• Risks Digest 33.44 (1/2)

    From RISKS List Owner@21:1/5 to All on Wed Sep 14 03:02:55 2022
    RISKS-LIST: Risks-Forum Digest Tuesday 13 September 2022 Volume 33 : Issue 44

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/33.44>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    The Search for Dirt on the Twitter Whistle-Blower (Ronan Farrow via PGN)
    Twitter's testimony today (Lauren Weinstein)
    GM's Cruise Recalls Self-Driving Software Involved in June Crash (WiReD)
    Be afraid of the Internet of Everything (Gabe Goldberg)
    Samsung denies Social Security numbers involved in latest breach
    (The Record by Recorded Future)
    Careless Errors in Hundreds of Apps Could Expose Troves of Data (WiReD)
    Timing of Artemis launch may depend on emergency detonation system
    (WashPost)
    Artemis I launch scrubbed again, new attempt may not come till October
    (The Washington Post)
    Four vulnerabilities discovered in popular infusion pumps, WiFi batteries
    (The Record via WashPo)
    Extreme California heat knocks key Twitter data center offline (CNN)
    How criminals are using jammers, deauthers to disrupt WiFi security cameras
    (Kiara Hay via Steve Stroh via Dewayne Hendricks via Dave Farber)
    Apple and eSIM (Rob Slade)
    Apple's recent iPhone security fix puts spotlight on transparency
    (USA Today)
    How Human Traffickers Force Victims Into Cyberscamming (ProPublica)
    Iranian authorities plan to use facial recognition to enforce new hijab law
    (The Guardian)
    Cloudflare drops KiwiFarms (The Washington Post)
    BBC report that UK Court IT system puts justice at risk (BBC)
    The 1,000 Chinese SpaceX engineers that existed only on LinkedIn
    (MIT Technology Review)
    Sky Cuts Queen Elizabeth II-Related Jokes From 'Last Week Tonight With John
    Oliver' in UK (Hollywood Reporter)
    Facebook has no idea where to find your data (DJC)
    Facebook and Google, they're SO public spirited... (Gabe Goldberg)
    Super-rich preppers' planning to save themselves from the apocalypse
    (The Guardian)
    Major telecoms sign deal to keep some phone services running during future
    outages (CBC Canada)
    Israel: Health Ministry website faces cyberattack, oversea access blocked
    (I14 News)
    Groove.cm Breaks the Internet (Paul Robinson)
    This $30 mouse jiggler makes it look like you're working when you're not
    (CNBC)
    Obsessively watching the news can make you mentally and physically sick
    (Study Finds)
    Re: High Seas Deception: How Shady Ships Use GPS to Evade International Law
    (John Stewart)
    Re: Hand-counting elections riskier than computer counts?
    (Craig Cottingham)
    Re: Honda Clocks Are Stuck 20 Years In The Past; There Isn't A Fix
    (Steve Bacher)
    Re: 3D gun printing operation busted in Calgary (Henry Baker)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 13 Sep 2022 10:14:37 -0700
    From: Peter G Neumann <neumann@csl.sri.com>
    Subject: The Search for Dirt on the Twitter Whistle-Blower (Ronan Farrow)

    [Re: Mudge, the L0pht, and whistle-blowing, RISKS-33.41 --
    Peiter "Mudge" Zatko's journey from hacker to Twitter whistleblower]

    Ronan Farrow, *The New Yorker*, 13 Sep 2022 https://www.newyorker.com/news/news-desk/the-search-for-dirt-on-the-twitter-whistle-blower

    Many of Peiter (Mudge) Zatko's former colleagues have received offers of payment for [dirty] information about him.

