Tech News - Security


Why scepticism is important in computer security: Watch James Mickens at USENIX 2018 argue for thinking over blindly shipping code
Melisha Dsouza
21 Nov 2018
6 min read
"Technology, in general, and computer science in particular, have been hyped up to such an extreme level that we've ignored the importance of not only security but broader notions of ethical computing." - James Mickens

We like to think that things are going to get better. That, after all, is why we get up in the morning and go to work: in the hope that we might just be making a difference, that we're working towards something. That's certainly true across the technology landscape. And in cybersecurity in particular, the belief that you're building a more secure world - even if it's on a small scale - is an energizing and motivating thought.

However, at this year's USENIX Conference back in August, Harvard Professor James Mickens attempted to put that belief to rest. His talk - titled 'Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible?' - was an argument for scepticism in a field that is by nature optimistic (not least when it has a solution to sell).

So, what exactly does Mickens have against keynote speakers? Quite a lot, actually: he jokingly calls them people who have made bad life decisions and poor role models. Although his tongue is firmly in his cheek, he does have a number of serious points. Fundamentally, he suggests developers do not invest time in questioning anything, since any degree of introspection would "reduce the frequency of git commits". Mickens' argument is essentially that software developers are deploying new systems without a robust understanding of those systems.

Why machine learning highlights the problem with computer science today

Mickens stresses that such is the hype and optimism around modern technology and computer science that the field has largely forgotten the value of scepticism. In turn, this can be dangerous for issues such as security and ethics. Take machine learning, for instance.

Machine learning is, Mickens says, "the oxygen that Silicon Valley is trying to force into our lungs." It's everywhere and we seem to need it - but it's also being forced on us, almost blindly. Using the example of machine learning, he illustrates his point about domain knowledge: computer scientists do not have a deep understanding of the mathematics used in machine learning systems, and there is no reason or incentive for them to invest their time in learning those things. This lack of knowledge means ethical issues and security issues that may be hidden at a conceptual level - not a technical one - are simply ignored.

Mickens compares machine learning to the standard experiment used in America since 8th grade: the egg drop experiment, where students desperately search for a solution to prevent an egg from breaking when dropped from 20 feet in the air. When they finally come up with a technique that is successful, Mickens explains, they don't really care to understand the logic or math behind it. This is exactly the situation of developers in the context of machine learning. Machine learning is complex, yes, but often, Mickens argues, developers have no understanding as to why models generate a particular output when provided with a specific input. When this inscrutable AI is used in models connected to real-life mission-critical systems (financial markets, healthcare systems, news systems, etc.) and the internet, security issues arise. Indeed, it begins to raise more questions than it provides answers. Now that AI is used practically everywhere - even to detect anomalies in cybersecurity - it is somewhat scary that a technology which is so unpredictable can be used to protect our systems.

Examples of poor machine learning design

Some of the examples James presented that caught our attention were:

- Microsoft chatbot Tay: Tay was originally intended to learn language by interacting with humans on Twitter. That sounds all good and very noble - until you realise that, given the level of toxic discourse on Twitter, your chatbot will quickly turn into a raving Nazi with zero awareness it is doing so.
- Machine learning used for risk assessment in criminal justice systems has incorrectly labelled Black defendants as "high risk" at twice the rate of white defendants.

It's time for a more holistic approach to cybersecurity

Mickens further adds that we need a more holistic perspective when it comes to security. To do this, developers should ask themselves not only whether a malicious actor can perform illicit actions on a system, but also whether a particular action on a system should be possible at all, and how that action can achieve societally beneficial outcomes. He says developers make three major assumptions while deploying a new technology:

#1 Technology is value-neutral, and will therefore automatically lead to good outcomes for everyone.
#2 New kinds of technology should be deployed as quickly as possible, even if we lack a general idea of how the technology works, or what the societal impact will be.
#3 History is generally uninteresting, because the past has nothing to teach us.

According to Mickens, developers assume way too much. In his assessment, those of us working in the industry take it for granted that technology will always lead to good outcomes for everyone. This optimism goes hand in hand with a need for speed; in turn, this can lead us to miss important risk assessments, security testing, and a broader view of the impact of technology not just on individual users but on wider society too.

Most importantly, for Mickens, we are failing to learn from mistakes. In particular, he focuses on IoT security. Here, Mickens points out, security experts are failing to learn lessons from traditional network security issues. The Harvard Professor has written extensively on this topic - you can go through his paper on IoT security here.

Perhaps Mickens' talk was intentionally provocative, but there are certainly lessons to take from it - if 2018 has taught us anything, it's that a dose of scepticism is healthy where tech is concerned. And maybe it's time to take a critical eye to the software we build. If the work we do is to actually matter and make a difference, maybe a little negativity is a good thing. What do you think? Was Mickens' assessment of the tech world correct?

You can watch James Mickens' whole talk on YouTube.
A multi-factor authentication outage strikes Microsoft Office 365 and Azure users
Savia Lobo
20 Nov 2018
2 min read
Yesterday, Microsoft Azure and Office 365 users had trouble logging into their accounts. The cause was a multi-factor authentication issue that prevented users from signing into their services. The outage started at 04:39 UTC yesterday, with Azure Active Directory users struggling to gain access to their accounts when multi-factor authentication (MFA) was enabled. The issue continued for almost seven hours. A notice confirming the outage was put up on Office 365's service health page stating, "Affected users may be unable to sign in". The impact of this outage was specific to users located in the Europe, Middle East and Africa (EMEA) or Asia Pacific (APAC) regions.

According to Azure's status page, "Engineers have explored mitigating a back-end service via deploying a code hotfix, and this is currently being validated in a staging environment to verify before potential roll-out to production. Engineers are also continuing to explore additional workstreams to expedite mitigation." Azure engineers said that they are also developing an alternative code update to resolve the connectivity issue between MFA and the cache provider.

Pete Banham, cyber resilience expert at Mimecast, said in an email statement to CBR, "With less than a month between disruptions, incidents like today's Azure multi-factor authentication issue pose serious productivity risks for those sticking to a software-as-a-service monoculture." He further added, "No organization should trust a single cloud supplier without an independent cyber resilience and continuity plan to keep connected and productive during unplanned, and planned, email outages. Every minute of an email outage could cost businesses hundreds and thousands of pounds."

According to the Office 365 status page, "We've observed continued success with recent MFA requests and are taking additional actions in the environment in an effort to prevent new instances of this problem. Our investigation into the root cause of this problem is ongoing and maintained as our highest priority."

