Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
https://www.bbc.com/news/world-asia-48729110 Rogue slug blamed for Japanese railway chaos, BBC News, 22 June 2019 A power cut that disrupted rail traffic on a Japanese island last month was caused by a slug, officials say. More than 12,000 people's journeys were affected when nearly 30 trains on Kyushu shuddered to a halt because of the slimy intruder's actions. Its electrocuted remains were found lodged inside equipment next to the tracks, Japan Railways says. The incident in Japan has echoes of a shutdown caused by a weasel at Europe's Large Hadron Collider in 2016. When the weasel took a fatal chew on wiring inside a high-voltage transformer, it caused a short circuit which temporarily stopped the work of the particle accelerator. In Japan, local media on the trail of the slug report that it managed to squeeze through a tiny gap to get into a load disconnector. A British cousin of the ill-fated mollusc achieved notoriety in 2011, *The Guardian* reports, when it crawled inside a traffic light control box in the northern town of Darlington and caused a short circuit, resulting in `traffic chaos'.
*Eight of the world's biggest technology service providers were hacked by Chinese cyber spies in an elaborate and years-long invasion, Reuters found. The invasion exploited weaknesses in those companies, their customers, and the Western system of technological defense.* EXCERPT: Hacked by suspected Chinese cyber spies five times from 2014 to 2017, security staff at Swedish telecoms equipment giant Ericsson had taken to naming their response efforts after different types of wine. Pinot Noir began in September 2016. After successfully repelling a wave of earlier, Ericsson discovered the intruders were back. And this time, the company's cybersecurity team could see exactly how they got in: through a connection to information-technology services supplier Hewlett Packard Enterprise. Teams of hackers connected to the Chinese Ministry of State Security had penetrated HPE's cloud computing service and used it as a launchpad to attack customers, plundering reams of corporate and government secrets for years in what U.S. prosecutors say was an effort to boost Chinese economic interests. The hacking campaign, known as Cloud Hopper, was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them. A Reuters report at the time identified two: Hewlett Packard Enterprise and IBM. Yet the campaign ensnared at least six more major technology firms, touching five of the world's 10 biggest tech service providers... https://www.reuters.com/investigates/special-report/china-cyber-cloudhopper/
WASHINGTON (AP) Iran has increased its offensive cyberattacks against the US government and critical infrastructure as tensions have grown between the two nations, cybersecurity firms say. In recent weeks, hackers believed to be working for the Iranian government have targeted US government agencies, as well as sectors of the economy, including oil and gas, sending waves of spear-phishing emails, according to representatives of cybersecurity companies CrowdStrike and FireEye, which regularly track such activity. It was not known if any of the hackers managed to gain access to the targeted networks with the emails, which typically mimic legitimate emails but contain malicious software. https://www.timesofisrael.com/iranian-hackers-step-up-cyber-campaign-amid-tensions-with-us/
A US-Israeli cybersecurity firm said Tuesday it had uncovered a massive hack of several global telecommunications companies involving the theft of vast amounts of personal data that was apparently carried out by state-backed actors in China. Cybereason, which is based in Boston and has offices in Tel Aviv, London, and Tokyo, said the hacking included the specific targeting of people working in government, law enforcement and politics. The company said in a statement it had found a "nation state-backed operation against multiple cellular providers that has been underway for years." https://www.timesofisrael.com/us-israeli-cyber-firm-uncovers-massive-telecom-company-hack-apparently-by-china/ ...interesting, not much reported elsewhere.
