Public Service Internet monthly newsletter (Sept 2021)

Metaverse

We live in incredible times with such possibilities; that is clear. Although it's easily dismissed seeing the lack of coverage for Facebook whistleblower Sophie Zhang, thinking about those batteries and yet another data breach.

To quote Buckminster Fuller: “You never change things by fighting the existing reality. To change something, build a new model that makes the existing model obsolete.”

You are seeing aspects of this with the Twitter crop bias bug bounty, the discussion about removing the landline and The Social Dilemma being free on YouTube for a month.

Tech Crunch gets on the moving train

Ian thinks: Reading this, I can’t really take TechCrunch seriously, because for every one of these startups focused on privacy and security, there’s at least 20 more startups covered doing the opposite. Maybe it’s just me?

Envisioning the future of social media

Ian thinks: This interview with Ethan Zuckerman is full of some great points to get you thinking. I find it hard to disagree with Ethan, especially around using affordances and setting up a small town based on Mastodon.

Values not eyeballs please

Ian thinks: It’s always interesting to hear from experts in the space on the work you are involved in. It’s a really good read, especially if you haven’t come across the Human Values, which also has new podcast interviews.

Apple cares about your privacy?

Ian thinks: I do find it so ironic, Apple making a song and dance about their privacy changes but their own browser Safari not including any strong level of privacy? Of course Apple are in privacy hot water for much more too.

What is really behind OnlyFans’ new policy? And its U-turn?

Ian thinks: There is an important question about the platform and who has influence over the platform. As this Twitter thread says, you really need to think about the platform and infrastructure.

The dystopia which is the metaverse

Ian thinks: There is so much talk about the metaverse but few looking at the privacy, security, infrastructure and trust within this space. Till then I can’t help but think Vice is kind of right.

It started with an MP3 player

Ian thinks: Dan Hon’s rant starts with a want and spans the internet media ecosystem, pointing out so many of the problems we all know too well.

Blackhat & Defcon happened, here’s the scary flaws

Ian thinks: I always love seeing what comes out of these security events. You can also watch the full videos from Blackhat and Defcon online here.

Web Monetization showcase

Ian thinks: The webmon showcase is a nice summary of some of the projects which came out of the Grant for the Web initiative.

Mozilla thumbs down Facebook’s claims about Ad Observer

Ian thinks: It’s so interesting to see Facebook’s concerns around Ad Observer squashed in one post by the privacy-first Mozilla. This is deeply concerning behaviour; what is Facebook worried about?

Find the archive here

Shadow profiles and my MyHeritage security breach

Shadow profile

I received an email from Have I Been Pwned that my email address and password had been exposed in a breach from MyHeritage. Most breaches are somewhat worrisome, but as I don’t use the same passwords, because I have a password manager with lengthy random passwords, it’s less of a problem.

MyHeritage Statement About a Cybersecurity Incident

What was shocking about the MyHeritage breach for me was that I have never logged in to or used MyHeritage, ever. If I had an account, I would have an entry in my password manager. To confirm this I have requested my data via GDPR.

I believe a member of my large family entered my email address and then added details about me into MyHeritage, therefore creating a shadow profile for me to log into. It makes sense, as others in the family can fill in details they have for me. So the password which was leaked isn’t even set by me, but rather auto-generated by MyHeritage? The only way I could get access to the account was via a password reset. Once in, I deleted my account straight away, but I thought about it some more.

The leaked/breached password and login would give the buyer access to any information my family member entered including date of birth, relationships with other members of the family, etc.

If I’m right this is deeply troubling and a worrying precedent!

Zoosk data breach? Or something else?

Sell the data?

I recently got a message from Have I Been Pwned, suggesting that it’s likely some of my personal data has been leaked via the dating site Zoosk.

In approximately 2011, an alleged breach of the dating website Zoosk began circulating. Comprised of almost 53 million records, the data contained email addresses and plain text passwords. However, during extensive verification in May 2016 no evidence could be found that the data was indeed sourced from the dating service. This breach has consequently been flagged as fabricated; it’s highly unlikely the data was sourced from Zoosk.

I had an idea what fabricated meant, but I had a little read…

What is a “fabricated” breach?

Some breaches may be flagged as “fabricated”. In these cases, it is highly unlikely that the breach contains legitimate data sourced from the alleged site but it may still be sold or traded under the auspices of legitimacy. Often these incidents are comprised of data aggregated from other locations (or may be entirely fabricated), yet still contain actual email addresses unbeknownst to the account holder. Fabricated breaches are still included in the system because regardless of their legitimacy, they still contain personal information about individuals who want to understand their exposure on the web. Further background on unverified breaches can be found in the blog post titled Introducing “fabricated” breaches to Have I Been Pwned.

Sold or traded!

People laughed ages ago about the idea of selling user data, but let’s say dating site Z had lost a lot of the market due to new players in the space. They needed to stay afloat, to prove to their investors they are still profitable? User data would be a useful resource for revenue… Of course this is illegal, but you would cover your tracks… right! Make it look like “hackers!”

The example Troy Hunt uses is Justdate.com:

There’s a whole other discussion to be had about what causes a bundle of data to be fabricated and called a breach in the first place. Attempts to monetise the data by selling the alleged breach, extortion of the company involved or just simple big-noting by individuals seeking notoriety are all feasible explanations for many of the fabricated breaches I see. For now, the important thing is that if your data is circulating in one of these dumps, there’s now a way to know about it.

To be clear I’m not saying Zoosk is doing this, but someone is certainly pointing the finger.