Huawei Equipment Backdoor Found in HiSilicon Chips

Hardware researcher Vladislav Yarmak found a backdoor in Huawei equipment used in video recorders and security cameras.

To be clear, this security vulnerability is said to be present in the software HiSilicon provides with its system-on-chips to customers. These components, backdoor and all, are then used by an untold number of manufacturers in network-connected recorders and cameras.

It’s not a major threat, or anything people need to fret about, it’s just another indicator of Huawei’s piss-poor approach to security.

AKA do not let Huawei build your 5G infrastructure.

Amazon’s Ring Surveillance App is Loaded With Trackers

Not only are Ring doorbell cameras used for surveillance, but so is the app itself. Like many apps, it’s loaded with third-party trackers and analytics tools. The EFF examined the Android app.

As we’ve mentioned, this includes information about your device and carrier, unique identifiers that allow these companies to track you across apps, real-time interaction data with the app, and information about your home network. In the case of MixPanel, it even includes your name and email address.

Privacy, Parenting, and Monitoring Your Kids’ Electronics

Wired is publishing a series on parenting, and this article is written by a father who monitors his teens’ electronics.

Later, after discovering my daughter had secreted a contraband Chromebook in her room to watch late-night Friends, all devices would be sequestered in the master bedroom overnight.

And this rule was above all else: The devices all belong to me and my wife, and we are entitled to see anything and everything on them.

I didn’t get a cell phone until I was in college, so my parents didn’t have to worry about me blasting my teenage cringe online. At the same time, this guy sounds like the type to physically remove the door to his kid’s room so they can’t hide from him.

Clearview AI Helps Law Enforcement With Facial Recognition

In a long read from NYT, Kashmir Hill writes about a startup called Clearview AI that works with law enforcement on facial recognition.

You take a picture of a person, upload it and get to see public photos of that person, along with links to where those photos appeared. The system — whose backbone is a database of more than three billion images that Clearview claims to have scraped from Facebook, YouTube, Venmo and millions of other websites — goes far beyond anything ever constructed by the United States government or Silicon Valley giants.

Techno Artist Curtis Wallen Created a ‘Clandestine Communication Network’

Curtis Wallen’s latest project, called Proposition For An On Demand Clandestine Communication Network, tells people how to avoid surveillance and make a secret phone call.

This is not easy, of course. In fact, it’s really, comically hard. “If the CIA can’t even keep from getting betrayed by their cell phones, what chance do we have?” he says. Still, Wallen believes PropCom could theoretically keep users’ activities hidden. It’s hard, he emphasizes, but not impossible.

He basically uses a prepaid burner phone, a Faraday bag, and an encrypted phone number. I hope he bought the phone from a place that doesn’t use cameras or facial recognition, because that could help trace him.

VICE Tests Amazon Ring’s Security, and it’s Not Good

Journalists at VICE tested the security of Amazon Ring security cameras, and they call it “awful.”

Ring is not offering basic security precautions, such as double-checking whether someone logging in from an unknown IP address is the legitimate user, or providing a way to see how many users are currently logged in—entirely common security measures across a wealth of online services.

School Surveillance: How Millions of Kids are Spied On

When we hear the word “surveillance” we usually think about the NSA, or perhaps tech companies like Facebook and Google. What we probably don’t think about is school surveillance used to spy on kids.

The new school surveillance technology doesn’t turn off when the school day is over: anything students type in official school email accounts, chats or documents is monitored 24 hours a day, whether students are in their classrooms or their bedrooms.

Tech companies are also working with schools to monitor students’ web searches and internet usage, and, in some cases, to track what they are writing on public social media accounts.

Should You Warn Your Guests About Smart Devices?

David Murphy asks if people are morally obligated to inform their guests that their home contains smart devices like HomePod, Amazon Alexa, and Google Home. Given the fact that these devices can listen to you, should you post a sign in your house that says, “Warning: This Area Under Surveillance?”

If you’re simply sporting a smart speaker, I think announcing its presence is less of a deal—overkill, really. But if a camera is recording me at any point, and that’s something you can view later, I think it’s the friendly thing to do to let me know before I start gossiping…or worse.

What do you mean by worse??

Your Kids' Photos Power Surveillance Technology

The New York Times has a nice feature out today about how a mother found photos of her kids in a machine learning database.

None of them could have foreseen that 14 years later, those images would reside in an unprecedentedly huge facial-recognition database called MegaFace. Containing the likenesses of nearly 700,000 individuals, it has been downloaded by dozens of companies to train a new generation of face-identification algorithms, used to track protesters, surveil terrorists, spot problem gamblers and spy on the public at large. The average age of the people in the database, its creators have said, is 16.