Some of the world's biggest casino operators in Macau, the Chinese territory that's the epicenter of global gaming, are starting to deploy hidden cameras, facial recognition technology, digitally-enabled poker chips and baccarat tables to track which of their millions of customers are likely to lose the most money. The new technology uses algorithms that process the way customers behave at the betting table to determine their appetite for risk. In general, the higher the risk appetite, the more a gambler stands to lose and the more profit a casino tends to make, sometimes up to 10 times more. This embrace of high-tech surveillance comes as casino operators jostle for growth in a slowing industry that's under pressure globally from economic headwinds and regulatory scrutiny. In the world's biggest gaming hub, where expansion is reaching its limits, two casino operators—the Macau units of Las Vegas Sands Corp. and MGM Resorts International—have already started to deploy some of these technologies on hundreds of their tables, according to people familiar with the matter. Sands plans to extend them to an additional more-than 1,000 tables, said the people. Three others, Wynn Macau Ltd., Galaxy Entertainment Group Ltd. and Melco Resorts & Entertainment Ltd., are in discussions with suppliers about also deploying the technology, according to the people, who asked not to be identified because they're not authorized to speak publicly about the plans... https://www.bnnbloomberg.ca/china-s-big-brother-casinos-can-spot-who-s-most-likely-to-lose-big-1.1278496
Defense Department officials worry an AI-based system cannot work as well as in-person investigations, said one source involved in the transition. https://www.reuters.com/article/us-usa-security-clearances/top-secret-trumps-revamp-of-u-s-security-clearances-stumbling-officials-report-idUSKCN1TK127
An automated system apparently rejected a scientific article as plagiarized. It also returned a copy of the paper to the authors, flagging the plagiarized parts. This is where it gets hilarious. What was flagged were things like author's affiliation (well, obviously copied from earlier papers), standardized methods of describing experiments, and, citations. Obviously, other authors had cited the same papers before, so this must be a clear case of plagiarism. Also interesting is that Wiley, a well-known scientific publishing house, wanted to get the name of the author. Apparently, they automatically assumed that this was one of theirs, and wanted to save some cost going through the debug logs. Maybe `Artificial Intelligence' is the wrong term in this context, `Artificial Incompetence', maybe? https://twitter.com/jfbonnefon/status/1140946785474633729
Santa Clara, Calif. Cybercriminals are targeting Americans planning summer vacations to places like Mexico and Europe through online booking scams, according to a new report by cybersecurity firm *McAfee*. The company said that cybercriminals are taking advantage of high search volumes for accommodation and deals to drive unsuspecting users to potentially malicious websites that can be used to install malware and steal personal information or passwords. Top destinations being targeted include Cabo San Lucas, Mexico; Puerto Vallarta, Mexico; Amsterdam, Netherlands; Venice, Italy; and Canmore, Canada. McAfee's survey of 1,000 Americans planning vacations found that nearly one in five either have been scammed or have come very close to being scammed. Bargain-hunters are most at risk, with nearly a third of victims being defrauded after spotting a deal that was too good to be true. A smaller group of victims (13%) said their identity was stolen after sharing their passport details with cybercriminals during the booking process. The company suggests only booking through verified websites, using trusted platforms and verified payment methods and, if conducting transactions on a public Wi-Fi connection, utilizing a virtual private network (VPN). https://www.mcafee.com/enterprise/en-us/about/newsroom/press-releases/press-release.html?news_id=20190612005079 http://trk.cp20.com/click/e06u-150ky9-jykhyh-7fgw0x83/ One in five seems high. Why would McAfee exaggerate risks? Oh, wait...
