Via Bruce Schneier, Ars Technica describes in painful detail how computer repair people snoop and steal people's data all the time:
If you’ve ever worried about the privacy of your sensitive data when seeking a computer or phone repair, a new study suggests you have good reason. It found that privacy violations occurred at least 50 percent of the time, not surprisingly with female customers bearing the brunt.
Researchers at the University of Guelph in Ontario, Canada, recovered logs from laptops after receiving overnight repairs from 12 commercial shops. The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device. Devices belonging to females were more likely to be snooped on, and that snooping tended to seek more sensitive data, including both sexually revealing and non-sexual pictures, documents, and financial information.
The amount of snooping may actually have been higher than recorded in the study, which was conducted from October to December 2021. In all, the researchers took the laptops to 16 shops in the greater Ontario region. Logs on devices from two of those visits weren’t recoverable. Two of the repairs were performed on the spot and in the customer's presence, so the technician had no opportunity to surreptitiously view personal data.
In three cases, Windows Quick Access or Recently Accessed Files had been deleted in what the researchers suspect was an attempt by the snooping technician to cover their tracks. As noted earlier, two of the visits resulted in the logs the researchers relied on being unrecoverable. In one, the researcher explained they had installed antivirus software and performed a disk cleanup to “remove multiple viruses on the device.” The researchers received no explanation in the other case.
In all, the findings from the study were:
- Privacy policies and the practice of communicating protocols and controls to protect customers’ data do not exist across service providers of all sizes.
- Service providers largely (10/11) require “all access” to the device, even when it is unnecessary.
- Technicians often snoop on customers’ data (6/16) and sometimes copy those to external devices (2/16).
- Technicians who violate privacy often do so carefully to not generate evidence (1/6) or remove such evidence (3/6).
- A significant proportion of broken devices (26/79, 33 percent) are not repaired due to privacy concerns. For the devices that get repaired, device owners are concerned about threats to their privacy but do not use the proper controls to protect their data.
The results likely confirm what many more experienced computer users already know: that their data is vulnerable to snooping or copying any time they surrender their device to an untrusted or unknown individual, particularly when the individual has their login password. But for a much larger percentage of people wanting to recover crucial data on a broken device, the findings are likely a wake-up call with few, if any, good solutions.
Another way to look at it: do you trust your locksmith?
Cassie and I took a 33-minute walk at lunchtime and we'll take another half-hour or so before dinner as the temperature grazes 14°C this afternoon. Tomorrow and each day following will cool off a bit until Wednesday, the first official day of winter, which will return to normal.
- As every lawyer who paid attention predicted, Justice Clarence Thomas's (R) opinion in New York State Rifle and Pistol Association v Bruen last summer articulated a Republican policy platform while providing absolutely no useful guidance.
- Jamelle Bouie points to that particular justice, along with his brother-in-arms Samuel Alito (R), as great reasons to institute term limits on the Supreme Court.
- Looks like House Minority Leader Kevin McCarthy (R-CA) plans to take his 5-seat majority out for a spin come January. Can't wait. (Remember, the Republican Party wants you to think the US Government is a joke. Pay no attention to that man behind the curtain!)
- Robert Wright reminds everyone that Ukraine's interests differ from those of the EU, NATO, and the US, which puts Ukrainian president Zelensky's behavior regarding the accidental missile detonation in Poland in context.
- Julia Ioffe reminds everyone that the Pentagon's and White House's strategies also differ from one another.
- Now that I've moved, I need to update my driver's license, which means finally getting a Real ID. I mean, other than my passport or passport card. (Oooo, maybe I can get a CAC?)
- Toronto gave up a few dozen parking spaces to make room for sidewalk cafes, only to discover that the restaurants made 49 times more money than the parking spaces.
- The US faces a critical shortage of bomb-sniffing dogs.
- Thousands of cranes have migrated through Chicago in the last few days, and wow, are they loud.
Finally, Amazon's ads really have gotten to the point where it's "a tacky strip mall filled with neon signs pointing you in all the wrong directions."
And in just a few hours, I will tuck into this:
I may run out of mason jars though...
Josh Barro explains the FTX collapse in simple terms:
[T]his is not a technology story, because FTX was not a technology company. Sure, FTX’s business relied on technology, but so do most businesses. FTX has an app; so does Fidelity, and so does Chipotle, and that doesn’t make them tech companies. FTX was a brokerage, and there were two things that set them apart from a regular brokerage. One is that they dealt principally in nonsense financial products with no underlying economic value, and the other is that the owners either lost or stole the customers’ money and then lied about their resulting insolvency.