To know more about this news in detail, head over to TechCrunch.
Tim Cook criticizes Google for their user privacy scandals but admits to taking billions from Google Search
Amrata Joshi
20 Nov 2018
3 min read
In September, Goldman Sachs estimated that almost $9 billion in revenue is coming to Apple from Google for being the built-in search engine in Apple's Safari web browser. Until then, Apple had never talked about its revenue stream from Google. However, last week, Apple CEO Tim Cook participated in an interview by Axios on HBO. In the interview, he was asked whether he was comfortable taking billions of dollars from Google. He casually replied, "I think their (Google's) search engine is the best". He also admitted that the Apple-Google partnership was not "perfect."

He further defended Apple's multi-billion dollar deal with Google search by talking about the additional security measures that Apple has added to Safari to "help" users better navigate the Google search engine. These include private web browsing and intelligent tracker prevention. He stated in the interview, "Look at what we've done with the controls we've built in. We have private web browsing. We have an intelligent tracker prevention. What we've tried to do is come up with ways to help our users through their course of the day. It's not a perfect thing. I'd be the very first person to say that. But it goes a long way to helping."

Apple has been quite vocal about not selling targeted advertisements based on user information. Cook has criticized Google, Facebook, and other social media platforms for mishandling user privacy. He has claimed that Apple's business model depends on selling hardware such as smartphones and tablets, and that the company is very particular about user privacy. Last month, Cook also gave a speech at a privacy conference in Brussels where he mentioned his concerns about privacy on various social media platforms. He also called for new digital privacy laws in the United States. His concerns involved the collection of users' personal data by companies, data manipulation, and lack of surveillance.

People on the internet are not much in favor of this news. Twitter users are raising eyebrows at Cook's casual statement and the fact that Apple is taking millions of dollars from Google even though it disagrees with Google's policies in the first place.

https://twitter.com/b_fung/status/1064552025864765441

https://twitter.com/christianring/status/1064614295395282947

Apple was previously using Bing as its default search engine in 2017. However, the company switched to Google because it faced consistency issues with Bing. It's still not certain whether the main reason to switch to Google was the company's expectation of consistent results or the multi-billion dollar deal! You can see a snippet of Tim Cook's interview on Axios.
Microsoft's move towards ads on the Mail App in Windows 10 sparks privacy concerns
Amrata Joshi
19 Nov 2018
4 min read
Microsoft had planned to bring ads to the Mail app in Windows 10, and it has an entire support page dedicated to ads in Mail. But last week, after the backlash from users, Frank X. Shaw, Head of Communications at Microsoft, stated on Twitter that ads in the Mail app were not intended to be tested broadly, and that the experiment has now been turned off.

https://twitter.com/fxshaw/status/1063518403036557312

According to Microsoft, the ads will appear for all users. Even if one doesn't use a Microsoft email service like Outlook and only has Gmail, Yahoo, G Suite, or other third-party accounts, the ads will still be visible until one purchases an Office 365 subscription. The team at Microsoft is running a pilot in Brazil, Canada, Australia, and India to get user feedback on ads in Mail. These ads will be visible on Windows Home and Windows Pro but not on Windows EDU or Windows Enterprise.

Microsoft chooses interest-based advertising for its users

Windows generates an advertising ID for each user on the device. When the advertising ID is enabled, both Microsoft apps and third-party apps can access and use it, much as websites access and use a unique identifier stored in a cookie. The Mail app uses this ID to provide more relevant advertising to users. The Mail app may also use demographic information to make ads more relevant; this is possible for users who have logged into Windows with a Microsoft account. Users can turn off interest-based advertising at any time; if they do, they will still see ads, but the ads won't be tailored to their interests. As per Microsoft's support page, these interest-based ads do not scan the user's emails in order to display ads: Microsoft does not use personal information, like the content of email, calendar, or contacts, to target users with ads, and it doesn't use the content in the mailbox or in the Mail app.

But privacy is still a concern where Microsoft is involved. As per a report by Privacy Company, Microsoft collects and stores users' personal data without any public documentation. Microsoft systematically collects data about the individual use of Word, Excel, Outlook, and PowerPoint without letting users know. Since the data stream is encoded, Microsoft does not offer any choice to switch off the data collection, or any ability to see what data has been collected. For example, Microsoft collects information about events in Word, such as when you use the backspace key a number of times in a row, which probably means you do not know the correct spelling; but also the sentence before and after a word that you look up in the online spelling checker or translation service.

Microsoft's use of the telemetry data is one of the biggest concerns of the report, as Microsoft is regularly pushing more and more services off-premise. The Data Protection Impact Assessment (DPIA) shows that new methods like the Microsoft cloud, in SharePoint, OneDrive and Office 365, come with high data protection risks for data subjects. The blog states that Microsoft has already made commitments to adjust its software to accommodate privacy concerns, e.g. a telemetry data viewer tool and a new "zero-exhaust setting."

Privacy Company outlines six high risks for data subjects

1. The unlawful storage of classified/sensitive/special categories of data, both in metadata and in subject lines of e-mail.
2. The incorrect qualification of Microsoft as a data processor, instead of a joint controller.
3. Insufficient control over factual data processing and sub-processors.
4. The lack of purpose limitation, both for the processing of historically collected data and the possibility to dynamically add new types of events.
5. The transfer of diagnostic data outside of the European Economic Area (EEA), while the current legal ground for Office ProPlus is the Privacy Shield and the validity of this agreement is the subject of a procedure at the European Court of Justice.
6. The indefinite retention period of diagnostic data, and the lack of a tool to delete historical diagnostic data.

Privacy Company recommends a few measures that enterprise admins can take to lower the privacy risk for employees and other users. It suggests not using SharePoint Online / OneDrive, and advises against using the web-only version of Office 365. The company also suggests using a stand-alone deployment without a Microsoft account for confidential/sensitive data. Read more about the news in the DPIA's PDF.
Hackers claim to have compromised ProtonMail, but ProtonMail calls it 'a hoax and failed extortion attempt'
Amrata Joshi
19 Nov 2018
3 min read
Last week, hackers attempted to extort ProtonMail by alleging a data breach without presenting any evidence. One of the alleged hackers, named AmFearLiathMor, wrote in the message, "We hacked Protonmail and have a significant amount of their data from the past few months. We are offering it back to Protonmail for a small fee if they decline then we will publish or sell user data to the world." ProtonMail is one of the largest secure email services, developed by CERN and MIT. The team at ProtonMail clarified, "We have no indications of any breach from our internal infrastructure monitoring."

