Tech Brew Ride Home - Mon., 03/04 - USB 4 Wishes and Password-Free Dreams

Episode Date: March 4, 2019

Facebook lets randos look you up by your phone number; Huawei is about to sue the U.S. government; a Vermont law exposes more than 100 data brokers; USB 4 is announced; Facebook offers a way to log in... with your face...kind of; and the W3C has a new standard that promises to do away with passwords forever.

Sponsors:
Keeps - https://keeps.com/techmeme
MetaLab - https://metalab.co

Links:
Facebook won’t let you opt-out of its phone number ‘look up’ setting (TechCrunch)
Scammers abused Facebook phone number search (BBC News)
Huawei Said to Be Preparing to Sue the U.S. Government (New York Times)
Here are the data brokers quietly buying and selling your personal information (Fast Company)
With USB 4, Thunderbolt 3’s benefits become open to all (The Verge)
USB Promoter Group Announces USB4 Specification (AP News)
Harry McCracken's Facebook tweet (Twitter)
Facebook explains how it’ll review nude photos to stop revenge porn (The Verge)
Facebook’s New CAPTCHA Test: ‘Upload a Clear Photo of Your Face’ (Wired)
W3C approves WebAuthn as the web standard for password-free logins (VentureBeat)

Transcript
Starting point is 00:00:00 Welcome to the Techmeme Ride Home from Monday, March 4th, 2019. I'm Chris Higgins in for Brian McCullough. Today, Facebook lets randos look you up by your phone number.
Starting point is 00:00:45 Huawei is about to sue the U.S. government. A Vermont law exposes more than 100 data brokers. USB4 is announced, and I am overly excited about it. Facebook offers a way to log in with your face, kind of, if you have to. And the W3C has a new standard that promises to do away with passwords forever. Let's go. Another day, another Facebook privacy scandal. TechCrunch reports that after Facebook implemented two-factor authentication and encouraged the use of phone numbers for it, they then exposed those phone numbers through a friend lookup mechanism. Oops. This happened even though Facebook claimed they were only using those phone numbers to improve security. The news originally broke after Emojipedia maven Jeremy Burge noticed the issue and his tweet about it went viral.
Starting point is 00:01:36 After you have provided your phone number to Facebook, the site has a setting that asks who can look you up using the phone number you provided. And the default setting is everyone. Everyone, meaning literally anyone can go fishing for phone numbers and tie them to specific accounts. Cool. Super cool. Okay, and what are the other options for who can look you up by your phone number? Well, you can choose Friends of Friends or Friends.
Starting point is 00:02:03 There is no way to opt out of the feature entirely. I actually checked my own account for this and found that, of course, it was set to the default. Everyone could look me up. And you know what? I bet they have. Of course, you used to be able to opt out of this feature entirely by simply never giving Facebook your phone number. But then two-factor authentication rolled out and most people chose SMS as their preferred second
Starting point is 00:02:26 factor. And, well, here we are. The TechCrunch article references an April 2018 BBC article, which reads in part, the firm, meaning Facebook, said malicious actors had been harvesting profiles for years by abusing the search tool. It said,
Starting point is 00:02:43 anybody that had not changed their privacy settings after adding their phone number should assume their information had been harvested. One security expert told the BBC the attack had been possible for years, end quote. And here's a quote from the TechCrunch article. When asked specifically if Facebook will allow users to opt out of the settings,
Starting point is 00:03:03 Facebook said it won't comment on future plans. And, asked why it was set to everyone by default, Facebook said the feature makes it easier to find people you know but aren't yet friends with, end quote. And then TechCrunch goes on to remind us that Alex Stamos, Facebook's former chief security officer, left the company in 2018 to become an adjunct professor at Stanford. And Facebook has not yet hired a replacement chief security officer. Let's get ready for some litigation. The New York Times reports that Huawei is gearing up to sue the U.S. government over a defense spending bill that bans federal agencies from buying the company's products. And by the way, that same bill also bans products from Chinese company ZTE, but we're not going to talk about that in this story. The lawsuit is
Starting point is 00:03:55 reportedly about to be filed in the Eastern District of Texas where Huawei has its U.S. headquarters. This legal move is seen as an escalation of the ongoing PR and public policy battle between Huawei and the U.S. government. And let's not forget, Meng Wanzhou, Huawei's CFO, is still being detained in Canada at the request of the U.S. government.
