Privacy / Security

by Cam Wilson in Crikey  

“I thought it would be really funny if a stranger came over asking to do a poo,” explained Will. They never did, and about a year ago Will moved out.

Recently, Will had a look to see if Big Dumpers was still marked on Google Maps. It was. He was getting monthly emails about the performance of his business with information on how many people had viewed it or clicked to see its phone number.

But looking at the app’s listing for the “business”, Will spotted something that he didn’t find as funny. Like many other businesses, Google Maps showed a “Popular times” graph depicting how popular the location is using information provided by Google users who’ve agreed to let the app access their geolocation data. 9AM on Thursday was a busy time for Big Dumpers, according to Google Maps, but completely empty later in the day. 

What clicked in Will’s mind is that he had inadvertently created a public tracker of when people were in his share house — almost certainly without their knowledge. Will quickly voluntarily “closed” his business on Google but the listing remained up afterwards.

After being informed of the exploit by Crikey, founder of Australian information security company DVULN Jamieson O’Reilly said that his review of Google’s technical material corroborated Will’s understanding of the situation.

“My gut tells me you could list any place as a business then if the residents had opted in to location services you could totally use it to measure someone’s patterns,” he said.

in Ars Technica  

The vulnerabilities, reported Tuesday by researchers from security firm Nozomi, reside in the Bosch Rexroth Handheld Nutrunner NXA015S-36V-B. The cordless device, which wirelessly connects to the local network of organizations that use it, allows engineers to tighten bolts and other mechanical fastenings to precise torque levels that are critical for safety and reliability. When fastenings are too loose, they risk causing the device to overheat and start fires. When too tight, threads can fail and result in torques that are too loose. The Nutrunner provides a torque-level indicator display that’s backed by a certification from the Association of German Engineers and adopted by the automotive industry in 1999. The NEXO-OS, the firmware running on devices, can be controlled using a browser-based management interface.

Nozomi researchers said the device is riddled with 23 vulnerabilities that, in certain cases, can be exploited to install malware. The malware could then be used to disable entire fleets of the devices or to cause them to tighten fastenings too loosely or tightly while the display continues to indicate the critical settings are still properly in place.

by Benjamin Mako Hill 

A few years ago, I was surprised to find out that my friend Peter Eckersley — a very privacy-conscious person who is Technology Projects Director at the EFF — used Gmail. I asked him why he would willingly give Google copies of all his email. Peter pointed out that if all of your friends use Gmail, Google has your email anyway. Any time I email somebody who uses Gmail — and any time they email me — Google has that email.

Since our conversation, I have often wondered just how much of my email Google really has. This weekend, I wrote a small program to go through all the email I have kept in my personal inbox since April 2004 (when Gmail was started) to find out.

for Ars Technica  

The timeline around a stable channel rollout is worded kind of strangely. The company says: "We expect it will take at least a month to observe and stabilize the changes in pre-stable before expanding the rollout to stable channel Chrome, where it will also gradually roll out over time. The exact timing may vary depending on the data collected, and during this time, we will keep you informed about our progress." It's unclear what "data" Google is concerned with. It's not the end of the world if an extension crashes—it turns off and stops working until the user reboots the extension. Maybe the company is concerned about how many people Google "Firefox" once their ad-blocker stops working.

[…] 

Google's sales pitch for Manifest V3 is that, by limiting extensions, the browser can be lighter on resources, and Google can protect your privacy from extension developers. With more limited tools, you'll be more exposed to the rest of the Internet, though, and a big part of the privacy-invasive Internet is Google. The Electronic Frontier Foundation called Google's description of Manifest V3 "Deceitful and Threatening" and said that it's "doubtful Mv3 will do much for security."