With further investigation, the team traced the source of the rumors to 4chan, a simple image-based bulletin board where anyone can post comments and share images anonymously. The claims there included:

- CNN employees use ProtonMail and refer to the American people as prostitutes.
- Michael Avenatti uses ProtonMail and has a BDSM fetish.
- Private military contractors used ProtonMail to discuss circumventing the Geneva Convention, underwater drone activities in the Pacific Ocean, and possible international treaty violations in Antarctica.
- Rampant pedophilia among high-ranking government officials who use ProtonMail.

ProtonMail's team said, "We believe that this is a hoax and failed extortion attempt, and there is zero evidence to suggest otherwise." For example, the criminals claimed that ProtonMail is vulnerable because the company doesn't use SRI (Subresource Integrity), but this claim is baseless because ProtonMail doesn't use any third-party CDNs (content delivery networks) to serve the web app; it serves the app only from its own web servers, which eliminates that potential attack vector. The team said, "We are aware of a small number of ProtonMail accounts which have been compromised as a result of those individual users falling for phishing attacks (this is why we encourage using 2FA). However, we currently have zero evidence of a breach of our infrastructure."

As per a report by BleepingComputer, the hackers might send $20 in bitcoin to anyone who would spread the word about this hack using #Protonmail on Twitter. People have given a mixed reaction to this news; many are simply scared, do not wish to take any risks, and suggest changing passwords.

https://twitter.com/ProtonMail/status/1063392853014048768

https://twitter.com/crytorekt1/status/1063452592792051713

The team said, "The best way to ensure that they (criminals) do not succeed is to ignore them." As a lot of users find this platform secure, this alleged hacking news, which is probably false, has still managed to have some impact on users. The company's latest announcement of its read receipts feature could be a small distraction, but is it enough to move attention away from the hacking news?

https://twitter.com/ProtonMail/status/1063485043660734464

Read more about this news on Reddit.
NYT Facebook exposé fallout: Board defends Zuckerberg and Sandberg; media call and transparency report highlights
Melisha Dsouza
16 Nov 2018
6 min read
On Wednesday, the New York Times published a report on Facebook that raised questions about the company's way of dealing with the controversies surrounding it, with disinformation, and with its competitors and critics. The report scathingly pointed out how Facebook denied and deflected the blame it faced, time and again, listing a series of issues faced by the company which affected its users from 2015 onwards. In response, Facebook released a statement on Thursday pointing out inaccuracies in the New York Times report. Further, on a press call yesterday, Mark Zuckerberg planned to discuss how the social network manages problematic posts and its community standards. He also released a "community standards" transparency report on the very same day, listing the actions proactively taken to take down illicit accounts and the struggles that the company still faces. However, the almost 90-minute call mainly ended up focusing on the New York Times story and what Facebook intends to do in its aftermath.

Mark Zuckerberg's call with the reporters

"The reality of running a company of more than 10,000 people is that you're not going to know everything that's going on" - Mark Zuckerberg, Facebook's chief executive and chairman

On Thursday, Mark Zuckerberg held a conference call with reporters from top media firms like USA Today, Bloomberg, ABC News, Wired and many others to discuss Facebook's latest transparency report, which lists how the company enforces the community standards that govern content on its platform. While addressing questions on how he and Facebook's COO, Sheryl Sandberg, dealt with the issues listed in the New York Times report, Mr. Zuckerberg defended the social network, Ms. Sandberg and his own record. On Russian interference, he acknowledged that the company was slow to act, but said it did not hinder investigation at any point. He stated: "I've said many times we were too slow to spot Russian interference, to suggest we weren't interested in knowing the truth or wanted to hide what we knew or wanted to prevent investigations is simply untrue."

This was aligned with Facebook's board statement on Thursday, in which the board acknowledged that the two executives responded slowly to Russian interference on Facebook and that directors had pushed them to act faster, but "to suggest they knew about Russian interference and either tried to ignore it or prevent investigations into what had happened was grossly unfair."

As for hiring the PR firm Definers, which reportedly diverted attention from Facebook's problems to its rivals' issues, Zuckerberg repeatedly said that he had only learned of Facebook's work with Definers from the NYT report, and that Sandberg was also previously unaware of the relationship. When asked who was aware, Zuckerberg simply said "someone on our comms team must have hired them." "As soon as I read it, I looked into whether this is the type of firm we want to be working with, and we stopped working with them," he added. "We certainly never asked them to spread anything that wasn't true." However, Facebook's corporate communications team is under the purview of Sandberg as COO. In a statement on Facebook late Thursday, Ms. Sandberg wrote: "I did not know we hired them or about the work they were doing, but I should have."

During the call, Zuckerberg mentioned that Facebook will soon create an independent oversight body to adjudicate appeals on content moderation issues. This body, analogous to a supreme court, will be created sometime next year and will attempt to strike a balance between the right to free speech and keeping people safe around the world.

A Blueprint for Content Governance and Enforcement

On Thursday, Facebook released its second transparency report, listing its advances in proactively identifying hate speech and the first numbers for bullying, harassment, and child sexual exploitation takedowns. The report emphasizes the company's efforts to remove bad content before users ever see it, while fielding an ever-growing number of requests from governments. On establishing an independent body to govern content moderation issues, Zuckerberg wrote, "I believe independence is important for a few reasons. First, it will prevent the concentration of too much decision-making within our teams. Second, it will create accountability and oversight. Third, it will provide assurance that these decisions are made in the best interests of our community and not for commercial reasons."

Some interesting statistics to note from this report are:

- From July to September of 2018, Facebook took down far more pieces of unacceptable content. It removed 2.1 million and 8.7 million pieces of content from the categories of bullying and harassment, and child sexual exploitation and nudity, respectively.
- It removed 1.23 billion pieces of spam and closed 754 million fake accounts in the past quarter. Facebook says these are mostly spam, although it has periodically removed accounts linked to political propaganda campaigns.
- Facebook removed 15.4 million pieces of violent content between June and September of 2018. Facebook has also become better at removing this content before users report it, claiming to proactively find more than 96 percent of the material, compared to around 71 percent last year.
- Facebook is still fielding government requests for user data, which increased around 26 percent between the last half of 2017 and the first half of 2018.
- Facebook has made progress in deploying thousands of newly hired reviewers and artificial-intelligence tools to enforce its community standards more aggressively. It has managed to catch 95 percent of nudity, fake accounts and graphic violence before users report it to Facebook.

Public's reaction

The New York Times reported that, in Washington, Republicans and Democrats threatened to restrain Facebook through competition laws. They also plan to open investigations into possible campaign finance violations. Shareholders ramped up calls to oust Mr. Zuckerberg as Facebook's chairman, while activists filed a complaint to the Federal Trade Commission about the social network's privacy policies and condemned Ms. Sandberg, the chief operating officer, for overseeing a campaign to secretly attack opponents. Mr. Zuckerberg said on the conference call that he was not willing to step down as chairman.

