WYSK: 09/23/22

This Week: OGT: Sea Turtles; 1. Amazon Drivers; 2. Augury Collection; 3. Fat Leonard; 4. Uber Hack.

What you should know from the week of 09/23/22:

  • One Good Thing: Sea Turtles increase in Florida;
  • Amazon Drivers: Amazon workers harmed during heat wave;
  • Augury Collection: Broker buys your browsing data from Internet Service Providers and then sells it to the DoD, and others;
  • Fat Leonard: On the trail of corruption and bribery within DoD;
  • Uber Hack: Criminal teenagers continue to highlight the lax nature of security at major companies.


One Good Thing: Sea Turtles

Sea Turtle Boom Astonished Volunteers in Florida With Best Nesting Season on Record
Volunteers counting the nests have been left ‘astonished’ and ‘ecstatic,’ at the reptiles’ fecundity this year.

From flooding in Pakistan, to drought in China and Europe, to fires and hurricanes in North America, the impacts of climate change feel grim and constant. And indeed it is an issue we need to address and prepare for.

But there is good news despite the major headlines:

Turtle counting teams have recorded the biggest nesting season on the Southwest Florida beaches of Bonita, Vanderbilt, and Naples, as well as Marco and Keewaydin Islands.

The area has more than double the amount of sea turtle nests that it did in 2005.

“We’ve never seen numbers like this,” Principal Environmental Specialist for Collier County Maura Kraus told the Marco Eagle newspaper. “And they are hatching really, really well. I had some underwater a long time and they still hatched.”

Amazon Drivers:

As California sizzles, Amazon drivers feel the heat over metrics
Amazon delivery workers say they feel pushed beyond safe limits by the retail giant’s strict metrics amid unprecedented heatwave

Amazon obsesses over worker performance metrics in an attempt to get the maximum possible value out of a given unit of worker. But often—and seemingly increasingly so—Amazon's desire for efficiency harms workers. Avi Asher-Schapiro reported in Reuters this week about how this happened during high temperatures in California:

Just two hours into his shift delivering packages for Amazon late last month, Alonzo was hit by a wave of exhaustion.
Temperatures in Temple Hill, California, were forecast to hit a record 112 degrees Fahrenheit (44 Celsius) that day, and it felt even hotter inside the non-airconditioned compartment where he had to load packages into his van.
"I'd never felt that hot before in my life," he said. "I started to bleed from my nose, and was told to take a 15-minute break," said the 25-year-old, who asked not to give his full name.
...
Another [Delivery Service Partner] DSP manager in Ventura County California, who also requested anonymity, said nearly half of the station's 30 drivers had vomited from heat-related stress in recent weeks - and that the route reductions and additional breaks offered by Amazon were insufficient.

Just to be clear, despite how Amazon tries to spin a focus on worker care, Amazon should not get any kudos for requiring breaks for workers when they start to bleed. A system where 'spontaneously bleeding from orifices' is the trigger point for requiring a whole 15-minute break is a broken system. And it isn't an accidental system; it is the result of an intentional and highly refined series of actions taken to improve profits for Amazon.

An Amazon spokesperson responded with:

"We communicate to our DSPs regularly that drivers should never make a delivery if they feel unsafe or unwell, and they're empowered to return to station if at any time they feel their health or safety is in jeopardy."

However, DSP managers have noted that, while workers might be permitted to slow their deliveries, they will still be punished for it and potentially lose their jobs:

In early September, one of the delivery drivers at his location had to stop work halfway through her shift because she had heat stroke. The following week, her performance rating was down nearly 20%, the manager said, speaking on condition of anonymity.
Workers whose scores get too low risk not being scheduled for new shifts, losing their jobs, or missing out on promotions.

A key driver of this seems to be that Amazon is managing people as units of labor rather than as human beings:

"The problem with algorithmic management is that it's really too rigid to respond to extreme situations like a heatwave," said Valerio De Stefano, a law professor at York University, who specializes in technology and labor.


Augury Collection:

Revealed: US Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data
The “Augury” platform includes highly sensitive network data that Team Cymru, a private company, is selling to the military. “It’s everything. There’s nothing else to capture except the smell of electricity,” one cybersecurity expert said.

Fascinating reporting from VICE's Joseph Cox:

Multiple branches of the U.S. military have bought access to a powerful internet monitoring tool that claims to cover over 90 percent of the world’s internet traffic, and which in some cases provides access to people’s email data, browsing history, and other information such as their sensitive internet cookies, according to contracting data and other documents reviewed by Motherboard.
The material reveals the sale and use of a previously little known monitoring capability that is powered by data purchases from the private sector. The tool, called Augury, is developed by cybersecurity firm Team Cymru and bundles a massive amount of data together and makes it available to government and corporate customers as a paid service.
... the sale of the tool still highlights how Team Cymru obtains this controversial data and then sells it as a business, something that has alarmed multiple sources in the cybersecurity industry.

“The network data includes data from over 550 collection points worldwide, to include collection points in Europe, the Middle East, North/South America, Africa and Asia, and is updated with at least 100 billion new records each day,” a description of the Augury platform in a U.S. government procurement record reviewed by Motherboard reads. It adds that Augury provides access to “petabytes” of current and historical data.
Team Cymru says on its website that its solution provides “access to a super majority of all activity on the internet.”

This is concerning, but mainly serves to highlight the importance of encrypted internet traffic (e.g. HTTPS and end-to-end encrypted messaging and email). That doesn't solve the issue, since metadata can still be collected, but it does reduce the potential harm.

