shift change 01-25-2024
1. EFF announces: “Victory! Ring Announces It Will No Longer Facilitate Police Requests for Footage from Users—which is utterly untrue. The very next line of the announcement is the actual news:
Amazon’s Ring has announced that it will no longer facilitate police's warrantless requests for footage from Ring users. This is a victory in a long fight, not just against blanket police surveillance, but also against a culture in which private, for-profit companies build special tools to allow law enforcement to more easily access companies’ users and their data—all of which ultimately undermine their customers’ trust.
So Ring will ABSOLUTELY still facilitate police requests for footage from users devices—as long as they have a warrant. Getting a warrant is not hard, and once police find a winning formula of legal language, threat, and appeal to going after bad guys they will still get the records.
Is it a great win to require a simple warrant requirement to get private footage for police purposes? Sure. Does the warrant requirement slightly increase the work and frustration of a police officer having to spend a few more minutes on an application. Sure. Will Ring continue to comply with legal requests for information it holds. Yes.
Is it a win for privacy or security? F*ck no. It’s just paperwork.
But if the police come to your door and ask for the footage—as opposed to avoiding you and taking it from Ring directly—ask for the dang warrant and get it to a defense attorney who knows the judge who signed it.
2. Hewlett Packhard (non-Enterprises) claims its miserable consumer printer and ink product line is to keep us safe from…hackers.
Hewlett Packard went out, had a researcher create a never-before-and-never-since-seen-again hardware attack using off brand print cartridges, and decided its wildly profitable to hammer down on protecting everyone from the attack Hewlett Packard specifically made up to make this point. How secure is HP? See below.
3. Hewlett Packard Enterprises hacked by Cozy Bear.
How did Cozy Bear pull it off? The usual—password spraying legacy accounts:
News of the HPE breach comes just days after Microsoft disclosed that Midnight Blizzard hackers had breached some corporate email accounts, including those of the company’s “senior leadership team and employees in our cybersecurity, legal, and other functions.” According to the tech giant, the hacking group used a password spray attack – where a bad actor tries the same password on multiple accounts – on a legacy account to access targeted email accounts containing information related to Midnight Blizzard itself.
It’s not yet known whether the HPE and Microsoft incidents are linked.
The two attacks share an attributed actor, similar victims, similar techniques—there is plenty to link the attacks. What conclusions can analysts draw from those similarities without access to the files and logs involved?
4. Advice from the Markup as we near the end of their “Gentle January” series? Use cash and shred, baby—shred.
Personal tip: don't shred the cash.
## The shift change is a collection of timely stories of interest in the security, privacy, and intelligence worlds. Thanks for reading, and feel free to reach out to will@signaltonoise.fyi for any questions, comments, or thoughts on items you’d like to see highlighted.