Jessica Guynn, a reporter for USA Today, started an interesting thread on Twitter where she stresses that Mark Zuckerberg is denying the allegations in the Times story and instead stressing solutions, to divert people's attention from the problems.

https://twitter.com/jguynn/status/1063148779212169216

Jessica also prodded Mark on whether he is the right person to lead Facebook. To which he replied, "We are doing the right things to fix the issues. I am fully committed to getting this right."

You can head over to the New York Times for complete coverage of this news.
Chinese company ZTE Corp to assist the Venezuelan government to monitor citizen behavior using 'Fatherland Card'
Savia Lobo
15 Nov 2018
5 min read
ZTE Corporation, a Chinese multinational telecommunications company, is assisting Venezuela to create a system that can monitor citizen behavior through a new identification card named ‘Fatherland Card’. A few years ago, in 2008, Venezuelan President Hugo Chávez sent some officials to China, to learn the workings of China’s national identity card program. According to Reuters, “Chávez, wanted help to provide ID credentials to the millions of Venezuelans who still lacked basic documentation needed for tasks like voting or opening a bank account.” 10 years after the trip to China, Venezuela has rolled out a brand new smart-card ID known as the ‘carnet de la patria’ or ‘fatherland card’. This smart ID transmits data about cardholders to computer servers. The card is linked by the government to subsidize food, health and other social programs for the daily needs of the Venezuelans. According to Reuters, “Venezuela last year hired ZTE to build a fatherland database and create a mobile payment system for use with the card, according to contracts reviewed by Reuters. A team of ZTE employees is now embedded in a special unit within Cantv, the Venezuelan state telecommunications company that manages the database.” Problems with the Fatherland card Some Venezuelan citizens and human-rights groups believe that Fatherland card is a tool for Chávez’s successor, President Nicolás Maduro for monitoring the population and allocate scarce resources to his loyalists. Héctor Navarro, one of the founders of the ruling Socialist Party and a former minister under Chávez said, “Venezuelans with the cards now have more rights than those without.” Per Reuters, “In a phone interview, Su Qingfeng, the head of ZTE’s Venezuela unit, confirmed ZTE sold Caracas servers for the database and is developing the mobile payment application. The company, he said, violated no Chinese or local laws and has no role in how Venezuela collects or uses cardholder data. We don’t support the government. 
We are just developing our market.” To encourage adoption of the Fatherland card, the government has granted cash prizes to cardholders for performing civic duties, such as rallying voters. It has also made one-time payouts, such as a Mother’s Day bonus of about $2 for mothers enrolled in the card.

Fatherland card's hack and the handover to Cantv

Maduro introduced the cards in December 2016. In May 2017, hackers broke into the fatherland database. The hack was carried out by anonymous anti-Maduro activists known as TeamHDP. The group’s leader, who uses the Twitter handle @YoSoyJustincito, said “the hack was extremely simple and motivated by TeamHDP’s mission to expose Maduro secrets.” During the hack, TeamHDP took screenshots of user data and deleted the accounts of government officials, including Maduro. The president later appeared on television scanning his card and receiving an error message: “This person doesn’t exist.” According to Reuters, “Screenshots of the information embedded in various card accounts, shared by TeamHDP, included phone numbers, emails, home addresses, participation at Socialist Party events and even whether a person owns a pet. People familiar with the database said the screenshots appear authentic.” Reuters also reports: “Soon after the hack, Maduro signed a $70 million contract with Cantv and a state bank for ‘national security’ projects. These included the development of a “centralized fatherland database” and a mobile app to process payments, such as the discounted cost of a subsidized food box, associated with the card.” Héctor Navarro, the Socialist Party founder and former government minister, said, “It’s blackmail. Venezuelans with the cards now have more rights than those without.” In July 2017, ownership of the Fatherland card was transferred from Soltein to Cantv, the project documents show. A team of a dozen ZTE developers began bolstering the database’s capacity and security, current and former Cantv employees said.
Among other measures, ZTE installed data storage units built by U.S.-based Dell Technologies Inc. Dell spokeswoman Lauren Lee said that ZTE is a client in China but that Dell doesn’t sell equipment to ZTE in Venezuela, and that Dell had reviewed its transactions in Venezuela and wasn’t aware of any sale to Cantv either. “Dell is committed to compliance with all applicable laws where we do business,” Lee said in an email. “We expect our customers, partners, and suppliers to follow these same laws.” According to the Reuters report, “In May, Venezuela held elections that were widely discredited by foreign governments after Maduro banned several opposition parties. Ahead of the vote, ruling party officials urged voters to be grateful for government largesse dispensed via the fatherland cards. They set up ‘red point’ kiosks near voting booths, where voters could scan their cards and register, Maduro himself promised, for a ‘fatherland prize’.” An internal Cantv presentation from last year said the system can feed information from the database to ministries to help generate statistics and make decisions. After the vote, government offices including Banco Bicentenario del Pueblo, a state bank, sent Cantv lists of employees’ names to determine whether they had voted, according to the manager who helped set up the servers. Mariela Magallanes, an opposition lawmaker who headed a commission that last year investigated how the fatherland card was being linked to the subsidized food program, said that with personal data now so available, some citizens fear they can lose more than just their jobs. The government, the commission said in a report, is depriving some citizens of the food boxes because they don’t possess the card. “The government knows exactly who is most vulnerable to pressure,” Magallanes said. To know more about this news in detail, head over to the complete coverage on Reuters.

DeepMasterPrints: ‘master key’ fingerprints made by a neural network can now fake fingerprints

Prasad Ramesh
15 Nov 2018
3 min read
New York University researchers have found a way to use a neural network to generate artificial fingerprints that work as fake fingerprints against recognition systems. They present their work in a paper titled DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution.

The vulnerability in fingerprint sensors

Fingerprint recognition systems are vulnerable to dictionary attacks based on MasterPrints. MasterPrints are like master keys: they match a large number of fingerprints. Earlier work of this kind operated at the feature level; this work, dubbed DeepMasterPrints, achieves much higher attack accuracy and can generate complete images. The method in the paper is Latent Variable Evolution (LVE), which starts by training a Generative Adversarial Network (GAN) on a set of real fingerprint images. A stochastic search is then used to find latent input variables to the generator network that increase the rate of impostor matches reported by a fingerprint recognizer.

