The Secret Service is scrambling to prove that its agents are, too, competent and know better than to poke USB sticks in things.
As you probably know, a Chinese woman was caught at President Donald Trump’s Mar-a-Lago resort with four cellphones, nine thumb drives, a laptop and an external hard drive, as well as multiple passports and so on. In the initial reportage of this, there was a throwaway line about the Secret Service discovering that the USB stick had malware – not just malware, but “malicious malware,” because that’s worse — by putting it in one of their computers and then yanking it out again.
Because that always works.
“Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing,” wrote the Miami Herald. “He stated that when another agent put Zhang’s thumb drive into his computer, it immediately began to install files, a ‘very out-of-the-ordinary’ event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich testified.”
Predictably, the Internet had kittens about how insecure that was and didn’t the Secret Service know better than to poke strange USB sticks in things?
At this point, the Secret Service started protesting. No, no, no, the Secret Service guy didn’t put the USB stick in his own laptop! He knows better than that! He meant to do that! It was a separate laptop with nothing in it and not hooked up to the Internet!
“A law enforcement source tells me that investigation was conducted according to protocol: A Secret Service agent loaded the drive onto a stand-alone computer that was segregated from government networks and watched as it did what malware is supposed to do — infect files and try to steal information,” writes Joseph Marks in the Washington Post.
Okay, says the security community. If that’s the case, and he did it on purpose, then why did he yank it out again, as if in a panic? Why didn’t he leave it in to finish seeing what the malware would do?
“In a lab, you want that malicious behavior to happen to its full level of badness so you can study how it operates,” Jake Williams, founder of the cybersecurity company Rendition Infosec, told Marks. “If he yanked the USB drive out to prevent further contamination, that’s highly indicative this wasn’t in a lab.”
There hasn’t been an answer to that one. “The Secret Service declined to comment about the disconnect between the agent’s actions and what cybersecurity experts described as standard procedure when investigating malware, citing the ongoing investigation,” Marks writes.
Incidentally, the head of the Secret Service, Randolph Alles, has lost his job, but we’re told that that was happening anyway and wasn’t related to this. “Alles was asked to plan his departure prior to Zhang’s arrest, two people familiar with the matter said,” writes Fortune. Oh, good. That’s reassuring.
It should really go without saying at this point: Don’t poke strange USB sticks in things.
Could it be? Is World Backup Day actually dead?
I had speculated on this last year, noting that the site’s Facebook and Twitter pages hadn’t been updated in a year, and the text on the site’s web page had no specific dates on it. This year, not only are the Facebook and Twitter pages still not updated, but I got a timeout connection on the page.
Though, at least, it wasn’t a 404, “this site is for sale,” or a porn site using the same address. Thank goodness for small favors.
But on today of all days!
As you may recall, World Backup Day started in 2011 as a way to encourage people to back up their data, with the thought that they would be protected from any sort of problem based on April Fool’s Day. Each year, it was a fairly reliable source of tips and tricks, sales on storage equipment, and somewhat dubious statistics. Not to mention World Backup Day t-shirts. And to think that we’ll never again hear the Backing Up song. Sigh.
It’s not terribly surprising. In 2012, 4500 people pledged to do backups. By 2013, it was down to 1800 people, though it did spring up to more than 2800 in 2015. But not long after that, it seemed that World Backup Day wasn’t even saying anymore how many people had taken the World Backup Day pledge.
The operative part is, use *something*. Dubious as the statistics may be, in this day and age of big data, losing data tends to be bad, and expensive, and keeping data tends to be good. And while of course their goal is to encourage you to use *their* products, the basic recommendations they offer are valid for any backup solution.
Backing up data regularly, and making sure that your backups work and can actually be used for recovery, is also important. Backing up your data once a year on World Backup Day probably doesn’t help much. To be particularly safe, have an offsite backup as well.
If you haven’t developed a backup strategy by now, this is a good time to do it, because a number of vendors in the market are having sales, whether it’s on backup services, hard disk drives, or SD cards.
And you can always remember the World Backup Day pledge: “I solemnly swear to backup my important documents and precious memories on March 31st. I will also tell my friends and family about World Backup Day – friends don’t let friends go without a backup.”
Maybe that explains what happened to the site: It got hacked and they didn’t do backups.
In what is sure to be the most exciting incident involving international accounting you’ll hear about all year, HP is suing Autonomy founder and CEO Mike Lynch for what it says is the way he deceived the U.S. company about the U.K. company’s profitability before its 2011 purchase.
As you may recall, in the Autonomy-HP merger – officially the sixth-worst merger and acquisition of all time – HP chairman and CEO Leo Apotheker (who was fired later that year) paid $11.1 billion to acquire Autonomy, a European e-discovery company. By the following year, HP claimed that Autonomy had cooked its books to overvalue itself, wrote down the purchase as a $9 billion loss, and sold off the company’s remaining assets in 2016.
The companies have seemingly been in court ever since. They started with a shareholder lawsuit, which HP settled in 2015 for $100 million. Former Autonomy CFO, Sushovan Hussain, was found guilty in May on 16 counts of wire and securities fraud. HP also had a $5 billion civil suit scheduled to go to trial in London in 2019, a countersuit by former Autonomy CFO for $160 million, and an appeal by Hussain. Most recently, in November, actual criminal fraud charges were filed against Lynch, and were added to last week.
It’s the $5 billion civil suit that’s going on now. Basically, the arguments are the same as they ever were: HP says Autonomy pumped up its value, and Autonomy says that HP doesn’t understand British accounting and is trying to overcome its own incompetence at not successfully integrating the company.
But oh, the details.
“Robert Miles QC, representing Lynch, told the court that the US firm HP had taken an ‘aggressive approach designed to protect Meg Whitman [who took over as CEO after Apotheker] and others in HP.’ The case is an attempt to find someone to blame for HP’s business struggles,” writes Jasper Jolly in the Guardian.
That included contact with then prime minister, David Cameron, and letters to multiple coalition government cabinet members of the time, including chancellor George Osborne, business secretary Vince Cable and defense minister Philip Hammond, Jolly writes.
For its part, HP’s attorney Laurence Rabinowitz said that “Autonomy had engaged in ‘revenue-pumping’ by encouraging customers to buy its products in exchange for buying goods from them that it did not need, restructuring deals to produce upfront license fees, and covertly selling pure hardware not even programmed with its software at a loss,” write Georgina Prodhan and Paul Sandle for Reuters.
Lynch’s lawyer countered that Lynch wouldn’t have done that because he had an executive position within HP. “The case that we’re now hearing being advanced entails that Dr Lynch must have been monumentally dim and, as you’ll see, there’s no chance that he is,” Prodhan and Sandle quote Miles as saying.
Professional soccer is even involved, because Autonomy sponsored the Tottenham Spurs and allegedly involved it in fraud. “Autonomy who sold software to Spurs for internal usage allegedly included a clause allowing the club to assign or share licence rights in the purchase order even though the firm knew that Spurs were not going to become a software licensor,” writes a website that follows the team. “The claimants further allege that Autonomy backdated a £3.9m-plus-VAT fee for providing Tottenham with software licences to June 2010, and that Spurs had ‘had no comprehension as to what they had purchased,’ with an agenda for a meeting in July 2010 between Autonomy and the club including ‘a look at/understanding of what we have purchased.’”
Other customers allegedly used in that way included the UK Ministry of Defense and the UK Serious Fraud Office – presumably the reason for the letters to UK government officials — Bank of America, and the BBC, according to the Irish Times.
And his emails. “On the first day of a civil trial in London, HP cited an email from Lynch to his senior management team about a contract with the U.S. Department of Veteran Affairs. He said: ‘If there is any problem I WANT TO KNOW ABOUT IT IN A F—ING MILLISECOND from all of you,’” writes Jonathan Browning in Bloomberg.
“Rabinowitz also referred to another email sent by Lynch to a sales representative in August 2010, which read: ‘You ever send me an email like this again AFTER the event and you are f****** toast, I swear if I could squeeze down a telephone line to California you would get to know directly how the f*** I feel about this,’” writes Stefan Boscia for the Daily Mail.
“In another email, when Hussain was attempting to take leave, Lynch wrote to his finance chief: ‘Thank you for your threat to take five weeks off between now and the [year end]. Please do that and you will see the consequences … Sushovan I am sick of dealing with this shit from people … do what the fuck you like,’” writes Simon Goodley in the Guardian, which is brave enough to spell out the f-word.
Expect a lot more of this. The case is expected to last until the end of the year, and Lynch himself isn’t expected to testify until July, Prodhan and Sandle write. Not only that, but court hearings may last until 8 pm to accommodate the testimony of people in the U.S., such as former Autonomy CFO Sushovan Hussain, who was convicted of fraud associated with the case.
Every few years, someone hits the papers – or, in this day and age, the Internet – by going out to eBay or Craigslist, buying a bunch of old computers, and checking out what data is still available on them.
This year, it was Josh Frantz, a senior security consultant for security firm Rapid7, who writes a blog post for them every couple of months.
Instead of hitting up eBay and Craigslist, Frantz did it by simply going around to all the refurbished computer dealers in his Wisconsin town – 31 of them, he reports – and buying up whatever equipment they had that included storage. That consisted of 41 computers, 27 removable storage media, 11 hard disks, and 6 cell phones, for a total of $600.
Then Frantz developed or obtained software that systematically went through each one – helpfully providing the links so other people wishing to duplicate his feat could do the same.
“Whenever I brought a computer back, I booted it up to see whether it was bootable and whether it required a password to log in,” Frantz writes. “I wrote a script in PowerShell that would run through and index all the images, documents, saved emails, and conversation histories through instant messengers. It would then zip it up nice and organized on the desktop, and I would pull it off with a USB drive (I know, you were expecting something much fancier).”
(Frantz is a funny guy. According to his LinkedIn profile, he just recently was promoted to senior security consultant, from security consultant. “I do the same thing as before, but this title makes me feel older,” his profile notes.)
Finally, Frantz wrote up the results. Altogether, the process took him six months.
Frantz’ operative point was to demonstrate that such companies, despite their promises, don’t always wipe storage the way that some of them claim. In fact, of the 85 devices, only two of them were properly wiped, and only three were encrypted, he writes. He did end up having to spring for $50 in chargers from eBay to charge the old cell phones, he notes.
(Interestingly, his blog post was apparently originally called “Exfiltrating Remaining Private Information from Donated Devices,” but as published, it was called “Buy One Device, Get Data Free: Private Information Remains on Donated Tech.”)
For the flash drives and other memory cards, Frantz plugged them in. It would have been ironic if one of them had been infested with malware, which could turn this into another treatise on “Don’t Poke USB Sticks in Things,” but if that happened, he didn’t say so.
Having downloaded the data, Frantz then wrote other programs to look for useful kinds of data. “I used pyocr to try to identify Social Security numbers, dates of birth, credit card numbers, and phone numbers on images and PDFs,” he writes. “I then used PowerShell to go through all documents, emails, and text files for the same information. You can find the regular expressions I used to identify the personal information here. Despite the fact that OCR is not 100% accurate and there could have been data I couldn’t extract from images by themselves or within PDFs, I can verify that the regular expressions used for Social Security numbers, credit cards, dates of birth, and driver’s license numbers were fairly comprehensive.”
Altogether, Frantz found more than 200,000 images, 3,000 documents, and almost 150,000 email messages on the storage devices. That included 611 email addresses, 50 dates of birth, 41 Social Security numbers, 19 credit card numbers, 6 driver’s license numbers, and 2 passport numbers, he writes.
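The kind of pattern scan described above can also be run by an owner over a device's files before it is donated or resold. The following is an added example, not Frantz's script or his regular expressions (which the post links to but does not reproduce); the patterns, function names and sample text are assumptions constructed for illustration, and it adds Luhn and SSN-range checks to cut false positives.

```python
import os
import re

# Illustrative patterns (assumptions, not the regular expressions from the post).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# A bare date is too noisy, so require a birth-related keyword just before it.
DOB_RE = re.compile(
    r"(?i)\b(?:dob|date of birth|born)\b\D{0,15}?(\d{1,2})/(\d{1,2})/((?:19|20)\d{2})\b"
)

# Constructed sample text; none of these values belong to a real person.
SAMPLE = """\
From: pat.example@example.com
Patient DOB: 04/17/1982, SSN 123-45-6789 (old record listed 000-12-3456).
Card on file 4111 1111 1111 1111; order ref 1234 5678 9012 3456.
Invoice dated 03/01/2019, call 555-0100.
"""


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so the report itself does not leak the data."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_text(text):
    """Return a list of (kind, masked_value) findings for one block of text."""
    findings = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        # Ranges never issued as SSNs: area 000, 666, 9xx; group 00; serial 0000.
        if area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000":
            continue
        findings.append(("ssn", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drops order numbers and other long digit runs
            findings.append(("card", mask(digits)))
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", mask(m.group())))
    for m in DOB_RE.finditer(text):
        month, day = int(m.group(1)), int(m.group(2))
        if 1 <= month <= 12 and 1 <= day <= 31:
            findings.append(("dob", mask(m.group(3))))
    return findings


def count_kinds(text):
    """Summarise findings as {kind: count}."""
    counts = {}
    for kind, _ in scan_text(text):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def scan_tree(root, max_bytes=5_000_000):
    """Walk a directory, scan every readable file as text, and total the findings."""
    totals = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue    # skip large binaries; images and PDFs would need OCR
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    for kind, n in count_kinds(fh.read()).items():
                        totals[kind] = totals.get(kind, 0) + n
            except OSError:
                continue        # unreadable file: move on
    return totals


if __name__ == "__main__":
    for kind, value in scan_text(SAMPLE):
        print(kind, value)
```

A non-empty result from `scan_tree` on a drive that was supposedly wiped means the wipe did not work.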
Frantz didn’t report on whether he found any bitcoin or other cryptocurrency on the storage devices, so the guy who accidentally threw out $7.5 million on bitcoin on his hard drive is apparently still safe.
This isn’t just a U.S. problem. Last year, researchers in the U.K. performed similar tests, writes Anna Tobin in Forbes. “Two-thirds of second-hand memory cards left in mobile phones and tablets sold on the second-hand market in the UK still retained personal data from their former owners,” she writes. “Over a four-month period, the research team purchased one hundred used SD and micro SD memory cards from eBay, traditional auctions, second-hand shops and other sources. Most of the cards were found in resold smartphones and tablets and some came from second-hand cameras, SatNav devices and drones.”
Using freely available software, researchers were able to recover scans of passports, intimate photos, pornography, contacts lists and identification numbers, Tobin writes.
“Of the 100 cards assessed it was found that 36 percent had not been wiped at all,” Tobin writes. “29 percent had been formatted in an attempt to erase, but the data could still be recovered with the right know-how; 2 percent had had their data deleted, but it was found to be recoverable; 25 percent had been properly wiped using a data erasing tool that overwrote the entire storage area so that nothing could be recovered; 4 percent could not be accessed as they were damaged; and, 4 percent had no data present, but the reason for this could not be ascertained.”
The good news, sort of, is that the expense and work that Frantz went through wouldn’t be worth it for most criminal hackers. “Researching further, I realized just how cheap it is to buy people’s information on the Darknet,” he writes. “Social Security numbers only fetch around $1 apiece, while full documents (dox) fetch around $3 each. Data leakage/extraction is so common that it has driven down the cost of the data itself. I saw several dumps of Social Security numbers on the Darknet for even less than $1 each. No matter how we calculate the value of the data gathered, we would never recoup our initial investment of around $600.”
Frantz went on to list a number of ways to fairly reliably destroy hard disk drives, ranging from hammers to thermite. And lest you think he was kidding about the thermite, he included a video of it as well.
No doubt you’ve heard the advice to keep at least one of your backups off-site. One company is taking that advice really seriously: It’s planning to store one on the moon.
The Israeli spacecraft Beresheet took off recently, and its cargo includes a 30-million page archive of human knowledge, etched onto a nickel disc the size of a DVD, writes Corey Powell for NBC News. The lunar lander – its name is Hebrew for “in a beginning” or “genesis” – is also the first-ever non-government-owned moon lander. If it is successful, Israel will become just the fourth country to land something on the moon.
“The Lunar Library, as the archive is known, constitutes a ‘civilization backup’ to help ensure that our distant descendants never lose humanity’s collective wisdom,” Powell writes. The project was spawned by the Arch Mission Foundation, a Los Angeles-based nonprofit. “The foundation is building a space-based archive designed to survive for 6 billion years or more — a million times longer than the oldest written records in existence today.”
Previous efforts included the Isaac Asimov Foundation trilogy in the glove compartment of an Elon Musk Tesla in solar orbit, and a digital copy of the English Wikipedia in earth orbit, both last year. And, not to put too fine a point on it, Arch is pronounced “Ark.” Get it?
So what sort of knowledge did the foundation think was worth preserving? “Included in the Lunar Library’s more than 200 gigabytes of data are the entire English-language version of Wikipedia; tens of thousands of fiction and nonfiction books; a collection of textbooks; and a guide to 5,000 languages along with 1.5 billion sample translations between them,” Powell writes.
Oddly, they didn’t specify which books, other than the ones included in Project Gutenberg and the Internet Archive at the time. “The matter of who exactly gets to be humanity’s representative to the stars has become a hot matter of debate in recent years, as advanced communication technologies have made it possible to beam all sorts of information including electronic dance music and Doritos commercials, into space,” writes Peter Hess in Inverse, adding that “while the Library is ostensibly a comprehensive accounting of human history and knowledge, it admittedly comes from a particular perspective,” noting that it includes the culture and history of Israel, songs, and drawings by children. “SpaceIL also included a photo of Ilan Ramon, an Israeli fighter pilot and the first and only Israeli astronaut, who died in the 2003 Space Shuttle Columbia disaster,” added Sebastian Kettley in the Express.
History used to be written by the victors. Now it’s written by the people who send up spacecraft.
That said, how does the technology work? It was created by a company called Nanoarchival. “All of that information is etched onto 25 stacked nickel disks, each just 40 microns (about 1/600th of an inch) thick,” Powell writes. The top part of the Lunar Library’s disc, which can be read with a 100-power microscope, is engraved with tiny images of books and other documents explaining human linguistics, along with instructions about how to build a player to read the library beneath, he explains. The remaining documents require a 1000-power microscope.
Admittedly, this has some limitations, noted Arch Mission Foundation co-founder Nova Spivack in an interview in Scientific American. “It must be a lifeform that’s at least as intelligent as we are and that has eyes and can see in the visible spectrum,” he said. “If it’s a microbial civilization that’s so small that these things look like planets to them, that’s obviously not going to work.”
A library on the moon is just the start, Powell writes. “The goal is to flood the solar system with other versions of the Lunar Library: in caves and mountains on Earth, on other locations on the moon, on Mars and in deep space,” he writes. Just in case we lose the backup on the moon, or it doesn’t make it there safely; there were some early glitches. It’s scheduled to land April 11.
It wasn’t that long ago that I first heard about being able to get a terabyte on a laptop – which, of course, made me immediately want one – and it was even less time ago that I actually got one: 2013, to be exact. Not long after, in 2014, SanDisk announced an SD card that could hold half a terabyte.
You can probably see where this is going.
Yes, it’s true. Now, suddenly everyone is announcing one-terabyte SD cards.
At the risk of dating myself, I remember when getting a 10 MB hard disk drive cost as much and was the same size as the PC itself.
Shipping dates vary, with Lexar’s orderable – though not shippable until March 9 – for $399. Lexar was also the first to announce, in January.
Other companies that have announced them include SanDisk – now owned by Western Digital – and Micron – now run by the founder of SanDisk, who helped arrange SanDisk’s merger with Western Digital. SanDisk’s will be released in April for $449.99, and Micron’s will be “priced competitively” and released during the second quarter.
Incidentally, someone has already gone to the trouble of calculating the bandwidth of a pigeon carrying these SD cards. As you may recall, there is a time-honored tradition of using carrier pigeons to carry data from one place to another, dating all the way back to teeny-weeny microfilm cameras during World War II. And whenever a major new storage medium comes out, people like to figure out what the new bandwidth number would be, whether the device is being carried in a station wagon or by a pigeon.
What it boils down to is that in the time it takes for a terabyte to be transferred over a 1GB Internet connection, a pigeon could fly almost 36,000 kilometers – further if you had a racing pigeon. “Because the distance is more than half of Earth’s circumference, sending 150 TB of bulk data between any two points is now faster than a gigabit connection,” writes the person who did the calculation. “If you use the competitive 160 Km/h speed, you can go around the globe once before the gigabit completes.”
This is, of course, making certain assumptions, such as:
- Ignoring the time it takes to write/read SD cards
- Instantaneous pigeon swap
- Each pigeon operates at peak performance from start to end
- No packet drop (actually literally in this case)
- The 1GBit/s connection we compare this against is perfect (no delay, no packet drop, full speed)
As the poster himself admits, “I’ve got way too much time and not enough pigeons.”
Before you get too excited and start popping 1TB SD cards into every SD slot you have, make sure the device you’re using knows how to handle them. A few years ago, I got a new state-of-the-art gigundo SD card – probably 64 GB or so by then – and while my camera pretended to play nicely with it, it lost all the pictures I took on it. A terabyte of pictures would be an awful lot to lose.
For the states that don’t have year-round legislatures, this is typically the time of year when their legislatures are in session. And that makes it silly season, when legislators propose laws that sound good to them without thinking through all the ramifications.
Interestingly, a number of them this year have to do with storage.
In Texas, the Legislature is trying to figure out whether the state’s data should be stored on-site in its own data centers, or in the cloud. Running the data centers used to cost $278 million every two years; now, it costs $489 million, according to Edgar Walters of the Texas Tribune.
Now, like many big companies facing the same situation, the state is considering moving to the cloud, Walters writes. “Proponents say hiring such a firm to be the official keeper of much of the state’s data could save millions of dollars and modernize vulnerable government tech infrastructure,” he writes. “But detractors say the current setup is working fine and that any kind of structural change would be laborious, expensive and potentially risky.”
On the other hand, so is sticking with the current system, Walters writes. The data center contract could eventually increase to $1.5 billion. Plus some of the systems are out of date. “The state keeps roughly 70 servers running on a Windows 2003 operating system that is no longer supported by Microsoft,” he writes. “Because those servers host ‘mission critical’ information, they must be housed at the state’s data center but kept isolated from other servers — and Microsoft charges a ‘bounty’ to provide basic support.”
Part of the issue is that some legislators want to ensure that the data stays in Texas, while others are concerned that the company that currently runs the data centers is French. In addition, “the state has sunk massive amounts of money to build and maintain its facilities in Austin and San Angelo,” he writes. (See sunk-cost fallacy.)
Politicians are not always experts, and sometimes when they are, it can be worse. In North Carolina, a legislator who’s a retired police chief wants to expand the use of license plate readers throughout the state.
The purpose of the bill, which would allow electronic license tag readers to be placed along and operated from the right of way of state-maintained roadways, is to give law enforcement a network of license plate readers across the state in situations such as the search for missing children or kidnapping victims, writes Paul Johnson in the High Point Enterprise. “The license plate readers wouldn’t be used for traffic enforcement purposes, such as monitoring for speeding,” he writes.
Because in that case, people would totally be okay with law enforcement having a record of everywhere they drove along state highways, right?
Needless to say, the N.C. chapter of the American Civil Liberties Union has raised concerns about the bill – a previous version of which had already passed the House but not the Senate, Johnson writes.
In Nevada, where drivers aren’t supposed to use their cellphones while driving, a proposed bill would let police ask for the cellphone after a crash if they believed the driver was using the cellphone when the accident happened. And if the driver says no? They lose their license for 90 days, writes Jared Gilmour in the News Tribune.
“The legislation would only allow officers to scan phones for data indicating ‘evidence of use’ and would bar police officers from ‘intentionally accessing or viewing any other content,’” Gilmour writes.
Because, again, in that case everyone would totally be fine with that.
That bill is being considered on Friday, March 1.
Finally, in Arizona, a bill was submitted that would have required anyone who needs to be fingerprinted for a job to submit a sample of their DNA – and, to add insult to injury, pay a $250 processing fee. The bill would have included people such as teachers, police officers, and child day care workers, as well as parent school volunteers, real estate agents, and foster parents, writes Bree Burkitt for the Arizona Republic.
“The Department of Public Safety would maintain the collected DNA alongside the person’s name, Social Security number, date of birth and last known address,” Burkitt writes. “Any DNA in the database could be accessed and used by law enforcement in a criminal investigation. It could also be shared with other government agencies across the country for licensing, death registration, to identify a missing person or to determine someone’s real name. It could also be provided to someone conducting ‘legitimate research.’”
Fortunately, the bill has since been amended to cover only people who work with the disabled. As you may recall, Arizona is the state where a woman in a coma recently gave birth to a baby, which turned out to have been fathered by an attendant.
Hopefully, state legislative sessions should be over soon.
Note to self: When you’re doing your backups, make sure you keep them somewhere other than your production network.
That’s a lesson learned the hard way by VFEmail.net, a worldwide email service provider, which recently lost not only its subscribers’ email messages, but also all its backups, because they were all on the same network.
“We have suffered catastrophic destruction at the hands of a hacker, last seen as firstname.lastname@example.org,” noted the VFEmail.net website. “This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.”
The exact details are sketchy, because the people running VFEmail.net are, naturally, kind of busy trying to put it back together. Thus far they’ve found a single offline backup dating from August 2016, so, hurray, VFEmail.net users are now only missing their last two-and-a-half years of email messages.
But apparently someone hacked into the system and zapped not only the primary mail servers, but the backups as well. Speculation, and there’s plenty, is that it was either an inside job or someone – perhaps even a foreign government – thinking there was something incriminating on the server and deleting everything on it, just in case.
And the deletions were reportedly very thorough, in a way that couldn’t be recovered. “At this time, the attacker has formatted all the disks on every server. Every VM is lost. Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed,” noted the VFEmail.net Twitter handle. “This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.”
Ironically, VFEmail.net was originally set up in response to an email virus. “VFEmail started in 2001 by Rick Romero in direct response to the ‘ILOVEYOU’ virus,” notes the company’s website. “At the time, anti-virus was not integrated into email systems. After writing a set of batch files to integrate Norton AntiVirus Corporate Edition A/V scanning into Mercury/32 on Windows, Rick turned his attention to helping regular users and local small businesses avoid email-based viruses. VFEmail started with a single FreeBSD server, and thanks to Rick’s broad and extensive IT experience, frugal purchasing, and long-term planning, VFEmail has grown into the site you see today. While other services have shut down, or been exposed as not delivering on their promises, VFEmail keeps chugging along.”
The small number of servers may have been part of the problem. The company offered free as well as paid email accounts, and consequently wanted to save money. “We strive to build an economical and redundant system, to provide our users with as much uptime as possible,” the website continues. “As mentioned, VFEmail started with a single machine, but over time we’ve built out, adding systems for load balancing/failover and separating services. Most recently we’ve made use of Virtual Machines in order to keep hardware acquisitions at a minimum, in those cases where it would not impact performance. By separating vital functions, upgrades, updates, and system problems can quickly and easily be isolated from the rest of the system and provide you with uninterrupted accessibility.”
Yeah, well, not so much.
It all just goes to show that simply making a single backup is not enough. The rule of thumb some people use is 3-2-1: three copies of the data, two of them onsite but one of them offline, and one of them offsite. (Not to mention, checking the backups periodically to make sure you can actually recover from them.) While that requires a lot of hard disk drives and coordination, it at least protects against the majority of problems.
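The 3-2-1 rule as stated above, plus the two lessons from this incident (backups reachable from the production network, and backups nobody has tried restoring), can be checked mechanically against an inventory of copies. This is an added example, not anything VFEmail or a backup vendor publishes; the `Copy` fields, the finding codes, the 90-day threshold and both sample inventories are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Copy:
    name: str
    site: str                      # "onsite" or "offsite"
    online: bool                   # reachable over a network without manual steps
    network: Optional[str]         # network segment name; None for unplugged media
    is_primary: bool = False       # the production copy itself counts as copy #1
    last_restore_test: Optional[date] = None


def check_321(copies: List[Copy], today: date, max_test_age_days: int = 90) -> List[str]:
    """Return a list of finding codes; an empty list means the inventory passes."""
    problems = []
    backups = [c for c in copies if not c.is_primary]
    onsite = [c for c in copies if c.site == "onsite"]
    offsite = [c for c in copies if c.site == "offsite"]

    if len(copies) < 3:
        problems.append("FEWER_THAN_3_COPIES")
    if len(onsite) < 2:
        problems.append("FEWER_THAN_2_ONSITE")
    if not any(not c.online for c in onsite):
        problems.append("NO_OFFLINE_ONSITE")
    if not offsite:
        problems.append("NO_OFFSITE")

    # If every backup is online on a network that also carries production,
    # whoever takes over production can reach and destroy all of them.
    prod_nets = {c.network for c in copies if c.is_primary and c.network}
    exposed = [c for c in backups if c.online and c.network in prod_nets]
    if backups and len(exposed) == len(backups):
        problems.append("BACKUPS_SHARE_PROD_NETWORK")

    # A backup that has never been restored from is only a hope.
    for c in backups:
        stale = (
            c.last_restore_test is None
            or (today - c.last_restore_test).days > max_test_age_days
        )
        if stale:
            problems.append("RESTORE_UNTESTED:" + c.name)
    return problems


TODAY = date(2019, 2, 15)          # constructed evaluation date

# Constructed inventory: three copies, but all online on one flat network.
FLAT = [
    Copy("mail-primary", "onsite", True, "prod", is_primary=True),
    Copy("backup-vm", "onsite", True, "prod"),
    Copy("backup-dr", "offsite", True, "prod", last_restore_test=date(2016, 8, 1)),
]

# Constructed inventory that satisfies the rule as described above.
SEGREGATED = [
    Copy("mail-primary", "onsite", True, "prod", is_primary=True),
    Copy("usb-rotation", "onsite", False, None, last_restore_test=date(2019, 1, 20)),
    Copy("offsite-vault", "offsite", True, "backup-net", last_restore_test=date(2019, 2, 1)),
]

if __name__ == "__main__":
    for label, inventory in (("flat", FLAT), ("segregated", SEGREGATED)):
        print(label, check_321(inventory, TODAY) or "OK")
```

Note that the flat inventory has the right number of copies and an offsite one; it fails only on the checks that counting copies does not capture.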
We’ve written before about the challenges in storing bitcoin, and how if you’re not careful, you can lose access to $7.5 million by accidentally throwing the hard drive containing the cryptographic key away. We’ve also written about how people can lose access to data when someone dies without revealing passwords.
Now we’ve got a story of both. Or do we?
It all started on December 9, when Gerald Cotten, CEO of crypto exchange QuadrigaCX, died. The result is that his widow Jennifer Robertson said the company owes its customers some $190 million, and the company has filed for creditor protection because it says it doesn’t have access to the majority of its bitcoin. His death was announced January 14.
Cotten was admirably conscious about security, writes Doug Alexander in Bloomberg. “The laptop, email addresses and messaging system he used to run the 5-year-old business were encrypted,” he writes. “He took sole responsibility for the handling of funds and coins and the banking and accounting side of the business and, to avoid being hacked, moved the ‘majority’ of digital coins into cold storage,” which was not connected to the Internet. He also reportedly had an encrypted USB key.
Apparently, this actually happens more often than people like to admit, writes Michael Kaplan in the New York Post. In addition to James Howells, who accidentally threw away the wrong hard drive, there’s Matthew Mellon, whose family was reportedly unable to locate the cryptographic key required to retrieve as much as $1 billion in bitcoin, he writes, going on to describe several other cases – including, potentially, the guy who invented bitcoin itself. “Losing passwords is the kind of nightmare that haunts bitcoin investors,” he writes. “In fact, there are an estimated 3 million bitcoins — totaling nearly $25 billion — lost because the retrieval codes have gone missing or the currency owners died without passing the codes onto their next of kin.”
According to the Wall Street Journal, as much as 20 percent of all bitcoin has been lost.
Now, however, there are all sorts of new wrinkles, like a new will that the CEO wrote a few days before he died, whether bitcoin had been moved out of the accounts, and suspicion about whether the company actually had that amount of bitcoin at all. It didn’t help that the company had had issues several times in 2018 with people not being able to gain access to the bitcoin they had on deposit with the company.
“To a lot of people it’s strange, because two weeks before his death he had left a will leaving what is said to be a plane, two houses, and $100,000 for the care of his two Chihuahuas,” Elvis Cavalic, an investor with the company, said in an interview with CBC Radio. “Why wasn’t there a conversation had over that if there was a conversation over the dogs?”
“On the Quadriga sub-Reddit, rumour mixes with fact,” writes Don Pittis with CBC News. “One post claims that accounts of Quadriga’s litecoin, for which passwords were supposed to be lost, are showing activity. Others insist the millions never really were there and the trading platform was being used as a Ponzi scheme, where people were being paid out from new investors’ deposits.”
Meanwhile, the legal case is still going on.
Incidentally, the guy who threw away the hard disk with access to $7.5 million in bitcoin on it – which has been worth up to $75 million – is still trying to get access to the dump where he believes his hard drive ended up, Kaplan writes. He’s offered the dump 10 percent of the bitcoin’s worth if they let him go look for it, but so far, no dice. In the meantime, he considers the dump the “ultimate safe,” he writes.
Shocked, shocked as they were to learn that user cellphone location data was being sold, major cellphone service providers have pledged to stop the practice, for reals this time. At least, by March. For sure.
The major carriers had already pledged last year to stop selling location data, except for useful services that, for instance, helped customers with roadside assistance or fraud protection, writes Tali Arbel for the AP. However, when it was demonstrated that the data was still readily available, companies pledged to stop selling it to those providers, too.
“Last year we decided to end our arrangements with data aggregators, but assessed that the negative impacts to customers for services like roadside assistance and bank fraud alerts/protection that would result required a different approach,” Sprint said in a statement quoted by The Hill, in a nice show of passive aggressiveness. “We implemented new, more stringent safeguards to help protect customer location data, but as a result of recent events, we have decided to end our arrangements with data aggregators.”
In other words, when AAA can’t find you next time you’re on the highway with a flat, don’t blame us.
Shocked legislators, most of them Democrats, also wanted to know from the Federal Communications Commission about the meaning of all this, and demanded that FCC chair Ajit Pai show up and tell them. Oh, sorry, Pai said, in a fine show of passive aggressiveness himself. Can’t come by because of the government shutdown. I can only handle issues of immediate threat of life and limb. Let me know when the government’s open again.
This really all started in May of last year when the New York Times pointed out that cellphone location data was readily available through vendors. That’s what led to the vendors’ initial pledge to stop sharing such data.
“These aggregators, barnacles of the telecom industry, depend on cellular giants, like AT&T, Verizon, Sprint, and T-Mobile, for their livelihood,” intoned Robert Hackett in Fortune. “They sell data access to other companies, which sell them to others still. Phone holders have no choice but to opt-in. People’s devices beacon out to cell towers at all times, triangulating their positions, simply by virtue of being on the grid. There is no hiding; everyone’s back bears a target.”
If this seems like much ado about nothing, do you really want the data about how often you visit the liquor store, the legal marijuana dispensary, or McDonald’s to be available to your insurance company? Also, keep in mind that in some cases, location data is a matter of security. You may recall that a year ago, people were able to discover the locations of all sorts of secret military bases due to location tracking on Fitbits.
Cellphone location data is so important that, as you may recall, they made a federal case out of it. The Supreme Court’s Carpenter ruling – also, coincidentally, last June – was all about how law enforcement needed to get a warrant before going to a cellphone provider to get location data about a suspect. The issue of whether law enforcement can ask Google for anonymized cellphone location data near crimes and then use that as a basis for a warrant is also working its way through the courts.
Wouldn’t it be a lot easier for law enforcement just to go to a data aggregator that buys such location data wholesale from the cellphone providers, and get the data that way? (To be fair, those aggregators also asked for warrants, but according to the New York Times, they didn’t check them very carefully.)
And yes, it’s true that the typical consumer doesn’t realize that this is going on – though chances are they clicked on some multipage contract at some point that allowed companies to collect this data and sell it. Keep in mind that every few years someone freaks out upon discovering their Google location data.
No doubt this decision is actually making some companies sad. Location data was supposed to be one of the neat new things marketers could use, such as ads for “Hey, you’re about to pass by a Starbucks! Here’s a 10 percent coupon!” And some people would actually like that kind of service. Urban planners, among others, were also using location data to help them in their jobs.
Why it’s taking until March to stop selling this data, the companies aren’t saying, but presumably it has to do with contracts and such.