    On 23 Aug, a Slack chat for former employees of the payments company Stripe began filling with accounts of strange queries about an ex-colleague. <https://www.cnn.com/2022/08/23/tech/twitter-whistleblower-peiter-zatko-security/index.html>
    <https://www.washingtonpost.com/technology/2022/08/23/peiter-mudge-zatko-twitter-whistleblower/> ``I'm getting inundated with paid interview requests,''
    one of the former employees, Dan Foster, wrote. Another, Marty Wasserman,
    later posted that he'd received a similar message via e-mail. ``Hi Marty,
    Hope you're having a great week!'' the message read. ``I'm currently
    working on a project regarding leadership in tech, and my client is hoping
    to speak to an experienced professional about a particular individual you
    may have worked with.'' The message requested a 45-60 minute compensated
    phone consultation. Wasserman was suspicious of the timing. ``Preeeettyy
    sure this is regarding Mudge,'' he wrote, pasting it in the Slack chat with
    his former colleagues. ``Hard pass.''

    Hours earlier, CNN and *The Washington Post* had reported that Twitter's
    former head of security, Peiter (Mudge) Zatko, had filed a whistle-blower disclosure to federal agencies, accusing the social-media platform of
    reckless security practices. Zatko's sweeping claims, if proven, could aid
    Elon Musk in his attempt to terminate his forty-four-billion-dollar
    agreement to acquire Twitter, a legal fight with implications of billions of dollars for investors. The dozens of e-mails and LinkedIn messages received
    by people in Zatko's professional orbit appeared to be mostly from research-and-advisory companies, part of a burgeoning industry whose clients include investment firms and individuals jockeying for financial advantage through information. At least six research outfits -- Gerson Lehrman Group (G.L.G.), AlphaSights, Mosaic Research Management, Ridgetop Research,
    Coleman Research Group, and Guidepoint -- approached former colleagues of Zatko's at Stripe, Google, and the Pentagon research agency DARPA. All
    offered to pay for information, sometimes noting that the compensation would
    be high or apparently unrestricted. At least two investment firms, Farallon Capital Management L.L.C. and Pentwater Capital Management L.P., also sought information from individuals close to Zatko.

    [It's a long and ugly story, truncated for RISKS. PGN]

    https://www.cnn.com/2022/09/12/tech/twitter-data-center-california-heat-wave/index.html

    "The restrictions highlight the apparent fragility of some of Twitter's most fundamental systems, a problem Peiter "Mudge" Zatko, Twitter's former head
    of security who turned whistleblower, had raised in a disclosure sent to lawmakers and government agencies in July. In his whistleblower disclosure, first reported by CNN and The Washington Post, Zatko warned that Twitter had "insufficient data center redundancy" that raised the risk of a brief
    service outage or even the prospect of Twitter going offline for good.
    "Even a temporary but overlapping outage of a small number of datacenters
    would likely result in the service [Twitter] going offline for weeks,
    months, or permanently," according to Zatko's whistleblower disclosure. (Twitter has criticized Zatko and broadly defended itself against the allegations, saying the disclosure paints a "false narrative" of the
    company.) News of the data center outage comes a day before Zatko is due to testify before the Senate Judiciary Committee."

    https://www.cnn.com/2022/09/12/tech/peter-zatko-twitter-whistleblower-hearing-walkup/index.html
    https://www.washingtonpost.com/technology/2022/08/24/twitter-whistleblower-senate-hearing/

    Twitter agreed in June to pay roughly $7 million to the whistleblower whose allegations will be part of Elon Musk's case against the company, WSJ
    reported Thursday, citing people familiar with the matter. https://www.wsj.com/articles/twitter-agreed-to-pay-whistleblower-7-million-in-june-settlement-11662661116

    ------------------------------

    Date: Tue, 13 Sep 2022 11:01:49 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Twitter's testimony today

    Twitter whistleblower Peiter Zatko will testify before the Senate about
    his allegations of security failures at the social network, the Senate Judiciary Committee announced on Wednesday.

    ``Mr. Zatko's allegations of widespread security failures and foreign
    state actor interference at Twitter raise serious concerns. If these
    claims are accurate, they may show dangerous data privacy and security
    risks for Twitter users around the world,'' said Sens. Richard J. Durbin (D-Ill.) and Charles E. Grassley (R-Iowa), the chair and top Republican on the Senate Judiciary Committee.

    In my quick review so far of the "Mudge" testimony today, I've seen no
    obvious red flags concerning the sort of user data collected. These seem reasonable and in line with the @Twitter TOS.

