Hello beings of the Steemitosphere, welcome to @personz 's yearly round up of the year in security! At least that is my review of the patchy saved articles from the year š
still, let's look back into the sands and / or mists of time to remind ourselves of the perils of this brave new digital world we inhabit.
https://media.giphy.com/media/xUOxf23OGRF34s5Og0/giphy.gif
## Timeline
<table><tr>
<td><a href="https://www.rollingstone.com/culture/features/how-baltimore-police-use-military-technology-to-track-you-w458136">1</a></td>
<td><a href="https://blog.mozilla.org/blog/2017/01/06/fighting-back-against-unlawful-warrants-and-indefinite-gag-orders-to-protect-internet-privacy-and-security/">2</a></td>
<td><a href="https://www.wired.co.uk/article/privacy-move-dark-web-ip-bill">3</a></td>
<td><a href="https://threatpost.com/hello-kitty-database-of-3-3-million-breached-credentials-surfaces/122932/">4</a></td>
<td><a href="https://www.digitalmusicnews.com/2017/01/10/eu-internet-filtering/">5</a></td></tr><tr>
<td><a href="https://nakedsecurity.sophos.com/2017/01/10/the-spy-sorry-the-fridge-who-loved-me/">6</a></td>
<td><a href="https://www.theverge.com/2017/1/27/14412014/dataminr-twitter-firehose-foreign-pitch-canada-azerbaijan-surveillance-pdf">7</a></td>
<td><a href="https://arstechnica.com/information-technology/2017/10/as-us-launches-ddos-attacks-n-korea-gets-more-bandwidth-from-russia/">8</a></td>
<td><a href="https://theoutline.com/post/1192/google-s-featured-snippets-are-worse-than-fake-news">9</a></td>
<td><a href="https://thehackernews.com/2017/03/android-malware-apps.html">10</a></td></tr><tr>
<td><a href="http://www.wdsu.com/article/your-android-smartphone-may-have-arrived-with-malware/9122734">11</a></td>
<td><a href="https://edition.cnn.com/2017/02/03/africa/internet-shutdown-cameroon/index.html">12</a></td>
<td><a href="https://www.techdirt.com/arti2cles/20170322/11002236978/encryption-workarounds-paper-shows-why-going-dark-is-not-problem-fact-is-as-old-as-humanity-itself.shtml">13</a></td>
<td><a href="https://www.technologyreview.com/s/604087/the-dark-secret-at-the-heart-of-ai/">14</a></td>
<td><a href="http://www.r3cev.com/blog/2017/4/17/identity-is-an-edge-protocol">15</a></td></tr><tr>
<td><a href="https://arstechnica.com/information-technology/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/">16</a></td>
<td><a href="https://tutanota.com/blog/posts/internet-history-sell-out">17</a></td>
<td><a href="https://www.theguardian.com/technology/2017/may/02/facebook-executive-advertising-data-comment">18</a></td>
<td><a href="https://www.theguardian.com/technology/2017/may/31/facebook-photos-children-parenting">19</a></td>
<td><a href="http://www.news.com.au/technology/online/security/hackers-are-offering-to-sell-the-medicare-details-of-australians-on-the-dark-web-government-confirms/news-story/c475b1cbc963648c191a1eaceba4b12b">20</a></td></tr><tr>
<td><a href="https://www.engadget.com/2017/07/30/virginia-court-politicians-block-social-media/">21</a></td>
<td><a href="https://securityaffairs.co/wordpress/61539/breaking-news/openai-gym.html">22</a></td>
<td><a href="https://motherboard.vice.com/en_us/article/ywwbvw/ethereums-biggest-hacking-problem-is-human-greed">23</a></td>
<td><a href="https://spreadprivacy.com/how-to-remove-google/">24</a></td>
<td><a href="https://torrentfreak.com/the-pirate-bay-website-runs-a-cryptocurrency-miner-170916/">25</a></td></tr><tr>
<td><a href="https://www.theregister.co.uk/2017/09/25/showtime_hit_with_coinmining_script/">26</a></td>
<td><a href="http://www.bbc.com/news/technology-41580850">27</a></td>
<td><a href="https://www.nytimes.com/interactive/2017/10/13/opinion/sunday/Silicon-Valley-Is-Not-Your-Friend.html">28</a></td>
<td><a href="https://medium.com/@jamesbridle/something-is-wrong-on-the-internet-c39c471271d2">29</a></td>
<td><a href="https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/">30</a></td>
</tr></table>
## Happenings
A discussion of some of the above, by topic, not in chronological order.