Small fingerprint sensors pose a risk

Aditi Roy, one of the authors of the paper, built on an observation: smartphones have small areas for fingerprint recording and recognition, so the whole fingerprint is not captured at once; prints are partially recorded and authenticated. Also, some features are more common across fingerprints than others. She then demonstrated that MasterPrints can be obtained from real fingerprint images or synthesized. With this exploit, 23% of the subjects in the dataset used could be spoofed at a 0.1% false match rate, and the generated DeepMasterPrints were able to spoof 77% of the subjects at a 1% false match rate. This shows the danger of using small fingerprint sensors. For a DeepMasterPrint, a synthetic fingerprint image has to be created that can fool a fingerprint matcher.
The matcher must not only recognize the image as a fingerprint but also match it to multiple different identities. The paper presents a method for creating DeepMasterPrints using a neural network that learns to generate fingerprint images; a Covariance Matrix Adaptation Evolution Strategy (CMA-ES) is used to search the input space of the trained network, and the ideal fingerprint image is then selected.

Conclusion

Partial fingerprint images can be generated and used to launch dictionary attacks against a fingerprint verification system. A GAN is trained on a dataset of fingerprints, then LVE searches the latent variables of the generator network for a fingerprint image that maximizes the chance of a match. This matching is only successful when a large number of different identities are involved, meaning attacks on specific individuals are not very likely. The use of both inked and sensor images shows that the system is robust and independent of artifacts and datasets. For more details, read the research paper.

What is Facebook hiding? New York Times reveals Facebook’s insidious crisis management strategy

Melisha Dsouza
15 Nov 2018
9 min read
Today has been Facebook’s worst day in its history. As if the plummeting stock, which closed on Wednesday at just $144.22, were not enough, Facebook is now facing a backlash over its leadership’s morals. Yesterday, the New York Times published a scathing exposé on how Facebook wilfully downplayed its knowledge of the 2016 Russian meddling in US elections via its platform. It also alleges that over the course of two years, Facebook has adopted a ‘delay, deny and deflect’ strategy, under the shrewd leadership of Sheryl Sandberg and a disconnected-from-reality CEO, Mark Zuckerberg, to continually maneuver through the chain of scandals the company has been plagued with. In the following sections, we dissect the NYT article and also look at related developments triggered in the wake of this news. Facebook, with over 2.2 billion users globally, has accumulated one of the largest-ever repositories of personal data, including user photos, messages and likes, which propelled the company into the Fortune 500. Its platform has been used to make or break political campaigns and advertising businesses and to reshape daily life around the world. Constant questions have been raised about the security of this platform, thanks to the various controversies surrounding Facebook for well over two years. While Facebook’s responses to these scandals (“we should have done better”) have not convinced many, Facebook has never been considered ‘knowingly evil’ and has continued to enjoy the benefit of the doubt. The Times article now changes that.

Crisis management at Facebook: Delay, deny, deflect

The report by the New York Times is based on anonymous interviews with more than 50 people, including current and former Facebook executives and other employees, lawmakers and government officials, lobbyists and congressional staff members.
As Facebook has grown over the past few years, so have the hate speech, bullying and other toxic content on the platform. It hasn't fully taken responsibility for what users post, turning a blind eye and carrying on as a platform and not a publisher. The report highlights the dilemma Facebook’s leadership faced when deciding what to do about candidate Trump’s statement on Facebook in 2015 calling for a “total and complete shutdown” on Muslims entering the United States. After a lengthy discussion, Mr. Schrage (a prosecutor whom Ms. Sandberg had recruited) concluded that Mr. Trump’s language had “not violated Facebook’s rules”. Mr. Kaplan (Facebook’s Vice President of global public policy) argued that Mr. Trump was an important public figure, and that shutting down his account or removing the statement would be perceived as obstructing free speech and lead to a conservative backlash. Sandberg decided to allow the post to stay on Facebook. In the spring of 2016, Mr. Alex Stamos (Facebook’s former security chief) and his team discovered Russian hackers probing Facebook accounts of people connected to the presidential campaign, along with Facebook accounts linked to Russian hackers who messaged journalists to share information from the stolen emails. Mr. Stamos directed a team to scrutinize the extent of Russian activity on Facebook. By January 2017, it was clear that there was more to the Russian activity on Facebook. Mr. Kaplan believed that if Facebook implicated Russia further, Republicans would “accuse the company of siding with Democrats”, and that pulling down the Russians’ fake pages would offend the regular Facebook users who had been deceived by them. To summarize their findings, Mr. Zuckerberg and Ms. Sandberg released a blog post on 6th September 2017. The post had little information on fake accounts or on the organic posts created by Russian trolls that had gone viral on Facebook. You can head over to the New York Times to read in depth about what went on inside the company after the reported scandals.
What is also surprising is that, instead of offering a clear explanation of the matters at hand, the company was more focused on taking a stab at those who make statements against Facebook. Take, for instance, Apple CEO Tim Cook, who criticized Facebook in an MSNBC interview and called Facebook a service that traffics “in your personal life.” According to the Times, Mark Zuckerberg reportedly told his employees to use only Android phones in response to this statement.

Over 70 human rights groups write to Zuckerberg

Fresh reports have now emerged that the Electronic Frontier Foundation, Human Rights Watch, and over 70 other groups have written an open letter to Mark Zuckerberg asking him to adopt a clearer “due process” system for content takedowns. “Civil society groups around the globe have criticized the way that Facebook’s Community Standards exhibit bias and are unevenly applied across different languages and cultural contexts,” the letter says. “Offering a remedy mechanism, as well as more transparency, will go a long way toward supporting user expression.”

Zuckerberg rejects facetime call for answers from five parliaments

“The fact that he has continually declined to give evidence, not just to my committee, but now to an unprecedented international grand committee, makes him look like he’s got something to hide.” -DCMS chair Damian Collins

On October 31st, Zuckerberg was invited to give evidence before a UK parliamentary committee on 27th November, with politicians from Canada co-signing the invitation. The committee wanted answers about the Facebook “platform’s malign use in world affairs and democratic process”. Zuckerberg rejected the request on November 2nd. In yet another attempt to obtain answers, MPs from Argentina, Australia, Canada, Ireland and the UK joined forces with the UK’s Digital, Culture, Media and Sport committee last week, requesting a facetime call with Mark Zuckerberg.
However, in a letter to the DCMS committee, Facebook declined the request, stating: “Thank you for the invitation to appear before your Grand Committee. As we explained in our letter of November 2nd, Mr. Zuckerberg is not able to be in London on November 27th for your hearing and sends his apologies.” The letter does not explain why Zuckerberg is unavailable to speak to the committee via a video call. It summarizes a list of Facebook activities and related research that intersect with the topics of election interference, political ads, disinformation and security. It makes no mention of the company’s controversial actions and their after-effects.

Diverting scrutiny from the matter?

