A new bill to address “malicious” drones is headed to congress

A new article on GCN says the White House has sent a bill directly to congress that “would allow the Departments of Homeland Security and Justice to use technology to detect, disrupt communications, seize or take down drones deemed to pose a malicious threat” as they are “concerned about drones being used for terrorism and more general criminal activity”.

While this sounds like the beginnings of a common-sense law on the surface, there’s one paragraph that just might warrant a red flag.

“The legislation would effectively set up a temporary restricted airspace around these “sensitive missions” and require DHS and DOJ to notify unmanned aerial systems operators of the temporary restriction.”

A big flag. On fire.

So in other words, the White House would like to create a law that sends out occasional warnings to drone pilots along the lines of “whatever you drone people do, don’t fly over here. Not right here at these specific GPS coordinates. And definitely not from this time all the way to this time. And don’t forget to tune in to this public channel for future updates.”

Establishing a permanently restricted airspace is one thing. Creating a temporarily restricted airspace and advertising it to the public at large is just screaming for attention.

This law might have had a slim chance of working if drones were already regulated and a system was in place to tie drones and their operators together, but right now, drones are still in their “wild wild west” phase.

On a related note, even though the Wright brothers’ plane first took flight in 1903, it wasn’t until 1927 that the first federal pilot license was issued.

The GCN article on the proposed “don’t look in this direction” drone bill is here.

Amazon Echo devices keep 60 seconds of recordings. The big question – is this in perpetuity?

For several years, Amazon had been telling the tech world their Echo home devices don’t “…actually do anything with your voice until you say their “wake word,” which is usually just … ‘Alexa’”

There was a big story that threatened to poke a hole in that narrative. Specifically, that an Amazon Echo device’s recordings were needed to solve a murder case.

Amazon initially pushed back against releasing the recorded data, claiming “the First Amendment’s free speech protection applies to information gathered and sent by the device”, but eventually agreed to release the data “after the user… consented to the disclosure”. The murder case was eventually dismissed, but there was never any explicit information on how much data Amazon handed over to the police regarding the investigation or what the data entailed.

The core issue remains. How exactly would an Echo device be useful in solving a murder case if it remains “off” until it is activated by the “wake word”? Why would the police want an Echo’s supposedly limited recordings?

A new finding in a very interesting tweet from Matteo (@geminiimatt) a few days ago might shed some light on that discrepancy.

On examining the extracted data from an Amazon Echo device…

Amazon Echo devices keep 60 seconds of recording and store it “in the cloud”.

In their Alexa Terms of Use page, section 1.3 states very clearly that “Amazon processes and retains your Alexa Interactions, such as your voice inputs, music playlists, and your Alexa to-do and shopping lists, in the cloud to provide and improve our services.”

What is not stated at all is the length of retention or what happens to the data once it arrives “in the cloud”.

With this new finding that Echo devices keep 60 seconds of recording, combined with Amazon’s admission that they do “retain” Alexa interactions, I think it is time to ask a few questions.

Off the top of my head…

  1. Is this data stored in perpetuity?
  2. Is there any way for any person to review the data sent from an Echo device?
  3. Who has authority to review data sent from an Echo device?
  4. Is there a backup of this data?
  5. Is this data “mined”?
  6. How is this data secured?
  7. Is this data shared with any other party outside of Amazon?

Here’s my “worst case” thinking. Amazon pulls 60 seconds from an Echo device and uploads it to the cloud. Then it “deletes” the previous 60 seconds on the local device and starts a new 60-second pull. The data uploaded from the local Echo device to the Amazon servers is never deleted on the Amazon servers. The data is stored forever, stamped by device name, location, Wi-Fi username and password, and SQLite database contents. Every 60 seconds on every Echo device.

If this isn’t the case, if Echo devices really do just wait for the “wake word” and the findings by the community and the beliefs of the police are in error, a clear and detailed statement from Amazon on the Echo’s data retention would go a long way.

Personally, I’m still wondering why Amazon Dash buttons have embedded microphones.

Amazon is deleting uploads to their music storage service on April 30th

Not an April Fools’ post. Late last week, Amazon announced they are “retiring” their online music storage service.

Up until this email, Amazon allowed users to upload up to 250 songs to their “personal cloud library” for streaming or downloading. For some reason, Amazon has decided to kill this feature on April 30th of this month.

Customers who uploaded music to their Amazon services have until April 30th to log in to their Amazon music page, navigate to their settings page, and select KEEP MY SONGS.

Here is a copy of the email I received from Amazon…

—

Amazon Music is retiring the Music Storage service, which allows customers to upload and store up to 250 songs in a personal cloud library. Our records indicate you have uploaded one or more songs through your Amazon account in the past.

