Saturday, April 15, 2017

CST 373 Week 8

Scrapbook 8 - Commercials Triggering In-Home Voice-Activated Software Devices

Burger King’s new ad forces Google Home to advertise the Whopper by Jacob Kastrenakes of The Verge (PDF archive)

Summary

This week there was a lot of controversy concerning the following Burger King commercial, which triggers Google's "personal assistant" to retrieve information about a Burger King burger.

The advertisement uses the voice command "Ok Google, what is a Whopper burger?" to have a Google Home device or Android phone read the first line of the Wikipedia page for the Whopper. Prior to the release of the ad campaign, the Wikipedia article's first line was changed to read "The Whopper is a burger, consisting of a flame-grilled patty made with 100 percent beef with no preservatives or fillers, topped with sliced tomatoes, onions, lettuce, pickles, ketchup, and mayonnaise, served on a sesame-seed bun." It appeared to be edited by Burger King's Marketing Chief. This commercial is the first to intentionally trigger one of these voice command devices.

Reason Chosen

We've seen a lot of reports concerning accidental triggers of these kinds of voice-activated devices. Most have been unintentional up until this point. I find this relevant because I own two Amazon Echo devices that work the same way. My boyfriend had a friend over and noticed the device on our side table. He triggered it by saying "Alexa, order me 100 units of toilet paper." I have purchased toilet paper through Amazon in the past and when I did so, I ordered a box of 48 rolls. Alexa quickly responded saying she was ordering 100 boxes and it was going to total at somewhere around $2,000. It's concerning that it can be that easy to order something so large from a device like this. The easy ordering feature has now been disabled on my devices.

Ethical Implications and Personal and Social Values at Stake

This advertisement initially seems innocent but can quickly spiral out of control. First, as mentioned in the article, Wikipedia pages can be edited by everyone, and Google will blindly read out the first sentence under the assumption that it is okay to read (based on Wikipedia community guidelines). However, the articles could be edited after the release of these products to say horrible things that may not be appropriate for the listeners. That could expose a lot of people to a range of ethical problems.

Similar advertisements will likely arise in the future. My family tends to leave the television on for our pets when we leave. I can easily imagine a case where an advertisement causes one of these devices to order something unapproved by the owner. I feel as if the companies producing the commercials are actually hacking their viewers and not just the device. It places their audience in a vulnerable state.

Source Credibility

Founded in 2011 under the Vox Media umbrella, The Verge was formed as a multimedia company to focus on technology and how it is becoming more relevant and prominent in our everyday lives.

Jacob Kastrenakes has been working as a News Editor for The Verge since 2012.

CST 373 Week 7

Scrapbook 7 - Cleverly Hidden Hacks

Booby-trapped Word documents in the wild exploit critical Microsoft 0-day by Dan Goodin of Ars Technica (PDF archive)

Summary

Initially reported by the McAfee security firm, a new 0-day attack was found that targeted Microsoft Word users. The attack was executed by the attacker emailing a malicious Word document to the targeted party, or parties. When the Word document was opened, it would connect to a remote server and download an HTML Application (.hta) file disguised as a Microsoft Rich Text Format document; because .hta files are executable, the downloaded file ran. This is what gave the attackers complete access to the victim's machine. Their tracks were covered by opening another ordinary-looking Word document once the code had finished executing. The executed code downloaded malware from various "well-known malware families." Reportedly, the first known attack was in January of this year (~4 months ago).

Reason Chosen

I find the idea of these commands, or similar, being run on my own computer based on my own actions unnerving and horrifying. It's also really interesting how clever the people that set up these attacks are. It's additionally notable, and a good reminder, that no matter the size and reputation of a company, they are not immune to these kinds of vulnerabilities.

Ethical Implications and Personal and Social Values at Stake

This attack worked on Windows 10, which is supposed to be the most secure Microsoft operating system to date. Using this operating system may make users more comfortable with downloading unknown attachments from people on the internet. However, it is now the recipient's job to stay alert and not trust anything sent by email. This can be a lot of pressure for those that use a computer and email with the assumption that nothing is going to target them directly. It may additionally be a burden for those that aren't familiar with or are unaware of these kinds of attacks.

According to this article, Microsoft Word has a Protected View option that will not allow the initial connection to be made and would prevent this attack from happening. Even after the patch has been applied to one's computer, it sounds like the best option is to open new documents in Protected View by default.

Source Credibility

Ars Technica is a publication geared toward those interested in technology. It was started in the late 1990s and has become a trusted source for technology and related policy news. Ars Technica was acquired by Advance, the parent company of Condé Nast, in 2008 and has since expanded to the UK.

Dan Goodin works as a Security Editor for Ars Technica. He holds a master's degree in journalism from UC Berkeley and has been working in journalism for the last 15 years.

Sunday, April 9, 2017

CST 373 Week 6

Scrapbook 6 - Forgotten Digital Accounts and Their Impact

"#91 The Russian Passenger" and "#93 Beware All" from the podcast Reply All of Gimlet Media (PDF archive of Episode #91 and Episode #93)

Summary

This story spans two episodes of Reply All. Alex Blumberg, the founder of Gimlet Media, had his Uber account hacked into, and rides were taken at his expense. When he tried to log into the Uber account, it acted as though his account never existed. They contacted Uber and found that his credit card number also did not exist in their system. Over the course of two episodes, they follow different theories on how the Uber account could have been hacked and when.

Spoilers ahead! They follow through theories of key loggers, malware, and hackers. Their search leads them through the dark web for data being sold from hacked accounts to see if there are traces of Alex's information. In the end, the Uber account was linked to an old, forgotten email (from a previous employer) and he had used the same password for all of his accounts. This old email and its password were sold on the dark web and those were the same credentials for his Uber account. The ultimate moral of the story was to have unique passwords for all accounts and it's helpful to keep them in a password manager, like KeePass or LastPass. (However, LastPass may not be great because your passwords are stored on their servers and vulnerable, like the information for the websites it stores on your behalf.)

Reason Chosen

I've been using a password manager for a while, but really haven't converted all of my accounts to the complicated and unique passwords that are recommended. I don't think I'm the worst with my passwords, but think there's room for improvement. It is a good reminder that we all have to take responsibility when it comes to the websites we're working with.

They mention the website haveibeenpwned.com in the podcast and explain how it uses the data leaked from data breaches to see if your email/username (and associated data) was compromised. Upon searching for my email on the website, I found that I had four cases of my information being distributed.

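The breach-data lookup that haveibeenpwned.com performs, described above for email addresses, also exists for passwords themselves, and its design is worth seeing because it checks a password against breach data without ever sending the password anywhere. The following is an added example, not code from the podcast, from this post, or from Have I Been Pwned: it implements the published Pwned Passwords range-query protocol (only the first five hex characters of the password's SHA-1 hash leave the machine; the service answers with every stored hash suffix sharing that prefix and its breach count, and the match is made locally) against a constructed, offline stand-in for the service. The plaintext corpus, the breach counts, the decoy line and the function names are all constructed for illustration; `hibp_range_server` shows what the real request looks like but is not called by the demo.

```python
"""Offline demonstration of the Pwned Passwords k-anonymity range check.

Added example, not code from Reply All or from haveibeenpwned.com. It
follows the published protocol (GET https://api.pwnedpasswords.com/range/
<first 5 hex chars of the SHA-1>) but answers from a constructed corpus so
it runs without a network. All counts below are invented.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed corpus standing in for aggregated breach data. Plaintexts are
# kept here only so the fake server can derive their hashes; the real service
# holds hashes and counts, not plaintexts. Counts are made up.
CONSTRUCTED_BREACH_COUNTS: Dict[str, int] = {
    "password": 3_730_471,
    "123456": 23_547_453,
    "letmein": 245_832,
}


def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    return full_hash[:5], full_hash[5:]


def fake_range_server(prefix: str) -> str:
    """Constructed stand-in for the range endpoint.

    Returns 'SUFFIX:COUNT' lines for every corpus hash sharing the prefix,
    plus one decoy line so the client is forced to match on the full suffix
    rather than on 'any line came back'.
    """
    lines = []
    for plaintext, count in CONSTRUCTED_BREACH_COUNTS.items():
        candidate_prefix, suffix = split_hash(sha1_upper_hex(plaintext))
        if candidate_prefix == prefix:
            lines.append(f"{suffix}:{count}")
    lines.append("0" * 35 + ":1")  # constructed decoy suffix
    return "\r\n".join(lines)


def hibp_range_server(prefix: str) -> str:
    """The real endpoint (network required; not used by the offline demo)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fake_range_server) -> int:
    """How many times the password appears in the corpus behind fetch_range.

    0 means 'not in this corpus', which is not the same as 'strong'.
    """
    prefix, suffix = split_hash(sha1_upper_hex(password))
    assert len(prefix) == 5 and len(suffix) == 35  # only the prefix is sent
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times in the constructed corpus")
```

To run it against the live service, pass `fetch_range=hibp_range_server`; the rest of the logic is unchanged, which is the point of the design: the check is the same whether the prefix goes to a real server or a stand-in, and in neither case does the password or its full hash leave the machine.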
Ethical Implications and Personal and Social Values at Stake

Using the internet and creating accounts for oneself on the internet requires a certain level of responsibility, not only for ourselves but for our loved ones. It's important that we educate each other on the best practices when working in this space. The internet is no longer a place where we go to just converse with people from a distance. It's a place where we store medical and financial records, our memories, and random personal information. Knowing the best practices is important here. Because we're so connected, we make everyone else vulnerable too.

I know that I still have family members that use simple passwords for every website they use and they're the kind my co-workers would joke about (password is "password" kinds). I understand where they're coming from since creating, setting up, and logging into a password manager is a hassle. But as we store so much more information on the internet, we, as tech-savvy friends, are responsible for helping them understand the risks.

Source Credibility

Reply All is a podcast created by Gimlet Media, which was founded in 2015. Gimlet Media is focused on high-quality, well-researched podcasts. It was founded by Alex Blumberg and Matthew Lieber, who both have experience producing public radio shows.

Reply All is produced by Phia Bennin and hosted by PJ Vogt and Alex Goldman who all have backgrounds in public radio. For more information, see their team member page. The hosts also did an "Ask Me Anything" (AMA) on Reddit two years ago.

Monday, April 3, 2017

CST 373 Week 5

Scrapbook 5 - Banks, ATMs, and Their Users

Hackers Are Emptying ATMs With a Single Drilled Hole and $15 Worth of Gear by Andy Greenberg of Wired (PDF archive)

Summary

Kaspersky, a Russian research company, found and reproduced a set of ATM robberies that had revealed vulnerabilities in a widely used set of ATMs. ATM hackers drill a hole about the size of a golf ball near the PIN pad and connect to the ATM's hardware with a small computer using a wire. There isn't any authentication between the modules within the ATM, so the attacker can directly access the module that dispenses the cash and then tell it how much to dispense. The only limit is that the ATM will sense that something has gone wrong and reboot. Unfortunately, the ATM could have already dispensed $1,000 and can simply be told to dispense more after it has rebooted.

Reason Chosen

Hacking ATMs is a new form of bank robbery, and it's particularly interesting because of its accessibility. Regular bank hours are pretty limited and there's usually security, but ATMs are often left without protection, outdated and vulnerable. Banks and users alike are more vulnerable to losing money and data through these seemingly secure machines.

Ethical Implications and Personal and Social Values at Stake

It's pretty obvious that it is not ethical to rob a bank, and stealing from ATMs is no different. ATMs are still a fairly new component of our banking system, and it can be very difficult to manage new technologies like these. The banks managing these machines have a responsibility to keep them secure and regularly test them for vulnerabilities.

As clients of large banks with ATMs, we expect them to protect our data and our money. Everyone should be concerned about hackers accessing these machines because of the very important information (and money!) that they contain. Keeping our banks accountable for protecting our information and upgrading these machines is important.

There have been videos and articles released that help teach the average bank user how to look out for red flags that indicate an ATM has been tampered with but there aren't systems in place (at least that are known to me) for reporting suspected problems. Is this because the banks don't want the users to feel that their software isn't secure? Should we expect more from them or do the users have some responsibility to notify their bank when they notice a potential vulnerability?

Source Credibility

Wired is a well-known, technology-focused magazine based in San Francisco, California that has been active since 1993. They provide detailed articles surrounding relevant issues in technology.

Andy Greenberg is a Senior Staff Writer for Wired and previously worked at Forbes.