Augury also contains so-called netflow data, which creates a picture of traffic flow and volume across a network...
Team Cymru obtains this netflow data from ISPs; in return, Team Cymru provides the ISPs with threat intelligence. That transfer of data is likely happening without the informed consent of the ISPs’ users. A source familiar with the netflow data previously told Motherboard that “the users almost certainly don’t [know]” their data is being provided to Team Cymru, who then sells access to it.

The FCC used to have rules in place that prevented Internet Service Providers (Comcast/XFINITY, Cox, Verizon, etc) from selling your browsing data. But in 2017 Congress repealed those consumer-protecting rules under the bizarre justification that ISPs were being unfairly harmed since companies like Google weren't held to the same standard (an obviously superior solution would have been to extend consumer protections, rather than eviscerate them).

As a result, Team Cymru's actions are extremely unlikely to run afoul of any regulations in the US, and since the Government is merely purchasing a capability from the free market, there is likely to be little legal difference between the DoD buying a wrench and the DoD buying this kind of data.

It is not clear where exactly Team Cymru obtains the PCAP and other more sensitive information, whether that's from ISPs or another method.

If Team Cymru obtains the PCAP data solely from passive listening points around the world that they set up, then this is of course disturbing but not actually deeply concerning from a civil liberties standpoint (other than that it exposes the fact that the internet remains woefully insecure). But if Team Cymru is obtaining PCAP data wholly or in part from ISPs and other businesses, then this becomes a much more distressing issue. Unfortunately we'll just have to wait and see.


Fat Leonard:

Manhunt: We Reveal Fat Leonard’s Location
We’ve got a big reveal today in Whale Hunting. Just over two weeks after Leonard Francis – aka “Fat Leonard,” a corrupt U.S. military contractor -- went on the run, and the U.S. Marshals Service put a $40,000 bounty on his head, we’ve tracked him down. We’re not

Tom Wright from Whale Hunting wrote about Fat Leonard's escape from US custody (and the New York Times reported on his subsequent recapture in Venezuela while boarding a flight to Russia).

A very quick primer for those who have so far been blissfully unaware of the exceedingly gross 'Fat Leonard':

Leonard Francis was a Malaysian defense contractor. He bribed Navy officers by giving them money, orgies/prostitutes, and other gifts. The officers in turn provided Leonard with classified information on US Navy movements. He is also alleged ('alleged' because I don't actually want to dig deeply into this story) to have recorded Navy officers engaging in orgies, and may have used that to pressure officers into providing classified information. We know that Leonard used the data to win more government contracts, but we don't know what else he did with the data, and it is quite possible he provided information to foreign governments for gain as well. Certainly morality would not have stopped him from doing so.

This went on for years before breaking as a big scandal, complete with high-level coverups. He was and is an extremely gross and untrustworthy human being.

Leonard was arrested and started cooperating with the government. Unfortunately, the story doesn't end there.

On the order of Judge Janis Sammartino, who was set to sentence Leonard in federal court in San Diego on Thursday, he was allowed out of jail to home detention in late 2017 due to his health (Leonard has been suffering from renal cancer).
Under those arrangements, Leonard was responsible for paying his own private security to ensure he didn't flee (I know!). But for several days leading up to his escape, neighbors saw U-Haul removal vans at the residence. (Where was the security?)
...
Pretrial Services were alerted that Leonard had tampered with his bracelet. They contacted his attorneys, who made a house visit, but couldn't get in. The lawyers called the police, who finally entered the residence via an unsecured courtyard door around 2 p.m. – or a full seven hours after Leonard had escaped.

The tale of Fat Leonard exposes a few notable things:

  • The nature and scale of corruption and bribery in the DoD,
  • Coverups within DoD and government,
  • Failures within our Justice system.

To be clear, the Department of Defense and the Department of Justice are necessary agencies of the US Government, and filled with many dedicated and honorable people who are not merely patriots seeking to defend the interests of the US, but upstanding people who want to improve the world.

However, not everyone in those departments fits that mold, and hiding or ignoring the evil that also exists within the Departments is not only a disservice to the important work of the Departments and their good employees, but dishonoring to the high ideals of justice, rule of law, and transparency that are foundational to this country. Too often we fall short of those ideals, and it is critical to swiftly and transparently correct our failures when we do.


Uber Hack:

https://www.theverge.com/2022/9/16/23356213/uber-hack-teen-slack-google-cloud-credentials-powershell

Jon Porter from The Verge reported on the recent hack of Uber.

Uber says it’s investigating a “cybersecurity incident” amidst reports that the company’s internal systems have been breached. The alleged hacker, who claims to be an 18-year old, says they have administrator access to company tools including Amazon Web Services and Google Cloud Platform. The New York Times reports that the ride-hailing business has taken multiple internal systems, including Slack, offline while it investigates the breach.
...
“This is a total compromise, from what it looks like,” Curry told the NYT. “It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life.”

This isn't the first breach that has hit Uber. You may recall that Uber was breached back in 2016, and handled it by quietly paying the hacker to keep the breach secret.

It appears, however, that 'the time of his life' ended rather quickly, with news coming about a week later that City of London police "arrested a 17-year-old teenager from Oxfordshire on suspicion of hacking."

The expectation so far is that this hacker is the one who breached Uber, and is allegedly the ringleader of Lapsus$, which is basically a criminal band of precocious kids who breach companies and then ask to be paid in return for exercising discretion in what they release.

These kids' actions aren't defensible, but if a bunch of teenagers doing the internet-equivalent of joyriding and vandalism can pose such a threat to private companies, we have a much larger problem than just these kids.

Our collective response to intrusions must mature beyond a whack-a-mole approach, and actually progress to holding our multi-billion dollar companies to some more reasonable standards of security.


Interest piqued? Disagree? Reach out to me at TwelveTablesBlog [at] protonmail.com with your thoughts.

Photo by Tamara Gak on Unsplash