### Spying and intel!
The police are at it again - [spying on you](https://www.rollingstone.com/culture/features/how-baltimore-police-use-military-technology-to-track-you-w458136) in case you might commit a crime. This year Baltimore saw it's streets turned increasingly into the testing ground for spy technology formerly reserved for war zones. The most recent addition is aerial surveillance, coupled with cellphone and face tracking tech. Just to keep you safe. Of course.
Meanwhile the UK government has been ramping up [spying on it's own citizens](https://www.wired.co.uk/article/privacy-move-dark-web-ip-bill), especially conversations between lawyers and clients, and journalists and their sources. That's right, it's the kind of now forgotten Investigatory Powers Bill, or Snoopers Charter. In a nutshell "The IP Bill makes bulk interception - tapping and storage of phone calls, emails and other communications - explicitly legal." People in the UK, did you all forget about this? It has been pretty quiet on the news about this since early 2017. But rest assured, it hasn't gone away.
Kaspersky Lab, the Russian anti-virus and general consumer security tools company, continued to be accused (using the usual MSM implications) [of being in the pay of the Russian government](http://www.bbc.com/news/technology-41580850). There's plenty to be suspicious about but really it shows us just how vulnerable we are to closed source security software which we grant full access to our system. How do you know you can trust Norton, McAfee or whatever other software you use. Stay frosty! āļø
Is the use of public data spying? Well technically no, it's intelligence. Collating the large amounts of public data that we all (very stupidly) volunteer and using this to supplement government intelligence is a growing industry. This year Datamir entered into a potential [conflict of interest](https://www.theverge.com/2017/1/27/14412014/dataminr-twitter-firehose-foreign-pitch-canada-azerbaijan-surveillance-pdf) in allegedly selling it's comprehensive, government grade services to Azerbaijan. However the allegation was denied. What is clear however is that features such as "geographic political analysis" have the potential to be misused to target and track individuals on the basis of their political affiliation. This is bad news for all you libertarians and anarchists out there as more and more you are lumped in with domestic terrorists.
### Attacks from / to governments, companies or peoples!
North Korea was the subject of a DDoS attack from the US, [but was rescued thanks to Russia!](https://arstechnica.com/information-technology/2017/10/as-us-launches-ddos-attacks-n-korea-gets-more-bandwidth-from-russia/) Do you still say this isn't the new Cold War? "Russian telecommunications provider TransTelekom (Š¢ŃŠ°Š½ŃŠ¢ŠµŠ»ŠµŠŠ¾Ģm) began routing North Korean Internet traffic" in February in response to the massive cyberwarfare attack by the US. With everything that going on with "Rocket Man" this made everyone very nervous at the time.
There was a pretty large breach of [government health data on citizens in Australia](http://www.news.com.au/technology/online/security/hackers-are-offering-to-sell-the-medicare-details-of-australians-on-the-dark-web-government-confirms/news-story/c475b1cbc963648c191a1eaceba4b12b) when Medicare card numbers were discovered to be available for sale on the so-called "dark web".
[The government of Cameroon shut down the internet of the English speaking region in March](https://edition.cnn.com/2017/02/03/africa/internet-shutdown-cameroon/index.html) - again - after a series of protests "that resulted in violence", the much touted reason for such measures. Why should you care? It could happen to you too, far easier than you think.
But don't get too angry at the political class! In March a federal court in Virigina ruled that [politicians can't block people on social media](https://www.engadget.com/2017/07/30/virginia-court-politicians-block-social-media/). As if it wasn't hard enough to make a difference / raid the coffers of a nation.
Mozilla joined other major tech companies is [criticizing the US government](https://blog.mozilla.org/blog/2017/01/06/fighting-back-against-unlawful-warrants-and-indefinite-gag-orders-to-protect-internet-privacy-and-security/) for issuing gag orders and eroding internet privacy. Mozilla has a long history of working for users on these issues and their voice was good to hear in this debate.
