CNBC shows how not to handle a security screwup
As articles go, Tuesday’s CNBC piece trying to cobble together the Apple/FBI fight with interactive clickbait — a little box where readers should enter their password to test its hackability — was a stretch.
Worse, the story, called “Apple and the construction of secure passwords,” hinged entirely on encouraging people to do something no one should ever, ever do. Namely, enter a password anywhere except the proper login page. CNBC, it seems, was trying to teach its readers about security.
Beneath the article’s interactive box to test your password, CNBC’s disclaimer read, “This tool is for entertainment and educational purposes only” and assured users that “no passwords are being stored.”
worried about security? enter your password into this @CNBC website (over HTTP, natch). what could go wrong pic.twitter.com/FO7JYJfpGR
— Adrienne Porter Felt (@__apf__) March 29, 2016
For security professionals, this entire setup was like dangling a New York strip steak in front of a pack of peckish zombies. It didn’t take long for hackers to poke at CNBC’s password checker to see what was going on.
It wasn’t pretty. Running a free, simple tool called mitmproxy (as in, “man in the middle”), security researcher Ashkan Soltani captured exactly what CNBC’s password tester was sending from each user’s browser.
Holy crap: @cnbc now sends your test passwd to all 3rd parties when you hit enter @__apf__ https://t.co/rOQuvJ4KE2 pic.twitter.com/diRjcvJ919
— ashkan soltani (@ashk4n) March 29, 2016
When someone entered a password into the text box and hit the button, a lot more was going on than a test. The password was being sent over the site’s http (unencrypted) connection to CNBC’s third-party partners, such as ScorecardResearch and SecurePubAds (DoubleClick).
After posting the findings on Twitter, a researcher who works on Let’s Encrypt (free, easy https for websites) joined the dogpile. He added that — inexplicably — CNBC was also saving the passwords to a Google Docs spreadsheet when the user hit “submit.”
@__apf__ @CNBC @googledocs pic.twitter.com/37iOtvgSxg
— Kaney (@riking27) March 29, 2016
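The researchers' finding above reduces to a simple audit: did the value typed into the box show up in any request to a host other than the publisher, or in any request sent over plain http? The following is an added example, not CNBC's code or any tool the researchers published; it runs the check over a constructed, mitmproxy-style capture in which the hosts are `.example` placeholders standing in for the parties the article names.

```python
"""
Audit captured browser requests for a secret that leaks off-site.

Added example: given a capture of what a page's JavaScript sent, report
every request that carries the entered secret to a third-party host or
over plaintext HTTP. The capture below is constructed for illustration.
"""
from urllib.parse import urlsplit, parse_qs

# Assumption: the publisher's own domain; its subdomains count as first party.
FIRST_PARTY = "cnbc.example"

# Constructed capture, one request per dict (method, URL, form body).
CAPTURED = [
    {"method": "GET", "url": "http://www.cnbc.example/article", "body": ""},
    {"method": "POST", "url": "http://www.cnbc.example/api/check",
     "body": "pw=hunter2&len=7"},
    {"method": "GET",
     "url": "http://tracker.scorecardresearch.example/b?c1=2&c2=hunter2",
     "body": ""},
    {"method": "POST",
     "url": "https://docs.google.example/forms/d/e/FORM_ID/formResponse",
     "body": "entry.1=hunter2&submit=Submit"},
    {"method": "GET",
     "url": "https://ads.securepubads.example/gampad/ads?sz=300x250",
     "body": ""},
]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the constructed hosts."""
    return ".".join(host.lower().split(".")[-2:])


def is_first_party(host: str, first_party: str = FIRST_PARTY) -> bool:
    return registrable_domain(host) == registrable_domain(first_party)


def fields_in(request: dict) -> dict:
    """Every key/value pair a request carries: query string plus form body."""
    parts = urlsplit(request["url"])
    fields = dict(parse_qs(parts.query))
    for key, values in parse_qs(request["body"]).items():
        fields.setdefault(key, []).extend(values)
    return fields


def find_leaks(secret: str, requests=CAPTURED, first_party: str = FIRST_PARTY):
    """Return (host, field, reasons) for each request that carries `secret`
    somewhere it should never go: a third-party host, or plaintext HTTP."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        for field, values in fields_in(req).items():
            if secret not in values:
                continue
            reasons = []
            if parts.scheme != "https":
                reasons.append("plaintext-http")
            if not is_first_party(parts.hostname, first_party):
                reasons.append("third-party")
            if reasons:
                findings.append((parts.hostname, field, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for host, field, reasons in find_leaks("hunter2"):
        print(f"{host}: field '{field}' -> {', '.join(reasons)}")
```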
If you’re looking at this page like I just clopped up on a sparkly unicorn while serenading you with Lady Gaga’s “Telephone” on a kazoo, let me reframe that vision to a unicorn that has chainsaws for legs — because peak WTF hadn’t yet been reached. At this point in the disaster, hackers and infosec passersby on Twitter started actively @ replying CNBC and the article’s author, CNBC data journalist Nicholas Wells. People were overwhelmingly angry at CNBC and calling for the password tool’s removal.
But rather than respond directly to researchers or critics, CNBC deleted the entire page without a peep. The article was removed and the page left as “not found,” all without leaving a note in its place explaining what happened to the content. The CNBC Twitter account removed its original tweet about the article in an attempt to pretend like nothing happened. On top of it all, the article’s author made his Twitter account private.
Woo! @cnbc pulled their ‘How Secure is your Password’ (that we send all over the web) story https://t.co/rOQuvJ4KE2 pic.twitter.com/Q5Q8LMykT8
— ashkan soltani (@ashk4n) March 29, 2016
According to ad-industry platform Thalamus, CNBC.com gets around 6.6M unique visitors a month and 204M monthly page views. While it’s unknown how many people were affected by this incident, it’s safe to say that some people seriously need to be told by CNBC to change their passwords, ASAP.
It goes without saying that this “password tester” should never have been made — and no one should have been told to use it.
It’s also a sign of the times, one that CNBC and its brethren need to heed. Gone are the days when companies like CNBC can slap “we don’t save your data” on something that saves data and expect no one to notice. Look, CNBC: If you’re going to pretend to teach your readers about security and you muck around with people’s lives using a half-assed little clickbait novelty without consulting security professionals, then you’re going to have your ass handed to you.
@ashk4n @packetchef @CNBC @__apf__ best Phishing site ever!
— William Reyor (@OpticOpticfiber) March 30, 2016
@ashk4n @CNBC @__apf__ hell of a way to build an attack dictionary
— jsl (@delayfx) March 29, 2016
It’s a huge example of how not to behave after you screw up when it comes to security. If CNBC and Wells really wanted to behave as though security reporting mattered or that they cared about the sanctity of their readers’ lives, then this would have been a great time to update the article with what went wrong and why it’s important that people understand what happened.
It’s not that hard to do the right thing. Like this:
“The original version of this article contained our password-strength tool. We have removed the tool because it had security problems, and we’ve rethought this whole thing, with the input of information-security professionals (for which we are grateful).
“We at CNBC want to tell you that you should never, ever put your password anywhere except where it belongs. Never put it in a ‘password checker’ or any other place it shouldn’t go — no matter how safe anyone says it is. Our password tool went wrong not only by encouraging you to enter a password in the first place but also because our site uses “http” (you can see it in the address bar) instead of “https,” an encrypted connection, which is safer. We also regret storing the passwords and the fact that we run code on our site’s pages that sends entered information (and other user behaviors) to our third-party partners.
“For better password security, use a password manager that can strengthen and remember them for you. We urge everyone who used our password tool to change any of the passwords you entered immediately. For all of this we are truly sorry.”
Too bad the above text is just a fantasy.
You see, CNBC didn’t just step in a pile of password-security idiocy in the street; it tracked it onto the carpet of public awareness by simply refusing to acknowledge this happened at all. The media giant isn’t returning requests for comment or answering questions for us or any of the outlets that have covered this epic fail. The article’s author, with his private Twitter account, appears to be ignoring requests for comment.
For me, it reveals a bright line between people who “get” security and people who don’t. Because the people who get it understand that security and accountability are inseparable.
DJI goes after Yuneec with patent infringement suit
Drones are a mainstream item in today’s tech world, and two rival UAV makers are heading to court. DJI filed a patent infringement lawsuit in California against Yuneec for violating two of its patents. The company claims that Yuneec is selling products that infringe on one or more patents it holds regarding target tracking and an “interchangeable mounting platform.” DJI seeks to stop any sales of products that make use of its intellectual property.
“DJI welcomes competition, but is committed to protecting its intellectual property,” a press release on the filing explained. “Friday’s filing is a response to safeguard that investment, to protect customers and partners and to promote genuine innovation in this promising area.”
Last August, Yuneec launched its 4K Typhoon drone to take on DJI’s Phantom 3 Professional. Back at CES, the company revealed the Typhoon H, which employs Intel tech to keep it from running into things. Obstacle avoidance is also a key feature for DJI’s new Phantom 4. DJI’s complaint doesn’t get specific about which of the Chinese company’s models infringe on its patents, only that its “products and technology” are the alleged culprits.
Virtual reality and pornography: An X-rated debate
The true test of virtual reality is upon us. As the consumer version of the Oculus Rift rolls into homes across the globe, the world is watching intently to see if this is truly virtual reality’s moment. But what will be its killer application? Will our basest desires drive adoption as they have with previous mediums? Or has porn been dethroned as a technological kingmaker? Executive Editor Christopher Trout and Managing Editor Terrence O’Brien argue the finer points of VR porn.
Terrence O’Brien
Here’s the uncomfortable truth that most people refuse to swallow: If virtual reality is going to take off, it’s going to be on the wings of pornography. It’s not going to be clever PlayStation games or films from major movie studios that make VR mainstream. It’s going to be companies like Kink.com, Naughty America and Pornhub that convince every household they need a VR headset. That is, as long as the manufacturers are smart enough to stay out of the way. HTC or Oculus don’t need to embrace the porn industry necessarily, but they need to not actively try and defeat it. Just look at what happened to poor Betamax when Sony decided it wanted nothing to do with pornography. The industry embraced VHS and the rest is history.
Obviously, there were other factors at play, but the fact that the format embraced by the porn industry ended up winning the war is no coincidence — it has a history of picking the winner. It wasn’t that long ago that the industry coalesced around Blu-ray, partially thanks to its larger capacity. I’m sure you don’t need to be reminded how that turned out: HD-DVD became a historical footnote and Blu-ray was crowned the standard for high-def media. At least for as long as physical media remained relevant.
Christopher Trout
Let’s talk about those “other factors.” First off, the evidence supporting porn’s influence on tech is shaky at best, but as we all know, people love to watch other people fuck and the porn industry has always been an early adopter. Still, assuming everything you say is true, porn isn’t what it used to be.
Now, when the war over Betamax and VHS was going strong, the porn industry was still in its nascent stages. It was new and provocative. It was part of the cultural zeitgeist. Jackie Kennedy even famously admitted to seeing Deep Throat, probably the biggest adult film of all time. It was released just three years before Betamax.
The industry had its boom. And it’s been through its bust. Porn today looks nothing like it did in the days of physical media. When DVDs were the gold standard, people were still buying porn and they cared about the quality. Those were also the days when people bought CDs and either cared about the sound of their music, or were just buying what the labels were selling. As we’ve learned in the internet age, quality isn’t at the top of people’s minds. If we can get it for cheap or free, we’re down. That goes double for porn. VR is too expensive to produce to give away for free.
Cheap, even free, porn is in abundant supply today. Porn’s studio system, like much of establishment media, finds itself competing with amateurs. Production value and creativity have suffered as a result. There is no “Deep Throat” for the online generation, and in order for consumers to buy into what could be a very expensive and high-friction experience, they’re going to have to see something new and spectacular. Something mind-blowing. That’s what VR is supposed to be. It’s supposed to transport you. No one wants to be transported into a generic, cheaply made POV video. And that’s most of what’s being produced right now.
Terrence
This is true, that the industry has changed. But what hasn’t changed is its ability to propel the adoption of new technology. Sure, porn helped push the adoption of Blu-ray as a media standard, but it’s also behind what ultimately relegated Blu-ray to a niche product: streaming video. It wasn’t Netflix or Skype that first brought on-demand and live streaming video into people’s homes; it was porn. It was the industry responsible for a large percentage of all streaming video in the early days, which is part of why it was targeted by lawsuits from Acacia Research in 2003. Some of the first plug-in free video? Delivered by porn sites. And all of this goes double for live streaming video. Camgirls and other sex-industry performers were pioneers in the field of live streaming and live chat. That expensive teleconferencing system in your office uses technology that was pioneered by pornographers.
But it goes beyond video. Much of the internet is powered by technology that may not have been invented by the porn industry, but was pushed forward by it. In the early ’90s the idea of using your credit card to buy something online was pretty far-fetched. It was Electronic Card Systems that really pioneered online transactions in the mid ’90s. And ECS’s first big partners weren’t Amazon or Pets.com; they were porn sites. People felt more comfortable, more anonymous buying their porn on the internet, and so online payments took off — not powered by our desire to read books or buy second-hand shoes, but by our desire to watch naked strangers touch themselves and each other.
Some even argue that the adoption of broadband was spurred in large part by the public’s desire to consume porn. In 2003, Nielsen credited adult content and file-sharing services (at the time, largely music) as the driving force behind broadband adoption in Europe.
Christopher
That was 2003, just years before the porn industry hit the skids. Streaming media and piracy had a profoundly negative effect on adult entertainment’s establishment in the mid-2000s, and it’s never been the same. The big Hollywood studio-style business, trading in big names and big budgets, was rapidly replaced by amateur shaky-cam clips and churn-and-burn gonzo productions. Then the Great Recession hit. I felt the effects on the porn industry first-hand when I lost my job at a small studio that wasn’t ready for rapid economic and technological change. The same thing played out across the industry. Some studios handled it better than others, but the establishment was largely overthrown.
What we lost in that transition is the money and expertise to produce high-quality media. I don’t doubt that broadband adoption may have been spurred on by porn, but it also changed the medium itself. The internet has proved that people will get off no matter how grainy, shaky or short the clip as long as they don’t have to pay for it. That sort of thing doesn’t have a place in VR.
I’ve seen more VR porn than most, and I can tell you there’s not much out there. What little there is, isn’t very good. Skewed perspectives and shoestring budgets result in low-res, 180-degree X-rated house-of-mirrors experiences. And those pornographic freak shows are coming from big names like Naughty America and Virtual Real Porn. With porn’s biggest players today, video services like Pornhub and YouPorn, trading in free and pirated clips, you have to ask yourself where the game-changing content is going to come from. VR production is still too complicated and expensive for amateurs and fast-and-dirty content farms.
VR porn won’t take off until the means of production are democratized. And that likely won’t happen until the technology has had its make-it-or-break-it moment. If you ask me, VR is the chicken here. Porn may or may not be the egg, but it’s not worth betting the farm on.
Terrence
The porn industry will never again reach the absurd heights it did from the mid-’90s to the mid-aughts, when budgets for high-profile adult films measured in the hundreds of thousands or, occasionally, the millions. But this shift toward shaky-cams and POV porn is actually the kind of content perfectly suited for VR. Pornography these days isn’t about big budgets or elaborate fantasies; it’s about living vicariously through another. And that experience becomes all the more immersive and stimulating through a VR headset.
VR films are more complicated and expensive to produce than simply giving an actor a camcorder to hold while he has sex. But it’s not prohibitively expensive for any reasonably profitable porn studio. A few GoPros, a 360-degree mount and software to stitch it all together can be had for a couple of thousand dollars.
But why even bother laying out that much money?
For a few hundred bucks a gonzo pornographer could pick up something basic like a 360fly or a Samsung Gear 360. And, as you so rightly point out, the internet has proved that people will get off no matter how grainy, shaky or short the clip is. And that extends to VR.
Christopher
I think you’re underestimating the amount of skill and effort that go into producing VR. And what a boner killer a poor VR experience can be. It’s one thing to have a shaky cam of a perfectly normal-looking human body, but bad VR production can make your homemade sex tape look like a freak show expose.
All of that aside, VR and the open internet are two very different things. The latter has, in recent years, been referred to as a basic human right; the former is an expensive, restrictive toy. If you want to compare the two, we’re going to end up going down a privilege-and-access rabbit hole, and that’s an entirely different argument. In any case, I’ve dedicated my weekend to finding the one man-on-man VR porn experience that won’t make me feel like I’ve been transported into the Village People’s new Ripley’s Believe it or Not Las Vegas revue.
Inventor builds super creepy ‘Scarlett Johansson’ robot
Ricky Ma, an inventor and maker, has spent the last year and a half building a robotic starlet from scratch on the balcony of his Hong Kong apartment. He recently unveiled the Mark I, a $50,000 prototype modeled after… well, he wouldn’t specify to Reuters but come on, that’s obviously Scarlett Johansson. The robot is comprised of a 3D-printed skeleton supporting the various electronic and mechanical bits with everything wrapped in a pliable silicone skin.
While it may look eerily like her, the Mark I does not possess her acting chops. The robot currently only offers a set of canned phrases and movements in response to verbal commands, though that’s still really impressive considering that Ma is completely self-taught.
“I figured I should just do it when the timing is right and realise my dream,” Ma told Reuters. “If I realise my dream, I will have no regrets in life.” Ma hopes to sell his prototype to an investor and use the funds to build more and better robots.
Source: Reuters
SETI to begin searching older star systems for sentient life
The Search for Extraterrestrial Intelligence (SETI) Institute hasn’t had any luck finding signs of alien life so far, but it could just be that it’s looking in the wrong place. To date, SETI has only searched around younger stars like our own, but the Institute on Friday announced that it will expand its search to include older, red dwarf stars as well.
Red dwarfs — not to be mistaken for white dwarfs — make up the vast majority of stars in the Milky Way galaxy, roughly 75 percent of them in fact, according to SETI Institute astronomer Seth Shostak. And the fact that they are far older than our Sun means that the planets orbiting them have had plenty of time to develop intelligent civilizations.
Using the Allen Telescope Array in Northern California, the Institute figures that its red dwarf survey should take about two years to complete. “We’ll scrutinize targeted systems over several frequency bands between 1 and 10 GHz,” Institute scientist Gerry Harp said in a statement. “Roughly half of those bands will be at so-called ‘magic frequencies’ — places on the radio dial that are directly related to basic mathematical constants. It’s reasonable to speculate that extraterrestrials trying to attract attention might generate signals at such special frequencies.”
Via: Huffington Post
Source: SETI Institute
Jeff Bezos’ Blue Origin will launch its rocket a third time
Jeff Bezos’ rocket company has already shown its product is reusable, but if it’s going to launch “space” tourism, it will have to fly many times. As such, Blue Origin is working to fly the New Shepard rocket for the third time on Saturday. According to Bezos, this time the engine will restart fast, “just” 3,600 feet above the ground, leaving little room for error on its trip home from the edge of space. Plus, the company’s previous tests have only been revealed after the fact, so announcing this one in advance is another change. Still, we’re not expecting any kind of SpaceX-style livestream, but Bezos says there will be drone cameras in place to get an aerial view of the flight. Whether or not it all works as planned, there should be some exciting footage to share, so check back here tomorrow.
Working to fly again tomorrow. Same vehicle. Third time. #LaunchLandRepeat @BlueOrigin pic.twitter.com/e1ZfYAibK2
— Jeff Bezos (@JeffBezos) April 1, 2016
Pushing the envelope. Restarting BE-3 fast @ high thrust, just 3600 ft from ground. Impact in 6 sec if engine doesn’t restart & ramp fast.
— Jeff Bezos (@JeffBezos) April 1, 2016
Also, a new more efficient RCS algorithm on the Crew Capsule. Big performance win if it works. #LaunchLandRepeat @BlueOrigin
— Jeff Bezos (@JeffBezos) April 1, 2016
We’ll have drone cameras in the air and hopefully will get good aerial footage to share. #LaunchLandRepeat @BlueOrigin
— Jeff Bezos (@JeffBezos) April 1, 2016
Source: Jeff Bezos (Twitter)
Walmart Offering $100 Discount on All iPhones, Including New iPhone SE
Starting today, Walmart is offering $100 off its selection of Apple iPhones, including the iPhone 6s, iPhone 6s Plus, and newly released iPhone SE, making the already affordable device available at an even lower price point.
The discount applies to iPhones purchased through AT&T, Verizon, and Sprint and is available on devices bought using a monthly installment plan. The discounted price will be reflected through each customer’s cell phone bill, with the monthly payments lowered by an appropriate amount.
Customers who want to purchase an iPhone eligible for the discount will need to do so in store, as AT&T, Verizon, and Sprint iPhones are not sold online. Walmart plans to offer the $100 off deal through the end of June.
In other deal news, Belkin.com is offering a 25 percent discount on all of its products through the end of the day with the promo code IMNOFOOL, and Best Buy is offering solid discounts on the 12-inch Retina MacBook, MacBook Air, and Retina MacBook Pro dropping prices by up to $300.
For a full list of this week’s deals and discounts, make sure to check out our dedicated deals roundup, which is updated on a daily basis with new accessories, significant deals, and app discounts. It also contains a price list for all of Apple’s major products and is an excellent resource for finding the best deal on a Mac or iPad.