Welcome to WTF News!
I’m starting a new segment for this blog called WTF News. Don’t worry, it won’t be a political segment per se; it will focus on digital and data-driven WTF news, which in and of itself is political, but let’s see if we can tease that out.
This week we’ll discuss an out of control oil fire in Texas, how the cloud makes it easy to nuke a datacenter, Facebook shenanigans, and a service sold to law enforcement that is built on commercial scans of your car’s license plate.
The Oil Refinery Fires that no one knows about
First up in WTF News: Two oil refineries in the US caught fire last weekend, and this wasn’t really reported in the national news for a few days. The impact to the environment in Houston is so bad that the Texas Attorney General is suing the company in charge of safety at the plant in Deer Park. Not only is the benzene impacting air quality, a dam at the plant failed and the Coast Guard had to close a busy channel because of the danger. Oh, and the fire flared up again yesterday.
What’s the root cause? Why isn’t this making national news?
Fired IT guy eliminates former employer’s AWS infrastructure
According to Naked Security, an IT guy was fired after a month. He had already stolen another admin’s credentials, and he used them to rm -rf 23 AWS servers, with obvious detrimental impact to the company. According to the Register, he got a 2 year jail sentence.
They didn’t have 2FA. Did they have a plan to follow once an employee was terminated? That is hard to tell, but it bears repeating: even if your infrastructure is completely in the cloud, you own your data! Protect it like you would if it were on-premises. If you don’t know how to do that, I can connect you with someone who can.
Also, I can’t be the only person who is curious about the culture at that company. Was it the guy, or the culture? I couldn’t find any tips on that. Is there a UK site that is similar to GlassDoor?
Facebook stored passwords in plain text for years
Why does Facebook do these things? Because they can. This story is from Krebs on Security.
According to the report, not only were the passwords in plain text, they were also searchable by employees. According to the article:
Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers.
Krebs on Security
… between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.
ZDNet reports that the passwords may have ended up unencrypted if they were associated with a crash report. But why did employees build apps that logged the data? Or was that part of the crash report? This is further proof that cloud hygiene is hard.
Boeing’s safety update delayed because of the government shutdown
Salon reported on a WSJ report that the software updates that could have prevented the second Airbus Max 8 crash were delayed when the government teams Boeing needed to work with were furloughed.
Combine that with the news that Boeing had safety fixes that were only available as an upcharge, and a picture of what is important to Boeing emerges. And that picture doesn’t seem to include passenger safety.
ICE bought access to commercial license plate scans, using it to deport immigrants
This story came via @VeraMBergun and prompted this Twitter thread from me.
According to BuzzFeed:
Immigration and Customs Enforcement (ICE) and Department of Homeland Security (DHS) officials received when they entered into a contract with Thomson Reuters at the end of 2017 for access to Vigilant Solutions’ license plate reader database. The agreement gave more than 9,000 ICE personnel access to privately collected license plate scans from the 50 most populous metro areas in the US, as well as millions more scans from local law enforcement.
The information for the license plate data comes from commercial sources such as cameras from parking garages or repossession companies. The other source is law enforcement cameras that scan license plates.
Buzzfeed
I want to focus on “Vigilant Solutions’ license plate reader database”. Vigilant Solutions develops software to help law enforcement develop leads and solve crimes. They help law enforcement “do more with less” by providing LPR (license plate reader) cameras to scan license plates, and to score and search the records. The records are stored in a database in Virginia. Vigilant claims to be the only company that enhances this data with private license plate scans. Here is how their website describes their commercial data:
Even without LPR cameras, you can benefit by using our Commercial Data. We are the only LPR provider that can offer over 5 billion nationwide detections and over 150 million more added monthly.
Vigilant Solutions Product Page
How is Vigilant getting this private data? According to this 2018 press release, one method is sharing data.
Vigilant Solutions Press Release
Vigilant Solutions announces today that it has reached an agreement with Plate Locate to sublicense Vigilant’s patent portfolio in return for Plate Locate granting Vigilant the ability to enable law enforcement to have greater access to commercially-generated license plate reader (LPR) data via its hosted LEARN® analytic software to assist in law enforcement investigations.
Vigilant Solutions also hosts the Digital Recognition Network. They capture this information in public, and since you drive your car around in public, they assert you have no right to privacy:
These cameras simply automate a process that has been done manually for years – capturing publicly visibly and publicly available information. Because the camera is photographing license plates in public locations visible for all to see, there is no expectation of privacy in the data we collect. We take those images and the data associated with them and leverage our analytics to deliver DRNsights, solutions for Auto Finance, Insurance and Auto Recovery.
https://drndata.com/company/
Vigilant Solutions, DRN Network, and Plate Locate have all been acquired by Motorola Solutions and its parent company, Vaas International Holdings, apparently to complement Motorola Solutions Command Central Software Suite. Here’s the sales pitch for that software:
In an increasingly complex criminal world, the more decisions are supported by data, the more justified and successful they’ll be. Unfortunately, the analysis required to make sense of your data, even at a very surface level, can be a manual, time-consuming process.
Motorola Solutions Command Central Software Suite Product Page
A company has found a way to aggregate all scans of our license plate. It is now part of a software suite that is sold to law enforcement agencies. One of the more chilling benefits on that product page:
Direct Time and Resources More Effectively
Anticipate incidents 3x more accurately than with traditional hotspotting using targeted-area crime prediction. This empowers officers to proactively engage with the community and prevent crime.
Motorola Solutions Command Central Software Suite Product Page
This is chilling to me when I think about the Ferguson protests, the protests in Baton Rouge, and the Dakota Access Pipeline (#noDAPL) protests. Large scale legal protests, led by people of color, that were violently suppressed. The officers certainly “proactively engaged” with the community, but it wasn’t in the name of keeping the peace.
What will it take for us to fight back against the surveillance that is being built on our private information? Are we ok as IT professionals in building and supporting these types of apps? What are the ethical considerations here?