As we gather 'round the fire, warming our facepalm-weary hands, the blaze burning bright with the shreds of our privacy and security, it's important to reflect on what we're grateful for:
Companies that did the infosec version of stepping on a rake, forcing them to secure us better. Idiots who tried to "hack" the FCC comment system while leaving their OPSEC cake out in the rain. Whatever geniuses left road signs eminently hackable, and the ones who made ATMs susceptible to malware that literally spits out cash.
Here are the "winners" of utter and complete security failures we're almost grateful for. Let's hope the next time these clowns fall off a stack of servers, they don't fail to miss the ground.
What the fail
With the Pixel 4 face unlock debacle, you really can say that Google's Android security team did not check itself before it wrecked itself. What we're thankful for here is the BBC journalist, who probably does not have narcolepsy, but instead pretended to be asleep with his review copy of a Pixel 4 to see if its "face unlock" feature was secure.
The Pixel 4's only biometric security option, facial recognition, unlocked the phone even if the user's eyes were closed. Google said it would be issuing a fix... in a few months. It made us wonder if everyone at Google was okay. In response to our queries, Google said: "We've been working on an option for users to require their eyes to be open to unlock the phone, which will be delivered in a software update in the coming months."
So thank you for learning how to fake naptime, Mr. BBC reporter. You may have saved a lot of ordinary users (who do not have your access and influence) a lot of sleepless nights.
A vote for sanity
Since at least 2004, voting machine hackers — ahem, election-security researchers — at Def Con were treated like crazy people or conspiracy nuts (which are kind of the same thing). Usually, both. In 2016, we wrote: "The machines are so badly maintained, historically backdoored, and easily hacked that even Def Con hackers massively stress out about the voting process in their own forums and chat spaces."
It's a setup that should seem familiar to any horror fan. The protagonist keeps trying to warn people about some looming danger -- the Necronomicon, a clown in the sewer, a possessed car. But no one believes them, so the clown, the car and the gateway-to-hell book win every time. That's what every day is like for researchers pointing out the insane mess of voting machine and election security year after year.
That is, until this year, when a voting machine (that was not possessed, we think) was filmed by a Mississippi voter actually changing their vote in front of their eyes. That viral video made national headlines, further exposing the numerous, simultaneous issues in electronic voting machines across the state, putting the governor's race (and more) in doubt.
So let's give thanks for that seemingly possessed voting machine. It's time for everyone to start believing those Def Con election security "final girls."
The story of the fake FCC commenters could really be old episode of Scooby Doo, with Old Man Jenkins in a bad monster disguise cursing those nosy kids for seeing through his obvious scam. It started in 2017 when the FCC decided to decimate the open internet by killing net neutrality, and (cough) miraculously, the FCC's website was flooded with fake comments supporting the FCC's widely opposed move.
Fast forward to October this year, when reports emerged proving those comments were not only fake, but were the stolen identities and information of US breach victims. You can't say no one expected that plot twist: Turns out the people whose names were used in those fake FCC comments were none too pleased about it. Let's just be thankful that the org behind this reprehensible attempt to hack public opinion, industry group Broadband for America, used the (ahem) brain trust at Media Bridge and LCX Digital to make sure a big stinky pile of breadcrumbs lead right back to the source.
Little green fail-iens
If it turns out that Mark Zuckerberg arrived on this planet promising a better world through his janky tech and carrying around a book called "To Serve Man," we'd be among the humans saying "I told you so." But in a way we're glad Facebook has been so profoundly terrible at everything, because it helps us identify the planet-sized security #fails the company has made.
Like how in April, we found out that the passwords for hundreds of millions of Facebook, Facebook Lite, and Instagram users were stored in plain text. Facebook wanted everyone to know passwords were readable and searchable "only" internally, but with nearly 40,000 full-time employees, that comfort is as cold as Uranus. It's even more chilling knowing the company discovered this complete and utter failure at password security by way of a 2018 breach, when attackers made off with data from 50 million Facebook users via compromised account access tokens.
Thanks for being terrible, Facebook! You have revealed your intentions on our planet.
We don't see a problem
Look. No one wants ATMs to be insecure, susceptible to viruses or hackable by jerks who might try to take money from any unsuspecting individual.
The sad truth is that ATMs are so scattershot in their security, they're a common theme in hacking presentations. And in organized crime there are "cashing crews" who swoop in to scoop up the Benjamins. In fact, the hacker who makes the ATM spew cash is a persistent and annoying Hollywood trope. But, for good reason: It's real. In 2010, hacker Barnaby Jack made global headlines when he "jackpotted" ATMs on the Black Hat conference stage.
This is such a known problem and has been going on so long that it's hard to feel bad for ATM vendors or their software and hardware vendors. So when we read headlines like "Malware That Spits Cash Out of ATMs Has Spread Across the World", it's tough to feel like we'd be anything but grateful if this ongoing security blunder accidentally spit out some extra cash onto our feet this chilly holiday season.
In the slums of our cyberpunk future, "Equifax" is the word harsh parents whisper to frighten their children into making strong, complex passwords. That's thanks to news in October about a shareholder class-action suit over the credit reporting company's egregious 2017 breach.
This revealed a slew of truly appalling, grossly negligent security practices. Especially, as Hot for Security reported, the use of "admin" as both username and password "to authorize access to a portal used to manage credit disputes," which "contained a vast trove of personal information."
If you read the suit's laundry list of security #fails it's not a stretch to think of the company as both a folklore bogeyman of the American credit system and a cautionary tale, monster under the bed for bad practices. We're just grateful the headlines might've scared some people into following better password practices.
Keep on hackin'
not an isolated incident: pic.twitter.com/kVeKPTILT7— Eli Wirtschafter (@RadioEli) September 2, 2019
Who forgot to secure all those electronic road signs we keep seeing hacked with messages like "THE FUTURE SUCKS"? Whoever you are, I hope you got fired, but I also have a strong urge to buy you a beer. Because in this abysmally wrong alternate timeline, I think many can agree that hackable road signs are bringing us a much-needed bit of levity right now.
The security failings of these signs are kind of two-fold. One is that they're all issued with a default username and password, according to one manufacturer, ADDCO. If the signs were issued with a one-time password, that would be the end of warnings about "Entering bat country."
The other #fail is that few people setting up their brand-new electronic road signs are changing those default passwords -- unless the calls are coming from inside the house, and someone working on the road crew was responsible for the sign reading "TRAPPED IN SIGN FACTORY." In which case, let's give thanks for anything reminding us that hacks are supposed to be fun, and people still love making each other smile.