Starting point is 00:04:15 She's technically out on bail, but under continuous monitoring. The U.S. is seeking extradition so she can be tried for Huawei's alleged violation of U.S. sanctions on Iran through a shell company. Canada just granted the U.S.'s extradition request
Starting point is 00:04:29 on March 1st. In a quick response, yesterday Wanzhou's attorneys filed suit against the Canadian government, the Royal Canadian Mounted Police, and the Canada Border Services Agency, alleging that she was illegally detained, interrogated, and searched prior to being informed that she was under arrest. It's unclear how that case will proceed, but it sure seems like that will at least delay the extradition. But back to the upcoming Huawei case against the U.S., which is unrelated,
Starting point is 00:04:55 but it's also obviously related. The core argument there is the Congressional Spending Bill constitutes what's called a bill of attainder, meaning the law singles out the company and punishes that company without a trial. As the Times noted, this is a very similar situation to what happened with Russian cybersecurity company Kaspersky Lab. Kaspersky actually filed two suits, which made very similar arguments after a very similar law was passed, preventing U.S. government agencies from using Kaspersky products. Those suits were dismissed last May by a D.C. court. This legal move by Huawei is interesting because it is literally asking for a trial. The Chinese company wants the U.S. to put its cards on the table in court and reveal what
Starting point is 00:05:38 basis it has to seek such broad punishment. Given that the U.S. government sees this as a matter of national security, it'll be interesting to see what comes out in that trial and what remains sealed. Stay tuned. Now, here's a phrase I didn't think I'd ever read on the news. Thanks, Vermont. Fast Company reports that thanks to a new Vermont law, companies that buy and sell personal data have to register with Vermont's Secretary of State. So far, Fast Company has been able to identify 121 data brokers who have done so. Their new article provides some advice on how you might get them to stop collecting your data. Now, not all companies provide a way to opt out, and the Vermont law does not require them to.
Starting point is 00:06:25 But some do have that option. Also, the Vermont law does not extend to every company that collects personal data. For instance, it doesn't apply to Facebook, which collects user data directly, meaning it's a first-party data collector. This law targets companies that buy data collected by other parties and then sell that data to others. Still, it's a start. And just scrolling through this list of 121 companies,
Starting point is 00:06:50 this list of data brokers is pretty daunting. Here are some names that jumped out at me just as names that I recognized and thought were kind of big and really wondered, what is their policy about getting off the list, if there is one? Here's my list. Spokeo,
Starting point is 00:07:05 ZoomInfo, Equifax, Experian, TransUnion, Acxiom, Oracle, LexisNexis, Innovis, BeenVerified, CoreLogic, and the National Student Clearinghouse. And that's just a little handful. This list is super long. Check the link in the show notes for the whole thing. But remember, just because you know someone is collecting your data doesn't mean you can stop them. But still, at least now we know. Thank you, Vermont. Okay, big nerd news today. USB 4 has been announced, and it's basically Thunderbolt 3 with some special sauce.
Starting point is 00:07:54 I know that sounds confusing, and it kind of is confusing, but I'm going to break that down in a minute. But before I get into the actual news, I do need to disclose that in a previous career, I used to build software that was used by the USB Implementers Forum, and later I built software used by the folks who invented Thunderbolt. And I was involved in that picture as a vendor for well over a decade. I didn't actually make the specs or do any of that stuff. And today I have no financial or other relationship with these folks whatsoever. But the point is, this was my beat. This is what I worked for like well over a decade.