According to the NYT report, Facebook expanded its relationship with a Washington-based public relations consultancy with Republican ties in October 2017, after a year of external criticism over its handling of Russian interference on its social network. Last year the firm wrote dozens of articles criticizing Facebook’s rivals Google and Apple while diverting focus from the impact of Russian interference on Facebook. It pushed the idea that liberal financier George Soros was behind a growing anti-Facebook movement, according to the New York Times. The PR team also reportedly pressed reporters to explore Soros' financial connections with groups that protested Facebook at Congressional hearings in July.

How are employees and users reacting?

According to the Wall Street Journal, only 52 percent of employees say they're optimistic about Facebook's future, compared with 84 percent who were optimistic about working at Facebook in 2017. Just under 29,000 workers (of more than 33,000 in total) participated in the biannual pulse survey. In the most recent poll, conducted in October, the numbers have fallen, like its tumbling stock price, compared with last year's survey.
Just over half feel Facebook is making the world a better place, down 19 percentage points from last year. 70 percent said they were proud to work at Facebook, down from 87 percent, and overall favorability towards the company dropped from 73 to 70 percent since last October's poll. Around 12 percent apparently plan to leave within a year. Hacker News has comments from users stating that “Facebook needs to get its act together” and is “in need of serious reform”. Some also feel that “This Times piece should be taken seriously by FB, its shareholders, employees, and users. With good sourcing, this paints a very immature picture of the company, from leadership on down to the users”. Readers have pointed out that Facebook’s integrity is questionable and that “employees are doing what they can to preserve their own integrity with their friends/family/community, and that this push is strong enough to shape the development of the platform for the better, instead of towards further addictive, attention-grabbing, echo chamber construction.”

Facebook’s reply on the New York Times report

Today, Facebook published a post in response to the Times report, listing a number of inaccuracies it sees in the article. Facebook asserts that it has been closely following the Russian investigation, and gives its reasons for not citing Russia by name in its April 2017 white paper. The company has also addressed the backlash it faced for not taking down Trump’s “Muslim ban” statement. The post says Facebook strongly supports Mark and Sheryl in the fight against false news and information operations on Facebook, and gives Sheryl’s reasons for championing sex trafficking legislation. In response to the controversy over advising employees to use only Android, it clarified that this was because “it is the most popular operating system in the world”. On hiring the PR firm Definers, Facebook says: “We ended our contract with Definers last night.
The New York Times is wrong to suggest that we ever asked Definers to pay for or write articles on Facebook’s behalf – or to spread misinformation.” We can’t help but notice that, again, Facebook is defending itself against allegations without giving a proper explanation for why it finds itself in controversies time and again. It is also surprising that the contract with Definers abruptly came to an end just before the Times report went live. What Facebook has additionally done is emphasize its improved security practices, something it talks about every time it faces a controversy. It is time to stop delaying, denying and deflecting. Instead, atone, accept, and act responsibly.

Seven new Spectre and Meltdown attacks found

Savia Lobo
15 Nov 2018
3 min read
A group of researchers recently disclosed seven additional attacks in the Spectre and Meltdown families. The seven attacks affect AMD, ARM and Intel CPUs to varying extents. The researchers present these attacks in detail in their research paper, ‘A Systematic Evaluation of Transient Execution Attacks and Defenses’.

2 Meltdown and 5 Spectre variants found

The 7 newly found attacks include 2 new Meltdown variants, Meltdown-PK and Meltdown-BR, and 5 new Spectre mistraining strategies for Spectre-PHT and Spectre-BTB attacks. The researchers say these 7 attacks had been overlooked and not investigated so far. They successfully demonstrated all seven with proof-of-concept code; however, experiments to confirm six other Meltdown attacks did not succeed. The two new Meltdown attacks are:

Meltdown-PK - bypasses memory protection keys on Intel CPUs
Meltdown-BR - exploits the x86 bound instruction on Intel and AMD

The other Meltdown attacks, which the researchers tried and failed to exploit, targeted the following internal CPU operations:

Meltdown-AC - tried to exploit memory alignment check exceptions
Meltdown-DE - tried to exploit division (by zero) errors
Meltdown-SM - tried to exploit the supervisor mode access prevention (SMAP) mechanism
Meltdown-SS - tried to exploit out-of-limit segment accesses
Meltdown-UD - tried to exploit invalid opcode exceptions
Meltdown-XD - tried to exploit non-executable memory

Source: A Systematic Evaluation of Transient Execution Attacks and Defenses

To understand the Spectre-type attacks, the researchers proposed a categorization based on, first, the prediction mechanism exploited, and second, the mistraining mechanism.
They propose to group together all attacks that exploit the same microarchitectural element:

Spectre-PHT: exploits the Pattern History Table (PHT)
Spectre-BTB: exploits the Branch Target Buffer (BTB)
Spectre-STL: exploits the CPU’s memory disambiguation prediction, specifically store-to-load forwarding (STLF)
Spectre-RSB: exploits the Return Stack Buffer (RSB)

According to ZDNet, “Based on the experiments, the researchers found three new Spectre attacks that exploit the Pattern History Table (PHT) mechanism and two new Spectre attacks against the Branch Target Buffer (BTB).” These are:

PHT-CA-OP
PHT-CA-IP
PHT-SA-OP
BTB-SA-IP
BTB-SA-OP

Defenses for these new Spectre and Meltdown attacks

For Spectre-type and Meltdown-type attacks, the researchers categorize the defenses into three and two categories respectively. For Spectre-type attacks, the defense categories are:

Mitigating or reducing the accuracy of covert channels used to extract the secret data.
Mitigating or aborting speculation if data is potentially accessible during transient execution.
Ensuring that secret data cannot be reached.

For Meltdown-type attacks, the defense categories are:

Ensuring that architecturally inaccessible data remains inaccessible on the microarchitectural level.
Preventing the occurrence of faults.

The researchers write, “We have systematically evaluated all defenses, discovering that some transient execution attacks are not successfully mitigated by the rolled out patches and others are not mitigated because they have been overlooked. Hence, we need to think about future defenses carefully and plan to mitigate attacks and variants that are yet unknown”. To know more about these newly found attacks and the related experiments, head over to the research paper by Claudio Canella et al.

This fun Mozilla tool rates products on a ‘creepy meter’ to help you shop safely this holiday season

Sugandha Lahoti
15 Nov 2018
2 min read
Mozilla has come up with a fun ‘creepy’ product rater and guide to make people aware of privacy issues and help them shop for safe products this holiday season. Its opening line: “Teddy bears that connect to the internet. Smart speakers that listen to commands. Great gifts—unless they spy on you. We created this guide to help you buy safe, secure products this holiday season.”

