Category: Jeff Lanza’s Blog

WIRED CONNECTION

One advantage of Apple’s updated migration feature is that you can also use a cable to transfer the data. If you’ve got especially slow Wi-Fi, a wired connection may make the transfer faster, although ironically, during my test, it increased the download time from a little under six minutes (using the wireless method) to nine minutes and 40 seconds. However, if you’re having any trouble with the wireless transfer, this could be a good alternative.

For a wired connection, you’ll need a Lightning to USB 3 camera adapter and a Lightning to USB cable.

• As with the wireless method, start up your new phone and go through the initial questions until you get the invite to transfer data from another phone.
• As before, put your old phone near your new one and make sure both phones are plugged in.
• Connect the Lightning to USB 3 camera adapter to your old phone. Connect the Lightning to USB cable to your new phone. Join the two cables together using the adapter. Power the adaptor through its Lightning port.
• After that, follow the same directions as above, including using the camera to find the pattern, and answering all the setup questions.
• You’ll know that the phones are using the wired setup because once the transfer starts, there will be a small “cable” between the two phone icons on the screen.

Whichever method you choose, enjoy your new iPhone.

https://www.wired.com/story/power-grid-cyberattack-facebook-phone-numbers-security-news/

This week saw some aftershocks from recent revelations about a large-scale iOS hacking campaign. Brokers of so-called zero day exploits—the kind that companies haven’t yet patched—have started charging more for Android hacks than iOS for the first time. And Apple finally released a statement that both criticized Google’s characterization of the attacks and downplayed the significance of the targeted surveillance of at least thousands of iPhone owners.

We took a look at a bug in Supermicro hardware that could let hackers pull off a USB attack virtually. Google open-sourced its differential privacy tool, to help any company that crunches big data sets invade your privacy less in the process. And speaking of privacy, we detailed the 11 settings you need to check on Windows 10 to preserve yours.

And while it feels like forever ago that Jack Dorsey’s Twitter account got hacked, it’s worth revisiting exactly how it happened. (Twitter this week closed the texting loophole at the heart of it.) We also took a look at Jeremy Renner’s content moderation woes. Bet you weren’t expecting to see that sentence in your lifetime.

And there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in-depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.

Hackers Hit the US Power Grid With a Cyberattack

Let’s not overplay this: There was no blackout, and it’s not even clear that it was a specifically targeted attack. But hackers did use firewall vulnerabilities to cause periodic “blind spots” for grid operators in the western US for about 10 hours on March 5. It’s the first known time a cyberattack has that kind of disruption—which, again, did not affect the actual flow of electricity—at a US power grid company. The incident was originally referenced in a Department of Energy report in April, but only in vague terms. A new North American Electric Reliability Corporation document described it in more detail, including the type of vulnerabilities that let hackers compromise the web portals in question. No need to panic about this incident specifically, but given the extent to which Russia and others continue to probe the power grid, it’s an unsettling reminder that weaknesses are out there.

A security researcher found a database containing 419 million or so phone numbers associated with Facebook accounts, yet another in a long string of Facebook losing control of the sensitive data with which you entrust it. Facebook told TechCrunch that the data set is “old,” which isn’t especially useful, for the obvious reason that most people don’t change their phone numbers very often.

Through public records requests, Motherboard has determined that when you give your name and address to the DMV, some of those agencies will sell it to private investigators. Several DMVs told Motherboard that at least they don’t also sell user photos and Social Security numbers, which, thanks? But they do sell records for as little as a penny. And all of this is somehow legal! Something else to fume about the next time you’re in line for a registration renewal.

According to court documents uncovered at Forbes, federal investigators have requested that Apple and Google turn over information about people who downloaded a gun scope app Obsidian 4. That’s at least 10,000 on the Google Play Store alone. It’s part of a broader look into potential breaches of weapons export regulations, but privacy advocates have raised understandable concerns over the many thousands of totally innocent people who would be caught up in such a sweeping request.

Beloved internet comic XKCD had its fan forums breached recently; 560,000 usernames, email addresses, and IP addresses were taken. That makes it a relatively small hack in the grand scheme of things, but still disappointing that someone chose that as a target. XKCD is great, leave it alone!

https://www.economist.com/the-economist-explains/2019/08/07/what-is-a-deepfake

SUSAN SONTAG understood that photographs are unreliable narrators. “Despite the presumption of veracity that gives all photographs authority, interest, seductiveness,” she wrote, “the work that photographers do is no generic exception to the usually shady commerce between art and truth.” But what if even that presumption of veracity disappeared? Today, the events captured in realistic-looking or -sounding video and audio recordings need never have happened. They can instead be generated automatically, by powerful computers and machine-learning software. The catch-all term for these computational productions is “deepfakes”.

The term first appeared on Reddit, a messaging board, as the username for an account which was producing fake videos of female celebrities having sex. An entire community sprung up around the creation of these videos, writing software tools that let anyone automatically paste one person’s face onto the body of another. Reddit shut the community down, but the technology was out there. Soon it was being applied to political figures and actors. In one uncanny clip Jim Carrey’s face is melded with Jack Nicholson’s in a scene from “The Shining”.