Starting point is 00:08:26 So I know a whole lot of the history of these technologies and how they've diverged and converged and kind of almost converged for the past two decades, really. And I can tell you one key fact. The one thing I wanted since the first day Thunderbolt came out, original Thunderbolt 1. The thing I wanted was for that to replace USB. And that's what's about to happen. Okay, so what is the specific news today? The news is the USB 4 spec will be released in draft form later this year. And guess what? At its core, USB 4 is a souped up version of Thunderbolt 3. This is going to make your life better. Trust me, I've been working with the stuff since USB 1 and Thunderbolt 1 and I have seen
Starting point is 00:09:09 every type of connector and chipset and weird cable that they made along the way, and what has previously been a messy and confusing set of often incompatible plugs and standards and speeds that don't make sense is now finally on the road to becoming compatible and simple. But not just that, it's also going to be really, really powerful. And it's going to be powerful on things like laptops and maybe even phones, too. So in 2017, Intel announced it would open up the Thunderbolt 3 technology so other chip makers could add the tech to their machines without having to buy Intel host chips or pay royalties on each device. This is a whole lot like what they did with the
Starting point is 00:09:49 original USB technology many decades ago. That's how USB took over the computing world. It was basically royalty-free technology, except for a small fee up front to get in the door, and also a fee if you wanted to like use the logo of USB on your product, and sometimes you had to pay to have things tested. But basically, it was a very, very inexpensive way to get things made. Today's announcement of USB4 lays out a roadmap for how that is going to play out as Thunderbolt and USB merge. If you're not familiar with Thunderbolt, it's basically PCI Express over a wire. It offers the same kinds of speeds and features over that wire that you used to get only by plugging things directly into a motherboard inside a PC. Thunderbolt cabling is a little bit expensive because it needs to
Starting point is 00:10:34 manage those high-speed connections, but the technology enables tons of new features for computers, especially laptops, where there's no room to have internal PCI Express slots, but there's plenty of room for little connectors on the side. Thunderbolt 3 offers 40 gigabits per second of bandwidth, and so will USB 4. Now that's double what the fastest USB 3.2 variant offers right now, and it's eight times faster than the baseline USB3.0, which was previously called USB3.O, which was previously called USB3.O Gen 1. So like, don't worry about the weird naming schemes. Point is, USB 4 is much, much faster than any previous USB standard. Today, the USB landscape is super confusing.
Starting point is 00:11:16 Let's just admit it. Thunderbolt 3 and some forms of USB 3 use the same connector called USB type C, but the cables are actually different on the inside. Thunderbolt cables have controller chips in them that are not present in USB cables. Add to that, the classic USB type A connector, that's the rectangular one that we've all plugged in 10 million times on one end to plug in our phone and the other end is an iPod connector or a lightning connector or a mini A or a mini B or etc. Anyway, that type A connector can be USB 3 compatible or USB 2 compatible or USB 1 compatible.
Starting point is 00:11:52 And within each of those three things, there are varying speeds of those standards. So you've got a real mess there. And all of those things are currently trying to play together on modern computers. From a consumer perspective, I have this belief that a plug is a plug. Anything that fits in the plug should just work. But today, it doesn't. I mean, sometimes it does. But other times, it doesn't.
Starting point is 00:12:17 But why? It's really hard to tell unless you're as much of a nerd as I am about USB4 and Thunderbolt and blah, blah, blah. By folding Thunderbolt into USB4, all of this plug stuff will go away. It will be one plug to rule them all. They will all work. They will all work backwards. They will work forwards. And that is a huge deal.
Starting point is 00:12:41 It really is. USB 4 will continue to use the USB-C style connectors we've become used to in recent years. That effectively means Thunderbolt 3 ports are just going to appear under a new name and a new licensing scheme. That means that, for example, a laptop with a few USB 4 ports will be able to use those ports to charge the machine, drive external GPUs, attach 4K and 5K displays, attach giant storage arrays, create ultra-fast networking, you name it. It's PCI Express. Anything that you wanted to do, you could plug it in. And it will be backwards compatible with legacy USB 2 and 3 devices, though you may need cable
Starting point is 00:13:20 adapters to plug in those, you know, rectangular ports into the USB style ports. But a small dongle, not a huge price to pay just to plug in your mouse or whatever. Now, it's going to take a few years for USB 4 to roll out into real world use. But when it does, our long international nightmare of weird cabling and bad naming conventions will come to an end. And I think that's something worth celebrating. All right, file this next story under technically old news, but definitely new news to me. And yeah, it's another Facebook story. I'm sorry, but that's just, yeah. Yesterday on Twitter, Harry McCracken shared a screenshot showing what happens when you can't log into Facebook because you lost your two-factor authentication device. Maybe you lost your phone or your YubiKey
Starting point is 00:14:11 or your phone number changed or whatever. When that happens and you also lost your backup codes because, of course, you didn't print those out and store them in the wall safe hidden behind the priceless artwork in your fricking mansion. Well, you have two options. The first option is to send Facebook a photo of a government issued ID. You know, there was a time when I would do that without thinking twice about it. And that time with Facebook is over. What could possibly go wrong with providing my ID info to Facebook? Hmm.