Source: Mozilla

When you click on a product, you see a description, a creepiness rater, a ‘how likely are you to buy it’ option, and various privacy-related questions and answers. “It is a super fun poke by Mozilla at the overwhelming majority of the technology industry who treat privacy as a nuisance at best and as a non-event at worst,” said a Hacker News user. It may be Mozilla’s way of illustrating its mission of being an advocate for privacy. Read More: Is Mozilla the most progressive tech organization on the planet right now? Some people also disagreed with Mozilla’s jibe. “The page looks to be targeted at consumers, with the 'creepy' meter that changes as you scroll. However, the PS4 and Xbox are considered 'A little creepy' and a sous vide cooker is listed as 'Somewhat creepy'. Despite the arguments made on the respective pages for why they are creepy (generally "Shares your information with 3rd parties for unexpected reasons"), I don't think any consumer on the planet is going to consider any of those gifts even slightly creepy.” Another Hacker News user said: “This list definitely feels very shallow and disconnected from any deeper reasoning about specific security practices, business models, whether a net connection is actually required or not, etc. It's a popularity poll at best, and the actionable advice is minimal. It's a bit disappointing coming from Mozilla, at least to the extent that it's a wasted opportunity on something that the public is growing more aware of.” Most people agree that this is just a for-fun poll by Mozilla without any serious implications.
Read more such Hacker News comments, and have a look at Mozilla’s guide.

Open Invention Network expands its patent non-aggression coverage in Linux system

Natasha Mathur
15 Nov 2018
3 min read
Open Invention Network (OIN), a patent non-aggression community, last week announced an expansion of its patent non-aggression coverage by updating the freedom of action in its Linux System definition. Patents give organizations and individuals the right to an invention and the right to exclude others from making, using, offering for sale, or selling that invention. This Linux System expansion enables “OIN to keep pace with open source innovation, promoting patent non-aggression in the core. As open source grows, we will continue to protect Linux and adjacent technologies through strategic software package additions to the Linux System,” said Keith Bergelt, CEO of Open Invention Network. The expansion comprises 151 new packages, bringing the total number of protected packages to 2,873. “While the majority of the new additions are widely used and found in most devices, the update includes a number of key open source innovations such as Kubernetes, Apache Cassandra and packages for Automotive Grade Linux,” said Mirko Boehm, OIN’s director for the Linux System definition, who introduced Open Invention Network as a non-aggression pact between companies (especially within the field of the Linux System definition). OIN cross-licenses patents for the Linux System on a royalty-free basis. This zone of cross-licensing is called OIN’s Linux System, which comprises a list of fundamental Linux software packages. Patents owned by OIN are similarly licensed royalty-free to any organization that agrees not to assert its patents against the Linux System. Open Invention Network focuses on changing the current patent system in core Linux and other open source technologies, which is being abused by many organizations, significantly harming innovation. These non-aggression pacts, or defensive patent tools, from OIN help protect the signatories against the aggressive use of patents. A report by Dr. E.
Altsitsiadis for OpenForum Academy (OFA) stresses these issues in the current patent system, noting that companies whose business model consists of buying up patents in order to take anyone who infringes them to court have grown exponentially. Technology giants are engaged in massive legal battles. This ties up public resources in expensive lawsuits and poses a significant barrier to smaller innovators, who don’t always have the capacity to cover these legal costs. Just last month, Microsoft joined the Open Invention Network, making 60,000 of its patents accessible to fellow members and embracing open source software and culture. “With this update to the Linux System definition, OIN continues with its well-established process of carefully maintaining a balance between stability and innovative core open source technology,” stated Boehm. For more information, check out the official OIN press release.

Microsoft fixes 62 security flaws on Patch Tuesday and re-releases Windows 10 version 1809 and Windows Server 2019

Savia Lobo
14 Nov 2018
3 min read
Yesterday, on Patch Tuesday, Microsoft released its monthly security patches, fixing 62 security flaws. These included a fix for a zero-day vulnerability that was under active exploitation before the patches were made available. Microsoft also announced the re-release of Windows 10 version 1809 and Windows Server 2019.

Zero-day vulnerability CVE-2018-8589

Microsoft credited Kaspersky Lab researchers with discovering this zero-day, tracked as CVE-2018-8589, which affects the Windows Win32k component. A Kaspersky spokesperson told ZDNet that they discovered the zero-day being exploited by multiple cyber-espionage groups (APTs). The zero-day had been used to elevate privileges on 32-bit Windows 7 versions. This is the second Windows elevation-of-privilege zero-day discovered by Kaspersky researchers that Microsoft has patched. Last month, Microsoft patched CVE-2018-8453, another zero-day that had been used by a state-backed cyber-espionage group known as FruityArmor. However, this month’s Patch Tuesday did not patch a zero-day affecting the Windows Data Sharing Service (dssvc.dll) that was disclosed on Twitter at the end of October. According to ZDNet, “Microsoft has published this month a security advisory to instruct users on how to properly configure BitLocker when used together with solid-state drives (SSDs).”

Re-release of Windows 10 version 1809 and Windows Server 2019

As reported by Microsoft, the Windows 10 October 2018 update caused data loss for some users after updating, so the company paused the update. Yesterday, however, Microsoft announced that it is re-releasing Windows 10 version 1809. John Cable, director of Program Management for Windows Servicing and Delivery at Microsoft, said “the data-destroying bug that triggered that unprecedented decision, as well as other quality issues that emerged during the unscheduled hiatus, have been thoroughly investigated and resolved.”
Microsoft also announced the re-release of Windows Server 2019, which was affected by the same issue. According to ZDNet, “The first step in the re-release is to restore the installation files to its Windows 10 Download page so that "seekers" (the Microsoft term for advanced users who go out of their way to install a new Windows version) can use the ISO files to upgrade PCs running older Windows 10 versions.” Michael Fortin, Windows Corporate Vice President, offered some context on the recent issues in a blog post and announced changes to the way the company approaches communications and transparency around its process. Per Fortin, "We obsess over these metrics as we strive to improve product quality, comparing current quality levels across a variety of metrics to historical trends and digging into any anomaly." To know more about this in detail, visit Microsoft’s official blog post.
Monday’s Google outage was a BGP route leak: traffic redirected through Nigeria, China, and Russia

Natasha Mathur
14 Nov 2018
4 min read
Google faced a major outage on Monday this week, going down for over an hour and taking a toll on Google Search and most of its other services, including the Google Cloud Platform. The outage was apparently the result of Google losing control over the normal routes to its IP addresses, which, due to a BGP (Border Gateway Protocol) issue, were misdirected to China Telecom, Nigeria and Russia.