    Of more concern is the allegation of "unlimited" access to this @Twitter
    data by engineers without case-based need to know, and if that access was properly logged and monitored.

    I am less concerned about allegations of large numbers of failed attempts to login to @Twitter corp systems -- that's pretty much standard hacking
    attempts -- the real issue is how many (if any) *succeeded* at gaining
    access.

    ------------------------------

    Date: Mon, 5 Sep 2022 01:50:13 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: GM's Cruise Recalls Self-Driving Software Involved in June Crash
    (WiReD)

    After two people were injured in the incident, Cruise blocked its robot vehicles from making left turns for several weeks before issuing a software update.

    https://www.wired.com/story/gms-cruise-recalls-self-driving-software-involved-in-june-crash

    ...seems following J. Edgar Hoover's orders:

    Mr. Schott is a retired special agent. His expose of the bureau includes the peccadillos of J. Edgar Hoover (who ordered that any vehicle he rode in make
    no left turns, hence the title) and the fruitcakes that rose to the rank of supervisor and/or above.

    https://books.google.com/books/about/No_Left_Turns.html?id=NZraAAAAMAAJ

    ------------------------------

    Date: Mon, 5 Sep 2022 00:23:37 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Be afraid of the Internet of Everything

    Ovens with eyes, a chameleon of a fridge, and other electronic
    eccentricities at IFA (Fierce Electronics)

    Samsung, for example, announced at its press conference Thursday that 100%
    of its major appliances would come with WiFi by 2023, while other firms
    might as well have been competing to see which one could put the least
    likely gadget part -- a touchscreen? a camera? -- into a given category of
    appliance.

    https://www.fierceelectronics.com/iot-wireless/ovens-eyes-chameleon-fridge-and-other-electronic-eccentricities-ifa

    ------------------------------

    Date: Fri, 9 Sep 2022 12:03:31 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Samsung denies Social Security numbers involved in latest breach
    (The Record by Recorded Future)

    The company said it collects information like Social Security numbers "to
    help deliver the best experience possible with our products and services."

    https://therecord.media/samsung-denies-social-security-numbers-involved-in-latest-breach/

    Wait, what?

    ------------------------------

    Date: Sun, 11 Sep 2022 21:59:32 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Careless Errors in Hundreds of Apps Could Expose Troves of Data
    (WiReD)

    Researchers found that mobile applications contain keys that could provide access to both user information and private files from unconnected apps.

    Researchers from Broadcom's Symantec Threat Hunter team published findings
    on Thursday about the prevalence of hard-coded authentication credentials lurking in the cloud services that underlie hundreds of mainstream
    apps. These login credentials are often meant to give the app access to a single file or service, like a mechanism for an app to display public images from a company's website or run text through a translation service at a
    user's request. But in practice, the researchers found, these same
    credentials often grant access to all files stored in a cloud service, like company data, database backups, and system control components. And when multiple apps have been created by the same third-party development firm or incorporate the same publicly available software development kits (SDKs),
    these static authentication tokens may even grant access to the
    infrastructure and user data of multiple, unconnected apps.

    All of this means that if an attacker discovered these access tokens, they could potentially unlock massive and disparate troves of sensitive data all
    by finding one key under one doormat.

    https://www.wired.com/story/mobile-apps-cloud-credentials-exposed

    ------------------------------

    Date: Thu, 8 Sep 2022 00:28:35 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Timing of Artemis launch may depend on emergency detonation system
    (WashPost)

    The system, which is designed to destroy the SLS rocket if it veers off
    course and threatens population centers, needs to be recharged every few
    weeks

    The problem for NASA is that can only be done in the rocket's assembly building, meaning they would need to perform the arduous work of rolling the 322-foot-tall rocket off the pad, where it is now, back to the building four miles away -- a journey that can take about eight hours each way.

    https://www.washingtonpost.com/technology/2022/09/07/artemis-launch-nasa-detonation-system/

    The risk? No suitable extension cord.

    ------------------------------

    Date: Sun, 4 Sep 2022 19:08:08 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Artemis I launch scrubbed again, new attempt may not come till
    October (The Washington Post)

    CAPE CANAVERAL, Fla. -- It may be several weeks before NASA can attempt to
    launch its massive Space Launch System moon rocket after it was unable to control what agency's officials described as a large, unmanageable hydrogen leak that forced them to cancel a second flight on Saturday.