### Hackers!
Hello Kitty fan? [Your user credentials may have been stolen!](https://threatpost.com/hello-kitty-database-of-3-3-million-breached-credentials-surfaces/122932/) Remember the MongoDB configuration exploit? Another casualty was fans of the emotionless Japanese kitten.
Is human greed a hacking attack vector? According to Vice's Motherboard, [it is](https://motherboard.vice.com/en_us/article/ywwbvw/ethereums-biggest-hacking-problem-is-human-greed). We all know that you need to be careful with ICOs. The ecosphere is full of charlatans, clowns and simply those who's ideas will never come to fruition. Motherboard says
> Basically, ICOs are a perfect nexus of human greed, a flurry of money changing hands in a short time frame, and a weak security vector: a website. How could a hacker resist exploiting them? [...]
> The most recent example of this phenomenon happened on Monday morning. Around 8 AM EST, Enigma, a project on ethereum currently engaged in an ICO pre-sale, breathlessly announced that their website, mailing lists, and Slack account had been compromised. But it was too lateāpeople had already sent nearly 1,000 ether to an account controlled by the hackers.
When so much many is flying around, we need to be on our guard and check who we trust with our money. Handing over funds to an ICO is a risky business, make sure you get a trusted security audit on the one's you support.
### Clandestine crypto-mining
Both [The Pirate Bay](https://torrentfreak.com/the-pirate-bay-website-runs-a-cryptocurrency-miner-170916/) and [CBS's Showtime](https://www.theregister.co.uk/2017/09/25/showtime_hit_with_coinmining_script/) websites were caught with crypto-mining Javascript code embedded in their pages without user knowledge or agreement. We even had our very own "storm in a tea cup" over this with @dragosroua 's Steem.supply website [here](https://steemit.com/steemit/@dragosroua/a-few-clarifications-about-steem-supply-browser-mining). What is clear is that people want to know if their CPU cycles are being used to mine crypto, and an opt in solution is the best.
### "Going Dark"
The idea of "going dark" came up several times on my radar, and [this Tech Dirt](https://www.techdirt.com/articles/20170322/11002236978/encryption-workarounds-paper-shows-why-going-dark-is-not-problem-fact-is-as-old-as-humanity-itself.shtml) piece makes the argument that it's "as old as humanity itself". This is based on the idea that law enforcement can't mind read - yet. The implication is that the best and final way to keep your secrets secret is to keep them upstairs only.
### AI
AI could be the new special sauce in malware creation. At the famous DEF CON hackers conference this year a group from [Endgame demonstrated a malware generation engine](https://securityaffairs.co/wordpress/61539/breaking-news/openai-gym.html) that made small changes to existing malware to outrun detection. 16% of the generations passed malware detection. The battle continues.
### Privacy
Should you post pictures of your kids online? [The Guardian says no.](https://www.theguardian.com/technology/2017/may/31/facebook-photos-children-parenting) Focusing on Facebook, they say
> What is certain is that Facebook runs on an erratic emotional economy ā partly driven by love, partly driven by, if not spite, exactly, then something murkier than good will. Why throw your kidās face into that mix?
However the piece closes with the rejoinder "Something about it just never feels right." This isn't good enough for me at all, and the reasons given in the discussion are largely very self obsessed. My own reading is that you owe it to your children to allow them to make the decisions of how their likeness is to be used online. They will inhabit a world for far longer with far more network dangers than you can imagine. Get them off to the right start.
Naked Security wrote a fantastic [think piece](https://nakedsecurity.sophos.com/2017/01/10/the-spy-sorry-the-fridge-who-loved-me/) about the privacy risks of the burgeoning IoT, or Internet of Things, market. They put it:
> After all, if your hairbrush strokes, or the semi-random movements you make subconsciously while asleep, should end up collected, collated, sold to the highest bidder, shared, breached and then sold again on the undergroundā¦
> ā¦how would that compromise your privacy, safety or security?