Riviera Beach agrees to $600,000 ransom payment to regain data access Tony Doris, Palm Beach Post, 19 Jun 2019 https://www.palmbeachpost.com/news/20190619/why-riviera-beach-agreed-to-pay-600000-ransom-payment-to-regain-data-access-and-will-it-work Riviera Beach—The Riviera Beach City Council has authorized the city's insurer to pay nearly $600,000 worth of ransom to regain access to data walled off through an attack on the city's computer systems. In a meeting Monday night announced only days before, the board voted 5-0 to authorize the city insurer to pay 65 bitcoins, a hard-to-track cryptocurrency valued at approximately $592,000. An additional $25,000 would come out of the city budget, to cover its policy deductible. Without discussion on the merits, the board tackled the agenda item in two minutes, voted and moved on. The dollar amount was not mentioned before or after the vote, only that the insurer would pay through bitcoins, “whose value changes daily.'' The city's email and computer systems, including those that control city finances and water utility pump stations and testing systems, are still only partially back online, two weeks after the ransomware attack was disclosed. But crucial data encrypted by the attackers remains beyond reach and there was no explanation of whether the city has any guarantee that the ransomers will release it if paid. The FBI, Secret Service and Department of Homeland Security are investigating the attack, which officials said began after someone in the police department opened an infected email May 29. More than 50 cities across the United States, large and small, have been hit by ransomware attacks over the past two years. Among them: Atlanta; Baltimore; Albany, N.Y.; Greenville, N.C.; Imperial County, Cal.; Cleveland, Ohio; Augusta, Maine; Lynn, Mass.; Cartersville, Ga.; and in April, nearby Stuart, Fla. The Atlanta attack alone cost that city an estimated $17 million, Vice News reported. The Palm Beach County village of Palm Springs was hit in 2018, paid an undisclosed amoun to ransom but nonetheless lost two years of data, according to one source who asked not to be identified. “This whole thing is so new to me and so foreign and it's almost where I can't even believe that this happens but I'm learning that it's not as uncommon as we would think it is,'' Riviera Beach Council Chairwoman KaShamba Miller-Anderson said Wednesday. “Every day I'm learning how this even operates, because it just sounds so far fetched to me.'' The ransomware attack paralyzed the computer system, sending all operations offline. Everyone from the city council on down was been left without email and phone service. Paychecks that were supposed to be direct-deposited to employee bank accounts instead had to be hand-printed by Finance Department staffers working overtime. Police searched their closets to find paper tickets for issuing traffic citations. Interim Information Technology Manager Justin Williams told the council Monday that the city website and email is back up, as are Finance Department and water utility pump stations. Miller-Anderson said city officials have been briefed by investigating agencies and asked not to discuss details. The agencies advised the city but it was up to the council to decide whether the information lost was so valuable that the city should comply with the ransom demand and hope the ransomers provide a decryption key, she said. “It's a risk. Those were the two options: Either do it or don't.'' The insurance company negotiated on the city's behalf, she said. She said she did not know if police department records were compromised. Water quality never was in jeopardy but water quality sampling had to be done manually, she said. The attack has prompted the city to replace much of its computer system sooner than expected. The council on June 4 authorized $941,000 for 310 new desktop and 90 laptop computers and other hardware. Insurance will cover more than $300,000 of that total. The city already planned to spend $300,000 for equipment replacements in the next budget and will accelerate that expense, Councilwoman Julie Botel said. Much of the existing hardware was a half-dozen years old and vulnerable to another malware attack, so it was time to replace it anyway, she said.
At press time, investors in RoloBucks had already lost over $7.8 billion in the Rolo market. https://www.theonion.com/rolos-unveils-new-cryptocurrency-exclusively-for-rolos-1835695340
