e dot dot dot
a mostly about the Internet blog by
Kid Tracking 'Smart' Watches, Like Most IOT Devices, Prove Not So Smart, Easy To Hack

Furnished content.


We've long noted how the painful lack of security and privacy standards in the internet of (quite broken) things is also a problem in the world of connected toys. Like IOT vendors, toy makers were so eager to make money that they left even basic privacy and security standards stranded in the rear view mirror as they rushed to connect everything to the internet. As a result, we've seen repeated instances where your kids' conversations and interests are being hoovered up without consent, with the data frequently left unencrypted and openly accessible in the cloud.

When this problem is studied, time and time again we're shown how most modern, internet-connected toys can be fairly easily hacked and weaponized. Granted, since we haven't even gotten more pressing security and privacy problems tackled (like the vulnerability of our critical infrastructure), problems like Barbie's need for a better firewall tend to fall by the wayside.

Another recent case in point: a location-tracking smartwatch worn by thousands of children has proven... you guessed it... rather trivial to hack. The MiSafes Kid's Watcher Plus is a "smart watch for kids" that embeds a 2G cellular radio and GPS technology, purportedly to let concerned helicopter parents track their kids' location at all times. But security researchers at the UK's Pen Test Partners have issued a report calling the devices comically insecure. As with many IOT devices, the researchers found that the devices and the systems they rely on did not encrypt any of the data being transmitted:

"I proxied the iOS app through Burp and could see that the traffic was not encrypted. Personal and sensitive information could be entered into the application such as phone numbers, passwords, as well as information relating to children. Profile pictures, names, gender, date of birth, height, and weight all transmitted across the internet in cleartext."
The researchers were quick to note that the only check the system's API appears to perform is matching the UID with the session_token, so simply changing the family_id in the get_watch_data_latest action lets an attacker retrieve the watch location and device_id associated with that family. Since the watch reports its GPS coordinates to the API every five minutes, this gives an attacker near real-time insight into your kid's location. Worse, spoofing a caller ID would let said theoretical attacker covertly listen in on your kids, or contact them... while pretending to be you:
"The watch did have some protection against arbitrary people calling the child. It implemented a whitelist of authorised phone numbers that the watch would both call and receive. The problem with that is that Caller IDs can be spoofed. So as a proof-of-concept, I used crazycall.net to spoof the Caller ID to a test watch. Using the data from the API, an attacker could get both the child's and a parent's phone number, and spoof a call to the watch. As shown below, the child would think that it was their Dad that was calling. Would a child do what they were asked if a call came in like this?"
Yeah, that's not creepy at all.

Of course, like so many IOT devices, MiSafes' child-tracking smartwatches, which have been on the market since 2015, are made by a Chinese company that had no interest in responding to inquiries from security researchers. And being sold at around £9 ($11.50) a pop, there's certainly no incentive for its makers to suddenly start dramatically improving their security and privacy standards. It's another reason why efforts to standardize the inclusion of security and privacy problems in product reviews are something we all need to get behind, since it's abundantly clear legislation and regulation alone can't really address the problem.
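The authorization flaw described above, where the API validates the session but trusts a client-supplied family_id, is the classic broken object-level authorization bug. The following is an added illustration and not MiSafes' code: a constructed mock of a get_watch_data_latest handler in its weak form beside a hardened form that binds the requested family to the authenticated UID. All data and names other than UID, session_token, family_id, device_id and get_watch_data_latest are assumptions.

```python
# Constructed mock API; the session and family tables below are sample data, not real records.
SESSIONS = {"tok-parent-A": "uid-A", "tok-parent-B": "uid-B"}  # session_token -> UID
FAMILIES = {
    "fam-1": {"owner_uid": "uid-A", "device_id": "dev-111", "location": (51.50, -0.12)},
    "fam-2": {"owner_uid": "uid-B", "device_id": "dev-222", "location": (53.48, -2.24)},
}


def authenticate(uid, session_token):
    """The only check the report describes: does the session_token belong to this UID?"""
    return SESSIONS.get(session_token) == uid


def get_watch_data_latest_weak(uid, session_token, family_id):
    """Vulnerable form: authenticates the caller, then serves whatever family_id was requested."""
    if not authenticate(uid, session_token):
        return {"error": "unauthorized"}
    fam = FAMILIES.get(family_id)
    if fam is None:
        return {"error": "not_found"}
    # Nothing ties family_id to uid, so any authenticated user can read any family's watch.
    return {"device_id": fam["device_id"], "location": fam["location"]}


def get_watch_data_latest_fixed(uid, session_token, family_id):
    """Hardened form: object-level authorization, the family must be owned by the authenticated UID."""
    if not authenticate(uid, session_token):
        return {"error": "unauthorized"}
    fam = FAMILIES.get(family_id)
    # Same response for a missing family and a foreign one, so callers cannot
    # enumerate which family_ids exist by probing the error code.
    if fam is None or fam["owner_uid"] != uid:
        return {"error": "not_found"}
    return {"device_id": fam["device_id"], "location": fam["location"]}


def foreign_family_requests(requests):
    """Detection helper: flag authenticated requests for a family_id the caller does not own.

    Each request is a (uid, session_token, family_id) tuple; returns the flagged tuples.
    """
    flagged = []
    for uid, token, family_id in requests:
        fam = FAMILIES.get(family_id)
        if authenticate(uid, token) and fam is not None and fam["owner_uid"] != uid:
            flagged.append((uid, token, family_id))
    return flagged
```

In a real deployment the ownership check belongs in the server-side data access layer, and a spike of foreign-family requests from one session is the signal worth alerting on.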


posted at: 12:04am on 21-Nov-2018



SoundCloud Troll Getting DMCA Takedowns Shows The Weakness Of Notice And Takedown Systems

Furnished content.


Much has been written at this point about the problems with various "notice and takedown" policies, including in the DMCA. Much of the problems arise from the DMCA's requirement that service providers "expeditiously" remove infringing material upon notice, which naturally leads to platforms erring on the side of removal versus taking a hard -- and manual -- look at the material in question to see if it's really infringing. This results in all kinds of takedowns of speech that is not infringing, typically as a result of human error, a dispute over the actual ownership of rights, a lack of recognizing fair use, or, perhaps most often, an automated system for sending DMCAs simply screwing up.

But another weakness in the notice and takedown policy is in how much power it places in the hands of trolls and bad actors to simply fuck with people. This can be seen in action in the case of one SoundCloud troll getting all kinds of music taken down by pretending to be a rights holder.

Multiple bass music artists have alleged that their tracks have been removed from SoundCloud for wrongful copyright claims. Working under an account by the name "Dr Egg," an unknown user reportedly made copyright violation claims against multiple artists, which these artists are claiming resulted in the removals. In the SoundCloud platform, uploads can be taken down for copyright violations if SoundCloud receives an email making a claim against the track. A copyright violation occurs when someone uses a sample or part of a song that was already copyrighted by another artist or company. Currently, it only takes one claim to have a track removed and it may be reinstated if the claim is proven false. According to reply emails from SoundCloud to the artists in question, "Dr Egg" used email addresses that pointed to Moonboy (moonboycreator@outlook.com) and Too Vain (toovain@outlook.com) to make these strikes. The user appears to have falsified Moonboy's (Jaime Madsen) signature and used his name on the copyright infringement claims. Moonboy made a video on Twitter to speak out against the fraud.
That the policy can be weaponized for nihilistic mayhem in this way at all is a clear signal that changes need to be made. That this doesn't happen constantly is not a defense of the policy. Good internet policy is not that which can be easily subverted by impersonating another person, because that happens all the time on the internet. And, when coupled with platforms being incentivized only in the direction of quick takedown of art and speech, that causes a massive speech issue that would make the founding fathers go into a rage.

In this case, SoundCloud did manage to get the uploads in question restored.

A spokesperson on behalf of SoundCloud has responded to EDM.com with the following statement: "Our takedown notification process is designed to respect copyright, and it is our policy to review all infringement claims per the guidelines outlined in our Help Center. Upon review, we have determined these copyright claims are not valid, and are happy to report we've reinstated all affected content."
Which is all well and good, but we still have a problem. And I'm pretty sure the impetus for that problem can be found in the very first line of SoundCloud's statement: "Our takedown notification process is designed to respect copyright...". You may notice that there is no mention of speech and art in the statement at all. This is, again, because all of the incentives in the DMCA's notice and takedown provisions push platforms to favor copyright over art -- which is anathema to the principles of free speech.


posted at: 12:04am on 21-Nov-2018