To keep, download, and play your uploaded songs at no extra cost, simply open a web browser, go to your Music Settings and click the “Keep my songs” button to direct us to save your music to the cloud. Otherwise your uploaded songs will be removed from your library on April 30, 2018.

Your Amazon Music digital purchases will continue to remain securely stored for playback and download — no further action is required to retain those. These changes will not impact your ability to stream Prime Music or Amazon Music Unlimited.

QNAP NAS users: QFinder update now collects usage information

If you use QFinder or QFinder Pro as part of your QNAP NAS management, the most recent version of the app (QNAP Qfinder Pro 6.3.0) now collects information on your NAS usage.

You can click CANCEL and not OK at the legalese screen after the software installs, but it isn’t immediately apparent if this exempts you from the new TOS or is just a “close window” action.

Following is the “Consent to User Information Collection” that appears after the application updates. (The concerning parts I placed in bold.)

Consent to User Information Collection

Thank you for using QNAP Systems, Inc. (hereinafter referred to as the “Company”) products. To provide a better user experience, the Company will collect usage-related information when you use Qfinder Pro (hereinafter referred to as the “Product”), as detailed below:

Purpose

User information and user behavior helps the Company to better understand user habits and preferences. The Company collects such information to improve the Product and services to meet the needs of users and to improve the overall service quality.

Information Collected

The information collected includes (but is not limited to):

Operating system information, device identification codes, country and language settings, computer model, firmware version and other basic information.

App-related information including: version information, update and shutdown time, usage frequency, and usage time.

User preferences: device settings, product configuration, usage time of the application and hardware.

Other relevant but non-personal information.

Use of information

With your agreement, the aforementioned information will be automatically collected and sent back to the Company. The Company will analyze the collected information to identify improvements that can be made to future products and services. The Company has effective mechanisms and procedures to protect the security of the information collected and shall only use the relevant information internally.

Disclaimer

The Company hereby disclaims all warranties including express or implied warranties of merchantability or fitness for any particular purpose in connection with this consent or in any manner whatsoever. In addition to the foregoing, the Company shall not be held accountable for any direct, indirect, special, incidental or consequential damages, such as loss of profits, loss of data, equipment use or functional damage, interruption of business and events of a similar nature, regardless prior notice exists for such occurrence or not.

Flickr is shutting down their photo books and wall art services

Flickr announced earlier today they “are transitioning our photo book offering to Blurb and shutting down our wall art offering.”

“Beginning October 16, 2017 you will be able to connect your Flickr account to Blurb’s online photo book-making tool… you have until December 1, 2017 to complete any in-progress wall art or photo book orders. After December 1, 2017, you will not be able to access the Flickr wall art tool or the Flickr photo book tool and your progress will be lost.”

As for reprints, “you will need to go to your Flickr Wallet before December 1, 2017. After December 1, 2017, we will remove the wall art and photo book order history. You can manage your new orders on Blurb’s website.”

The Flickr forum for questions on this migration is here. This shutdown will NOT affect “regular” Flickr users or photos hosted on their service. Only the Photo Book and Wall Art sections will be discontinued.

Microsoft Groove is shutting down. Download your music before December 31st

In a late-night email I just received, Microsoft announced it is shutting down its Groove music service as part of its upcoming partnership with Spotify.

If you have any albums or singles through their service, you have until December 31st to download them before they are deleted.

From the email…

“Groove Music is excited to announce that we’re partnering with Spotify to bring you the world’s largest music streaming service. On December 31, 2017, the option to stream, purchase, and download music from Groove Music will be discontinued. After December 31, 2017, you’ll still be able to listen to your purchased music if it has been downloaded.”

“Keep your current music collection intact by downloading to your devices any albums and tracks that you’ve already purchased. You can download your purchased music through the Groove Music App until December 31, 2017.”

“To download your music, open Groove, go to your music collection and select the Purchased filter. Right-click or press and hold your music files and select Download from the menu.”

CDMaST Phase 2 is going to change naval warfare

I’m constantly amazed at the level of tech we are achieving in a relatively short period of time. The “future” is coming fast, and sometimes in ways that even the best of science fiction didn’t anticipate.

Case in point – the CDMaST Phase 2 project from DARPA. Long story short, the idea behind this project “revolves around real-time secure networks of manned and unmanned aircraft, surface ships, and submarines able to attack and defend vast areas of the world’s oceans to hold enemy ships and submarines at risk over wide contested areas.”

The CDMaST project wouldn’t be the only line of defense. The project “would augment aircraft carrier battle groups and manned submarines with networked manned and unmanned systems of systems (SoS) that work collaboratively to control the seas.”

Imagine hundreds or thousands of drone-based ships in the ocean, playing basic defense and surveillance “over ocean areas as large as a million square kilometers”. This 24/7 armada would “hold the line” so to speak, and keep the Navy’s “12 aircraft carriers, 52 attack submarines, and 18 ballistic- and cruise-missile submarines” on a more focused and as-needed basis.

