- At a Nov 2017 Google talk, Frank Abagnale (of Catch Me If You Can) warned of cyber-crime everywhere. He should know, as he's been working on cyber-crime at the FBI for the past 40 years.
- Brazil's payments system was hacked, and $3 billion was stolen.
- Facebook's "accidental" data breach means that 50 million profiles were used to engineer campaigns in favor of Trump and Brexit. (Users taking a "personality test" hit an "I agree" button that gave the app developers access to their data plus data on all their friends.) I say "accidental" because it wasn't: "...there wasn’t a hack or breach of Facebook’s security. The company’s business model is to collect, share and exploit as much user data as possible; all without informed consent. Cambridge Analytica may have violated Facebook’s terms of service, but Facebook had no safeguards in place to stop them... Facebook presents itself to the public as a social network, when addressing the advertising industry, it is very clear about the fact that it’s a surveillance system."
- Browsers have been hijacked to run programs, mine cryptocurrency, etc.
- A British man lost £25,000 in cryptocurrencies when he bought a used but insecure "hardware wallet" off eBay.
- India's biometric identification system is being abused
- The Dutch government is screening the DNA of hundreds of citizens in the hope of finding criminals.
- Smart homes are more likely to spy on you than help you
- Migrants are losing money to scammers posing as government officials.
- China is banning people with "low social credit" from taking planes or trains.
In this review, I will go over some highlights from the book, but I will also give some advice on what you should do to prepare yourself and protect yourself, even if you do not read the book.
Some highlights and thoughts
- Governments and businesses, hackers and criminals are relentlessly innovating to use technology to accomplish their goals. In most cases, these goals are not your goals, so you may be victimized as they exploit their power.
- Anti-virus software misses 95 percent of malware. Your computer may say "green" even when it's compromised.
- Greater connectivity means greater vulnerability. Systems that were secure for decades may be compromised by adding VoIP phones. Internet-connected printers might send your scans to China, etc.
- Multiple overlapping software and hardware installations in houses and cars mean multiple points of vulnerability, especially when these systems need to communicate with each other. "All of these software bugs and security flaws have a cumulative effect on our global information grid, and that is why 75 percent of our systems can be penetrated in mere minutes. This complexity, coupled with a profound laissez-faire attitude toward software bugs, has led Dan Kaminsky, a respected computer security researcher, to observe that today `we are truly living through Code in the Age of Cholera'" [p 353].
- The Internet of Things promises to enable unprecedented levels of crime, mischief and just plain failure, as vendors are far more focused on capturing market share than on protecting consumers from vulnerabilities. "Goodman’s law says that the more data you produce and store, the more organized crime is happy to consume" [p 86]. Frank Abagnale (both above and in this book) says that it's 100x easier today to commit the crimes he did 50 years ago.
- Google has no 800-number for users, as they are the product. Their 800-number is reserved for advertisers because Google makes 90 percent of its money from advertisements. (Facebook, likewise, was far more interested in $100,000 from Russian agents than in protecting the integrity of American elections.)
- Google was charged with violation of privacy when its "Street View" cars grabbed private wifi codes, emails and photos as well as taking photos of the street. Facebook tracks you across all websites with the Facebook "Like" button, even when you're not logged in, even if you have no Facebook account. LinkedIn owns your data, your network, your CV, in perpetuity.
- All this data is sold, combined with other data and re-sold by data brokers: "Acxiom, Epsilon, Datalogix, RapLeaf, Reed Elsevier, BlueKai, Spokeo, and Flurry -- most of us have never heard of these companies, but together they and others are responsible for a rapidly emerging data surveillance industry that is worth $156 billion a year" [p 66].
- Free dating websites (OKCupid, Tinder) are not trying to find you love. They are selling your private information to anyone with a credit card. "Data brokers make money when they sell data, not when they protect it" [p 90].
- US privacy laws will not protect you, as social networks are considered "public spaces." Facebook has 2 billion users. Of these, 600,000 accounts are compromised every day. Kids are 50x more likely to be victims of identity theft. Their credit may be ruined years before they turn 18.
- Mobile devices are extra-vulnerable because users do not want to read fine print and apps can easily access other data on the phone. It only takes one rogue app ("Free game!") to open the door to your bank accounts or your company's "secure" wifi system. "Today 89 percent of employees are accessing work-related information on their mobile phones, and 41 percent are doing so without permission of their companies... more and more corporate information is at risk thanks to point-and-click spyware attacks against mobile devices" [p 111]
- Thieves and terrorists can use the GPS coordinates embedded in photos to target you or your house (as happened in Afghanistan). Governments can use your phone's IMEI identifier to penalize you for participating in a protest (as happened in Ukraine).
- Yelp, eBay, Amazon and TripAdvisor are not only allowed to change ratings for companies that pay (good ratings) or not (bad ratings), but their sites are filled with fake ratings designed to rip you off. (Another reason to ban adverts.)
- Automated banking and air traffic control systems can be spoofed or hacked to steal your banking credentials and crash planes, respectively.
- China's 2 million "online propaganda workers" direct online discussions where the party wants them. Facebook's algorithms serve the same function: to push your attention where it's profitable, not where you would want it, if you were in charge of your online life. How would you know you're being manipulated? You don't.
- Cyber criminals are not lacking opportunities but footsoldiers. With more people, they could steal 1,000x more. Underemployed but entitled youth are thus vulnerable to recruitment. (The guy behind Cambridge Analytica's theft of 50 million Facebook accounts, above, was 24 at the time.)
- Technology makes it easier to recruit: "Crime, Inc. uses freemium pricing, gamification, crowdsourcing, crowdfunding, reputation engines, just-in-time manufacturing, online training, and swarms for distributed project management in pursuit of the long tail of crime victims around the world" [p 193].
- Technology is making it easier for hackers to go after millions of people at a time. In the past only banks needed to worry about robbers, because a robber needed a big reward to justify their risk and expense. Now it's possible for someone to "rob" millions with a few clicks and a network of bots to attack. "The computing and Internet crime machine has been built. With these systems in place, the depth and global reach of Crime, Inc.’s power mean that crime now scales, and it scales exponentially. Yet for as bad as this threat is today, it is about to become much worse, as we hand Crime, Inc. billions of more targets for them to attack as we enter the age of ubiquitous computing and the Internet of Things" [p 221].
- RFID identity cards and credit cards can be hacked, duplicated and used within minutes. At the moment, victims are often protected by fraud insurance, but that won't last if losses mount.
- Don't use public charging cables to charge your phone. Hackers have already created cables that will inject a virus into your phone.
- Attackers may skip your laptop, as it's no longer the weakest point in your home network. "Baby cameras, thermostats, toilets, lamps, and bathtubs [and other IoT devices bring] privacy and security risks. Many such systems use no authentication or encryption when communicating between an appliance, your mobile device, and the home system... attackers can now use the weight and strength of our own overgrown connections to defeat us. In effect, we’ve wired the world but failed to secure it—a decision we may well come to regret, especially as we begin connecting the human body itself to the Internet." [p 248 & 260]
- The technology already exists to build cheap drones that can target and kill people based on biometric identification. The video at the link is fiction, the technology is not.
- The "2008 Genetic Information Nondiscrimination Act makes it illegal for employers to fire or refuse employment based on genetic information. Though GINA applies to health insurance, it does not protect against insurance companies’ using genetic testing information to discriminate when writing life, disability, or long-term-care insurance policies" [p 336].
- It's possible to fabricate genetic evidence based on stored DNA data. Even worse, criminals can recreate polio, ebola or Spanish Flu for around $1,000. WMDs at a discount.
- There's a need to re-align incentives. "The engineers, coders, and companies that create today’s technologies have near-zero personal and professional responsibility for the consequences of their actions. It’s time to change that... These overreaching, entirely one-sided “agreements” [terms of service] should not absolve the companies that author them of all liability pertaining to how they keep and store our data. If they choose to keep every single bread crumb they can possibly gather on our lives, then they should be responsible for the consequences" [p 354-6].
- "A cyber CDC [Centers for Disease Control] could go a long way toward counteracting the technological risks we face today and could serve a critical role in improving the overall public health of the networks driving the critical infrastructures of our world" [p 370]. The US government's US Digital Service is trying to help, but they cannot protect you.
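The GPS bullet above is about photo metadata leaking your location. As an added example (mine, not code from the book or from this review), the following Python reads the Exif GPS tags out of a JPEG and then strips the whole Exif block before the photo is shared. It uses only the standard library; the sample JPEG, its coordinates and the TIFF/IFD layout it embeds are constructed for the example, not taken from a real photo.

```python
# Added example, not code from the book or this review: read and strip the
# Exif GPS tags in a JPEG using only the standard library.  The sample JPEG
# is constructed in code below (it is not a real photo).
import struct

GPS_INFO = 0x8825                       # IFD0 tag pointing to the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 0x1, 0x2, 0x3, 0x4   # GPS IFD tags


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref, endian=">"):
    """Constructed JPEG with an APP1 Exif segment carrying a GPS IFD.
    *_dms: three (num, den) pairs; endian '>' = 'MM', '<' = 'II'."""
    # fixed TIFF layout: header 0-7, IFD0 8-25, GPS IFD 26-79, rationals 80-127
    t = (b"MM" if endian == ">" else b"II") + struct.pack(endian + "HI", 42, 8)
    t += struct.pack(endian + "H", 1)                           # IFD0: 1 entry
    t += struct.pack(endian + "HHII", GPS_INFO, 4, 1, 26)       # LONG -> offset 26
    t += struct.pack(endian + "I", 0)                           # no next IFD
    t += struct.pack(endian + "H", 4)                           # GPS IFD: 4 entries
    t += struct.pack(endian + "HHI4s", LAT_REF, 2, 2, lat_ref.encode())  # ASCII "N\0"
    t += struct.pack(endian + "HHII", LAT, 5, 3, 80)            # RATIONAL[3] @ 80
    t += struct.pack(endian + "HHI4s", LON_REF, 2, 2, lon_ref.encode())
    t += struct.pack(endian + "HHII", LON, 5, 3, 104)           # RATIONAL[3] @ 104
    t += struct.pack(endian + "I", 0)
    for num, den in list(lat_dms) + list(lon_dms):
        t += struct.pack(endian + "II", num, den)
    app1, com = b"Exif\0\0" + t, b"stand-in for image data"
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com + b"\xff\xd9")


def iter_segments(jpeg):
    """Yield (marker, offset, total_len) for each segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI / SOS: scan data follows, stop
            break
        size = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0] + 2
        yield marker, pos, size
        pos += size


def _read_ifd(tiff, off, endian):
    """{tag: (type, count, raw 4-byte value/offset)} for one IFD."""
    n = struct.unpack(endian + "H", tiff[off:off + 2])[0]
    entries = {}
    for e in range(off + 2, off + 2 + 12 * n, 12):
        tag, typ, cnt = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, cnt, tiff[e + 8:e + 12])
    return entries


def _dms(tiff, endian, raw):
    """Follow a RATIONAL[3] offset (deg, min, sec) to decimal degrees."""
    off = struct.unpack(endian + "I", raw)[0]
    d, m, s = (num / den if den else 0.0 for num, den in
               (struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8])
                for i in range(3)))
    return d + m / 60 + s / 3600


def extract_gps(jpeg):
    """(lat, lon) in decimal degrees from the Exif GPS IFD, or None."""
    for marker, pos, size in iter_segments(jpeg):
        if marker != 0xE1 or jpeg[pos + 4:pos + 10] != b"Exif\0\0":
            continue
        tiff = jpeg[pos + 10:pos + size]
        endian = {b"MM": ">", b"II": "<"}.get(tiff[:2])
        if endian is None:
            return None
        ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if GPS_INFO not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_INFO][2])[0], endian)
        if any(tag not in gps for tag in (LAT_REF, LAT, LON_REF, LON)):
            return None
        lat, lon = _dms(tiff, endian, gps[LAT][2]), _dms(tiff, endian, gps[LON][2])
        lat = -lat if gps[LAT_REF][2][:1] == b"S" else lat
        lon = -lon if gps[LON_REF][2][:1] == b"W" else lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with every APP1 Exif segment removed."""
    out, pos = bytearray(b"\xff\xd8"), 2
    for marker, seg, size in iter_segments(jpeg):
        pos = seg + size
        if marker == 0xE1 and jpeg[seg + 4:seg + 10] == b"Exif\0\0":
            continue                                    # drop the Exif block
        out += jpeg[seg:pos]
    return bytes(out + jpeg[pos:])                       # SOS/EOI onward unchanged


if __name__ == "__main__":
    photo = build_sample_jpeg([(48, 1), (51, 1), (2970, 100)], "N",
                              [(2, 1), (17, 1), (4020, 100)], "E")
    print("before:", extract_gps(photo))              # about (48.85825, 2.2945)
    print("after: ", extract_gps(strip_exif(photo)))  # None
```

The stripper removes the entire APP1 Exif segment rather than zeroing the four GPS tags: thumbnails, timestamps and camera serial numbers in the same block leak nearly as much, and a whole-segment drop cannot leave a dangling offset behind. Note that it only scans the marker segments before the scan data, which is where Exif is allowed to live.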
"We have arranged things so that almost no one understands science and technology. This is a prescription for disaster. We might get away with it for a while, but sooner or later this combustible mixture of ignorance and power is going to blow up in our faces." [p 317]
So, now that you've made it past a deluge of fear (most of it justified), what can you do?
First of all, don't think that your innocence or obscurity will help you.
Some people are optimistic that man and machine can cooperate in symbiosis, but plenty of corporations are using machines to profit from you. Google and Facebook are giving "free" services in exchange for our data. Do you know how much they are collecting, and how much privacy and choice you are giving up? Read Weapons of Math Destruction to learn how the algorithms can ruin your life by putting you in the "wrong box" or giving you the wrong information. Forget spam; how about facing a computer that sets prices to exploit your (assumed) income, a program that blocks your visa because you are in the "wrong club," or a denial of medical coverage because of who you slept with (your phone "slept" with theirs)?
Remember how an innocent Mr Buttle was arrested because a fly fell into the arrest warrant for Mr Tuttle?
Governments can easily deny your rights in the name of "public interest," e.g., "If I were going to move the American people into a condition where they might accept restrictions on their encryption, I would first engineer the wide-spread deployment of a key escrow system on a voluntary basis, wait for some blind sheik to slip a bomb plot around it and then say, `Sorry, folks this ain't enough, it's got to be universal.'"
The (most recent) Facebook abuses have put a lot of attention on the EU's General Data Protection Regulation (GDPR), which will do far more than any US law to protect EU citizens. It goes into force on 25 May, and I look forward to seeing it enforced. The Dutch, meanwhile, [appear to] have voted against the SleepWet (Dragnet) law, which would permit its intelligence services to monitor internet and mobile phone traffic without notifying anyone. That referendum vote is NOT binding, so the government plans to implement the law anyway. It's time for ALL people to switch to encrypted email (see PGP below), text messaging (see Telegram below; note that Telegram only end-to-end encrypts its optional "secret chats", while ordinary chats are readable on Telegram's servers), and Tor for internet browsing.
Second, don't assume "someone is taking care of it."
"Our legacy institutions are struggling, whether in education, health care, or law enforcement; technology is far outpacing the ability of government to respond. Until this point, much of the government’s approach to technological security has been merely window dressing and missed opportunities... Regrettably, the immune system protecting this global nervous system is weak and under persistent attack. The consequences of its failure cannot be overstated. As a result, it is time to start designing, engineering, and building much more robust systems of self-protection -- safeguards that can grow and adapt as rapidly as new technological threats are emerging into our world. Though it’s easy to focus solely on the abundant benefits technology brings into our lives, we ignore the accompanying risks at our own peril." [p 350 and 378]
So what can you do to protect yourself as well as reduce your contribution to the problem?
Follow the UPDATE protocol:
- Update your software frequently. (After years of "let me decide," I switched mine to auto-update. I now use a Mac, which is more secure than Windows or Android because Apple puts more controls on what's available and how it's installed.)
- Use a password manager and two-factor authentication for sensitive accounts (your email, bank, etc.)
- Download software from trusted sites. Beware of "free" software as well as torrents.
- Do not use an administrator account for day-to-day work, to reduce the risk that a stray click compromises your whole system. I created an administrator account and removed admin privileges from my main account.
- Turn off wifi, bluetooth, etc. when you're not using them, as those services are like an open door.
- Encrypt your hard drive, your phone, and your wifi connections.
- Reduced my footprint: deleting old accounts, uninstalling old software and apps
- De-socialized: I quit Facebook last year and switched from WhatsApp (Facebook owned) to Telegram. I'm still on reddit and Twitter. Here's how to delete Facebook.
- Turned off monetization on YouTube and unlisted my personal videos
- Removed Google trackers from all my sites (except blogger, which hosts this one), as those cookies compromised people's privacy without giving me anything.
- Installed PGP [Pretty Good Privacy] if/when I want to communicate via encrypted email. I find that few people do this now, but I'll be ready for the future: "Any number of citizens armed with PGP and such of its relations as digital cash and anonymous Net remailers can simply vanish from the governmental radar... they can effectively resign from the community of the governed and enter a condition in which their actions ordered by conscience and culture alone."
- Learn to manage technology; don't work for companies that exploit
- Protect yourself (and your kids) by practicing digital hygiene
For all my reviews, go here.