Tech Friday with Dave Hatter - September 11th 2020 - SPONSORED BY INTRUST IT


  • Another huge Patch Tuesday from Microsoft for August:
    • For the August 2020 Patch Tuesday Microsoft released patches for 129 security bugs, another one of the largest ever
    • This includes 23 critical flaws, 105 important and one moderate
    • Microsoft said that none of these bugs are currently being exploited in the wild
    • The most dangerous flaw allows an attacker to take over a Microsoft Exchange server (Exchange Server 2016 and 2019) just by sending a specially crafted email
    • Automox product manager Justin Knapp said "the broad use of Microsoft Exchange across business users and a high CVSS score of 9.1 indicates that this patch should be prioritized high on the list"
    • The patches are for a wide range of products, including Windows, Edge, Internet Explorer, Visual Studio, SQL Server, ASP.NET, Office, Exchange Server, and OneDrive
    • "That brings us to seven straight months of 110+ CVEs" said Dustin Childs, researcher at Trend Micro’s Zero-Day Initiative (ZDI)
    • "It also brings the yearly total close to 1,000. It certainly seems like this volume is the new normal for Microsoft patches" - Childs
    • Install the patches as soon as you can
    • View the full list here: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Aug
  • Facebook and other sites use "Dark Patterns" to manipulate you:
    • Facebook has weathered many privacy and security scandals and paid a $5 billion fine last year for making "deceptive claims about consumers’ ability to control the privacy of their personal data"
    • The Electronic Frontier Foundation (EFF), a premier organization fighting for privacy, coined the term "Privacy Zuckering" for situations where "you are tricked into publicly sharing more information about yourself than you really intended to"
    • Despite lots of bad press and large fines, Privacy Zuckering and other shady tactics continue online
    • This is especially true on social media where they make massive amounts of money collecting, analyzing and selling your data
    • If you're not paying with money, you're paying with data. You're NOT the customer, you're the product
    • And despite making noises about caring about your privacy, controlling your privacy settings on these sites can be more confusing than ever
    • For instance, a Twitter pop-up tells users "You’re in control", then asks them to enable personalized ads that will "improve which ones you see", or they can "keep less relevant ads"
    • Facebook did something similar in 2010 when it allowed users to opt out of partner sites that collect information, but warned those who did with "Are you sure? Allowing instant personalization will give you a richer experience as you browse the web"
    • Facebook also warned about opting out of facial recognition with "If you keep face recognition turned off, we won’t be able to use this technology if a stranger uses your photo to impersonate you."
    • The term "dark patterns" was coined to describe this attempt to manipulate your choices in favor of the organization collecting the data
    • Dark patterns are everywhere online. Purdue researcher Colin Gray said they are especially bad "when you’re deciding what privacy rights to give away, what data you’re willing to part with"
    • Gray and his team identified five types of dark patterns: obstruction, nagging, sneaking, forced action, and interface interference
    • Sadly, all five often appear in privacy options that attempt to nudge you into choices that help the platform, rather than protect your privacy
    • While sites like Facebook and Twitter purport to give users more granular control of their privacy, they use dark patterns, and in some instances the defaults are set with less privacy in mind
    • Dark patterns are typically most prevalent when users try to leave a platform
    • Gray said their research shows most people don’t see the manipulation. He said that one study showed that "when people were primed ahead of time with language to show what manipulation looked like, twice as many users could identify these dark patterns", so awareness is key
    • US Senators Deb Fischer and Mark Warner introduced The Deceptive Experiences to Online Users Reduction Act (DETOUR) which would make it illegal for sites to implement dark patterns around the collection of personal data
    • Senator Fischer said "Misleading prompts to just click the OK button can often transfer your contacts, messages, browsing activity, photos, or location information without you even realizing it"
  • Many of the dating apps are leaking user data to advertisers:
    • Norwegian Consumer Council (NCC) testing found that some well known dating apps are sending personal data to advertising companies
    • This may be in violation of privacy laws such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act
    • Tinder, Grindr and OKCupid were among the dating apps collecting and sharing data such as the gender, age, IP address, GPS location and information about the device in use
    • This information is being sold to advertising and behavior analytics platforms owned by Google, Facebook, Twitter and Amazon among others
    • In some cases, these apps sent information including sexual orientation and dating interests
    • OKCupid was found to share information about drug use and political orientation
    • 10 apps were tested in late 2019
    • The report found 135 different 3rd party companies got information from these apps
    • Nearly all of the 135 are advertising or analytics companies, including Twitter-owned MoPub, Google-owned DoubleClick, and Facebook
    • Sadly, this is not new. Grindr experienced a data breach in early 2018 that included GPS data (even if the user had opted out of providing it) and the user's reported HIV status
    • A Guardian reporter who is a frequent user of Tinder got their personal data file in 2017 and found it was 800 pages!
    • Civil rights groups including the ACLU and the Electronic Privacy Information Center (EPIC) have sent a letter to the FTC and Congress asking for a formal investigation into these practices