It’s brilliant.

Of course CDMaST is going to be target #A1 for hacking, and CDMaST is probably going to be the focus of some terrible movies when the mainstream media gets wind of this, but the idea that technology has reached the point of 24/7 global defense is astounding.

The article is on the Military and Aerospace website here.

DJI drones and tech banned from US Army for “operational risks”

According to an article on Military and Aerospace Electronics, the US Army recently ordered all Army personnel “to cease all use of Chinese-made Dajiang Innovation drone products, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction.”

“This guidance applies to all DJI UAS and any system that employs DJI electrical components or software including, but not limited to, flight computers, cameras, radios, batteries, speed controllers, GPS units, handheld control stations, or devices with DJI software applications installed.”

According to a sUAS article, this full stop shutdown might have something to do with DJI drones collecting “audio, visual and telemetry data on all flights across the globe. The details shared here are perhaps known to a limited number of the worldwide owners and users of the DJI technology.”

In other words, it looks like every DJI flight was copied to DJI / China’s HQ.

The actual Army memo and breakdown is on a sUAS news site, the sharing / data collection of DJI drones is on another sUAS page, and the ban is cross-confirmed on the UPI news site and the Military and Aerospace page.

The new bank heist – hacking Apple’s biometric databases

Today Apple announced their new shiny shiny – the iPhone X.

<Nicholson Joker Voice> You thought the celebrity photo leak was bad? The Equifax hack terrorized? Wait until you get a load of the biometric hack. </Nicholson Joker Voice>

Apple swears “the detailed biometric data points that Face ID will use to identify individuals will stay local, stored on the phone and not remotely” BUT “face ID will work with third-party apps.”

The gold mine of biometric data won’t be held in Apple’s Fort Knox, but shared “on the open road” with third parties?

Never mind Apple. Forget about trying to get into their billion dollar systems. If I was an evil mastermind, this would be my four-step plan…

  1. Wait and see what new app requiring the iPhone X facial recognition takes off in popularity
  2. Hack their low-secure angel-funded 20-people-in-the-whole-company database
  3. Sell the users’ biometric data on the dark web
  4. Profit

If I was a government employee evil mastermind, this would be my four-step plan…

  1. Create multiple new apps requiring iPhone X’s facial recognition (match the celebrity funny face, make your own emojis, group party chat, who’s the hottest, etc)
  2. Keep a master database of all faces using the app AND constantly scan everything the camera “sees” while running in the background
  3. Keep the users’ biometric data in my master database – create cross references of who the user associates with through matching biometric facial scans, their GPS locations, and who they have in their contact list (Apple already allows app access to GPS position and contact lists BTW)
  4. Profit in a very serious long-term way

Read Apple’s statement again. The biometric data points are not generated and deleted with every use. They are stored. On the local phone.

That stored information will be shared with third-party apps.

Biometric scans are a mathematical algorithm. Your facial patterns create an identifier unique to you. There’s no changing it. Once your unique biological mathematical algorithm is out in the open, there’s absolutely no way to put that genie back in the bottle. The last cornerstone of individual security will turn to dust.

I expect the first public-aware hack in two years.

Ask Mondelez how much a successful cyber attack costs

I’m that IT guy. No, you can’t have Facebook on your work PC. No, you can’t access the company Wi-Fi network with your personal device. No, you can’t remote access the work servers from any PC you want to. No, you can’t skip this month’s security training.

Know why I’m such a pain? Because one slip up on my part will bring the company crashing down.

Ask Mondelez, the snack maker that owns Oreos and Cadbury, what the cost of a successful cyber attack is. According to an article on Food Business News, it was an immediate $7.1 million loss, another $150 million in lost sales, and an ongoing “to be determined” repair cost.

Back in June, Mondelez got hit with the ransomware strain “Petya”. The effects were immediate and brutal. Production came to a complete stop, and the company scrambled for weeks trying to remove the ransomware infection from their company servers.

According to Food Business News, “The malware affected a significant portion of the company’s global Windows-based applications and its sales, distribution and financial networks across the company.”

“Although the company believes it has now largely contained the disruption and restored a majority of its affected systems, the company anticipates additional work during the second half of 2017 as the company continues to recover and further enhance the security of its systems. For the second quarter, the company estimates that the malware incident had a negative impact of 2.3% on its net revenue growth and 2.4% on its organic revenue growth. The company also incurred incremental expenses of $7.1 million as a result of the incident.”

The worst part? “In an Aug. 2 conference call with investment analysts, Irene Rosenfeld, chairman and chief executive officer, said Mondelez was not yet “back to normal.””

June. July. August. And an untold number of months to go.

Yes, IT guys like me are a royal pain. It’s not because we want to be. It’s because we know what will happen if a cyber attack is actually successful.