Biz & IT

Home alarm tech backdoored security cameras to spy on customers having sex

A home security technician has admitted he repeatedly broke into cameras he installed and viewed customers engaging in sex and other intimate acts.

Telesforo Aviles, a 35-year-old former employee of home and small office security company ADT, said that over a five-year period, he accessed the cameras of roughly 200 customer accounts on more than 9,600 occasions—all without the permission or knowledge of customers. He said he took note of homes with women he found attractive and then viewed their cameras for sexual gratification. He said he watched nude women and couples as they had sex.

Aviles made the admissions Thursday in US District Court for the Northern District of Texas, where he pleaded guilty to one count of computer fraud and one count of invasive visual recording. He faces a maximum of five years in prison.

Aviles told prosecutors that he routinely added his email address to the list of users authorized to access customers’ ADT Pulse accounts, which allow customers to remotely connect to the ADT home security system so they can turn on or off lights, arm or disarm alarms, and view feeds from security cameras. In some cases, he told customers that he had to add himself temporarily so he could test the system. Other times, he added himself without their knowledge.

More legal fallout

An ADT spokesman said the company brought the illegal conduct to the attention of prosecutors last April after learning Aviles gained unauthorized access to the accounts of 220 customers in the Dallas area. The security company then contacted each customer “to help make this right.” The company has already resolved disputes with some of the customers. ADT published this statement last April and has continued to update it.

“We are grateful to the Dallas FBI and the US Attorney’s Office for holding Telesforo Aviles responsible for a federal crime,” the company wrote in an update posted on Friday.

In the aftermath of the breach discovery, ADT has been hit by at least two proposed class-action lawsuits, one on behalf of ADT customers and the other on behalf of minors and others living inside the homes. A plaintiff in one of the suits was allegedly a teenager at the time that the breach occurred. ADT informed her family that the technician spied on her home almost 100 times, according to the lawsuit.

The suits alleged that ADT marketed its camera systems as a way for parents to use smartphones to check in on kids and pets. ADT, the plaintiffs said, failed to implement safeguards, such as two-factor authentication or text alerts when new parties are granted access to an account, that could have alerted customers to the invasion. The breach was discovered only when a customer noticed an unauthorized email among the addresses that had permission to access the security system.
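The safeguard the plaintiffs describe is a notification whenever the set of identities allowed into an account changes. The following Ruby is an added example written for this page, not ADT's code: it runs two checks over a handful of constructed audit events (the JSON field names, account IDs and addresses are assumptions). Every change to an account's authorized-user list produces an owner notification, regardless of who made it; additions made by someone other than the customer (here, a technician) are flagged separately, and any later camera view by an identity a non-customer added is flagged as well. On the ADT story's facts, the first technician-added address would have been surfaced to the customer in 2015 rather than five years later.

```ruby
require 'json'

# Constructed audit events (JSON lines). Schema, accounts and addresses are
# assumptions for this example; "add_authorized_user" is the change the ADT
# technician made when he put his own email on customers' Pulse accounts.
SAMPLE_AUDIT_LOG = <<~LOG
  {"ts":"2020-03-02T14:10:05Z","account":"acct-1001","actor":"tech:t-4417","actor_role":"technician","action":"add_authorized_user","target":"tech4417@example.net"}
  {"ts":"2020-03-02T14:12:40Z","account":"acct-1001","actor":"owner@example.com","actor_role":"customer","action":"view_camera","camera":"front-door"}
  {"ts":"2020-03-03T01:22:11Z","account":"acct-1001","actor":"tech4417@example.net","actor_role":"authorized_user","action":"view_camera","camera":"living-room"}
  {"ts":"2020-03-04T09:00:00Z","account":"acct-1002","actor":"owner2@example.com","actor_role":"customer","action":"add_authorized_user","target":"spouse@example.com"}
LOG

# Walks the audit log once and returns a list of alert hashes.
#   :notify_owner          - every authorized-user change; the owner gets a message
#   :non_owner_acl_change  - the change was made by someone who is not the customer
#   :view_by_non_owner_add - a camera view by an identity a non-customer added
def analyze_audit_log(log_text)
  alerts = []
  # account => identities added to the account by someone other than the customer
  added_by_non_owner = Hash.new { |h, k| h[k] = [] }

  log_text.each_line do |line|
    line = line.strip
    next if line.empty?
    ev = JSON.parse(line)

    case ev['action']
    when 'add_authorized_user'
      alerts << {
        type: :notify_owner,
        account: ev['account'],
        message: "#{ev['target']} was added to your authorized users by #{ev['actor']} at #{ev['ts']}"
      }
      if ev['actor_role'] != 'customer'
        added_by_non_owner[ev['account']] << ev['target']
        alerts << { type: :non_owner_acl_change, account: ev['account'],
                    actor: ev['actor'], target: ev['target'] }
      end
    when 'view_camera'
      if added_by_non_owner[ev['account']].include?(ev['actor'])
        alerts << { type: :view_by_non_owner_add, account: ev['account'],
                    actor: ev['actor'], camera: ev['camera'], ts: ev['ts'] }
      end
    end
  end

  alerts
end

# Convenience: count alerts by type for the constructed log.
def alert_counts(log_text = SAMPLE_AUDIT_LOG)
  analyze_audit_log(log_text).group_by { |a| a[:type] }.transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  analyze_audit_log(SAMPLE_AUDIT_LOG).each { |a| puts a.inspect }
end
```

The owner notification fires for the spouse added on acct-1002 too; that is deliberate, since the customer is the only party who can say whether an addition was expected, and a notification they can dismiss costs far less than five years of undetected access.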

Gab, a haven for pro-Trump conspiracy theories, has been hacked again

Beleaguered social networking site Gab was breached on Monday, marking the second time in as many weeks that hackers have gained unauthorized access to a platform that caters to users pushing hate speech and pro-Trump conspiracy theories.

The compromise came to light after someone hijacked the account of Gab founder and CEO Andrew Torba and left a post criticizing him for not paying an 8 bitcoin ransom for the safe return of documents used to verify the identity of some users. The unknown hacker also accused Torba of failing to disclose the full extent of the earlier breach.

Gab quickly took the site offline and removed the post, but not before it was archived here. When the service was restored a few hours later, a statement Torba posted said that Monday’s breach was the result of site administrators failing to revoke OAuth2 bearer tokens, which browsers and mobile apps store after a user has successfully logged in to a site.

Token harvesting

“The attacker who stole data from Gab harvested OAuth2 bearer tokens during their initial attack,” Torba wrote. “Though their ability to harvest new tokens was patched, we did not clear all tokens related to the original attack. By reusing these old tokens, the attacker was able to post 177 statuses in an 8-minute period today.”

Gab’s failure to purge bearer tokens may have stemmed from unfamiliarity with the open-source Mastodon code the site runs or an unwillingness to force every user to log in again after their tokens were revoked. The theft of the tokens came as a surprise to many because they weren’t included in the trove of hacked Gab data posted by the Wikileaks-style site Distributed Denial of Secrets following the breach.
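The failure Torba describes is that patching the harvesting bug left every already-harvested token valid. The Ruby below is an added example for this page, not Gab's or Mastodon's code; it models a minimal bearer-token store and walks the timeline: a token copied by the attacker before containment still authenticates after the bug is fixed, and only a bulk revocation of every token issued before the containment time (the "tokens_invalid_before" cutoff, a name assumed here) makes it useless while leaving tokens issued afterwards intact. Mastodon keeps its tokens in a database table, so the real fix is a query against that table, but the logic is the same.

```ruby
require 'securerandom'

# Hypothetical bearer-token store. Tokens are opaque random strings mapped to
# (user, issued_at). Each user also carries a "tokens invalid before" cutoff;
# a token issued before that cutoff is rejected even though it is still in the
# store. Class and method names are assumptions for this example.
class TokenStore
  Token = Struct.new(:user, :issued_at)

  def initialize
    @tokens = {}
    @invalid_before = Hash.new(Time.at(0)) # user => cutoff; default accepts all
  end

  # Issue a new bearer token for user, stamped with the issue time.
  def issue(user, now: Time.now)
    token = SecureRandom.hex(32)
    @tokens[token] = Token.new(user, now)
    token
  end

  # Return the user the token belongs to, or nil if unknown or revoked.
  def authenticate(token)
    t = @tokens[token]
    return nil if t.nil?
    return nil if t.issued_at < @invalid_before[t.user]
    t.user
  end

  # Per-user revocation (what a password change or "log out everywhere" does).
  def revoke_user_tokens_before(user, cutoff)
    @invalid_before[user] = cutoff if cutoff > @invalid_before[user]
  end

  # Incident remediation: revoke every token, for every user, issued before the
  # time the harvesting bug was closed. Returns how many tokens that affected.
  def revoke_all_issued_before(cutoff)
    @tokens.values.map(&:user).uniq.each { |u| revoke_user_tokens_before(u, cutoff) }
    @tokens.count { |_, t| t.issued_at < cutoff }
  end
end

# Timeline: attacker harvests a token, the bug is patched (contained_at),
# the old token keeps working until the operator revokes it.
def demo
  store = TokenStore.new
  contained_at = Time.utc(2021, 2, 28, 0, 0, 0) # assumed containment time
  harvested = store.issue('alice', now: contained_at - 86_400) # copied by attacker
  bob_token = store.issue('bob', now: contained_at + 1)        # issued after the fix

  r = {}
  r[:harvested_valid_after_patch]  = store.authenticate(harvested)   # still "alice"
  r[:revoked_count]                = store.revoke_all_issued_before(contained_at)
  r[:harvested_valid_after_revoke] = store.authenticate(harvested)   # nil
  r[:bob_valid]                    = store.authenticate(bob_token)   # "bob", untouched
  fresh = store.issue('alice', now: contained_at + 60)
  r[:fresh_valid]                  = store.authenticate(fresh)       # "alice"
  r[:unknown_token]                = store.authenticate('not-a-token')
  r
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Storing a per-user cutoff instead of deleting rows has a practical advantage during an incident: it is one cheap write per user (or one global value), it cannot miss a token that was copied out of a backup or replica, and it gives the same result whether the attacker reuses tokens one at a time or all 177 at once.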

“I think what’s noteworthy here is that they never knew this data was obtained, at least not based on their reporting,” Troy Hunt, owner of the breach notification service Have I Been Pwned?, said, referring to this notification that Gab posted on Saturday. Hunt said he was also surprised that Gab has yet to enforce a mandatory password reset for all users. Such resets are standard practice after sites experience breaches that compromise user data.

The first breach came to light last Monday, when DDoSecrets said that it obtained 70GB of passwords, private posts, and more from Gab and was making them available to select researchers and journalists. The data, DDoSecrets co-founder Emma Best said, was provided by an unidentified hacker who breached Gab by exploiting a SQL-injection vulnerability in Gab’s website code.

Trying to stay afloat

Shortly after the first breach was discovered, someone at Gab patched a critical SQL-injection vulnerability that was introduced into the website code by site CTO Fosco Marotto. Marotto declined to say if that vulnerability was the one hackers exploited to take over the site, but the bug’s introduction early this year and its removal so soon after the site compromise stoked speculation that it was indeed the one used in the hack.

Marotto didn’t immediately respond to an email seeking comment for this post.

Gab has been struggling to stay afloat for more than two years as it continues to provide a haven for hate speech and conspiracy theories. In 2018, Google removed the Gab app from the Play store for terms of service violations. A year later, web host GoDaddy terminated service to Gab after one of its users took to the site to criticize the Hebrew Immigrant Aid Society shortly before killing 11 people in a Pittsburgh synagogue.

Following the January 6 storming of the US Capitol by pro-Trump extremists, Amazon and other web hosts have refused to provide service to the site, citing its inability to moderate user content including unfounded claims by Torba and users alike that the 2020 election was stolen from former President Trump.

The revelation that the earlier hack exposed OAuth2 bearer tokens leaves open the possibility that those responsible obtained other types of sensitive user data. If so, Gab’s security woes may not yet be over.

Google tells harassment victims to take “medical leave,” report finds

Sunset, over the Google empire.

A new report alleges that Google employees who report experiencing gender or racial harassment or discrimination routinely are told to take “medical leave” and seek mental health treatment—only to be shoved aside when they try to come back.

Nearly a dozen current and former Google employees told NBC News that company HR officials told them to seek mental health treatment or take medical leave “after colleagues made comments about their skin color or Black hairstyles, or asked if they were sexually interested in their teammates.” Another dozen current and former Google employees told NBC the practice is common within the company.

“I can think of 10 people that I know of in the last year that have gone on mental health leave because of the way they were treated,” one former Google employee told NBC News. He himself had taken medical leave “after he said he had numerous unproductive conversations with human resources about how his colleagues discussed race.”

Those breaks mostly served to push people out of the organization, either quickly or slowly, sources said. Multiple employees told NBC that when they returned from a recommended leave, they found themselves assigned to new managers or new parts of the company. Those changes, in turn, suppressed positive performance reviews, due to lack of time to build up new relationships and work histories, and so those employees did not receive promotions or raises when they otherwise could have.

Another employee told NBC that after they experienced racism at Google, they took HR up on the offer to take medical leave and move to a different position when they came back. Upon return, however, the employee was turned down from every single internal role they applied for, so they were forced to leave Google.

Google spokesperson Jennifer Rodstrom told NBC the company has “a well-defined process for how employees can raise concerns and we work to be extremely transparent about how we handle complaints,” adding that “[a]ll concerns reported to us are investigated rigorously, and we take firm action against employees who violate our policies.”

Minority reports

Women, especially Black and Latina women, are drastically underrepresented at Google, according to the company’s own data.

Google’s 2020 diversity report (PDF) found that Google employees overall were 51.7 percent white and 41.9 percent Asian. Black workers represented only 3.7 percent of the company’s 2020 workforce, and Hispanic workers were 5.9 percent. (Less than 1 percent of Google employees were Native American.)

The picture grows even more stark broken down on gender lines. Globally, 68 percent of Google employees are men and 32 percent are women. Only 2 percent of all Google employees are Latina women, and 1.6 percent are Black women, according to the report. The numbers are worse when it comes to leadership positions within the company, about 66 percent of which are held by white employees.

Google’s diversity report also focuses on inclusion, in addition to diversity, which helps companies retain employees who feel a sense of belonging and support rather than a sense of tokenism or being singled out. Recent events and reports, however, cast doubt on the effectiveness of those efforts.

In particular, the December departure of well-known AI ethics head Timnit Gebru thrust Google’s inclusivity efforts into the spotlight. Google said Gebru resigned, but Gebru (who is Black) said Google pushed her out, describing a pervasive attitude inside the company to silence marginalized voices, including women and people of color.

Gebru said that she, too, was told to go seek mental health treatment when she reported issues to her managers about how women were treated inside Google. “And I would respond that no amount of support system is going to get rid of Google’s hostile work environment,” Gebru told NBC.

Google has in recent years faced several suits related to its handling of sexual harassment and racial discrimination in the workplace. A trio of former Google employees sued in 2017, alleging that women inside the company were systematically pushed into lower-paying jobs. A 2018 lawsuit accused Google of fostering a “bro culture,” with retaliation against women who complained about experiencing sexual harassment on the job.

Thousands of employees staged a walkout in 2018 to protest Google’s handling of sexual harassment allegations in the wake of reports that found three senior executives received multimillion-dollar payouts to leave the company after they were credibly accused of misconduct. Shareholders sued Alphabet, Google’s parent company, in the wake of those allegations; Google settled that suit in 2020.

Earlier this year, Google also agreed to settle with federal regulators over allegations that it systematically underpaid women software engineers and unfairly passed over women and Asian candidates for software engineering roles.

SpaceX plans Starlink broadband for cars, boats, and planes

Cars could eventually get satellite Internet from SpaceX Starlink.

SpaceX on Friday asked the Federal Communications Commission for permission to deploy Starlink satellite broadband to passenger cars and other moving vehicles.

The application describes SpaceX’s plans for Earth Stations in Motion (ESIMs) for automobiles, ships, and aircraft. SpaceX said it is “seek[ing] authority to deploy and operate these earth stations… throughout the United States and its territories… in the territorial waters of the United States and throughout international waters worldwide, and… on US-registered aircraft operating worldwide and non-US-registered aircraft operating in US airspace.”

“Granting this application would serve the public interest by authorizing a new class of ground-based components for SpaceX’s satellite system that will expand the range of broadband capabilities available to moving vehicles throughout the United States and to moving vessels and aircraft worldwide,” SpaceX told the FCC. Internet users are no longer “willing to forego connectivity while on the move, whether driving a truck across the country, moving a freighter from Europe to a US port, or while on a domestic or international flight,” SpaceX said.

“Electrically identical” to Starlink home terminals

The application said that vehicle-mounted terminals will be similar to the Starlink satellite dishes designed for home-Internet service, with some key differences:

SpaceX Service’s ESIMs are electrically identical to its previously authorized consumer user terminals but have mountings that allow them to be installed on vehicles, vessels, and aircraft, which are suitable for those environments. SpaceX Service’s ESIMs will communicate only with those SpaceX satellites that are visible on the horizon above a minimum elevation angle of 25 degrees. The proposed phased array user terminal will track SpaceX’s NGSO [non-geostationary orbit] satellites passing within its field of view. As the terminal steers the transmitting beam, it automatically changes the power to maintain a constant level at the receiving antenna of its target satellite, compensating for variations in antenna gain and path loss associated with the steering angle.

The ESIM terminals could be deployed “on passenger cars or pleasure boats,” SpaceX said in a radiation hazard analysis submitted with its application. ESIM terminals may also be deployed on “the masts of ships or the tops of semitrucks that are not generally accessible to the public.” The devices “are compliant and will not result in exposure levels exceeding the applicable radiation hazard limits,” SpaceX said.

SpaceX’s application noted that it already has FCC permission to deploy up to 1 million user terminals in the US. The requested license allowing terminals on moving vehicles apparently would not increase the total number of terminals. But SpaceX has separately asked the FCC for permission to increase its allowed number of terminals from 1 million to 5 million.

While Starlink home-Internet service can be set up by users themselves, that may not be the case with Starlink for moving vehicles. SpaceX said that it “will ensure installation of ESIM terminals on vehicles and vessels by qualified installers who have an understanding of the antenna’s radiation environment and the measures best suited to maximize protection of the general public and persons operating the vehicle and equipment.”

The ESIMs will transmit in the 14.0-14.5 GHz band and receive in the 10.7-12.7 GHz band, and they will comply with spectrum-sharing rules to avoid interference with other spectrum users, SpaceX said. SpaceX is already battling Dish Network over Dish’s claim that Starlink could interfere with satellite TV and 5G mobile services that may eventually be permitted in the 12 GHz range.

Starlink for Tesla (and other) cars

Starlink terminals for moving vehicles could theoretically be installed on any brand of car. But Elon Musk, the CEO of both SpaceX and Tesla, would have a special interest in bringing Starlink to Tesla vehicles.

“Tesla’s electric cars are connected to the Internet for features like video streaming and over-the-air updates, with the company even offering a ‘Premium Connectivity’ service as an option today,” a Teslarati article about SpaceX’s application said. “With Starlink’s capability to connect to the Internet in a moving vehicle, Tesla would no longer have to rely on existing mobile Internet providers for its cars.”

Musk tweeted in October 2020 that Starlink could be deployed on fast-moving vehicles. “Everything is slow to a phased array antenna,” he wrote at the time.
