Google using Chrome to monitor your behavior, Facebook under legal attack from shareholders and Apple's new moves need closer scrutiny. Talk Liberation - Your Worldwide INTERNET REPORT (Issue 8, 2021)

Meanwhile a rare win for privacy in the US court & exciting Panquake progress.

Government websites hijacked, used to host porn and Viagra ads

During the past year, websites on at least 50 .gov and .mil subdomains have been advertising Viagra, pornography and sexual enhancement products. These ads are not just spam: in many cases they contain malicious redirects that target users with viruses and malware.


As reported by Motherboard, the primary source of the problem is a zero-day vulnerability in a website editor called Laserfiche. The software is used by the US military and government agencies, including the Army, Navy and FBI.

Security researcher Zach Edwards of the firm Victory Medium reported the problem to Laserfiche, but the reaction from the company has been mixed. Edwards described the situation to Talk Liberation via email:

“When Laserfiche was confronted with these issues privately, their security team was extremely professional, created the patch and .exe program to clean compromised servers, and readily acknowledged that they had no concerns with the details being sent to a reporter to cover. But as soon as a significant news source was reaching out for comment, Laserfiche pretended that they had been unable to confirm the original research, even though their teams had spent countless developer hours working on patches and client fixes.”

Edwards also emphasized issues with US federal contracting, saying, “Laserfiche is a company used across hundreds of local, state and federal agencies, yet you won’t find a single mention of them as an approved FedRAMP vendor… What do you think that says about the technical contracting process in the United States?”

The vulnerability is still published on US government websites and patches have not been released for older versions of the software that are still in active use. Attackers have exploited Laserfiche to host malicious PDF files, which have a long history of being used in attacks by state and criminal actors.

Chrome is tracking you when you are AFK

The latest version of Chrome is raising serious privacy concerns as Google implements the Idle Detection API, which notifies software manufacturers and their partners when the user is idle or away from the keyboard ("AFK"). According to TechSpot, the feature detects idle status through “a lack of keyboard or mouse use, activation of a screensaver, locking of the screen, or moving to a different screen.” The Idle Detection API is activated by default on Chrome 94 and is designed for multi-user applications including chat room applications and online games.

Apple and Mozilla are two companies which remain critical of this new feature. In a statement on GitHub, Mozilla web standards lead Tantek Çelik said:

“I consider the Idle Detection API too tempting of an opportunity for surveillance capitalism motivated websites to invade an aspect of the user’s physical privacy, keep longterm records of physical user behaviors, discerning daily rhythms (e.g. lunchtime), and using that for proactive psychological manipulation (e.g. hunger, emotion, choice.)”

Apple shares similar concerns. Software engineer for Apple’s WebKit Architecture team Ryosuke Niwa says, “There is an obvious privacy concern that this API lets a website observe whether a person is near the device or not.”

Facebook pays billions to regulators to get Mark Zuckerberg off the hook

Social media giant Facebook’s $5 billion payment to the Federal Trade Commission (FTC) includes a provision which prevents the agency from suing the company’s CEO Mark Zuckerberg over the Cambridge Analytica data leak. Shareholders allege that Facebook’s board paid additional fines to the FTC to protect Zuckerberg, according to citations of internal discussions among Facebook’s board members.

According to the shareholders, in February 2019, the FTC notified Facebook’s lawyers that it was considering both Facebook and Zuckerberg as co-defendants in the Cambridge Analytica case. The FTC admitted in court that the fine would have been around $106 million but Facebook offered $5 billion to prevent Zuckerberg from being held liable.

According to Politico, the lawsuits suggest that Facebook has yet to overcome the Cambridge Analytica scandal as the company continues to deal with privacy and data breaches.

It is also alleged that Zuckerberg and Facebook’s Chief Operating Officer Sheryl Sandberg declined interviews with the firm auditing Facebook’s privacy compliance, PricewaterhouseCoopers (PwC), in light of the 2012 settlement with the FTC. In fact, it alleges Zuckerberg and Sandberg allowed other employees to provide dishonest statements to the auditors. Eventually, PwC determined Facebook did not implement a proper architecture to protect user data.

Prospect of undermining net neutrality excites British telecoms

The UK’s main mobile companies including Three, Virgin Media, O2, Vodafone and BT-EE, are voicing their support for a re-examination of the UK’s net neutrality legislation. The companies insist that the current regulations prohibit innovation and investment in new network infrastructure.

The UK’s Office of Communications, or Ofcom, has already begun to review the legislation in the post-Brexit era. According to MSN, British telecoms want a “pro-investment regulatory environment” that allows for 5G networks that can “generate new revenue streams.”

Historically, the UK has adopted a self-regulatory approach in protecting the open Internet. This principle helped build the foundation for the EU’s own approach in 2016. The UK’s current regulation prevents Internet Service Providers (ISPs) from imposing strict regulations on Internet traffic. Additionally, it seeks to prevent ISPs from blocking legal content on Internet platforms.

However, following Brexit, the UK government has the ability to shape its own policies concerning net neutrality and Internet freedom, which has prompted enthusiasm among Britain’s largest telecom networks.

Apple will determine whether you are depressed

Mega corporation Apple has been working on a series of applications intended to monitor users' health. According to a report in the Wall Street Journal, Apple is teaming up with the University of California, Los Angeles, and Biogen Inc., a pharmaceutical company, to research stress, anxiety and depression in order to create new technology which measures “mild cognitive impairment.”

