Security News This Week: An IoT Teddy Bear Leaked Millions of Parent and Child Voice Recordings

Each weekend we round up the news stories that we didn’t break or cover in depth but that still deserve your attention.

It was a week of could have beens and still coulds in security. We took a long look at a plan to stop rogue drones that might work great, if it's ever legal. We looked at how Trump should spend that extra $54 billion on defense, if he insists. And we looked at Google's end-to-end encryption hopes for Gmail, which appear to have faded over the last three years. Oh, also, some rogue stuffed bears made a great case against the Internet of Toys.

Elsewhere, Amazon is defending Alexa's right to privacy in court, while the Army hopes to counter China's naval build-up by converting an existing weapons system into a ship-killing missile. Mass surveillance isn't nearly as effective as law enforcement hypes it up to be. As for your nightmare fuel: a Slack bug could have been everyone's worst nightmare, medical devices and email are the next big security worries, and so, again, are a bunch of adorable, internet-connected stuffed animals.

But wait! There’s more. As always, click on the headlines to read the full story in each link posted. And stay safe out there.

The internet of things' gaping insecurities were bad enough when they applied to security cameras and connected cars. Now we’re inflicting them on our children. Motherboard reported this week that toy company Spiral Toys left more than two million voice messages recorded through its CloudPets line of connected teddy bears in an internet-facing database that required no authentication to read: anyone who found it with the IoT search engine Shodan could listen to the recordings. Worse still, the same database held roughly 800,000 customer credentials, email addresses and password hashes, and, according to security researcher Troy Hunt, many of those hashes were easy to crack because CloudPets enforced no password-strength rules at signup. Researchers who spoke to Motherboard also believe malicious actors got there first: the data had been overwritten twice, a sign that it may have been held for ransom to extort the company. Next Christmas, maybe stick with the kind of teddy bear that doesn’t have an IP address.
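To make concrete why a leaked table of email addresses and password hashes is a breach in its own right, here is an added example (not code from the WIRED article, from Spiral Toys or from Troy Hunt's analysis) that runs an offline dictionary attack against a constructed four-row credential dump. Every account, password, salt and hash in it is made up for the example. It shows two things the paragraph only states: unsalted fast hashes crack for every account at once, and even a slow, salted hash does not save an account whose password sits on a short wordlist, which is exactly what a missing password-strength rule produces.

```python
"""
Added example, not code from the WIRED article, Spiral Toys or Troy Hunt:
an offline dictionary attack on a constructed credential dump, showing
why a leaked table of email addresses and password hashes is dangerous.
Every account, password, salt and hash below is constructed here.
"""
import hashlib

# Constructed stand-in for an attacker's wordlist; real lists hold millions.
WORDLIST = ["123456", "password", "qwerty", "teddy", "cloudpets", "letmein"]


def weak_hash(password: str) -> str:
    """Unsalted, fast SHA-1: identical passwords produce identical hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> str:
    """Salted scrypt (stdlib): each guess costs real CPU and memory, per account."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1,
                          dklen=32).hex()


def build_dump() -> list[dict]:
    """A constructed four-row credential table in the shape of a leaked export."""
    salt3, salt4 = bytes.fromhex("a1" * 16), bytes.fromhex("b2" * 16)
    return [
        {"email": "parent1@example.com", "scheme": "sha1", "salt": b"",
         "hash": weak_hash("123456")},
        {"email": "parent2@example.com", "scheme": "sha1", "salt": b"",
         "hash": weak_hash("123456")},           # same hash as parent1
        {"email": "parent3@example.com", "scheme": "scrypt", "salt": salt3,
         "hash": slow_hash("teddy", salt3)},      # slow hash, weak password
        {"email": "parent4@example.com", "scheme": "scrypt", "salt": salt4,
         "hash": slow_hash("correct horse battery staple", salt4)},
    ]


def crack(dump: list[dict], wordlist: list[str]) -> dict[str, str]:
    """Return {email: password} for every row recovered from the wordlist."""
    found = {}
    # Unsalted fast hashes: hash the wordlist once and look up every row,
    # so the attacker's cost does not grow with the number of accounts.
    rainbow = {weak_hash(w): w for w in wordlist}
    for row in dump:
        if row["scheme"] == "sha1":
            if row["hash"] in rainbow:
                found[row["email"]] = rainbow[row["hash"]]
        elif row["scheme"] == "scrypt":
            # Salted slow hash: every guess must be recomputed for this row's
            # salt. That only protects passwords that are not on the list.
            for w in wordlist:
                if slow_hash(w, row["salt"]) == row["hash"]:
                    found[row["email"]] = w
                    break
    return found


if __name__ == "__main__":
    for email, password in crack(build_dump(), WORDLIST).items():
        print(f"{email}: {password}")
```

Three of the four constructed accounts fall: both SHA-1 rows in a single pass because their hashes are identical and unsalted, and the scrypt-hashed "teddy" after a handful of slow guesses. Only the account with a passphrase absent from the wordlist survives, which is why a slow hash and a password policy have to go together.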

It’s been a busy month for Google’s Project Zero. Not only did Google’s elite team of security researchers reveal the Cloudflare flaw that was leaking data from its customers’ sites last week, but they’ve now published a zero day in Microsoft’s Edge browser and Internet Explorer before Microsoft has patched it. On Monday, Project Zero researcher Ivan Fratric published a “high severity” flaw in the browsers that in some instances would allow an attacker to run malicious code on a user’s machine when they visited a carefully crafted website, though Fratric was careful not to describe the exact conditions needed to exploit it. The browser bug marks the second time in two weeks that Project Zero has outed an unpatched Microsoft bug, following a Windows flaw one of its researchers revealed a week earlier. Google gives vendors 90 days to fix the vulnerabilities its Project Zero team reports before it publishes them, and in both cases Microsoft failed to ship a patch within that three-month window.

Silicon Valley investor Peter Thiel’s cozy relationship with President Trump is more than ideological. Now software created by Palantir, the data-mining firm Thiel co-founded, will be used by Immigration and Customs Enforcement to help round up the millions of undocumented immigrants Trump has promised to deport. The Intercept revealed Thursday that ICE in 2014 gave Palantir a $41 million contract to create and maintain an intelligence system it calls Investigative Case Management, or ICM. That tool, set to go into use in September, is designed to connect the dots in a vast collection of personal data gathered about potential deportation targets, according to the Intercept. Government funding records describe Palantir's software as "mission-critical" for ICE. Although Palantir's deal to create ICM predates Thiel's public support for Trump's presidency, which has included seven-figure donations and a speech on his behalf at the Republican National Convention, it nonetheless demonstrates how Thiel may also personally profit from Trump's election.

While police body cameras have been valuable tools for verifying police accounts of incidents, Fast Company takes a look at the ways in which the technology is evolving in directions that could undermine privacy. The latest body cam features include face recognition and other automated analysis of the footage. Though they're implemented in the name of safety, they raise questions about whether body cams serve the communities they monitor or are just another way to surveil them.