Because cryptocurrency assets have no fundamental economic value — unlike stocks and bonds, they do not reflect a claim on the cash flows of some business creating real value in the economy — there can be no such thing as fundamentals-based investing in them. When people invest in crypto, they out themselves as marks for scammers who might believe any nonsense about what something is worth. And therefore it’s the least surprising thing in the world that someone would open up a crypto exchange, offer implausible interest rate terms in order to hoover up billions in customer deposits from the gullible masses, and then misappropriate the proceeds.
He also provides some rules of thumb for dealing with cryptocurrencies, the first being, "any crypto-related business is a scam." Quite so.
I'm just finishing up a very large push to our dev/test environment, with 38 commits (including 2 commits fixing unrelated bugs) going back to last Tuesday. I do not like large pushes like this, because they tend to be exciting. So, to mitigate that, I'm running all 546 unit tests locally before the CI service does the same. This happens when you change the basic architecture of an entire feature set. (And I just marked 6 tests with "Ignore: broken by story X, to be rewritten in story Y." Not the best solution but story Y won't work if I don't push this code up.)
So while I'm waiting for all these unit tests to run, I've queued all this up:
- House Speaker Nancy Pelosi (D-CA) announced today that she will step down from her party leadership role when the 118th Congress meets on January 3rd.
- This came on the heels of a loser Florida retiree trying to get his old job back. Tina Nguyen looks at who might challenge the loser retiree for the same job. One thing I know: this won't end well for the Republican Party.
- Maybe that's why 12 Republicans in the US Senate crossed party lines to vote on moving the Same-Sex Marriage bill forward?
- Aaron Gordon investigates why American transit projects cost so much more than any other country's (hint: they have stronger anti-corruption laws).
- And yet, Washington got a Metro line to Dulles after waiting only 60 years, just slightly longer than we in Chicago's Ravenswood neighborhood have waited for the inbound Metra platform to open.
- Speaking of corruption, Kelsey Piper got a phone call from Sam Bankman-Fried, the guy who made a couple billion in crypto go *poof* last week, so he could clear the air. On the record. With pending litigation. (Seriously, who's his dealer?)
- For no reason anyone can determine, certainly not the recent dismissal of half its workforce including the only engineers who know where the bolts go, Twitter has experienced some intermittent problems with its multifactor authentication setup. Even better, "a researcher contacted Information Security Media Group on condition of anonymity to reveal that texting 'STOP' to the Twitter verification service results in the service turning off SMS two-factor authentication." Oh my!
- Speaking of that dying company, Elon Musk has done his utmost to hasten the exodus of engineering talent by giving everyone until (checks watch) two hours from now to choose a lifetime of misery or a three-month severance. Because we software engineers do our best work for narcissists with whips. (There simply isn't enough popcorn in San Francisco for this shit show.)
- Sadly, Republican speechwriter and Washington Post columnist Michael Gerson has died at 58. I didn't agree with him much, but he remained one of the sane ones till the end.
Finally, one of Chicago's last vinyl record stores, Dave's in Lincoln Park, will close at the end of this month. The building's owner wants to tear it down, no doubt to build more condos, so Dave has decided to "go out in a blaze of glory."
All right...all my tests passed locally. Here we go...
I'm running all 538 unit tests in my real job's application right now after updating all the NuGet packages. This is why I like automated testing: if one of the updated packages broke anything, tests will fail, and I can fix the affected code. (So far they've all passed.)
This comes after a major demo this morning, and a new feature that will consume the rest of the sprint, which ends next Monday. Oh, and I have two opera rehearsals this week. Plus I have to vote tomorrow, which could take 15 minutes or two hours.
So it's not likely I'll have time to read all of these:
Regardless, I'm setting an alarm for just past 4am to see the total lunar eclipse tonight. NOAA predicts 17% sky cover, so I should get a good view of it. Unless I go back to sleep.
Man-shaped bag of feces Alex Jones may be "done saying I'm sorry," but a Connecticut jury suggests he should have tried just one more time:
The conspiracy theorist Alex Jones must pay $965 million to the families of eight Sandy Hook shooting victims and an FBI agent who responded to the attack for the suffering he caused them by spreading lies on his platforms about the 2012 massacre, a Connecticut jury found on Wednesday.
Jones had already been found liable by a judge after refusing to hand over critical evidence before the trial began, and this six-member jury was only asked to decide how much Jones should pay.
During closing arguments, Christopher Mattei, a lawyer for the families and agent, suggested that Jones should be ordered to pay at least $550 million, saying that the host's Sandy Hook content got an estimated 550 million views from 2012 to 2018.