    The rocket is billions of dollars over budget and years behind schedule, and
    by some estimates, each launch will cost between $2 billion and $4 billion.
    In creating the rocket, Congress dictated that it recycle engines and technology from the space shuttle program, which first flew in 1981 and was developed in the 1970s.

    Unlike the rockets used by SpaceX to launch astronauts to the International Space Station, which return to Earth to be used again, the Space Launch
    System is not reusable.

    ------------------------------

    Date: Fri, 09 Sep 2022 13:21:47 +0000
    From: Richard Marlon Stein <rmstein@protonmail.com>
    Subject: Four vulnerabilities discovered in popular infusion pumps, WiFi
    batteries (The Record via WashPo)

    https://therecord.media/four-vulnerabilities-discovered-in-popular-infusion-pumps-wifi-batteries/
    via https://washingtonpost.com/politics/2022/09/09/china-complaints-about-us-spying-are-laughable-many/.

    "The four bugs revolve around the secure decommissioning of Wireless Battery Modules (WBMs). Medical devices typically contain network credentials or
    other private information that should be removed before a device is
    transferred to a new user.

    "Heiland told *The Record* that the vulnerabilities offer attackers
    information about the network but none of them can be exploited over the Internet or at great distances. Hackers would need to be within at least
    WiFi range of the affected devices, and in some cases, the attacker would
    need to have direct, physical access."

    https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=FRN
    From the FDA's TPLC platform product code FRN -- Infusion Pump reveals 64 recalls between 01JAN2017 and 31AUG2022. Nearly half (31 of 64) the recalls occurred between 01JAN2020 and 31AUG2022. 23 of the 31 recalls in this range are Class I, meaning high risk. The FDA's Class I recall definition: "A situation where there is a reasonable chance that a product will cause
    serious health problems or death." (See https://www.fda.gov/medical-devices/medical-device-recalls/what-medical-device-recall).

    Of the 31 infusion pump recalls in the 2020-2022 range, 7 are attributed to Baxter devices: 3 Class I and 4 Class II recalls. More than 500K infusion
    pumps in aggregate are recall subjects. The TPLC page identifies 19 manufacturers of infusion devices, common among hospitals and outpatient clinics.

    ------------------------------

    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Date: Tue, 13 Sep 2022 14:25:37 -0700
    Subject: Extreme California heat knocks key Twitter data center offline
    (CNN)

    Extreme heat in California has left Twitter without one of its key data centers, and a company executive warned in an internal memo obtained by CNN that another outage elsewhere could result in the service going dark for
    some of its users.

    Twitter, like all major social media platforms, relies on data centers,
    which are essentially huge warehouses full of computers, including servers
    and storage systems. Controlling the temperature in those centers is
    critical to ensuring the computers don't overheat and malfunction. To save
    on cooling costs, some tech companies have increasingly looked to place
    their data centers in colder climates; Google, for example, opened a data center in Finland in 2011, and Meta has had one center in northern Sweden
    since 2013.

    ``On September 5th, Twitter experienced the loss of its Sacramento (SMF) datacenter region due to extreme weather. The unprecedented event resulted
    in the total shutdown of physical equipment in SMF,'' Carrie Fernandez, the company's vice president of engineering, said in an internal message to
    Twitter engineers on Friday. [...]

    https://www.cnn.com/2022/09/12/tech/twitter-data-center-california-heat-wave/index.html

    ------------------------------

    Date: Sat, 10 Sep 2022 04:54:29 +0900
    From: Dave Farber <farber@gmail.com>
    Subject: How criminals are using jammers, deauthers to disrupt WiFi security
    cameras (Kiara Hay via Steve Stroh via Dewayne Hendricks via Dave Farber)

    Kiara Hay, WXYZ, 6 Sep 2022 https://www.wxyz.com/news/how-criminals-are-using-jammers-deauthers-to-disrupt-wifi-security-cameras

    (WXYZ) A new warning is being issued for anyone who uses wireless security cameras like "Ring" to protect their home.

