On Sunday, while most of Twitter was watching the Women’s World Cup – an amazing game from start to finish – one of the world’s most notorious security firms was being hacked.
Specializing in surveillance technology, Hacking Team is now learning how it feels to have their internal matters exposed to the world, and privacy advocates are enjoying a bit of schadenfreude at their expense.
Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies.
Feels poetic.
We’re getting a lot of important “hacks” lately for humanity as a whole: Snowden, then Sony, and now “Hacked Team” (
). These are important in that they expose the dirty underbelly of government and corporate spying and bribery (euphemistically called “lobbying”).
The sad part is that even with everything that has come to light in recent years nothing has been or will be done to actually protect peoples privacy. That’s just the harsh reality of todays world. At best all people can hope for are crumbs that give them a false sense of security. But then when has the game ever not been rigged?
ilovebeer,
In my opinion a large part of the problem is that the business models of today just don’t align themselves with consumer privacy interests. Corporations don’t need to store our data unencrypted in their silos, but then they can’t monetize our data. We have a whole web generation that’s been exchanging their privacy for ad sponsored “free services”. It’s not clear that these trends could be reversed. It’s not so much a technical problem, but lets face it most of the worlds successful tech companies want to mine our data to target more lucrative ads.
How does the one possibly follow from the other?
It’s clearly true that businesses don’t need to encrypt customer data but it’s completely unclear to me how this implies that they can’t generate revenue from that data.
Google encrypts the user data it stores and seems to have no difficulty making a dime on it.
They only encrypt the data so an attack from an insider or outsider doesn’t get them access to the data.
Google first gets your cleartext data and does the encryption and holds the keys.
In this case encryption doesn’t add anything for user privacy.
You never have privacy unless you control the stack, from beginning to end. Get over it. You’ve just as much privacy for your personal data online as you do in any other public forum, or when purchasing something in a store. Low tech hacks work just as well as high tech ones do. If you want privacy, keep it in your own controlled environment. Everyone is yammering on and on about privacy online, yet they don’t stop to think (at least in this country) when they pay for a meal with their credit card by sticking it in the little booklet and letting the restaurant staff run it (yes, in the states we still do that). They take your card, run it, and… what else? Hint: a whole blazing lot of fraud comes from this. Or how about the ridiculous wellness program we have now where the doctors have to ask you some of the most invasive questions you’ll ever be asked, and you’re fined if you don’t answer?
Privacy online is dead simple. Privacy in the real world is what we should, and don’t, worry a damn about.
I’m actually very aware of my ‘offline’ privacy.
For example I usually pay with cash.
And if I didn’t need to be available for my work I would turn off my phone a lot of the time.
(maybe even remove the battery, I obviously have phone you can actually do that with)
My phone doesn’t have wifi enabled all the time like some people.
I also know where the CCTV camera’s in my city are (or where I usually go) and what roads to avoid so I’m not recorded all the time.
But I’m clearly not the average consumer. 🙂
Edited 2015-07-07 12:24 UTC
darknexus,
Privacy should matter in any private context (online or not), but there are two challenges: NSA/government interference (aka Lavabit) and ad sponsored datamining that diametrically opposes privacy.
Edited 2015-07-07 14:25 UTC
Which means you have to trust them, and you can’t. THerefore, encryption is no guarantee of privacy. Therefore, you only have control over your own privacy… on your own stack.
I never said encryption didn’t work. You read that out of what I actually said, which is that you have no control over your privacy on any system but your own, because you have no idea how company X is using their encryption.
darknexus,
This is what I objected to in your first post “You never have privacy unless you control the stack, from beginning to end. Get over it.” Maybe it’s just the wording, but that seems to imply that you don’t have privacy unless you control the endpoints and everything in between, which is false. The whole motivation for encryption is that you can’t control the whole stack, just the end points. If we can agree on this, then great
We, as an industry, are solving at least some of the problems and this does increase user/customer privacy.
Lots of protocols are getting encryption and easier to deploy encrypted protocols. Basically moving to an Internet of encrypted protocols. This prevents the kind of bulk-surveillance the NSA is doing.