“I’ve already said I’m sorry hundreds of times, and I’m done saying I’m sorry,” Jones said.
A defiant Jones said he believed Sandy Hook was a hoax when he spread his lies. “I legitimately thought it might have been staged and I stand by that. I don’t apologize for it.”
News reports suggest he can afford it—barely. And of course, he'll just make up more vile shit that the MAGA folks will eat, because we're at that point in an historic cycle of stupidity. Maybe this means the cycle could end soon? I hope so.
I'm movin' out. A lovely young couple have offered to buy Inner Drive World Headquarters v5.0, and the rest of the place along with it. I've already gotten through the attorney-review period for IDTWHQ v6.0, so this means I'm now more likely than not to move house next month.
Which means I have even less time to read stuff like this:
Finally, American Airlines plans to get rid of its First Class offerings, replacing them with high-tech Business Class and more premium coach seats. I'd better use my miles soon.
I've had two parallel tasks today, one of them involving feeding 72 people on Saturday. The other one involved finishing a major feature for work. Both seem successful right now but need testing with real users.
Meanwhile, outside my little world:
- The XPOTUS seems to have backed himself into a corner by lying about "declassifying" things psychically, after the Special Master that he asked for called bullshit. Greg Sargent has thoughts.
- Pro Publica reported on Colorado's halfway-house system that sends more people back to prison than it rehabilitates.
- The Navy has begun its court-martial of Seaman Recruit Ryan Mays, accused of lighting the fire that destroyed the USS Bonhomme Richard in 2020.
Finally, Ian Bogost (and I) laments the disappearance of the manual transmission.
Writing as a guest of James Fallows, former defense official Jan Lodal outlines how subparagraph (d) of the Espionage Act should be a slam-dunk in prosecuting the XPOTUS:
This paragraph makes a straightforward action a crime: namely, failing to return classified documents if properly directed to give them back. No proof of the level of classification, or the intentions of the document holder, or the content of the documents, is required. Just a simple question: did he or she give them back or not?
This section of the Espionage Act does not require that prosecutors access or cite individual documents to prove the crime. It requires only that there were any classified documents in the boxes that Trump did not return. On that there is no doubt. It was settled by the release of the Department of Justice (DoJ) Affidavit authorizing the Mar-A-Lago document seizure.
Trump’s violation of this Subparagraph (d) of the Espionage Act could not be clearer. Unlike all other crimes being considered for prosecution, Subsection (d) requires no probing of intent or consequence. It defines as criminal a clear process violation—“failing to return” classified documents when properly asked to do so.
Given our politics and our jury system, keeping the legal actions against Trump simple is better for now. Prosecution for other offenses after getting an initial conviction will then be more likely to succeed. DOJ should take this path to reduce the risk that obfuscation and assertions of inapplicable rights and privileges by a former president could override the fragile rule of law in our constitutional democracy.
Having watched the DOJ build its case, and knowing that Attorney General Merrick Garland takes things slowly and deliberately, I expect to see this charge sooner rather than later. But I also suspect that the DOJ wants to build the most comprehensive case it can. We'll see.
The Washington Post Fact Checker digs deep into the allegations of mishandling classified material against former Secretary of State Hillary Clinton and finds, nah, she good:
The Justice Department investigation of classified documents found at former president Donald Trump’s Mar-a-Lago Club has brought inevitable comparisons to the controversy over Hillary Clinton’s private email server that she used while secretary of state. The FBI investigation into her emails arguably tipped the close 2016 presidential election to Trump.
During the contest between Trump and Clinton, we wrote 16 fact checks on the email issue, frequently awarding Pinocchios to Clinton for legalistic parsing. But in light of the Trump investigation, Clinton is trying to draw a distinction between Trump’s current travails and the probe that targeted her.
As shown in an FBI photo of some of the documents seized from Trump, many have clear markings indicating they contained highly sensitive classified information. Clinton, in her tweet, suggests none of her emails were marked classified. That’s technically correct. Whether those emails contained classified information was a major focus of the investigation, but a review of the recent investigations, including new information obtained by the Fact Checker, shows Clinton has good reason for making a distinction with Trump.
In other words, [two] State Department probes under Trump knocked Clinton for maintaining a private server for State Department communications — but did not hold her responsible for mishandling classified information.
Of course, all the Benghazi and email server hearings that Clinton had to endure had nothing at all to do with their subject matters, because the current Republican Party doesn't care at all about substance. Everything they do is performance, for political points. And they've been at that so long, in fact, that many Republicans can't fathom that the probe of the XPOTUS's mishandling of classified material has nothing to do with political points and everything to do with the damage that he did to national security.