The issue began at 21:13 UTC when MainOne Cable Company, a carrier in Lagos, Nigeria, declared its own autonomous system, 37282, as the right path to reach 212 IP prefixes that belong to Google, reported Ars Technica. Shortly after, China Telecom improperly accepted the route and announced it further worldwide, leading Transtelecom and other large service providers in Russia to follow the same route.

BGPmon, a networking and security company that assesses the route health of networks, tweeted on Monday that it “appears that Nigerian ISP AS37282 'MainOne Cable Company' leaked many @google prefixes to China Telecom, who then advertised it to AS20485 TRANSTELECOM (Russia). From there on others appear to have picked this up”. BGPmon also tweeted that the redirection of IP addresses came in five distinct waves over a 74-minute period:

https://twitter.com/bgpmon/status/1062130855072546816

Another network intelligence company, ThousandEyes, tweeted that a “potential hijack” was underway. ThousandEyes said it had detected over 180 prefixes affected by the route leak, covering a wide range of Google services.

https://twitter.com/thousandeyes/status/1062102171506765825

This fed a growing suspicion among many, as China Telecom, a Chinese state-owned telecommunications company, had recently come under the spotlight for misrouting western carrier traffic through mainland China. On further analysis, however, ThousandEyes concluded that “the origin of this leak was the BGP peering relationship between MainOne, the Nigerian provider, and China Telecom”.

MainOne is in a peering relationship with Google via IXPN in Lagos and has direct routes to Google, which leaked into China Telecom. These routes were then propagated further from China Telecom, via TransTelecom, to NTT and other transit ISPs. “We also noticed that this leak was primarily propagated by business-grade transit providers and did not impact consumer ISP networks as much”, reads the ThousandEyes blog.

BGPmon further tweeted that, apart from Google, Cloudflare faced the same issue, as its IP addresses followed the same route as Google’s.

https://twitter.com/bgpmon/status/1062145172773818368

However, Matthew Prince, CEO of Cloudflare, told Ars Technica that this routing issue was just an error and the chance of it being a malicious hack was low. “If there was something nefarious afoot there would have been a lot more direct, and potentially less disruptive/detectable, ways to reroute traffic. This was a big, ugly screw up. Intentional route leaks we’ve seen to do things like steal cryptocurrency are typically far more targeted” said Prince.

“We’re aware that a portion of Internet traffic was affected by the incorrect routing of IP addresses, and access to some Google services was impacted. The root cause of the issue was external to Google and there was no compromise of Google services,” a Google representative told Ars Technica.

MainOne also posted an update about the issue on its site, saying that it faced a “technical glitch during a planned network update and access to some of the Google services was impacted. We promptly corrected the situation at our end and are doing all that is necessary to ensure it doesn’t happen again. The error was accidental on our part; we were not aware that any Google services were compromised as a result”.

MainOne further addressed the issue on Twitter, saying that the problem occurred due to a misconfiguration in its BGP filters:

https://twitter.com/Mainoneservice/status/1062321496838885376

The main takeaway from this incident is that doing business on the Internet is still risky, and there will be times when it leads to unpredictable and destabilizing events that are not necessarily ‘malicious hacks’.

Basecamp 3 faces a read-only outage of nearly 5 hours
GitHub October 21st outage RCA: How prioritizing ‘data integrity’ launched a series of unfortunate events that led to a day-long outage
Worldwide Outage: YouTube, Facebook, and Google Cloud goes down affecting thousands of users

Introducing Firefox Sync centered around user privacy

Melisha Dsouza
14 Nov 2018
4 min read
“Ensure the Internet is a global public resource… where individuals can shape their own experience and are empowered, safe and independent.” -Team Mozilla

Yesterday, Firefox explained the idea behind Firefox Sync and how the tool was built with users’ privacy in mind. Because sharing data with a provider is the norm, the team thought it important to highlight the privacy aspects of Firefox Sync.

What is Firefox Sync?

Firefox Sync lets a user share their bookmarks, browsing history, passwords and other browser data between devices, and send tabs from one device to another. This feature redefines how users interact with the web. Users can log on to Firefox with Firefox Sync using the same account across multiple devices, and can even pick up the same sessions when they swap devices. With one easy sign-in, Firefox Sync gives users access to their bookmarks, tabs and passwords. Sync allows users logged on from one device to be simultaneously logged on to other devices, which means that a task started on a user’s laptop in the morning can be picked up on their phone later in the day.

Why is Firefox Sync Secure?

By default, Firefox Sync protects all synced data so that Mozilla cannot read it. When a user signs up for Sync with a strong passphrase, their data is protected both from attackers and from Mozilla. Mozilla encrypts all of a user’s synced data so that it is entirely unreadable without the key used to encrypt it. Ideally, even the service provider should never receive a user’s key, and Firefox takes care of this at sign-in. Traditionally, a user signs in by sending a username and passphrase to the server, which hashes the passphrase and compares it with a stored hash; if they match, the server sends the user their data. With Firefox, a user never sends their passphrase.

Mozilla transforms a user’s passphrase on their computer into two different, unrelated values. An authentication token derived from the passphrase is sent to the server and serves as the password-equivalent; the encryption key derived from the passphrase never leaves the user’s computer. In more technical terms, 1000 rounds of PBKDF2 are used to derive the authentication token from the passphrase. On the server side, this token is hashed with scrypt so that the database of authentication tokens is even harder to crack. The passphrase is also derived into an encryption key using the same 1000 rounds of PBKDF2; this key is domain-separated from the authentication token by using HKDF with separate info values. That key is used to unwrap an encryption key (obtained during setup, and which Mozilla never sees unwrapped), and the unwrapped key protects the user’s data using AES-256 in CBC mode, protected with an HMAC.

Source: Mozilla Hacks

How are people reacting to this feature?

Sync has been well received by users. A user on Hacker News commented that this feature makes “Firefox important”. Sync has also been compared to Google Chrome, whose sync feature collects users' complete browsing histories. One user commented that Mozilla’s privacy tools will make him “chose over chrome”. And since this approach is relatively simple to implement, users are also exploring the possibility of “implement a similar encryption system as a proof of concept”. At a time when respecting user privacy is so unusual, Mozilla has certainly caught our attention with its “user privacy-centric” approach. Head over to Mozilla’s blog to learn about other approaches to building a sync feature for a browser and how Sync protects user data.
Mozilla pledges to match donations to Tor crowdfunding campaign up to $500,000
Mozilla shares how AV1, the new open source royalty-free video codec, works
Mozilla introduces new Firefox Test Pilot experiments: Price Wise and Email tabs