The research projects with the two companies are separate. Apple’s partnership with Biogen is called “Pi,” while its partnership with UCLA is called “Seabreeze.” According to anonymous sources, the Wall Street Journal reports that sensor data collected by the iPhone could be used to detect behavior patterns consistent with anxiety and depression.

The UCLA collaboration project reportedly uses data gathered from iPhone cameras, keyboard, audio sensors and the Apple Watch. According to Gizmodo, this includes “facial expressions, speaking patterns, walking pace and frequency, typing speed, content, and a variety of other health metrics.” The data gathered is then compared to participants’ results on a questionnaire which seeks to map the participant’s emotional responses and stress levels. The Biogen partnership reportedly conducts research in a similar manner.

While the projects are in the early stages, Chief Operating Officer Jeff Williams, who supervises Apple’s health unit, is enthusiastic about the iPhone’s potential to detect depression and anxiety in iPhone users at a time when the rates of both conditions are increasing, the Wall Street Journal reports.

Apple’s false sense of privacy

A former Apple engineer says the “Ask App Not To Track” button rolled out in April 2021 gives users a “false sense of privacy.” According to the Washington Post, while users can click a button requesting that an app not track them, some apps, like Subway Surfers, continue to violate user privacy, as revealed in a study by Lockdown Privacy.

According to the researchers in the study, when a user requests not to be tracked by Subway Surfers, for example, the app sends an outside ad company, Chartboost, the user’s data including Internet address, storage information, volume and battery level. Advertisers can use this information to identify the iPhone and determine which apps are being used.

The “Ask App Not To Track” feature is part of Apple’s App Tracking Transparency initiative. According to its website, the initiative requires apps available on the App Store to “request user authorization to access app-related data for tracking the user or the device.” However, Lockdown Privacy’s investigation suggests that if one requests more privacy while using an app via this new feature, the user may in fact have their privacy violated even more.

The investigation found that tapping the “Ask App Not To Track” button did not change the total number of third-party trackers notified by the app. Lockdown co-founder and former Apple iCloud engineer Johnny Lin says the “Ask App Not To Track” feature is a dud.

Additionally, three of the apps investigated, including Subway Surfers, Streamer Life! and Run Rich 3D, collected data that allows for digital fingerprinting, a more invasive form of tracking.

US Court rules warrantless video surveillance violates the Constitution

In the case People v. Tafoya, the Colorado Supreme Court ruled that three months of warrantless video surveillance outside a suspect’s home by law enforcement was in violation of the Fourth Amendment. The Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU) and the ACLU of Colorado filed an amicus brief in the case.

Following a tip about possible drug activity taking place at the home of Rafael Tafoya, police attached a surveillance camera to a utility pole which captured footage of Tafoya’s front yard, back yard and driveway day and night for more than three months. Law enforcement were able to surveil the location in real time and the footage collected was stored indefinitely and could be viewed at a later time.

During the trial, Tafoya moved to suppress any evidence collected from the surveillance camera, arguing that it violated the Fourth Amendment; however, the motion was denied. Tafoya was found guilty on drug trafficking charges, but a court of appeals later reversed the decision after determining the video surveillance violated Tafoya’s reasonable expectation of privacy.

The Colorado Supreme Court upheld the appellate court’s decision. According to the EFF, the court decision stated, “put simply, the duration, continuity, and nature of surveillance matter when considering all the facts and circumstances in a particular case.” In this case the court determined that “24/7 surveillance for more than three months” is in violation of a person’s reasonable expectation of privacy.

Panquake Update

The next-generation, groundbreaking new social media service Panquake held its monthly delivery meeting for September. Panquake CPO Suzie Dawson, accompanied by Panquake CSO Sean O’Brien, announced that “developers have successfully parsed and validated encrypted messages between users through the Panquake network.” This is the latest of several milestones for the new platform, which was merely an idea just nine months ago in January 2021.

Panquake is nearing the completion of its Phase 2 fundraising at 85%. Once the company reaches 100% for its funding on Phase 2 it can proceed to Phase 3, which will commence the delivery of the product by hiring customer service support, technical support and content moderation staff.

Dawson reiterated the importance of transparency during the fundraising and development process as Panquake adopted an unprecedented and unique approach by providing monthly updates on product development to the community. During the presentation, Dawson said:

“Every single meeting we have I am constantly saying, ‘we promised this,’ ‘we promised that,’ ‘we’re going to do this,’ ‘we’re going to do that,’ - exactly what we said. I’m always reminding the team about that. That stays front and central in our mind. Because those commitments to our users form the basis of our integrity.”

The next Panquake delivery meeting will be held on Saturday October 30, 2021.

That concludes Your Worldwide INTERNET REPORT for this week! 


This issue of Your Worldwide INTERNET REPORT was written by Taylor Hudak; Edited by Suzie Dawson and Sean O’Brien; Graphics by Kimber Maddox; with production support by David Sutton.

Talk Liberation - Your Worldwide INTERNET REPORT was brought to you by We Don’t Hope, We Build! 

© Talk Liberation CIC Limited. The original content of this article is licensed under a Creative Commons Attribution-ShareAlike 4.0 International license. Please attribute copies of this work to “Talk Liberation” or Some of the work(s) that this program incorporates may be separately licensed. For further information or additional permissions, contact