Mac OS High Sierra Turns on User Tracking by Default Again

Apple – I’m disappointed in y’all for adding/enabling “significant locations” to my laptop in the latest update to Mac OS High Sierra. “Frequent Locations” as it is called in IOS, being added to laptops is just as bad as when you added to the iPhone. It can put people in danger. And at a time when we are having a national debate on the predatory behavior of so many people. 

Readers – Has your laptop said “You were just at xyz yesterday. Why not submit a rating?” Yup. That. 

How to turn off Significant Locations

 

Step 1 – In Settings go to Security and Privacy

location services tracking
Turn off location tracking but not all of location services

After unlocking it Step 2

Frequent Locations is NOT needed and unsafe
Frequent Locations is NOT needed and unsafe

Step 3

The Map Showing Every Place You Go – Clear History First

Step 4 – After Clearing History

Clearing History Will Prompt You to Reconsider

Step 5 – Uncheck Frequent Locations

Uncheck Frequent Locations After History is Cleared

Why is turning of significant locations important? Because if your laptop gets stolen and it’s not encrypted and / or uses a weak password, then they get to know every place you frequent (like your home, work, gym, grocery store, you name it. Even how long you stay there.

Company issued laptop? Your boss could learn you are interviewing. Or that your sick day was really just a day to go to the beach.

Victim of domestic violence? That person could track every place you go, like to a shelter or the authorities. And they probably have access to your computer.

Have nothing to hide? Maybe some of your friends don’t want their address stored in your laptop for advertisers to cross reference.

Traveling? Authorities in another country could determine the location of your family and friends for coercion. And at the border people can now be compelled to turn over their social media logins. You may think you have nothing to hide, but if you care for others, then you owe it to them to maintain reasonable privacy.

Tracking people has far more down sides than up sides.

And Apple – burying those tracking settings where normal humans can’t find them to protect themselves isn’t cool. It just makes phishing scams easier and literally threatens people’s lives if abused. Please stop.

NSA tools release to Dark Web Date 2014 (likely earlier imho)

Kaspersky tools removal update. But keep reading – it gets better:

http://www.mcclatchydc.com/news/politics-government/congress/article180707721.html

Now for the punchline – They’ve documented that Kaspersky, a Russian company close to Putin, was hacked by Israel. Kaspersky security researchers have confirmed the NSA hacking tools existence when they discovered it in the spring of 2014. The article;

http://www.businessinsider.com/russia-kaspersky-lab-nsa-spy-us-computer-2017-10

In a statement, the company (Kaspersky) said it stumbled on the (NSA) code a year earlier than the recent newspaper reports had it (ed: Comey stated summer 2015), in 2014. It said logs showed that the consumer version of Kaspersky’s popular product had been analyzing questionable software from a U.S. computer and found a zip file that was flagged as malicious.

And it further states, again from the article:

Kaspersky’s Equation Group report was one of its most celebrated findings, since it indicated that the group could infect firmware on most computers. That gave the NSA almost undetectable presence.

Kaspersky later responded via email to a question by Reuters to confirm that the company had first discovered the so-called Equation Group programs in the spring of 2014.

So a Russian antivirus software found a zip file with NSA hacking tools in 2014. Hacking tools that target Microsoft and other business software, again, in the Spring of 2014. Confirmed by Israeli Security researchers who hacked Kaspersky.

Now, what they found was a compressed, portable, easily emailed or traded via email even as nobody else had the signatures to detect. A zip file.

A zip file.

For those unfamiliar with the industry, by the time an exploit is being traded in a 7 z it’s long been in the wild. That is the commodity phase of the economic curve.

The economics of the dark web have been researched and are well documented (hint: look at DEFCON and Blackhat presos from a few years back.)

If you are a reporter or security researcher – keep digging. Basic economics say it had to have been being traded early 2013 for high bids with a quick pricing decline as is typical with shrink wrap software.

It remained unpatched. Every company using common business software was, and probably still is, an open book. A trivial metasploit script and your movies, your directional drilling tech, your seismic data, patents, medical history, your porn habit, email, fb, you name it, was and probably still is wide open.

Bottom line: My opinin is the timeline of the NSA hacking tools being released is 2013. If not earlier. (But I’ll stick with my mid-2013 estimated release to the wildebeasts estimate.) NSA let them into the wild as discovered by Russians (current media puts this at 2014) who were then hacked by our allies Israel. Israel then reported this to the US.

And we did nothing. Think about it.

Just add that up and you get Russia hacking US companies and associations using our own tools paid for by YOU. NSA hacking tools discovered and reported to the US by our allies in Israel. 2014 or earlier.

What did NOT happen was responsible reporting to vendors like Microsoft who only patched it when the Shadow Brokers released it on github in 2017.  Thus from 2014 (or earlier), our allies, our foes, and our own security agencies did nothing to protect US intellectual property, infrastructure, companies, jobs, and people.