Starting point is 00:14:39 But, okay, let's give them the benefit of the doubt. It's not that bad. We show ID all the time to gain access to private spaces. And Facebook is a private space. If you have to show ID to buy beer, okay, maybe it's fine to upload ID to log in in one of these weird cases. I get that. But it's the second option that's the real doozy. You can, and I quote,
Starting point is 00:14:59 take a photo of yourself holding a sign with a handwritten code, end quote. In researching this, this option has existed since at least 2018 and appears to be a method of last resort for those who either can't or won't provide government ID. But there are several truly bizarre things about this option. First, it's eerily reminiscent of kidnappers' proof of life schemes, where hostages are shown with today's newspaper, or they're encouraged to share some bit of information that only they would know in order to verify their identity and that they are currently alive.
Starting point is 00:15:31 And this is where we live now. If you're locked out of Facebook, you can provide your own proof of life using your webcam. And of course, we all know there's absolutely no way to fake a photo of a person holding up a sign with something written on it, right? Right? I mean, that's far beyond current technology.
Starting point is 00:15:47 Anyway, the second thing that makes this weird is how similar it is to previous Facebook efforts to get you to log in using your face. Facebook very much wants pictures of you. Lots of pictures of you. In 2017, Wired reported that Facebook was testing a verification process that involved simply uploading a fresh selfie as a form of identification. That's a lot like the Face ID system on a modern iPhone. Except the facial recognition system involves remote analysis by Facebook, not a piece of hardware in your hand that you can control. But Facebook doesn't just want pictures of your face.
Starting point is 00:16:20 In 2017, The Verge reported that Facebook was testing a process in which it encouraged Australian users of its Messenger product to proactively upload nude photos of themselves in order to prevent revenge porn. And yes, Facebook employees did look at the nude photos before they were squirreled away in a database, supposedly in a file format that could never be seen again by a human. The idea there was that if you had a specific photo or set of photos that you worried would be posted to Facebook by someone seeking to harm you, you could proactively put them on a block list using this process. But you did that by letting Facebook look at the pictures, the pictures that are by definition things that you do not want people to look at. So while the intent of all these features is clearly good, you know, Facebook is trying to help people log into their accounts and trying to reduce harm in the form of preventing revenge porn, but it is increasingly bizarre that a company so beset with privacy concerns continues to ask
Starting point is 00:17:18 its users for pictures of themselves as some sort of proof that we are who we say we are. We're increasingly unwilling to give this stuff away to Facebook. And Facebook, you know that we're living in an era of deepfakes, right? And finally today, more nerdy tech news that actually has the potential to change how you work in a good way. The W3C has approved a web standard that aims to do away with passwords once and for all. It's called WebAuthn. The open standard is supported by a ton of W3C contributors, including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent, and Yubico. The new spec will allow users to log in using a variety of different technologies on the user's side.
Starting point is 00:18:13 You can use a biometric thing like a fingerprint scanner. You can use a FIDO security key, known to most of us as those little YubiKeys. Web browser makers have actually already built in support for WebAuthn into Chrome, Firefox, Edge, and the preview version of Safari. And you can already use it on sites, including Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter. Now, with all these heavy hitters already supporting this technology, the rest of the web can't be that far behind. The goal of the new standard is to destroy the password once and for all.
Starting point is 00:18:47 Passwords have inherent problems. Too many to go into here. WebAuthn promises to wipe all of them away. For instance, the login credentials for a WebAuthn user are never stored on a server, and they never leave the user's device. That means there is no password database for a hacker to steal. There is no password to crack.
Starting point is 00:19:08 That makes dictionary and rainbow attacks literally impossible. And this is cool. The implementation on the user's side can vary because users have very different needs and abilities when it comes to authentication. So users can choose from fingerprint readers, from face readers, from FIDO security keys, from mobile devices, and potentially things that we haven't yet thought of. And because the keys are unique for every
Starting point is 00:19:30 website, it's impossible to use login credentials to track users across multiple sites. Sounds pretty good, right? So watch this space as WebAuthn increasingly becomes the standard for password-free logins. It's going to take years, of course, but it's a worthy goal. And one day, we'll all sit around telling our grandchildren how we had to memorize these weird words and numbers and symbols, and then we had to get applications to keep a list of those things, and we had a password to get into the application to the thing, just to log into our bank.
Starting point is 00:20:00 I am so excited for a password-free future. That's it for today's ride home. Brian will be back with you tomorrow. I'm pretty sure he won't go on another five-minute USB 4 rant, but you never know what the news will bring. Meanwhile, you can follow me on Twitter at Chris Higgins. Follow Brian at Brian MCC, and follow the editors of Techmeme at Techmeme.
Starting point is 00:20:28 We'll be back with you tomorrow on your ride home.