    A Detroit woman said her Ring camera didn't capture the moment her car was stolen from the front of her house, and one local expert said it's because crooks are becoming more tech-savvy.

    Earlier this month, the woman said her car was stolen from her driveway, and when she went to review her Ring camera footage, she realized hours were missing.

    Chris Burns, the owner of Techie Gurus, said security cameras that use WiFi
    to record are more about convenience than security. That's because WiFi can easily be disrupted, preventing the camera from capturing who is around your home, and criminals are catching on.

    "If you're relying on wireless as a security thing, you're looking at it wrong," Burns said. "Wireless signals are easy to jam or block."

    Those crooks can use this like a WiFi jamming device, or a deauther, which
    can be the size of an Apple Watch.

    A deauther will overwhelm a WiFi system, forcing the WiFi camera to stop recording if you stand close enough. The accessory only costs about
    $10-$50. A jammer on the other hand will cost anywhere between $150 to
    $1,000.

    They're also highly illegal, so jammers are more difficult to find, but a powerful jammer can prevent an entire street from recording on WiFi security cameras with the switch of a button.

    A spokesperson from Ring sent a statement saying, "Like any wifi-enabled device, WiFi signal interference may affect Ring device performance. If customers are experiencing issues with connectivity, we encourage them to
    reach out to Ring Customer Support."

    How can customers protect themselves? [...]

    [My neighborhood has been experiencing sweeps at 3am through entire
    streets, trashing cars that are unlocked, with one theft of a car in
    the driveway with a covering Ring camera, which was just recovered by
    the police 20 miles away -- with its catalytic converter removed. PGN]

    ------------------------------

    Date: Sat, 10 Sep 2022 07:09:59 -0700
    From: Rob Slade <rslade@gmail.com>
    Subject: Apple and eSIM

    In its new line of iPhones, Apple will be doing away with physical SIM
    cards, moving instead to a system it refers to as eSIM. This will be a software version of identification of the phone handset, and will be
    modifiable in order to change to new providers.

    https://lite.cnn.com/en/article/h_724d3eee26f0e2ace20a65a9ff82e6c3

    For some, this will be convenient. Therefore, I predict that a) this will
    lead to some interesting new attacks on iPhones, and b) that criminals will come up with ways to fake or spoof the eSIM and therefore 1) use other
    people's accounts, 2) use random accounts and numbers for spam calls, and
    3) create entirely new versions of "burner" phones.

    Apparently the eSIM has been around for a few years, now, so presumably it
    has been tested. But rolling it out for all new phones will increase
    market penetration, and therefore the attempts to break it ...

    [An E-SOP fable? PGN]

    ------------------------------

    Date: Mon, 5 Sep 2022 00:20:26 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Apple's recent iPhone security fix puts spotlight on transparency
    (USA Today)

    When Apple shipped a set of security patches for iPhones, iPads and Macs on August 17, it notified users with its customary, generic language: ``This update provides important security updates and is recommended for all
    users.''

    But users who clicked through Apple's update-advisory page to see
    descriptions of individual fixes got a more alarming cybersecurity story.

    "Processing maliciously crafted web content may lead to arbitrary code execution," a description of iOS 15.6.1 and iPadOS 15.6.1 states. "Apple is aware of a report that this issue may have been actively exploited."

    Translation: Visiting the wrong web site can put malware on your device, and
    it looks like attackers are already using this vulnerability.

    https://www.usatoday.com/story/tech/columnists/2022/08/31/apples-iphone-security-fix-protocol-questions/7933986001/

    ------------------------------

    Date: Tue, 13 Sep 2022 17:56:14 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: How Human Traffickers Force Victims Into Cyberscamming
    (ProPublica)

    Human Trafficking's Newest Abuse: Forcing Victims Into Cyberscamming

    Tens of thousands of people from across Asia have been coerced into
    defrauding people in America and around the world out of millions of
    dollars. Those who resist face beatings, food deprivation or worse.

    https://www.propublica.org/article/human-traffickers-force-victims-into-cyberscamming

    ------------------------------

    Date: Fri, 9 Sep 2022 12:52:16 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Iranian authorities plan to use facial recognition to enforce new
    hijab law (The Guardian)

    Government says it will use technology on public transport in crackdown on women's dress

    The Iranian government is planning to use facial recognition technology on public transport to identify women who are not complying with a strict new
    law on wearing the hijab, as the regime continues its increasingly punitive crackdown on women's dress.

