Most people have heard of the Game of Thrones, George R.R. Martin’s masterpiece filmed and shown by HBO. Its final season will come in 2019 and the air is filled with teasers, speculated spoilers and optional fan made false trailers. Yet have you heard of the game of pawns? This goes directly towards the entire Australian Encryption Bill. I spoke about it 2 days ago in ‘Clueless to the end‘, where we are introduced to the misrepresented views of Peter Dutton. On how he plays the system on getting the FAANG group to help him a little, which is exactly what the FAANG group is unwilling to do. In addition to what I wrote there is the voice of Paul Brookes, chair of Internet Australia. He gave us: “it is important for law enforcement to find ways to improve their capabilities for intercepting criminal activities through the communications sectors, “they must not do so via hastily enacted legislation which fails to consider the legitimate concerns and advice of global technology experts, and carries the very clear risk of creating more problems than it solves”“, in this Paul is right and the issue is growing on other settings too. In the last three days we have been made privy to: ‘Hackers stole millions of Facebook users’ highly sensitive data — and the FBI has asked it not to say who might be behind it‘. Optionally because they cannot unsubstantiated blame Russia again, yet in the much larger setting it seems that they do not have a clue. In addition, we see evolving today: ‘PS4 Users Are Claiming That Malicious Messages Are Breaking Their Consoles‘. The last one seemingly has a solution as reported by Kotaku: “It does seem that the exploit is purely text-based, so changing your PlayStation messenger privacy settings should prevent it from happening. You can do that by going to Account Management in your console Settings, heading to the Privacy Settings submenu, and changing Messaging settings to “Friends Only” or “No One,” meaning that only your pre-selected friends or no one at all can message you“. Two attacks, the second one without knowing the extent of the attack in a setting that could not have been prevented by the encryption bill, the fact that the authorities have been grasping in the dark gives a very clear view on how short the authorities are on the ability to stop these events. All the BS short-sighted attempts to access data whilst the entire communication system is flawed beyond belief shows just how clueless the governmental players have become.
So as this week is likely to be about: “It appears to be the worst hack in Facebook’s 14-year history“, many will all go into the blame game against Cambridge Analytical, ye the foundation is that the internet was always flawed, and again we see a setting where the failing of non-repudiation is at the core of certain events. A setting where ““access tokens” – essentially digital keys that give them full access to compromised users’ accounts“, done through hacks into vulnerabilities into a setting of ‘authentication’, where the optional ‘non-repudiation’ might have optionally prevented it. That basic flaw has been around for over a decade and the tech companies are unwilling to fix it, because it makes them accountable in several additional ways.
In a setting where you and you alone could have done certain things, is stage against the setting of someone with the claimed authority has staged the deletion of all you created. That is the stage we are in and the damage is increasing. As more and more vulnerabilities are brought to light, the lack of actions are beyond belief.
The NPR reported something interesting that the initial sources did not give me. They give us: “the hack exploited three separate bugs in Facebook’s code. No passwords were compromised, but the hackers were able to gain “access tokens” that let them use accounts as though they were logged in as another person“, as far as I can speculate, non-Repudiation might not have allowed that, making non-repudiation a much larger priority for social media than ever before. The fact that the data captures are getting larger makes the change also a lot more important. If the value of Facebook is data, keeping that secure should be their first priority, the Encryption bill would also be a void part if non-repudiation becomes an actual part of our lives. The dire need of Common Cyber Sense is seen everywhere and we need to give less consideration to people who cannot keep their Common Cyber Sense.
You see, the issue is becoming a lot more important. The fact that these accounts are now sold on the dark web, with the by-line: “If sold individually at these prices, the value of the stolen data on the black market would be somewhere between $150m and $600m“, we are certain that this will get a lot worse before there is any improvement. It is my personal view that actively seeking a non-repudiation setting will hasten that process of making your data more secure.
It is in addition the setting that the Dream Market offers, which by the way is useless. The Chinese vendor offering the data, could in the end merely be an expelled student from any US university living in Dublin, there is at present no way to tell who Chernobyl 2550 actually is.
Finding and exploiting three bugs in Facebook gets you optionally half a billion, the governments are that far behind and there is no indication that they will catch up any day soon. When going back to the Facebook setting, we also saw “Facebook said third-party apps and Facebook apps like WhatsApp and Instagram were unaffected by the breach“, yet another source gives us: ‘WhatsApp Bug Allowed Hackers To Hack Your Account With Just A Video Call’ (at https://www.valuewalk.com/2018/10/whatsapp-bug-video-call-fixed/) implying that Facebook users are in a lot more peril then shown from the different media. We are given: “A security researcher at Google’s Project Zero discovered a strange bug in WhatsApp that allowed hackers to take control of the app if they just knew your phone number. All they had to do was placing you a video call and getting you to answer it. Though the WhatsApp bug was disclosed only on Tuesday, Google researcher Natalie Silvanovich had discovered and reported it to the Facebook-owned company back in August“. So even as it seems that Facebook is not giving us ‘faulty’ information; the mere fact on the existence of the flaw as seen with: “She disclosed the WhatsApp bug to the public only after the company fixed it via a software update. Silvanovich wrote in a bug report that heap corruption could occur when the WhatsApp app “receives a malformed RTP packet.” The bug affects only the Android and iOS versions of WhatsApp because they use the Real-time Transport Protocol (RTP) for video calling” is showing a dangerous setting where a number of failings within this year alone gives rise to the flaws in security and proper testing of apps and the stage of security is failing faster than we should be comfortable with.
So even as CBS News was all about hacking elections last week, giving us: “These cyber-attackers are driven by a variety of motivations, says Andrea Little Limbago, the chief social scientist at data security firm Endgame. “As long as attackers find it in their best interests or find the motivation to want to have some sort of effect … they’re going to think about what they could do with that access,” she says. “Especially China, Russia, and Iran.”“, the failing we see that there is a flaw in the system, it is not merely on pointing at the wrong players, it is about the flawed setting that some systems were breached in the first place. The larger setting is not the hack, it is access and the need for non-repudiation is growing at an alarming rate, in a setting where none of the players are ready to accept non-repudiation, we see a faulty authentication approach and that is the cost of doing business. So when you consider it a sign of the times, consider that I personally witnessed a bug that Whatsapp showed over 27 years ago, when a financial package on DEC VAX/VMS has something called Ross Systems. An intentional illegal action would crash your terminal program and leave any user in the VAX/VMS system with supervisor rights, with total access to every file on the server and every drive. Would it be nice if certain lessons were learned over a quarter of a century?
That is the issue sand the opposition of those who want to push out new features as soon as possible and that danger will only increase in a 5G setting, so when your mobile becomes your personal data server and someone does get access to all your credit card and health data, you only have yourself to blame, good luck trying to sue the technology companies on that. Actually that is exactly what Google is facing with class actions against both the Pixel and Pixel 2 at present. Should they lose these, then the ante goes up, because any case involving flawed data security, when flagged as inappropriately dealt with could cost Google a lot more than they are bargaining for, and it is not just Google, Apple, and Facebook will be in equal settings of discomfort.
If only they had properly looked at the issues, instead of seeking the limelight with a new fab. In the end, are we mere pawns to them, to be exploited and under secured for their short terms needs of clicks and sales pitches? What happens when it falls? They will still get their golden handshakes and a life without complications for decades, what are we left with when our value in data is sold on?
We are merely pawns in a game and no one wants the throne, they merely want to be the second fiddle and walk away overly rich (or own the Iron Bank), we enabled this, and we get to live with the fallout that comes next, all because non-repudiation was too hard for these players.