This does leave us with the 2 other big things:
– companies still get the data of their customers. This isn’t just companies like Google and advertising companies. This also includes cloud providers like Amazon Web Services (AWS).
– metadata. When you have your data encrypted you still leak for example 2 IP-addresses (sending/receiver).
And metadata is a real problem too. Bruce Schneier says is best:
[..] it’s “only metadata.” [..] This might fool the average person, but it shouldn’t fool those of us in the security field. Metadata equals surveillance data, and collecting metadata on people means putting them under surveillance. [..]
An easy thought experiment demonstrates this. Imagine that you hired a private detective to eavesdrop on a subject. That detective would plant a bug in that subject’s home, office, and car. He would eavesdrop on his computer. He would listen in on that subject’s conversations, both face to face and remotely, and you would get a report on what was said in those conversations.
[..]
Now imagine that you asked that same private detective to put a subject under constant surveillance. You would get a different report, one that included things like where he went, what he did, who he spoke to—and for how long—who he wrote to, what he read, and what he purchased.
[..] So when the president [Obama] says that it’s only metadata, what you should really hear is that we’re all under constant and ubiquitous surveillance.
https://www.schneier.com/essays/archives/2014/03/metadata_surveillan…
I have a hard time taking any company with the name “Hacking Team” seriously.
This will help you with your problem:
https://twitter.com/Viss/status/617950211239837696/photo/1
🙂
O M F G! That is so effin hilarious! It’s not too surprising, though. Just the other day, I was at Lowes getting some plywood cut for some repair work I needed. The cutter had a pad you used to enter a password to turn it on, and I told my dad “What do you wanna bet the password is ‘1234’?”
The guy starts entering ‘4321’ over and over, then calls someone else to verify he’s using the right password. After he hangs up, he enters ‘1234’ and cuts the plywood for me. BTW, ‘4321’ would have been the SECOND password I would have guessed.
With a surprised voice, so the cutter guy can hear it: “That’s the stupidest combination I’ve ever heard in my life! That’s the kinda thing an idiot would have on his luggage.” And make sure someone else adds: “That’s amazing! I’ve got the same combination on my luggage!”
But wait, it gets even better! David, the CEO, writes:
We might use PGP. But I sceptical about encrypted communications with (potential) partners; we don’t have anything to hide.
Context: https://twitter.com/CDA/status/618091657146290176
To all businesses out there: If you don’t make your clients, your partners, your pricing and your bank account’s content public, you have something to hide. And only those who are criminal have something to hide! And especially when you are planning to work for “democratic” governments, you better have nothing to hide. Or else. 🙂
Edited 2015-07-07 21:12 UTC
Retarded Exec: “We have NOTHING to hide!”
Yeah, it’s not like credit card info of customers should be secret, right? And I’ve never seen a company with trade secrets.
Good thing PGP can’t be used for important things like signing emails that might be nice for business correspondence from a “security” company.
Yes, that pretty much restores my confidence in their competence.
Now let’s go ahead and continue trusting our governments who bought many nice toys from that company. They’ll use it for our good, they promise! They are certified!
In the Trend Micro blog, headline “Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak”, we can find this:
Most of the leaked information covered Hacking Team’s business practices, which seemingly contradict their official statements on who they sell their products to. However, the leak also included the tools provided by the company to carry out attacks, and this included several exploits targeting Adobe Flash Player and Windows itself.
The information dump includes at least three exploits – two for Flash Player and one for the Windows kernel. One of the Flash Player vulnerabilities, CVE-2015-0349, has already been patched.
One of the Flash exploits is described by Hacking Team as “the most beautiful Flash bug for the last four years.†This Flash exploit has not yet been given the CVE number.
And updated:
Based on our ongoing investigation, we believe that this zero-day vulnerability from this leak has been used in an attack we’ve been tracking recently. We will be providing additional information in another blog entry soon.
Source: http://blog.trendmicro.com/trendlabs-security-intelligence/unpatche…
And this is our tax money at work:
https://cdn.arstechnica.net/wp-content/uploads/2015/07/hacking-team-…
It’s not even funny anymore…
Feels pathetic.