    The secretary of Iran's Headquarters for Promoting Virtue and Preventing
    Vice, Mohammad Saleh Hashemi Golpayegani, announced in a recent interview
    that the government was planning to use surveillance technology against
    women in public places following a new decree signed by the country's
    hardline president, Ebrahim Raisi, on restricting women's clothing. [...]

    https://www.theguardian.com/global-development/2022/sep/05/iran-government-facial-recognition-technology-hijab-law-crackdown

    [This is a real LoJab. PGN]

    ------------------------------

    Date: Sun, 4 Sep 2022 19:04:33 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Cloudflare drops KiwiFarms (The Washington Post)

    The company's CEO says the firm had detected imminent threats and that law enforcement could not keep up with them.

    Cloudflare Chief Executive Matthew Prince, who this past week published a lengthy blog post justifying the company's services defending websites such
    as Kiwi Farms, told *The Washington Post* he changed his mind not because of the pressure but a surge in credible violent threats stemming from the site.

    ``As Kiwi Farms has felt more threatened, they have reacted by being more threatening,'' ``We think there is an imminent danger, and the pace at which
    law enforcement is able to respond to those threats we don't think is fast enough to keep up.''

    https://www.washingtonpost.com/technology/2022/09/03/cloudflare-drops-kiwifarms/

    ------------------------------

    Date: Mon, 5 Sep 2022 10:42:10 +0100
    From: Martyn Thomas <martyn@mctar.uk>
    Subject: BBC report that UK Court IT system puts justice at risk

    *An IT system is causing key information about court cases in England and
    Wales to change or disappear and is putting justice at risk, the BBC has
    been told.*

    One legal adviser revealed how he entered a driving ban in the system,
    called Common Platform, only to later discover the result had changed. ...

    https://www.bbc.co.uk/news/uk-62722855

    ------------------------------

    Date: Mon, 12 Sep 2022 17:21:36 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: The 1,000 Chinese SpaceX engineers that existed only on LinkedIn
    (MIT Technology Review)

    LinkedIn users are being scammed of millions of dollars by fake connections posing as graduates of prestigious universities and employees at top tech companies.

    If you were just looking at his LinkedIn page, you'd certainly think Mai Linzheng was a top-notch engineer. With a bachelor's degree from Tsinghua, China's top university, and a master's degree in semiconductor manufacturing from UCLA, Mai began his career at Intel and KBR, a space tech company,
    before ending up at SpaceX in 2013. Having spent the past eight years and
    nine months working in the human race to space, he's now a senior
    technician.

    Except all is not as it seems.

    Upon closer inspection, there are plenty of red flags: Despite having been
    in the US for 18 years, Mai has written all his job titles, degrees, and company locations in Chinese. His bachelor's degree is in business
    management, even though his alma mater, Tsinghua, only offers that degree to student athletes, and Mai was not one. Besides, the man in his profile photo looks younger than Mai's stated age. The image, as it turns out, was stolen from Korean influencer Yang In-mo's Instagram. In fact, none of the information on this page is true.

    The profile of "Mai Linzheng" is actually one of the millions of fraudulent pages set up on LinkedIn to lure users into scams, often involving cryptocurrency investments and targeting people of Chinese descent all over
    the world. Scammers like Mai claim affiliation with prestigious schools and companies to boost their credibility before connecting with other users, building a relationship, and laying a financial trap.

    https://www.technologyreview.com/2022/09/07/1059067/chinese-spacex-engineers-linkedin-scam/

    A cryptocurrency scam, I'm shocked and saddened. Oh, the humanity.