The launch of Facebook's new coin is certainly a big event, but so much about it remains unsettled. If it's not the most high-profile cryptocurrency-related event ever, Facebook's launch of a test network for its new digital currency, called Libra coin, has been the most hyped. It is also polarizing among cryptocurrency enthusiasts. Some think it's good for the crypto industry; others dislike the fact that a big tech company appears to be co-opting a technology that was supposed to help people avoid big tech companies. Still others say it's not even a real cryptocurrency. Peel away the hype and controversy, though, and there are at least three important questions worth asking at this point. Is Libra really a cryptocurrency? Well, that depends on how you define cryptocurrency. The Libra coin will run on a blockchain, but it will be a far cry from Bitcoin. To begin with, it will not be a purely digital asset with fluctuating value; rather, it will be designed to maintain a stable value. Taking cues from other so-called stablecoins, it will be “fully backed with a basket of bank deposits and treasuries from high-quality central banks,'' according to a new paper (PDF) describing the project. Besides that, Bitcoin's network is permissionless, or public, meaning that anyone with an internet connection and the right kind of computer can run the network's software, help validate new transactions, and mine new coins by adding new transactions to the chain. Together these computers keep the network's data secure from manipulation. Libra's network won't work that way. Instead, running a validator node requires permission. To begin with, Facebook has signed up dozens of firms—including Mastercard, Visa, PayPal, Uber, Lyft, Vodafone, Spotify, eBay, and popular Argentine e-commerce company MercadoLibre—to participate in the network that will validate transactions. Each of these founding members has invested around $10 million in the project. That obviously runs counter to the pro-decentralization ideology popular among cryptocurrency enthusiasts. The distributed power structure of public networks like Bitcoin and Ethereum gives them a quality that many purists see as essential to any cryptocurrency: censorship resistance. It's extremely difficult and expensive to manipulate the transaction records of popular permissionless networks. Networks like the one Facebook has described for Libra are more vulnerable to censorship and centralization of power, since they have a relatively small, limited number of stakeholders that could be compromised or pool together to attack the network... https://www.technologyreview.com/s/613801/facebooks-libra-three-things-we-dont-know-about-the-digital-currency/
Carrier workers bribed or tricked into helping hackers https://www.nbcbayarea.com/news/local/Mans-1M-Life-Savings-Stolen-In-Cell-Phone-Scam-509097961.html
---—--- Forwarded Message from a friend ---—--- Date: Sat, 22 Jun 2019 17:27:43 -0700 Subject: Flaws in self-encrypting SSDs let attackers bypass disk encryption I was wondering if hw-encrypted external SSDs were worth looking into and found this: https://www.zdnet.com/article/flaws-in-self-encrypting-ssds-let-attackers-bypass-disk-encryption/ “the SEDs they've analyzed, allowed users to set a password that decrypted their data, but also came with support for a so-called 'master password' that was set by the SED vendor. Any attacker who read an SED's manual can use this master password to gain access to the user's encrypted password, effectively bypassing the user's custom password.'' `Flaw' seems like an understatement.
1. Matthew Miller for Smartphones and Cell Phones, 17 Jun 2019 SIM swap horror story: I've lost decades of data and Google won't lift a finger First they hijacked my T-Mobile service, then they stole my Google and Twitter accounts and charged my bank with a $25,000 Bitcoin purchase. I'm stuck in my own personal Black Mirror episode. Why will no one help me? https://www.zdnet.com/article/how-i-survived-a-sim-swap-attack-and-how-my-carrier-failed-me/ After a crazy week where T-Mobile handed over my phone number to a hacker twice, I now have my T-Mobile, Google, and Twitter accounts back under my control. However, the weak link in this situation remains and I'm wary of what could happen in the future. 2. Matthew Miller for Smartphones and Cell Phones, 26 Jun 2019 Last week, I shared a horror story: My SIM was swapped. My Google and Twitter accounts were also stolen, and $25,000 was withdrawn from my bank account for a Bitcoin purchase. I thought I was targeted for my online presence. Turns out, the attack was likely driven by a Coinbase account I experimented with in early 2018 that was never closed. While I already provided many details about my experience, I wanted to update you on the progress made to date—while also offering some advice. Readers offered me fantastic advice in the comments to last week's article, and I sincerely appreciate all the helpful feedback, tips, and tricks.
