Category: Data Management & Networks

Facebook admits it collects users’ audio data and has it reviewed

Data Management & Networks, General, Mobile Security, Networking, Social Media

Facebook pays hundreds of contractors to transcribe bits of audio taken from its users, according to a report in Bloomberg.

Disturbing enough, but get this: the people contracted by Facebook to do this … shady work have no idea what the purpose of such work is. These contractors, who spoke to Bloomberg on condition of anonymity lest they face some kind of disciplinary action, have no information about where the recordings come from, how they were collected, nor why Facebook wants them transcribed. They are simply given audio of Facebook users’ conversations and told to write it down.

After hearing of the practice, the Irish Data Protection Commission announced that it would be performing an investigation to see whether Facebook is in violation of the European Union’s privacy laws.

Caught red-handed (like Apple was in recent weeks), Facebook said it has already stopped the activity. Surprise, surprise. “Much like Apple and Google, we paused human review of audio more than a week ago,” the tech giant said, the operative word being “human.” In another surprise (not), Facebook claims its users consented to having their audio recorded and transcribed. I’m sure they did so freely, voluntarily and knowingly, and not because they didn’t understand the implications of such a policy.

Founder Mark Zuckerberg was grilled about this, and many other things, during his testimony to the US Congress in 2018. He didn’t have answers of the lawmakers then, but his company submitted a few after the fact. With regard to the audio collection, Facebook said it “only accesses users’ microphone if the user have given our app permission and if they are actively using a specific feature that requires audio.”

Here’s a question for Facebook: if this is such an innocuous thing, to which users are voluntarily submitting, why discontinue it? Maybe because, as Bloomberg reports, “Facebook hasn’t disclosed to users that third parties may review their audio.”

It’s high time people initiated a mass boycott of Facebook. The company needs us far more than we need it.

MoviePass left thousands of user card numbers exposed in unprotected database

Data Management & Networks, Digital Systems Technology, General, Mobile Security

MoviePass, a subscription-only move ticket service, exposed tens of thousands of its users’ credit card information due to insufficient security of a server, TechCrunch reports. The exposed database, discovered by cybersecurity company SpiderSilk, reportedly contained 161 million records, many of which included credit card numbers and other private information. TechCrunch explains:

“These MoviePass customer cards are like normal debit cards: they’re issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies. For a monthly subscription fee, MoviePass uses the debit card to load the full cost of the movie, which the customer then uses to pay for the movie at the cinema.”

The tech publication examined a sample of 1,000 of the aforementioned records and found that more than half showed MoviePass debit card numbers, expiration dates, account balances and the time of activation. Also contained in the records were personal credit card numbers, including expiration date and billing information (names and addresses).

MoviePass has since closed the database, which was accessible for months. TechCruch says it reached out to MoviePass with a number of specific questions but that the company’s only response was the following generic statement:

“MoviePass recently discovered a security vulnerability that may have exposed customer records. After discovering the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this incident. MoviePass takes this incident seriously and is dedicated to protecting our customers’ information. We are working diligently to investigate the scope of this incident and its potential impact on our customers. Once we gain a full understanding of the incident, we will promptly notify any affected subscribers and the appropriate regulators or law enforcement.”

SpiderSilk’s Mossab Hussein, the researcher who first discovered the vulnerable database, told TechCrunch that there is no excuse for MoviePass’ negligence in this scenario, which is one we keep seeing played out over and over again across the digital world.

“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data,” he said. “In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext—let alone the fact that the data set was exposed for public access by anyone.”

StockX hacked, millions of users affected

Data Management & Networks, Start Ups

Last week StockX, a website in which users buy and sell sneakers and fashion accessories according to a stock market-like structure, issued a bewildering statement indicating that it had been forced to reset customers’ passwords due to unspecified “system updates.”

“We recently completed system updates on the StockX platform,” a user notification announced. “To access your account, reset your password by clicking below.”

StockX was lying. Edging closer to the truth, a company representative later admitted that “StockX was recently alerted to suspicious activity potentially involving our platform. Out of an abundance of caution, we implemented a security update and proactively asked our community to update their account passwords.”

But as TechCrunch reports, that was a half-truth at best:

“An unnamed data breached seller contacted TechCrunch claiming more than 6.8 million records were stolen from the site in May by a hacker. The seller declined to say how they obtained the data.

“In a dark web listing, the seller put the data for sale for $300. One person at the time of writing already bought the data.”

As proof, this anonymous person gave TechCrunch 1,000 of the stolen customer records. After directly contacting the customers, the website was able to confirm that the records were genuine.

“The stolen data contained names, email addresses, scrambled password (believed to be hashed with the MD5 algorithm and salted), and other profile information — such as shoe size and trading currency,” TechCrunch reports. “The data also included the user’s device type, such as Android or iPhone, and the software version.”

Before publishing its story, TechCrunch reached out to StockX personnel, who declined to comment. “A non-attributable statement published late on Saturday confirmed our reporting, but the company did not answer our specific questions, including why it failed to inform customers when it first learned of the data breach and why it misled customers prior to our reporting.”

Founded in 2015, StockX is now valued at more than $1 billion. If it wishes to stay there, it should perhaps consider apprising customers of security breaches that put them at risk. Opacity and lack of accountability appear to be something of a principle among tech companies. How much longer will people put up with it?

Cloudflare drops 8chan following El Paso mass shooting

Data Management & Networks, Networking

Cloudflare, a leading internet infrastructure and security website, has announced that it’s kicking 8chan off its service after the mass shooting in El Paso, Texas which killed 20 people and wounded many others. According to media reports, the alleged shooter posted a racist “manifesto” on 8chan just minutes before opening fire inside a Walmart.

8chan is a forum where ultra-right-wing cranks can share their psychopathic views about race, religion, immigration and gender relations, among other things. Prior to El Paso, 8chan was serviced and protected by Cloudflare, which ensured the site wouldn’t be taken down as a result of distributed denial of service (DDoS) attacks.

In a blog post, Cloudflare CEO Matthew Prince explained the reasoning behind the company’s decision to pull the plug on 8chan, which Prince described as a “cesspool of hate.”

“Unfortunately, this is not an isolated incident,” he wrote. “Nearly the same thing happened on 8chan before the terror attack in Christchurch, New Zealand. The El Paso shooter specifically referenced the Christchurch incident and appears to have been inspired by the largely unmoderated discussions on 8chan which glorified the previous massacre. In a separate tragedy, the suspected killer in the Poway, California synagogue shooting also posted a hate-filled ‘open letter’ on 8chan.”

He continued:

“They [8chan] have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths. Even if 8chan may not have violated the letter of the law in refusing to moderate their hate-filled community, they have created an environment that revels in violating its spirit.”

Prince also emphasized that booting websites off Cloudflare’s platform is not an easy decision to make, given the free speech implications involved. However, he stated that while his company puts up with plenty of questionable content, “we draw the line at platforms that have demonstrated they directly inspire tragic events and are lawless by design. 8chan has crossed that line. It will therefore no longer be allowed to use our services.”

None of which is to say that 8chan will suddenly vanish from the internet. Indeed, Prince points out that the site will almost certainly be picked up by another provider, just as the neo-Nazi Daily Stormer was upon being dropped by Cloudflare.

“They are no longer Cloudflare’s problem,” Prince said of the Daily Stormer, “but they remain the Internet’s problem.” Ditto for 8chan.