I can’t imagine the gross feeling you get when you see your kids in a database like this.

Apple Blocks Spying Kazakhstan Root Certificate

The Kazakhstan government is trying to spy on citizens with a government-issued root certificate for websites. Apple, Google, and Mozilla are blocking it in their browsers.

The root certificate in question, labeled as “trusted certificate” or “national security certificate,” if installed, allows ISPs to intercept, monitor, and decrypt users’ encrypted HTTPS and TLS connections, helping the government spy on its 18 million people and censor content.

Once installed, the certificate allowed the Kazakh government to decrypt and read anything a user visiting popular sites—Facebook, Twitter, and Google, among others—types or posts, including intercepting their account information and passwords.

Amazon Requires Police to Promote its Ring Surveillance Cameras

As part of a secret agreement, Amazon requires that police “encourage adoption” of its Ring doorbell surveillance cameras.

Dozens of police departments around the country have partnered with Ring, but until now, the exact terms of these partnerships have remained unknown. A signed memorandum of understanding between Ring and the police department of Lakeland, Florida, and emails obtained via a public records request, show that Ring is using local police as a de facto advertising firm. Police are contractually required to “Engage the Lakeland community with outreach efforts on the platform to encourage adoption of the platform/app.”

Trump Administration Talking About Banning Encryption

Politico reports that the Trump administration is in talks about banning encryption, or at least certain forms of it that law enforcement can’t crack.

The encryption challenge, which the government calls “going dark,” was the focus of a National Security Council meeting Wednesday morning that included the No. 2 officials from several key agencies, according to three people familiar with the matter…Senior officials debated whether to ask Congress to effectively outlaw end-to-end encryption, which scrambles data so that only its sender and recipient can read it…

Great. I can’t wait for Russia and China to intercept all of our insecure communications.

On Covering Up Your iPhone Selfie Camera

Jack Morse writes that we should cover up our phone’s selfie camera, but doesn’t spend much time telling us why. 90% of the article is about webcams on laptops. The only phone-related thing mentioned is the iOS FaceTime bug. Ultimately the choice to cover up the selfie camera is a personal one, but I wouldn’t worry too much about it.

This writer has used the Post-it Note technique for a few years, and it works wonders. While every now and then I get some weird looks from strangers or friends when they see that I cover my selfie camera, just like with laptop webcam covers it’s likely they’ll all be doing the same before too long.

Bluetooth Beacons Can Track You Inside Stores

Bluetooth beacons are small devices that some stores hide throughout the building. Apps on your phone can pick up the signals they emit and send information back.

In order to track you or trigger an action like a coupon or message to your phone, companies need you to install an app on your phone that will recognize the beacon in the store. Retailers (like Target and Walmart) that use Bluetooth beacons typically build tracking into their own apps. But retailers want to make sure most of their customers can be tracked — not just the ones that download their own particular app.

I bet iOS 13’s new Bluetooth controls will affect this.

How Surveillance Affects the Legal System: A Judge’s View

We often read about surveillance from the perspective of us, the users, or technology companies. Here is a judge’s view on it.

Congress is way behind in determining how far the police can go in using technology to invade people’s privacy, and many of the legal disputes arising from this collision have not reached the Supreme Court. For the public, as a practical matter, the rules of the road are being decided by prosecutors. Your privacy is not their highest priority.

I think that’s ultimately the heart of the matter: We have a technologically-inept government.

iPhones Aren’t Safe From Google’s Sensorvault Database

Google has a database called Sensorvault. It contains location data of users and shares it with law enforcement—if they have a warrant, of course. Apple honors lawful requests as well. But Jennifer Valentino-DeVries wonders whether the database is too broad.

Google would not provide details on Sensorvault, but Aaron Edens, an intelligence analyst with the sheriff’s office in San Mateo County, Calif., who has examined data from hundreds of phones, said most Android devices and some iPhones he had seen had this data available from Google…

“It shows the whole pattern of life,” said Mark Bruley, the deputy police chief in Brooklyn Park, Minn., where investigators have been using the technique since this fall. “That’s the game changer for law enforcement.”

U.S. Government Tracks Journalists in Database

A startling investigation by NBC 7 journalists reveals how the U.S. government tracks journalists through the use of a database.

Documents obtained by NBC 7 Investigates show the U.S. government created a secret database of activists, journalists, and social media influencers tied to the migrant caravan and in some cases, placed alerts on their passports.

In fact, their own government had listed their names in a secret database of targets, where agents collected information on them. Some had alerts placed on their passports, keeping at least two photojournalists and an attorney from entering Mexico to work.

This is why private services like end-to-end encrypted messaging apps are so important. It’s bad enough if a foreign government is surveilling you. We don’t need our own government to do the same.