*Think your iPhone or iPad is secure from prying eyes?* /Think again./ *Companies such as Cellebrite,* with its Universal Forensic Extraction Device (UFED), operate lucrative businesses helping people around the world to unlock your devices. Of course, Cellebrite promises to only sell to legit law enforcement, but then what? *Once that genie is out of the bottle,* how can they contain it? In this week's /Security Blogwatch, we wish for more wishes. https://techbeacon.com/contributors/richi-jennings
Every aspect of Jibo was designed to make the robot as lovable to humans as possible, which is why it startled owners when Jibo presented them with an unexpected notice earlier this year: someday soon, Jibo would be shutting down. The company behind Jibo had been acquired, and Jibo's servers would be going dark, taking much of the device's functionality with it. ... For him and many other owners, Jibo has become like a dog that greets them whenever they walk into the house. It also sometimes takes on the role of an overbearing parent or kid sibling and tells owners, "don't work too hard," or "remember to take bathroom breaks," before they leave for work. But with the update and the company's silence, owners expect Jibo's time to be winding down, and they're thinking about Jibo's mortality and what they'll do when its last day arrives. “People that really do love him and live with him daily,'' Nusbaum says. “It's like having somebody very, very sick that you don't know: is this close to the end? Are they going to get better? Is this a false alarm? Yeah, it's not a great feeling right now."'' https://www.theverge.com/2019/6/19/18682780/jibo-death-server-update-social-robot-mourning
In many trials, information garnered by the police from telephone companies plays an important part in determining whether a suspect has been at a certain place at a certain time. However, the Rigspolitiet national police force has discovered an error in the computer program that converts the information from the different telephone companies, reports DR Nyheder. http://cphpost.dk/news/computer-problems-may-have-led-to-miscarriages-of-justice.html More in Danish: https://politiken.dk/search/?ie=utf8&oe=utf8&hl=da&q=rigspolitiet%20telefon dr.phil. Donald B. Wagner, DK-3600 Frederikssund, Denmark
Recently, a decades-old bug in the way that many software packages used to call Fortran from C has surfaced. People apparently have been assuming that it was safe not to pass the length of a character argument to a Fortran routine when calling it from C, basically invoking undefined behavior. A change to gfortran exposed this, leading to crashes when calling routines from the well-known (and standard) linear algebra package LAPACK. This was first noticed by the developers of the R programming language. The discussion revealed positions ranging from “people should just fix their code'' to “This interface has worked for decades, this is the de facto interface, even broken code must be supported.'' Fortran has a standard way of interfacing with C since the Fortran 2003 standard, but the old interface code often predates this standard, and people also appear to be quite reluctant to use standard features of newer Fortran versions. This is despite the fact that all relevant compilers today support this feature. As a result, gfortran now contains a workaround for this particular bug in user code. There is a nice writeup on LWN: https://lwn.net/SubscriberLink/791393/90b4a7adf99d95a8/ Here the gcc bug dealing with the issue: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90329 Here the correspoinding Redhat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1709538 And finally a write-up by the R developer who analyzed this: https://developer.r-project.org/Blog/public/2019/05/15/gfortran-issues-with-lapack/
Bulb Insanity: How to factory reset your GE C smart bulb. Legit. Really! https://youtu.be/1BB6wj6RyKo Read many brilliant comments. Among them: Hey GE, “how many people does it take to change a light bulb'' is a joke set-up, not a goal. (This follows conversation I had yesterday about how technology and interfaces are often awful if not nightmarish)
I learned recently from Twitter (source of all knowledge)  that the American Kennel Club allows no more than 37 dogs of any given breed with the same name . The reason is amusing—dogs with the same name are given suffixes in Roman numerals, and 37 is the largest number that can be represented in six characters (XXXVII). There's something in how programs are printed that limits the width of the column—going to a wider number field would require reducing font size or reducing the width of some other field. This seems to date from before easy typesetting of variable-width fonts. I wonder if AKC even knows why this limit exists, or whether it's been in place so long that the institutional memory has been lost and recently rediscovered? Or whether they've considered relaxing the limit due to variable-width fonts? Of course moving from Roman numerals to Arabic numerals [*] would make the issue go away, albeit at the cost of not having the panache of something that takes some focus to understand. The Risk? The historic requirement (fixed-width typesetting) drives what is (perhaps) an obsolete feature (the number of dogs with the same name). There are undoubtedly plenty of other historic decisions that could be rethought today, perhaps with different results. On the other hand, AKC gets some value from the use of (possibly?) prestigious Roman numerals, so maybe this is a feature rather than a bug.  https://twitter.com/leftoblique/status/1139737041162272768  https://www.akc.org/register/information/naming-of-dog/ [* Based on an item in a recent RISKS, I presume Arabic dogs would then have to be disallowed as well? PGN]
I gather it's even more complicated than that—they didn't refuse him, they didn't reply at all in time for his trip. US visa processing has apparently been getting slower in the past couple of years but it seems particularly slow for cryptographers. Bruce Schneier blogged about it in May: https://www.schneier.com/blog/archives/2019/05/why_are_cryptog.html
Not so fast—it's not a horn, it's at most a bone spur, and there's lots of reasons to be sceptical about the whole thing, reports Ars Technica. https://arstechnica.com/science/2019/06/debunked-the-absurd-story-about-smartphones-causing-kids-to-sprout-horns/ [PS: nonetheless, your mother's advice to stand up straight remains valid.]