    ------------------------------

    Date: Tue, 13 Sep 2022 10:59:05 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Sky Cuts Queen Elizabeth II-Related Jokes From 'Last Week Tonight
    With John Oliver' in UK (Hollywood Reporter)

    https://www.hollywoodreporter.com/tv/tv-news/sky-john-oliver-last-week-tonight-queen-elizabeth-ii-jokes-1235219373/

    ------------------------------

    Date: Thu, 8 Sep 2022 17:04:14 +0200
    From: DJC <djc@resiak.org>
    Subject: Facebook has no idea where to find your data

    An article "Facebook Engineers: We Have No Idea Where We Keep All Your
    Personal Data" by Sam Biddle has just appeared in "The Intercept": https://theintercept.com/2022/09/07/facebook-personal-data-no-accountability/

    In a discovery hearing, two veteran Facebook engineers told the court that
    the company doesn't keep track of all your personal data.

    In March, two veteran Facebook engineers found themselves grilled about the company's sprawling data collection operations in a hearing for the ongoing lawsuit over the mishandling of private user information stemming from the Cambridge Analytica scandal.

    The hearing, a transcript of which was recently unsealed, was aimed at resolving one crucial issue: What information, precisely, does Facebook
    store about us, and where is it? The engineers' response will come as little relief to those concerned with the company's stewardship of billions of digitized lives: They don't know.

    The admissions occurred during a hearing with special master Daniel Garrie,
    a court-appointed subject-matter expert tasked with resolving a disclosure impasse. Garrie was attempting to get the company to provide an exhaustive, definitive accounting of where personal data might be stored in some 55 Facebook subsystems. Both veteran Facebook engineers, with according to LinkedIn two decades of experience between them, struggled to even venture
    what may be stored in Facebook's subsystems....

    Facebook's stonewalling has been revealing on its own, providing variations
    on the same theme: It has amassed so much data on so many billions of people and organized it so confusingly that full transparency is impossible on a technical level. In the March 2022 hearing, Zarashaw and Steven Elia, a software engineering manager, described Facebook as a data-processing
    apparatus so complex that it defies understanding from within. The hearing amounted to two high-ranking engineers at one of the most powerful and resource-flush engineering outfits in history describing their product as an unknowable machine.

    The special master at times seemed in disbelief, as when he questioned the engineers over whether any documentation existed for a particular Facebook subsystem. "Someone must have a diagram that says this is where this data is stored," he said, according to the transcript. Zarashaw responded: "We have
    a somewhat strange engineering culture compared to most where we don't
    generate a lot of artifacts during the engineering process. Effectively the code is its own design document often." He quickly added, "For what it's
    worth, this is terrifying to me when I first joined as well."

    The remarks in the hearing echo those found in an internal document leaked
    to Motherboard earlier this year detailing how the internal engineering dysfunction at Meta, which owns Facebook and Instagram, makes compliance
    with data privacy laws an impossibility. "We do not have an adequate level
    of control and explainability over how our systems use data, and thus we
    can't confidently make controlled policy changes or external commitments
    such as 'we will not use X data for Y purpose,'" the 2021 document read.

    If the article is to be believed -- and based on my reading of the latest
    court documents, it's credible -- then it appears to me that Facebook has
    no hope at all of complying with even the loosest of data privacy laws,
    and certainly not the European GDPR, because they don't know exactly what
    data they have on individuals, nor how it's used, nor where it's stored,
    nor under what technical protections it falls.

    But they sell it. Pete

    ------------------------------

    Date: Fri, 9 Sep 2022 15:04:10 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Facebook and Google, they're SO public spirited...

    I can tell from their massive print/TV ad campaigns in DC area touting how
    hard they're working to protect everyone's online security. This raises the question, of course, of who's protecting us from them?

    I wonder who the ads target -- citizens? Politicians? Can anyone believe
    that they're anything but self-serving blather denying and distracting from what these companies do that we need to be protected from?

    And, of course -- at least the Facebook ad -- repeating the message so often (as bad as local "Len the Plumber"!) is counterproductive, is irritating,
    and makes one wonder why they're claiming good intentions so strongly. What could they be hiding?

    ------------------------------

    Date: Wed, 7 Sep 2022 06:30:18 -0600
    From: Matthew Kruk <mkrukg@gmail.com>

    [continued in next message]