> The answer is that it might not, at least right now, but as more data gets collected, as computers get faster, and as data mining and matching techniques improveā¦
> ā¦data that has any sort of connection to you, no matter how vague it might seem, can be searched, sorted, collated and matched with other data sets to provide a profoundly detailed picture of where you go, what you do, when you do it, what your mood was like at the time, and much more.
They go on to say that security is not currently of a high enough focus in smart devices and I agree. The industry is still young and we have a long way to go. Part of that journey must be in consumers demanding higher security so spend your money wisely, respect the security and privacy of your family and visitors to your home.
### Data ownership
Germany privacy-centric email service Tutanota promoted an idea to [buy US politician's internet browser history](https://tutanota.com/blog/posts/internet-history-sell-out) in a blog post. This was a reaction against a Trump signed anti-privacy law.
> Instead of protecting their customers' privacy, the ISPs are now allowed to sell their customers's browsing history to the highest bidder. Adam McElhaney, a privacy activist, wants to fight the politicians with their own weapons: He plans to purchase the Internet histories of all legislators, congressmen, executives, and their families and make them [easily searchable here.](https://www.searchinternethistory.com/)
### Google / Android
In one of the more recent news items, from November, Google apparently [continues to collect user locations even when location data is turned off](https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/). Surprise surprise do I hear you say? Tisk tisk, do not become jaded dear reader, do not slip off into the dark night of fatalism. _This matters_.
> Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towersāeven when location services are disabledāand sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individualsā locations and their movements that go far beyond a reasonable consumer expectation of privacy.
> [...]
> According to the Google spokesperson, the companyās system that controls its push notifications and messages is ādistinctly separate from Location Services, which provide a deviceās location to apps.ā Android devices never offered consumers a way to opt out of the collection of cell tower data.
If that doesn't make you concerned, I don't know what will. Welcome to the slow erosion of privacy.
Android has never had the best security and it's been struggling along for years. Earlier this year we saw reports of malware being [preinstalled](https://thehackernews.com/2017/03/android-malware-apps.html) on Android phones, often due to [device fragmentation](http://www.wdsu.com/article/your-android-smartphone-may-have-arrived-with-malware/9122734), i.e. there's so many damn Android phones on the market it's hard to know what to trust.
DuckDuckGo released an opinion piece about [How to Live Without Google](https://spreadprivacy.com/how-to-remove-google/). What a strange situation we find ourselves in when this idea is so difficult to imagine.
> More and more people are also realizing the risk of relying on one company for so many personal services. If you're joining the ranks of people who've decided Google's data collection has become too invasive [...]
They suggest some services (included, ahem, their own) and it's a good list to get you started. To it I would add [Etherpad](http://etherpad.org/), a great open source shared document editor with infinite undo and innovative sharing facility.
In their role as the browser provider via Chrome, [Google stopped recognising Symantec signed HTTPS certs](https://arstechnica.com/information-technology/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/) causing a big kerfuffle and reminding us all how trust on the internet is established. These SSH certs are the systems by which payment transactions and other sensitive data transfers are made. It is a centralized system of trust which decentralized trust systems such as blockchain are poised to improve on in the coming years.
### Honorable mentions
_Items that are not explicitly related to security but are of concern._
The security of your kid's brains may be compromised by the [increasingly disturbing AI led YouTube video industry](https://medium.com/@jamesbridle/something-is-wrong-on-the-internet-c39c471271d2). We have AI creating mashups of popular shows such as Peppa Pig and Disney characters, which get increasingly disturbing as they recycle content and further off coherence. Then we have real live humans creating videos from AI scripts, then this eating itself in mashups ... it's a weird world and it looks like no human consciousness is in the driving seat.
## Competition
If you can show any of these sources to be #fakenews by showing a stronger case in a counter argument - with references - **I will give you 3 STEEM**, to the first 5 people who comment with this argument.
I recognize that not all of the sources are what you would call "reliable" and have vested interests in promoting the status quo.
## Finally, Happy New Year
As this year draws to a close, I want to thank you all - all of your who read my posts, engaged with me in comments (mostly on your own posts), who voted me, who flagged me, worked with and against me. We have all no doubt grown from this years instalment in the experiment of Steemit.
I raise a glass to you all! š„