Please correct me if I'm wrong, but I always thought that the idea behind 2FA is to increase security by conducting a part of the transaction via a *different* device. If an SMS confirmation message is sent to the same device from which a user is attempting to login, there's no added security at all, I wonder why it would take a hacker's application to make anyone notice that!
> We do not know how it had happened, but someone else took the car on > your reservation ... Its never a good sign when a company which runs software that has direct control over the engine of a car says about any part of their software: “We do not know how it happened!''
I worked as a senior software engineer for a year for one of these companies, on the core product. I was involved in installation of the first Bluetooth-based system. The article is technically inaccurate, whilst being spiritually correct, but misses the not-quite-so-obvious huge issue in favour of the much smaller presented issue, I suspect the author prolly isn't technical. So, phone tracking was performed by two means, wifi and Bluetooth. The article only covers Bluetooth, which was a new product at the time (2015ish). The main product used wifi. Bluetooth beacons are very simple devices. They emit a signal with a unique ID. That's *it*. *Nothing* else. The devices have no network connectivity, no storage, nothing. They just sit there and emit a unique ID, and we used a battery driven unit. (Despite this, we managed to find vendors asking over 100 euro a unit.) We bought ours from alibaba.com.) The key players making this all work are the apps on the phone. Phone apps get to `wake up' regularly, and they can examine their environment, and one of the things they can do is look around for Bluetooth signals. (It's been a few years now—I remember there was something of a difference between Apple and Android, and so there was I think more unique ID fidelity with Android.) So what happens is the company publishes an API in the form of a library, which app developers ingest into their software. In particular, rather than trying to reach out to every app developer out there, deals are made with third party companies—such as advertising companies—who already publish their own APIs as libraries, which are already ingested by lots of different apps. These third companies companies ingest this library into their library, and hey presto, as people's phones auto-update you're very quickly installed on goodness knows how many tens or hundreds of millions of phones. This really is the bigger story, but the article has missed it. Apps really are random bits of software strangers run on your phone. Users have no idea which sketchy friend-of-a-friend-of-a-friend has just managed to get his API running on their phone. Simple solution to this : do not install apps on your phone. I'm not kidding. People have the expectation they are buying a phone—paying a lot of money for a phone—to put apps on it and use them, and that it must be possible to do this, because they've spent a bunch of money on it. This is not the case. The time when apps could be used on phones has passed. You cannot now buy a phone to run apps, because it is not safe to do so. This means phones no longer make sense. It is in fact I would say a tragedy of the commons. If you *are* going to do this damn silly thing, don't do it in this damn silly way. Root your phone first and (for the love of God) get a firewall installed—and *don't* log into Google on your phone, not ever. Never use a service in an app you can use on a website, again, for the love of God. And never, NEVER, *EVER* give ANY company your phone number. These days it's the key fact around which third-party data collation revolves. Email addresses aren't so bad because it's easy to get disposable addresses, but phone numbers cost money, so they don't change so much. Email addresses need to be used like passwords—you have a different email address for every site or app, just as you have a different password. This helps break third-party data collation. Good email hygiene is the same as good password hygiene. Do not reuse passwords. Do not reuse email addresses. (I run most apps now in VirtualBox, on x86 Android. Being able to reinstall fresh versions of the OS when they come out also handles the upgrade problem. Only one app I care about has no x64 version (lookin' at you, Revolut). I'll also be buying the Librem 5 when it comes out, which is real Linux, not Android, on ARM on a mobile form factor and it should have enough umph to run a VirtualBox VM, which being on ARM can