevant files and web pages to interact with again. The archive can be searched using text, or the user can drag a control along a timeline bar to recall activities.

But security testers have raised doubts about the safety of recorded information and have developed tools that can extract these snapshots and whatever sensitive information they contain. The data is for now stored as an easy to access non-encrypted SQLite database in the local file system.

"Dumpster fire" doesn't even begin to describe it.  It's easy to imagine all sorts of ways that this would violate laws (e.g. storing healthcare PII unencrypted is a HIPAA violation).

Never mind what sort of reindeer games hackers might get up to - after all, Windows has historically been so difficult for viruses and malware to invade, amirite? 

If you're still using Windows, you should configure it to opt out of Recall.  Or upgrade to Linux.  All the cool kids are.
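The opt-out itself is a policy setting rather than a toggle buried in the Settings app. The snippet below is an added example, not part of the original post; it applies the "Turn off saving snapshots for Windows" policy for the current user and then reads the value back to confirm it took. The registry path and value name are taken from Microsoft's published policy documentation as I understand it, so treat them as an assumption to verify against current docs before relying on this on a managed fleet.

```powershell
# Added example, not from the original post: opt the current user out of Recall
# by setting the "Turn off saving snapshots for Windows" policy value.
# Assumption to verify against current Microsoft documentation: the policy is
# HKCU:\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis (DWORD 1).
$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Windows\WindowsAI'
$ValueName  = 'DisableAIDataAnalysis'

# Policy keys do not exist until some policy has been written there.
if (-not (Test-Path $PolicyPath)) {
    New-Item -Path $PolicyPath -Force | Out-Null
}

# 1 = snapshots disabled; -Force overwrites any existing value.
New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back rather than trusting the write: this is the check you would
# script into a compliance audit after each feature update.
$current = (Get-ItemProperty -Path $PolicyPath -Name $ValueName).$ValueName
if ($current -eq 1) {
    Write-Output "Recall snapshots disabled by policy for $env:USERNAME"
} else {
    Write-Warning "Policy value is '$current', expected 1; Recall may still be capturing"
}
```

Because it is a policy value, domain Group Policy can override or reapply it, so on a managed machine the durable fix is to set the same policy centrally and let this script serve only as a local verification step.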

Wednesday, May 15, 2024

Is the Signal secure messaging platform actually secure?

A competitor claims that it's not:

Telegram CEO Pavel Durov issued a scathing criticism of Signal, alleging the messaging service is not secure and has ties to US intelligence agencies.

...

Durov made his remarks on his Telegram channel on Wednesday, pushing a variety of points against the rival messenger app, including alleging it has ongoing ties to the US government, casting doubt over its end-to-end encryption, and claiming a lack of software transparency, as well as describing Signal as "an allegedly 'secure' messaging app."

...

The Register could not find public reports of Signal messages leaking due to faulty encryption. We also have reached out to the company and will update accordingly. 

I'm not sure what to think here, other than the US Intelligence Community is doing no favors for US tech businesses, and hasn't for a long, long time.  This sort of accusation will get some traction, whether it is true or not.

Thursday, April 18, 2024

Remember the FISA renewal vote?

You know, the one today?  Guess what?

It's actually got new stuff in it - and you are now required to spy for Uncle Sam.

Yes, you. But fear not, Citizen: NSA no doubt will be responsible in how they use this.

Monday, March 4, 2024

Judge issues restraining order keeping DOE from tracking bitcoin miners

Interesting:

Earlier this month, the US Department of Energy (DOE) announced its intention to gather basic information about the energy consumed by bitcoin mining. In making the decision, the DOE noted that the share of bitcoin mining happening in the US has shot up by a factor of over 10 just within the last three years, leaving the activity consuming as much electricity as a fairly populous state....

Albright's decision to issue the injunction is based largely on the fact that the DOE's decision to delay going forward with the survey was voluntary and could be rescinded at any time.

But he went beyond that by saying that the mining companies were likely to succeed on the merits of their case. In general terms, he noted that the DOE relied on its ability to enact emergency measures, and those are only applicable if there's a risk of public harm. The DOE will likely try to make the case that elevated carbon emissions and electricity costs both count as public harms, so Albright is suggesting that he's unlikely to find those compelling.

Ah, Climate Change.  Is there anything it can't do?  Except in west Texas, where the Judge doesn't buy the whole "Climate Emergency means more Government" thing.

 

Wednesday, January 3, 2024

So which stores use facial recognition technology to track you when you shop there?

Interesting.   There are a lot of surprises on this list, both stores I expected to use this tech who say they won't, and stores I expected not to who do.

(via)

Thursday, December 21, 2023

Big Pharmacy chains turn over medical info to police without warrants

Hey, you can trust the Government, right?

All of the big pharmacy chains in the US hand over sensitive medical records to law enforcement without a warrant—and some will do so without even running the requests by a legal professional, according to a congressional investigation.

...

They include the seven largest pharmacy chains in the country: CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, Inc., The Kroger Company, and Rite Aid Corporation. The lawmakers also spoke with Amazon Pharmacy.

All eight of the pharmacies said they do not require law enforcement to have a warrant prior to sharing private and sensitive medical records, which can include the prescription drugs a person used or uses and their medical conditions. Instead, all the pharmacies hand over such information with nothing more than a subpoena, which can be issued by government agencies and does not require review or approval by a judge.

This sure seems like a violation of HIPAA, not to mention that pesky Fourth Amendment.

(via)

Saturday, September 30, 2023

Signal to leave UK rather than backdoor their crypto

Well done:

Onstage at TechCrunch Disrupt 2023, Meredith Whittaker, the president of the Signal Foundation, which maintains the nonprofit Signal messaging app, reaffirmed that Signal would leave the U.K. if the country’s recently passed Online Safety Bill forced Signal to build “backdoors” into its end-to-end encryption.

“We would leave the U.K. or any jurisdiction if it came down to the choice between backdooring our encryption and betraying the people who count on us for privacy, or leaving,” Whittaker said. “And that’s never not true.”

The Online Safety Bill, which was passed into law in September, includes a clause — clause 122 — that, depending on how it’s interpreted, could allow the U.K.’s communications regulator, Ofcom, to break the encryption of apps and services under the guise of making sure illegal material such as child sexual exploitation and abuse content is removed.

"Child sexual exploitation".  Oooooh kaaaaay.  No doubt the UK.Gov is very concerned indeed at getting access to Prince Andrew's communications with Jeffrey Epstein.  Or something.

(via)


Tuesday, September 12, 2023

Data privacy in cars is basically non-existent

This is not surprising, but a systematic analysis from the Mozilla Foundation shows that no car company takes data privacy seriously - and Tesla tops the list of shame by having serious shortfalls in each of the five key privacy areas.  Most of the other big names (Ford, Mercedes, BMW, the GM stable) have issues on four.

Here are some highlights:

Some not-so-fun facts about these rankings:

  • Tesla is only the second product we have ever reviewed to receive all of our privacy “dings.” (The first was an AI chatbot we reviewed earlier this year.) What set them apart was earning the “untrustworthy AI” ding. The brand’s AI-powered autopilot was reportedly involved in 17 deaths and 736 crashes and is currently the subject of multiple government investigations.
  • Nissan earned its second-to-last spot for collecting some of the creepiest categories of data we have ever seen. It’s worth reading the review in full, but you should know it includes your “sexual activity.” Not to be outdone, Kia also mentions they can collect information about your “sex life” in their privacy policy. Oh, and six car companies say they can collect your “genetic information” or “genetic characteristics.” Yes, reading car privacy policies is a scary endeavor.
  • None of the car brands use language that meets Mozilla’s privacy standard about sharing information with the government or law enforcement, but Hyundai goes above and beyond. In their privacy policy, it says they will comply with “lawful requests, whether formal or informal.” That’s a serious red flag.
  • All of the car brands on this list except for Tesla, Renault, and Dacia signed on to a list of Consumer Protection Principles from the US automotive industry group ALLIANCE FOR AUTOMOTIVE INNOVATION, INC. The list includes great privacy-preserving principles such as “data minimization,” “transparency,” and “choice.” But the number of car brands that follow these principles? Zero. It’s interesting if only because it means the car companies do clearly know what they should be doing to respect your privacy even though they absolutely don’t do it.

So what do you do when choosing a new ride?  Some ideas come to mind ...


(via)

Thursday, August 31, 2023

For Sale: NASA Security Van

Low mileage.  Serious inquiries only.

Extra bonus points if you install a WiFi router and set the SSID to "NSA Surveillance Van 117" ...

(via)

Thursday, August 17, 2023

Zoom reserves the right to spy on your calls

Their new Terms Of Service say that they have the right to listen in on your calls and use them to train their AI.  Their execs say that they'd never do that, honest you guys.

Allrightee, then.

(source)

Friday, July 28, 2023

TETRA Police Radios have a cryptographic backdoor

Hmmmmm:

Most interesting are the researchers’ findings of what they describe as the backdoor in TEA1. Ordinarily, radios using TEA1 used a key of 80 bits. But Wetzels said the team found a “secret reduction step” which dramatically lowers the amount of entropy the initial key offered. An attacker who followed this step would then be able to decrypt intercepted traffic with consumer-level hardware and a cheap software defined radio dongle.

Looks like the encryption algorithm was intentionally weakened by intelligence agencies to facilitate easy eavesdropping.

There's an old saying that while there may be friendly foreign governments, there are no friendly foreign Intelligence Agencies.  Or domestic ones either, seemingly.

Even if you're a LEO.  Note that this makes secure police communications problematic.  Not cool.

Thursday, June 8, 2023

10 years after Snowden

Edward Snowden released his bombshell revelations ten years ago.  These showed that there was mass government spying on US citizens by US intelligence agencies; it also showed without a doubt that General Clapper perjured himself before the US Senate when he denied that this was the case.

Ten years later, Snowden is a refugee from the US Government, and Gen. Clapper is free as a bird (and guilty as sin).  This tells you much about how much trust to put in the US Government.

There are two excellent retrospective articles about this: The Register walks us through much of the narrative about the who, what, and when of the last ten years.  Highly recommended.  Here's the TL;DR:

"Ten years have gone by," since the first Snowden disclosures, "and we don't know what other kinds of rights-violating activities have been taking place in secret, and I don't trust our traditional oversight systems, courts and the Congress, to ferret those out," Wizner said. "When you're dealing with secret programs in a democracy, it almost always requires insiders who are willing to risk their livelihoods and their freedom to bring the information to the public."

Bruce Schneier has a fascinating piece from the perspective of someone who was involved with the disclosures.  Also highly, highly recommended.  Schneier is a security big wig, and so there's a fair amount of security industry inside baseball.  For example:

I ended up being something of a public ambassador for the documents. When I got back from Rio, I gave talks … at the IETF meeting in Vancouver in November 2013. (I remember little of this; I am reconstructing it all from my calendar.)

What struck me at the IETF was the indignation in the room, and the calls to action. And there was action, across many fronts. We technologists did a lot to help secure the Internet, for example.

And this prediction from your humble host has stood the test of a decade:

The two highlighted items really get to the heart of why the security industry is so angry about what the NSA has been doing.  They spent years establishing a relationship of trust with the industry and researchers.  Then they exploited that trust for personal gain at the expense of everyone else.

While I don't at all want to minimize the horrific crime of child abuse, that will give you a bit of the flavor of how the security industry looks at Ft. Meade now.  It was a rape, a rape of those who had trusted them as teacher and protector.

This is going to cause enormous problems for NSA.  I simply don't see how anyone will ever want to cooperate with them outside a public forum.  Nobody who values their reputation will be willing to be accused of slipping an NSA mickey into a crypto library.

And nobody on a standards body will ever again listen to NSA recommendations for changes to algorithms.  As a matter of fact, those recommendations will make the hair on the back of people's necks stand up, and lots of people will start to reverse engineer the NSA's math to see what games they're playing.

The last ten years have sure been a wild ride.

Tuesday, May 2, 2023

Big drop in FBI warrantless searches in 2022

It seems that this is related to increased oversight:

Warrantless searches of US residents' communications by the FBI dropped sharply last year – from about 3.4 million in 2021 to 119,383 in 2022, according to Uncle Sam.

But that is still likely tens of thousands more people than should have been caught up in the FBI's domestic surveillance efforts, according to advocates for reform of Section 702 – the legislative instrument that allows warrantless snooping.

The numbers mentioned above were revealed in the annual Office of the Director of National Intelligence report, released at the end of last week. The report came just after Congress held a subcommittee hearing on Section 702 surveillance authority.

This seems to be the pertinent detail:

Additionally, over the past year the FBI implemented new processes around Section 702 searches, including mandatory query training and "enhanced approval requirements for certain 'sensitive' queries, such as those involving domestic public officials or members of the news media."

It also now requires FBI agents to "opt-in" if they wish to run a search against Section 702-acquired data, instead of having queries run against this data by default.

Well good.

Friday, March 10, 2023

Be careful with Ring doorbell video cameras

Police warrant orders man to surrender video from camera inside his home:

Last year, around the Thanksgiving holiday, Ohio businessman Michael Larkin received a request for video from his Amazon Ring security system from Hamilton city police.

He complied, providing video from his doorbell camera that was stored on Ring's servers. After balking at further demands, he subsequently learned that authorities had bypassed the need to get his consent by presenting Ring with a search warrant for video from several of his Ring cameras, including one that covered an indoor area of his home.

According to Politico, Larkin received a notice from Ring that the tech biz had received a warrant and was required to turn over video from numerous cameras, without giving the owner with any say in the matter.

I expect that this won't just happen with Ring video devices.  If you have these sorts of cameras, you might want to make sure they're only recording video of outdoors. 

Monday, June 13, 2022

Quote of the Day: Eye of Sauron edition

Tacitus muses on the algorithms that Google uses for suggesting new Youtube videos.  Unlike all the breathless stories about how "the AI is alive", he's not impressed.  He thinks he does a fair job of intentionally confusing the algorithms:

Back in the early days of the internet I used to salt my profiles with various fake information just to see if I would get ads in Portuguese, spam email from tailors in Denmark, stuff related to Icelandic scrimshaw art. The only entry on the above list that might still be carrying over would be the Bossa Nova music! I of course have all "notifications" turned to the OFF setting but another account in the household did not. Maybe that's where gardening came from.

But it seems to not matter. My efforts to punk the algorithms seem unnecessary, they autopunk themselves.


Monday, May 16, 2022

NSA: "No known problems" in Quantum Computing resistant ciphers

Story.  Bruce Schneier (a crypto heavy-hitter) says he believes them. 

I'm not so sure.  Long term readers will remember how the NSA subverted commercial grade encryption.  I wrote about it at some length here and here and here.  Each of these were pretty damning:

  1. These were all independent attempts to undermine commercial crypto.  In other words, NSA has tried at least three times to break crypto so that they can read whatever they want, whenever they want.
  2. Each of these attempts is very well documented.  NSA's fingers were found in the cookie jar, without question.
  3. NSA's public statements need to be very carefully parsed.  I was at the Black Hat security conference and listened to NSA Director Alexander assure everyone that NSA analysts didn't just go joy riding through the databases of stuff they collect from you and me; it was only hours later that the disclosure came out that, well, yeah they do.

So is this crypto on the up and up from NSA?  I don't know.  I'm sure not a crypto mathematician, but their track record on trustworthiness leaves me wondering if they know something that we don't - a something that is classified so that they're technically truthful when they say there are no "known" (err, and unclassified) weaknesses.

Man, I'm so old that I remember when the NSA crypto nerds were the good guys ...

Friday, February 18, 2022

Wednesday, February 2, 2022

Wednesday, September 1, 2021

The downfall of Czar Nicholas and the American Deep State

Big Country has a must-read post up.  Go read it now, then come back for my thoughts.  In it he lays out evidence that there is a three way power struggle going on between the Intelligence Community, the Pentagon, and the White House.  Peter adds some thoughts as well.

It reminds me of the last few years of Tsarist Russia: a war that was going poorly, indecisive leadership at the top that had no real idea what the citizens of the realm actually thought, and a fabulously corrupt and incompetent set of ministers who were more interested in looting the treasury than, you know, running their ministry.

And as to that last item, take a look at Joe Biden's cabinet (courtesy of J.Kb at Miguel's place).  It's deja vu all over again.  The last thing on any of these folk's mind is good governance.

And so, to BCE's post at the top.  The Biden Administration sure as shootin' ain't where the smart money is going to bet.  And so, on to the second of the three he calls out, the Dot Mil.  There are huge problems in our military, the biggest I've seen since the Vietnam days.  In a very disturbing way, the pathology is very similar: the senior officers give commands to a sullen and hostile enlisted force.  Back in the dark days of the '70s we had flag officers like Zumwalt (Navy) and Creech (TAC) who were able to reinstill discipline.  It sure doesn't look like the Perfumed Princes of the Pentagon are up to Zumwalt's (or Creech's) level.

And so I don't think that the smart money will bet on the Dot Mil, either.

So the Last Org Standing likely will be the Intel Community.  Heck, they already successfully overthrew a previous President, and guaranteed they have dirt on most of the players in Washington (Generals Petraeus and Flynn could not be reached for comment).

There really are only two questions.  First, how long will this take to play out?  The longer it goes on, the more damage the Republic takes (both externally and internally).  I can't say I'm optimistic that this will get sorted out soon.

Second, the Intel Community will want to rule from the shadows.  They are not Front Men - the acronym of one of the Three Letter Agencies was said to be "Never Say Anything".  Quite frankly, Joe Biden and Kamala Harris are the perfect empty suits for the Intel Community to stand up as "leaders" of the Republic - as they did last November.  The folks at Langley must be steaming mad that Biden isn't staying in his lane.  How this will play out is unknown, but unlikely to be pleasant for Joe, "Doctor" Jill, or Kamala.

Czar Nicholas came to a bad end in a basement in Yekaterinburg, along with his entire family.  Will our Chekists go this route to let the rest of Washington know they need to stay in their lanes, or will there still be more subtlety?  The nation wonders.

Tuesday, August 24, 2021

Don't trust Twitter

Twitter is asshole.  Pro tip: when your Twitter app asks you this, click "Don't Allow".


Here's a better Pro tip: delete the Twitter app from your phone because that bad boy is spying on you, and it looks like it wants to spy on everyone who lives with you.