\n<\/p>\n
A funny \u2014<\/span> but true \u2014 joke at TechCrunch is that the security desk might as well be called the Department of Bad News, since, well, have you seen what we\u2019ve covered of late?<\/a> There is a never-ending supply of devastating breaches, pervasive surveillance and dodgy startups flogging the downright dangerous.<\/p>\n Sometimes though \u2014 albeit rarely \u2014 there are glimmers of hope that we want to share. Not least because doing the right thing, even (and especially) in the face of adversity, helps make the cyber-realm that little bit safer.<\/p>\n When a security researcher found that a Bangladeshi government website was leaking the personal information of its citizens, clearly something was amiss. Viktor Markopoulos found the exposed data thanks to an inadvertently cached Google search result, which exposed citizen names, addresses, phone numbers and national identity numbers from the affected website. TechCrunch verified that the Bangladeshi government website was leaking data, but efforts to alert the government department were initially met with silence<\/a>. The data was so sensitive, TechCrunch could not say which government department was leaking the data, as this might expose the data further.<\/p>\n That\u2019s when the country\u2019s computer emergency incident response team, also known as CIRT, got in touch and confirmed the leaking database had been fixed<\/a>. The data was spilling from none other than the country\u2019s birth, death and marriage registrar office. CIRT confirmed in a public notice that it had resolved the data spill<\/a> and that it left \u201cno stone unturned\u201d to understand how the leak happened. Governments seldom handle their scandals well, but an email from the government to the researcher thanking them for their finding and reporting the bug shows the government\u2019s willingness to engage over cybersecurity where many other countries will not.<\/p>\n It\u2019s been more than a decade since Apple dropped its now-infamous claim<\/a> that Macs don\u2019t get PC viruses (which while technically true, those words have plagued the company for years). These days the most pressing threat to Apple devices is commercial spyware, developed by private companies and sold to governments, which can punch a hole in our phones\u2019 security defenses and steal our data. It takes courage to admit a problem, but Apple did exactly that by rolling out Rapid Security Response fixes to fix security bugs actively exploited by spyware makers<\/a>.<\/p>\n Apple rolled out its first emergency \u201chotfix\u201d earlier this year to iPhones, iPads and Macs. The idea was to roll out critical patches that could be installed without always having to reboot the device (arguably the pain point for the security-minded). Apple also has a setting called Lockdown Mode, which limits certain device features on an Apple device that are typically targeted by spyware. Apple says it\u2019s not aware of anyone using Lockdown Mode who was subsequently hacked<\/a>. In fact, security researchers say that Lockdown Mode has actively blocked ongoing targeted hacks<\/a>.<\/p>\n When a security researcher told TechCrunch that a ridesharing service called iRent \u2014 run by Taiwanese automotive giant Hotai Motors \u2014 was spilling real-time updating customer data to the internet, it seemed like a simple fix. But after a week of emailing the company to resolve the ongoing data spill \u2014 which included customer names, cell phone numbers and email addresses, and scans of customer licenses \u2014 TechCrunch never heard back. It wasn\u2019t until we contacted the Taiwanese government for help disclosing the incident<\/a> that we got a response immediately<\/em>.<\/p>\n Within an hour of contacting the government, Taiwan\u2019s minister for digital affairs Audrey Tang told TechCrunch by email that the exposed database had been flagged with Taiwan\u2019s computer emergency incident response team, TWCERT, and was pulled offline. The speed at which the Taiwanese government responded was breathtakingly fast, but that wasn\u2019t the end of it. Taiwan subsequently fined Hotai Motors for failing to protect the data<\/a> of more than 400,000 customers, and was ordered to improve its cybersecurity. In its aftermath, Taiwan\u2019s vice premier Cheng Wen-tsan said the fine of about $6,600 was \u201ctoo light\u201d and proposed a change to the law that would increase data breach fines by tenfold.<\/p>\n At the heart of any judicial system is its court records system, the tech stack used for submitting and storing sensitive legal documents for court cases. These systems are often online and searchable, while restricting access to files that could otherwise jeopardize an ongoing proceeding. But when security researcher Jason Parker found several court record systems with incredibly simple bugs that were exploitable using only a web browser<\/a>, Parker knew they had to see that these bugs were fixed.<\/p>\n Parker found and disclosed eight security vulnerabilities in court records systems used in five U.S. states \u2014 and that was just in their first batch disclosure<\/a>. Some of the flaws were fixed and some remain outstanding, and the responses from states were mixed. Florida\u2019s Lee County took the heavy-handed (and self-owning) position of threatening the security researcher with Florida\u2019s anti-hacking laws. But the disclosures also sent the right kind of alarm. Several state CISOs and officials responsible for court records systems across the U.S. saw the disclosure as an opportunity to inspect their own court record systems for vulnerabilities. Govtech is broken (and is desperately underserved), but having researchers like Parker finding and disclosing must-patch flaws<\/a> makes the internet safer \u2014 and the judicial system fairer\u00a0\u2014 for everyone.<\/p>\n It was Google\u2019s greed driven by ads and perpetual growth that set the stage for geofence warrants. These so-called \u201creverse\u201d search warrants allow police and government agencies to dumpster dive into Google\u2019s vast stores of users\u2019 location data to see if anyone was in the vicinity at the time a crime was committed. But the constitutionality (and accuracy) of these reverse-warrants have been called into question<\/a> and critics have called on Google to put an end to the surveillance practice it largely created to begin with. And then, just before the holiday season, the gift of privacy: Google said it would begin storing location data on users\u2019 devices and not centrally, effectively ending the ability for police to obtain real-time location<\/a> from its servers.<\/p>\n Google\u2019s move is not a panacea, and doesn\u2019t undo the years of damage (or stop police from raiding historical data stored by Google). But it might nudge other companies also subject to these kinds of reverse-search warrants \u2014 hello Microsoft, Snap, Uber and Yahoo (TechCrunch\u2019s parent company) \u2014 to follow suit and stop storing users\u2019 sensitive data in a way that makes it accessible to government demands.<\/p>\n<\/p><\/div>\nBangladesh thanked a security researcher for citizen data leak discovery<\/h2>\n
Apple throwing the kitchen sink at its spyware problem<\/h2>\n
Taiwan\u2019s government didn\u2019t blink<\/em> before intervening after corporate data leak<\/h2>\n
Leaky U.S. court record systems sparked the right kind of alarm<\/h2>\n
Google killed geofence warrants, even if it was better late than never<\/h2>\n