run the usual ARM based APKs. Learn to sideload, BTW, and use Raccoon to get genuine APKs off the Google App Store (which I refuse to call Google Play—an astoundingly silly name invented by the kind of marketing people Douglas Adams had in mind with the Sirius Cybernetics Division. I'm surprised Google haven't yet described their app store as your plastic pal who's fun to be with.) The Bluetooth beacons we had, had a pretty good range. We aimed to have one per floor in pretty large stores—that was the granularity of extra information being aimed for in this first deployment; the progression through floors of a phone. With an Android app you could get signal strength info (as we had an app to configure the Bluetooth beacons), but I don't know if that was true for the “wake up and look around'' time of a phone, rather than an actual app. Bear in mind also that I think in general Bluetooth is turned off on phones -- however, I never saw any numbers for this, so I could be completely wrong. The wifi based system was rather different. With this, there are wifi routers located (fairly carefully) around a store. Phones emit wifi signals periodically, which contain an inherent unique ID (can't remember which now -- prolly MAC address) and the signal strength is measured at each router. The store is logically divided up into zones, and a machine learning system, based on the signal strengths at the routers, decides which zone the user is in, for any given signal. Zone sizes vary, based on customer preferences and technical and cost limits; the more routers near an area, the smaller and more precise the zones can be. Actual physical signal triangulation is *not* used. It was tested, before I joined, I'm told it just didn't work. Far too much signal strength variability. Received phone signals vary enormously, second by second, in a normal shop environment. There's just a lot of physical (people moving around all the tie, in and out of the way of the signal) and electro-magnetic stuff going on. During my time there a wifi specification design flaw was uncovered, where-by you could force a phone, even with wifi turned off as I recall, to emit a response—so now you didn't need to passively sit there and wait for the phone wifi to emit a signal; you could coerce the phone into doing so. This could matter somewhat. Some phones kindly emitted a signal every second (iPhones), others only one a minute. A person can walk a long way in one minute. This however probably crossed the line of local law, which said something like you're not allowed to actively, overtly act upon other people's computers/phones. In any case, it wasn't used before I left. IMHO, wifi tracking is borderline viable as a product. I saw test cases where someone would walk around an empty store with a known device (we had calibration data on a per-device basis, because they vary so much in signal strength), and report back to us where he was and when, and half of his journey would be missing from the data. If you did it right, and were careful, I'd say you could get a mediocre but still genuinely useful and rather unique data set from it. Only problem is, I'd say 99.99% of the time customers don't know it was going on (let alone understand what was happening), and that's what makes it unethical. The basic rule is that when you do stuff with people, they have to choose to do it and they have to understand what they're choosing to do (except in self-defence, of course). You can't force people, and you can't deceive them, Most of this surveillance capitalism we see is unethical because the people being tracked do not know what's going on, or understand. T&Cs are a legal fig leaf, not an actual genuine communication to the user of what's going on such that the user is then known to understand—the ethical obligation of the company to *actually ensure* users understand is *not* met. Users don't know, and that's why it's wrong. Topically, this article has just been published in the WaPo; “It's the middle of the night. Do you know who your iPhone is talking to?'' https://www.msn.com/en-us/news/technology/its-the-middle-of-the-night-do-you-know-who-your-iphone-is-talking-to/ar-AAC1Wvl#page=2 “In a single week, I encountered over 5,400 trackers, mostly in apps, not including the incessant Yelp traffic. According to privacy firm Disconnect, which helped test my iPhone, those unwanted trackers would have spewed out 1.5 gigabytes of data over the span of a month. That's half of an entire basic wireless service plan from AT&T.''
Please report problems with the web pages to the maintainer