Noodle that one.

…. this story will continue to unfold. And if you are an investigative journalist, maybe ask around the community politely regarding who’s zoo had the code and when.

Update;  http://www.theregister.co.uk/2017/10/25/kaspersky_nsa_keygen_backdoor_office/

The FBI confirms NGOs and Associations are Targets of Russian Hackers

James Comey Testimony on Russian Hackers Targeting Nonprofits and NGOs
James Comey Testimony on Russian Hacking Includes Acknowledgement of Russians Specifically targeting NGOs and Nonprofits

Growing Tendenci – The Open Source AMS, has been eye opening. I didn’t realize fully why our clients were constantly being attacked. Even behind all of our firewalls, scanners, ACLs, malware, rootkit detection, antivirus, third party scanners, multifactor, use of Honeypots, we don’t store credit cards, and then still even more custom security measures we’ve developed in house.

I mean seriously, it’s not like you’re going to scan a site we host and not have it logged and inspected and blocked aggressively when possible. Nothing is hack proof obviously. But our security practices are  FAR beyond the norm.

I didn’t have the luxury of questioning the motive. We do.

When necessary, we have engaged authorities for assistance. So it was interesting to see this from former FBI Director James Comey’s testimony:

Source: http://www.politico.com/story/2017/06/08/full-text-james-comey-trump-russia-testimony-239295

BURR: Okay. When did you become aware of the cyber intrusion?

COMEY: The first cyber — there was all kinds of cyber intrusions going on all the time. The first Russian-connected cyber intrusion I became aware of in the late summer of 2015.

BURR: And in that time frame, there were more than the DNC and the D triple C that were targets?

COMEY: Correct, a massive effort to target government and nongovernmental, near governmental agencies like nonprofits.

BURR: What would be the estimate of how many entities out there the Russians specifically targeted in that time frame?

COMEY: It’s hundreds. I suppose it could be more than 1,000, but it’s at least hundreds.

Let me repeat that last part for emphasis in case anyone who works with Associations and Non Profits needs some ammo to take back to their board about why they can’t host for $10 a month on a cheap hosting site.

COMEY: The first cyber — there was all kinds of cyber intrusions going on all the time. The first Russian-connected cyber intrusion I became aware of in the late summer of 2015.

COMEY: Correct, a massive effort to target government and nongovernmental, near governmental agencies like nonprofits.

BURR: What would be the estimate of how many entities out there the Russians specifically targeted in that time frame?

COMEY: It’s hundreds. I suppose it could be more than 1,000, but it’s at least hundreds.

Those words should weigh heavily on people in the NPO/NGO sector. It is worthy of mention to everyone using an AMS system. To be secure, you need to be able to inspect your own code if you host with us or somewhere else. Please do so with Tendenci at https://github.com/tendenci/tendenci/  . Security is a process, not a magic pill.

The motives for these attempted hacks are above my pay grade. Just know if you feel you are being targeted, well, it isn’t paranoia if they really are out to get you. And they really are out to get you.

And please don’t click that link in your email. Please. Just don’t do it.

Stay vigilant my friends.

PS – two other facts I can add. I can personally confirm it was in the hundreds just based on our client base. This does NOT mean they breached, but targeted? Yes. And second, by my estimations it started in earnest in 2013, not 2015.

PPS – and now we start the count down before they take my blog offline with DDOS again. Whoever “they” is. All I see is a matrix at this point… and I’m ok with that oddly enough. Because if the Zombie apocalypse is real in downtown SF, then everything else is possible too.

Disclaimer: This post is NOT about the President. Or about former FBI Director Comey’s testimony as it relates to our elected Zombies on both sides who vote party over the people they represent.  No, this post is about a small part of Comey’s testimony that relates to Associations and Nonprofits. It applies if they use Tendenci or not. Whatever the motive of the Russian hackers, the fact is that associations and nonprofits are being singled out for attacks. This is a fact of your current reality.

Flixster Forces People on Weekly Email “by default”?

Flixsterdefaultsignup
I received a link to take a movie quiz on Flixster.com from a friend. Which takes you to a login page that reads:

By default,
Flixster will send you a weekly update on new movies and the occasional site
announcement. You can unsubscribe at any time.

So they are *by default adding me to a mailing list*?  And then *forcing me to later unsubscribe*. This is bad netiquette. It’s like a cop arresting you first and then asking what happened later. An assumption of guilt. Why?

The second issue with this is in a world of cats and dogs, micro-conversions such as clicking a checkbox to add yourself to a newsletter is a good thing. It is a conscious choice by the consumer to interact with your brand. Yes you won’t force as many people into your mailing list. But you will be doing the right thing. And making a better brand impression.