Tools for editing media manually have existed for decades—think Photoshop. The power and peril of deepfakes is that they make fakery cheaper than ever before. Before deepfakes, a powerful computer and a good chunk of a university degree were needed to produce a realistic fake video of someone. Now some photos and an internet connection are all that is required.

The production of a deepfake about, say, Barack Obama, starts with lots of pictures of the former president (this, incidentally, means that celebrities are easier to deepfake than normal people, as the internet holds more data that describe them). These photos are fed into a piece of software known as a neural network, which makes statistical connections between the visual appearance of Mr Obama and whatever aspect of him you wish to fake. If you want to go down the ventriloquist route and have Mr Obama say things that the man himself has never said, then you must direct your software to learn the associations between particular words and the shape of Mr Obama’s mouth as he says them. To affix his face onto another person’s moving body, you must direct the software to learn the associations between face and body.

To make the imagery more realistic, you can have the software compete with a copy of itself, one version generating imagery, and the other trying to spot fakes. This technique, known as a generative adversarial networks (GAN), is the purest form of deepfake, conjuring up images that are entirely unique, not just using machine learning to mash existing photos together. The image-generating software will keep improving until it finds a way to beat the network that is spotting fakes, producing images that are statistically precise, pure computational hallucinations—even if still dodgy to the human eye. The computer can generate images which are statistically accurate representations of a dog, for instance, while still not quite understanding the visual nuances of fur. Currently this lends GAN images a creepy edge, but that is likely to evaporate in future, as the technique improves.

The consequences of cheap, widespread fakery are likely to be profound, albeit slow to unfold. Plenty worry about the possible impact that believable, fake footage of politicians might have on civil society—from a further loss of trust in media to the potential for electoral distortions. These technologies could also be deployed against softer targets: it might be used, for instance, to bully classmates by creating imagery of them in embarrassing situations. And it is not hard to imagine marketers and advertisers using deepfake tools to automatically tweak the imagery in adverts and promotional materials, optimising them for maximal engagement—the faces of models morphed into ideals of beauty that are customised for each viewer, pushing consumers to make aspirational purchases. In a world that was already saturated with extreme imagery, deepfakes make it plausible to push that even further, leaving Ms Sontag’s “presumption of veracity” truly dead in the water.

https://www.clarionledger.com/story/news/2019/08/06/no-125-equifax-settlement-what-you-can-really-expect-bill-moak-consumer-watch/1927187001/

The ink was hardly dry on the press releases telling us we could get a check for $125 from the recent Equifax settlement when another put the brakes on the expectations of millions of Americans who were put at risk by the Equifax security breach. It just goes to demonstrate, once again, that you shouldn’t count your money until it’s actually in your wallet.

If you haven’t heard by now, don’t expect to get anywhere near that much (if anything) when checks are cut in January from the massive settlement.

Like many Americans, I took to my computer and logged into the settlement website when the cash payments were announced July 22. Sure enough, the website promised me, I would get $125 cash if I picked Door Number 1. Behind Door Number 2 was free credit monitoring. Unsurprisingly, most Americans just said, “Show me the money!”

But it wasn’t to be. Whether planners were optimistic, naïve or just took a shot in the dark, the $31 million set aside for actual cash payments was far too small to actually make the payments if more than 248,000 people filed claims. (By the way, $31 million is a drop in the proverbial bucket compared with the up to $700 million going to lawyers, government agencies and the few ordinary folks who can prove real damage.) The Federal Trade Commission hasn’t said how many have actually filed, but many sources indicate it’s already in the millions. And the agency no longer lists the $125 payment at the top of the claim form.

Simple math reveals that, if five million claims are filed, each check would be $6.20. The FTC has admitted that the average consumer’s check will be “nowhere near” the original $125 possibility.

Since the announcements, a torrent of complaints has erupted. “With just $31 million to be divided up by all the Americans who filed to receive their $125 check, Americans have the choice of receiving pennies for having their credit details spilled out online, or receiving virtually worthless credit monitoring,” said Sen. Ron Wyden, D-Oregon, in a statement. “Another clear failure by the FTC.”

But the FTC said there’s been a misunderstanding. “The option to obtain reimbursement for alternative credit monitoring, as set forth originally in the class action settlement, was never intended to be a cash payout for all affected consumers,” the agency said in a statement, and points out that the value of the credit monitoring being offered in the settlement is sold by Equifax for $1,200.

A lot more could happen with this story, depending on how many people file claims. It’s possible that the amount of reimbursement could be raised eventually and you’ll get your money, but that will take years.

If you can demonstrate you used your own money and time because of the breach, you can be reimbursed. Anything beyond 10 hours of time, however, must be documented. “You can still ask for reimbursement for any other credit monitoring you purchased after Sept. 7, 2017, or costs associated with credit freezes after that date, any losses due to identity theft, or any notary fees, long-distance phone call bills, postage, copying, or mileage involved in trying to deal with the fallout of the breach,” noted Slate’s Josephine Wolf.

If you’ve already filed a claim, you will likely be contacted soon by the company administering the settlement, offering you the opportunity to change your option and take out free credit monitoring after all. In light of this situation, some pundits suggest it might be a good alternative. And many experts suggest that freezing your credit for the near future is a good idea as well.