More stories


    Bug in shared SDK can let attackers join calls undetected across multiple apps

    A small library that provides audio and video calling capabilities contains a bug that can allow attackers to join audio and video calls without being detected.
    The bug, discovered by security firm McAfee and tracked as CVE-2020-25605, impacts the software development kit (SDK) provided by Agora, a US company specializing in real-time communication tools.
    Apps that use this SDK for audio and video calling capabilities include the likes of MeetMe, Skout, Nimo TV, temi, Dr. First Backline, Hike, Bunch, and Talkspace.
    In a report published today, McAfee says that the Agora SDK does not encrypt the call-setup details exchanged while a new call is being established, even when the app has the SDK's encryption feature enabled.
    Any attacker sitting on the same network as a targeted user can intercept the traffic in the initial phases of a call, extract various call identifiers, and then join the call without being detected.
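    The Python sketch below is an added illustration of that failure class and is not Agora's code or wire format: the frame layout, field names and keys are constructed for the example, and the XOR keystream stands in for whatever transport encryption a real SDK would use. It shows why encrypting the media alone is not enough: a passive observer that can read the cleartext setup frame recovers the channel and user identifiers it would need to join, while the hardened variant, which encrypts the setup frame too, leaves it nothing to work with.

```python
"""Media frames are encrypted, but the call-setup frame naming the channel and
user is not, so an on-path observer recovers the identifiers needed to join.
Frame layout, field names and keys are constructed for this example."""
import hashlib
import json


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream standing in for real transport encryption
    (in practice TLS/DTLS or the SDK's own authenticated cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


def endpoint_join(channel: str, uid: int, media_key: bytes,
                  encrypt_setup: bool = False, setup_key: bytes = b"") -> list:
    """Frames an endpoint emits when joining, as (kind, payload) pairs.
    The media payload is always encrypted with media_key.  The setup frame is
    sent in the clear unless encrypt_setup is True (the hardened form)."""
    setup = json.dumps({"type": "join", "channel": channel, "uid": uid}).encode()
    if encrypt_setup:
        setup = xor_encrypt(setup_key, setup)
    media = xor_encrypt(media_key, b"\x00" * 160)  # placeholder audio frame
    return [("setup", setup), ("media", media)]


def passive_observer(frames: list) -> dict:
    """What a same-network sniffer learns without any key: the identifiers
    it could use to join, or an empty dict if the setup frame is opaque."""
    learned = {}
    for kind, payload in frames:
        if kind != "setup":
            continue
        try:
            msg = json.loads(payload.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue  # encrypted setup is opaque to the observer
        if isinstance(msg, dict) and msg.get("type") == "join":
            learned = {"channel": msg.get("channel"), "uid": msg.get("uid")}
    return learned


def audit_session(frames: list) -> bool:
    """Defender-side check: a session passes only if no setup frame leaks
    call identifiers to a passive observer."""
    return passive_observer(frames) == {}
```

    Run `audit_session` over the frames an app emits under its "encryption enabled" setting; if it fails, the encryption covers the media but not the signalling, which is exactly the gap McAfee describes.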
    McAfee said it discovered this issue last year, in April, during a security audit for temi, a personal robot used in retail stores, which also supports audio and video calling.
    A subsequent investigation found signs that the same behavior affected other apps using the SDK, and the security firm said it notified Agora of its findings.

    Steve Povolny, Head of Advanced Threat Research at McAfee, told ZDNet in an email last week that Agora responded to the disclosure by releasing a new SDK in December 2020 that is not vulnerable to CVE-2020-25605.
    “While we don’t know which of these apps have implemented the new SDK, we can confirm that Agora has released the SDK and has followed up with its developers to urge them to implement the update,” Povolny told ZDNet.
    An Agora spokesperson did not return a request for comment.
    Agora-based apps have tens of millions of downloads on the Play Store alone; however, McAfee said it found no evidence that the bug was abused in the wild to spy on conversations.


    Best password manager in 2021

    Everyone needs a password manager. Period, full stop. It’s the only possible way to maintain unique, hard-to-guess credentials for every secure site that you, your family members, and your team access daily.


    The six programs listed in this guide all offer a full set of features in exchange for a monthly or annual fee. Although some offer a limited free plan, our evaluation is based on the full feature set available with a paid subscription.
    All of the programs run on Windows or Linux PCs, Macs, and mobile devices. To get started, you install a stand-alone app or browser extension and sign in to your account. The app saves sets of credentials in a database whose contents are protected with 256-bit AES encryption. To unlock the password database, you enter a master password that only you know; the app derives the decryption key from it. The browser extension or app then fills in credentials automatically as needed.
    Different password managers have different user experiences and different feature sets, but all offer subscribers a similar set of core features: 
    A password generator that puts together a combination of upper- and lower-case letters, numbers, and symbols. 
    Secure sharing of passwords with trusted contacts. 
    Form filling, including the option to automatically enter credit card details. 
    Secure notes.
    A sync engine that replicates the database across devices, using a cloud service or a local host.
    Password managers that sync the saved password database to the cloud use end-to-end encryption: the data is encrypted before it leaves your device and stays encrypted in transit and on the remote server. When you sign in to the app on your local device, the program sends the server a one-way hash derived from your master password. That value identifies you, but because it is not the decryption key itself, it cannot be used to unlock the vault.
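    The following Python example, added here and not taken from any of the products in this guide, shows the key-splitting design that sentence describes: the master password is stretched into a vault key that never leaves the device, and a separate, further-hashed value is what the server sees at login. The iteration counts, the use of the account email as salt, and the class and function names are assumptions for the example, not any vendor's parameters.

```python
"""Key splitting for a synced password vault.  One master password yields
(a) a vault key kept on the device and (b) a login token the server can
verify but cannot turn back into the vault key.  Work factors and salt
choices are assumptions for this example, not any vendor's parameters."""
import hashlib
import hmac
import os

CLIENT_KDF_ITERATIONS = 600_000   # assumed client-side PBKDF2 work factor
SERVER_KDF_ITERATIONS = 100_000   # assumed server-side re-hash work factor


def naive_scheme(master_password: str):
    """Anti-pattern: a single hash is both vault key and login credential.
    Anyone who sees the login value (the server, a network observer, a
    database dump) holds the vault key outright."""
    digest = hashlib.sha256(master_password.encode()).digest()
    return digest, digest  # (vault_key, auth_token)


def split_scheme(master_password: str, account_id: str,
                 iterations: int = CLIENT_KDF_ITERATIONS):
    """Client side.  Stretch the master password into a vault key, then apply
    one more one-way step to produce the value sent for login.  The server can
    verify that value but cannot invert it to recover vault_key."""
    salt = account_id.strip().lower().encode()   # assumed per-account salt
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    auth_token = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_token


class SyncServer:
    """Holds only a server-salted, re-hashed copy of each auth token, so a
    dump of its database yields neither vault keys nor replayable logins."""

    def __init__(self):
        self._records = {}

    def register(self, account_id: str, auth_token: bytes) -> None:
        server_salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_token, server_salt,
                                     SERVER_KDF_ITERATIONS)
        self._records[account_id] = (server_salt, stored)

    def login(self, account_id: str, auth_token: bytes) -> bool:
        record = self._records.get(account_id)
        if record is None:
            return False
        server_salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", auth_token, server_salt,
                                        SERVER_KDF_ITERATIONS)
        return hmac.compare_digest(candidate, stored)   # constant-time compare
```

    The point of the second PBKDF2 step in `split_scheme` is that the server-side value is one hash further along than the vault key, so even a compromised or malicious server learns only something it can compare, not something it can decrypt with.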
    What we looked for 
    In putting together this list, we looked at third-party reviews and opinions from security experts, with a goal of finding the broadest possible selection of products from established developers. We supplemented that knowledge with our own hands-on experience.
    Four of the password managers in our list offer free versions, typically with some limitations and an option to upgrade to a paid subscription for additional features. All offer both personal and business versions of their products, and some offer family subscriptions that allow multiple user accounts with the option to grant access to credentials for shared services. If you prefer open source software, look at Bitwarden, which offers an excellent free version as well as subscription options.

    Our capsule descriptions are not intended to be comprehensive but rather are designed to help you create your own shortlist. After you narrow down possible contenders, we encourage you to look at the feature table for each one to confirm that it meets your needs, and to take advantage of free trial options before settling on your final choice.
    Because security is such an important feature of a password manager, we’ve tried to address the key question many of our readers ask: Where is your data stored? All of these commercial products offer a cloud sync option; some also include the option to save and sync files locally, so you don’t have to trust your online keys to someone else’s infrastructure.
    And rather than summarize the encryption and data handling precautions each developer takes, we’ve included a link to their online security page so you can read that information and decide for yourself whether you trust their design and encryption decisions.

    Free version now limited to a single device type

    LastPass, which has been a member of the LogMeIn family since 2015, is one of the best-known brands in a very crowded field, largely because for years its free edition offered a robust set of features and supported an unlimited number of devices per user. That policy changed in March 2021, when the company revised its offerings to require a paid plan for use on both mobile devices and one or more personal computers. The company’s personal and business product lines work on all major desktop and mobile platforms and browsers. The service is cloud-based only, with files stored on the company’s servers and synced to local devices.
    The Premium version ($36 a year), besides enabling cross-platform support, adds a few extra features, such as advanced multi-factor authentication options, 1GB of encrypted file storage, and the capability to designate a trusted contact for emergency access. The family plan, which covers up to six users, costs $48 a year and includes a management dashboard. Business plans start at $48 per user per year. 

    Fewer than 50 passwords? This free version will do

    Dashlane doesn’t have the longevity of its chief rivals, but it’s been around long enough to earn a reputation for ease of use. Apps are available for Windows PCs, Macs, Android, and iOS. If your password database includes fewer than 50 entries and you only need to use the software on a single device, you can get by with the free version, which also supports two-factor authentication. Dashlane does not offer a family plan, but it does support sharing of passwords between accounts.
    The $60-per-year Premium version removes limits on the number of saved passwords and synced devices and includes a VPN option. The $120-per-year Premium Plus bundle adds identity theft insurance and credit monitoring. Business plans include the same features as Premium, at $48 per user per year, with provisioning and deployment options as well as the capability to segregate business and personal credentials. (All prices require annual billing.) 

    Allows an unlimited number of saved credentials

    Sticky Password was founded in 2001 by former executives of AVG Technologies, which was a pioneer in the freemium category for security software. True to their roots, this password manager offers a full-featured free version that works on all major device categories and browsers, allows an unlimited number of saved credentials, and supports two-factor authentication and biometric sign-in.
    The $30-per-year premium version includes the ability to sync between devices, using either the company’s servers or a local-only option using your own Wi-Fi network. It also supports cloud backups and secure password sharing and includes priority support. If you’re really committed to the service, you can purchase a lifetime subscription for $200. 

    Business accounts cost $96 per user per year

    Although 1Password earned its reputation on Apple's Mac and iOS devices, it has embraced Windows, Android, Linux, and Chrome OS as well; the 1Password X browser extension fills in credentials, suggests passwords, and provides two-factor authentication in Chrome, Firefox, and Microsoft Edge. After an initial 30-day free trial, a 1Password personal subscription costs $36 per year; a five-user family subscription costs $60 annually.
    1Password works best when its data files are synced from 1Password's servers, but you also have the option to save passwords locally and sync the data file over your own network or through a Dropbox or iCloud account. (The company says it does no user tracking of any kind.) 1Password Business accounts cost $96 per user per year; they add advanced access controls, with activity logs and centrally managed security policies, and include 5GB of document storage (compared to 1GB for personal accounts) plus a free linked family account for each user.

    $60-per-year bundle adds KeeperChat encrypted messaging

    Founded in 2011, Keeper has probably the widest assortment of products of any developer in this guide, with separate offerings for personal and family use, business, enterprise customers, and managed service providers. Personal plans start at $30 a year for Keeper Unlimited, which (naturally) allows storage of an unlimited number of passwords and syncs them on an unlimited number of devices.
    A $60-per-year bundle adds the KeeperChat encrypted messaging program, secure file storage, and a breach monitoring service that scans saved passwords to find any known to be compromised. The family version of each plan doubles the cost and supports up to five users. Keeper stores synced data files on the Amazon Web Services cloud. Student plans are half-off the listed prices. 

    Core features are “100% free”

    Bitwarden brags that its core features are “100% free,” and that's not an idle boast: the free version has none of the limitations associated with commercial software. The paid versions ($10 per year for a single user, $40 annually for a family of up to six) add advanced features such as a built-in TOTP authenticator and two-step login with a hardware key.
    The source code for Bitwarden is hosted on GitHub, with separate repositories for desktop, server, web, browser, mobile, and command-line projects. It has all the checklist features of commercial personal password managers, including secure cloud syncing. If you’re uncomfortable with storing your passwords in the Bitwarden cloud, you can host the infrastructure on your own server, using Docker.



    Tesla’s next business: Turning your solar roof and EV into Bitcoin mines

    In my previous post about blockchain and cryptocurrency, I discussed why I thought Tesla was making such a substantial investment in Bitcoin and allowing the cryptocurrency to be used for car purchases in the future. The balance of its revenue stream, which comes from selling surplus Renewable Energy Credits (RECs), will dry up in the next several years as competing automakers can produce their own Zero-Emission Vehicles (ZEVs) and build up their own RECs with states that require them.

    Allowing its customers to purchase vehicles entirely or partially with Bitcoin is potentially one way of differentiating Tesla from other auto manufacturers. But this in and of itself is not a sustainable business strategy. 
    Perhaps Elon Musk has another, even wilder long-term business plan for Tesla, one just as wildly ambitious as building giant reusable space rockets that land on their tails.
    Your solar roof: The ultimate idle money game
    Besides cars, Tesla’s other significant business involves solar panels, solar roofs, and batteries. The batteries are used in their cars and provide power storage for their residential solar systems, sold as the Tesla Powerwall.
    In most states where residential solar is installed, surplus energy from the arrays can be fed back into the grid where the local power company will “net meter” or prorate a customer’s electric bill based on what they generate into or draw from the system. Based on a customer’s consumption and how much a solar system produces, there will be a surplus or a deficit.
    Powerwalls can store that surplus energy and power various things in your home, including air conditioners, and charge your Tesla EV.
    But suppose Tesla added GPUs for mining cryptocurrency to the on-premises energy-management computer already built into its inverter system or the Powerwall. Those units are already connected to home Wi-Fi and already have a management app, so upgrading them (with Wi-Fi 6, a connection to a cryptocurrency network, and an easy-to-use mobile app for managing the cryptocurrency account) would be an achievable systems-integration effort for Tesla, given the company's considerable engineering resources.

    It would then be possible for your home to become the ultimate idle money-producing game — you would generate actual Bitcoins with the surplus energy your solar system makes. That might be more lucrative than getting the net metering discount from your power company, which is not incentivized to be price competitive with your solar system’s energy output, as most of these companies are paying Time-Of-Use (TOU) pricing for your power generation.
    If you have a large enough solar array and you live in a state with plenty of sunshine — and assuming Tesla comes up with an easily expandable, modular design (perhaps even as an add-on product for Powerwall) — you could add a whole chain of these GPUs to your solar computer and make a decent amount of crypto.
    That makes the prospect of installing solar in your home a lot more attractive if you figure the Tesla roof, on average, will cost $50,000 to $75,000, not counting government tax incentives.
    All Tesla needs is a simple app interface to point and click which cryptos you want to mine, API integration with a currency exchange for cash conversion, and, presto, everyone with a solar roof is in the crypto business. 
    Why Tesla and GPUs
    To execute this plan, Tesla would need a power-efficient GPU that requires minimal cooling (perhaps fanless, or even water-cooled). If these GPUs are colocated with the Inverter/Powerwall, they would have to operate in environments that could get as hot as inside a garage during summer months or inside a housing mounted on the outside of your home, unless they are physically networked and placed inside the house and tied into the Inverter or Powerwall’s power distribution system.
    Where would Tesla get such a thing? And why would the company suddenly decide to do this? The idea of using GPUs to mine cryptocurrency while its products are idle, during a charging phase or while generating surplus energy, plausibly arose during the development of its cars' autonomous driving feature and the benchmarking of the onboard computing hardware's capabilities.
    In 2019, the company held an Autonomy Investor Day and claimed that it had switched from NVIDIA GPUs to chips of its own design in the Model S, Model X, and Model 3. At the time, the company's director of silicon engineering, Peter Bannon, stated:

    So here’s the design that we finished. You can see that it’s dominated by the 32 megabytes of SRAM. There’s big banks on the left and right and the center bottom, and then all the computing is done in the upper middle. Every single clock, we read 256 bytes of activation data out of the SRAM array, 128 bytes of weight data out of the SRAM array, and we combine it in a 96 by 96 small add array, which performs 9,000 multiply/adds per clock. At 2 gigahertz, that’s a total of 3.6 — 36.8 TeraOPS.
    We had a goal to stay under 100 watts. This is measured data from cars driving around running a full autopilot stack. We’re dissipating 72 watts, which is a little bit more power than the previous design, but with the dramatic improvement in performance, it’s still a pretty good answer. Of that 72 watts, about 15 watts is being consumed running the neural networks.
    In terms of costs, the silicon cost of this solution is about 80% of what we were paying before. So we are saving money by switching to this solution. And in terms of performance, we took the narrow camera neural network, which I’ve been talking about that has 35 billion operations in it, we ran it on the old hardware in a loop as quick as possible and we delivered 110 frames per second. And we took the same data, the same network, compiled it for hardware for the new FSD computer, and using all 4 accelerators, we can get 2,300 frames per second processed, so a factor of 21.

    In 2021, the GPU used in Tesla's latest vehicles is even more ambitious. The newest Model S (and, supposedly, the Model X) uses a custom AMD RDNA 2 GPU with 10 teraflops of computing power, which puts it on par with some of the most powerful gaming consoles on the market, such as the Sony PS5. With an onboard system like this, you wouldn't even need a GPU-equipped Powerwall: while the vehicle is being charged, its GPU could be mining cryptocurrency as well.
    The business opportunity
    So, Tesla certainly has plenty of experience with GPUs, but can it use them as a key differentiator from other automakers and solar technology companies like Enphase Energy, Samsung, LG, and Panasonic, the current market leaders in the solar space?
    While sleeker and more tightly integrated, Tesla’s solar roof is more expensive than competing solutions, and that’s been hampering adoption. Its solar roof solution is currently only more competitive in scenarios where an entire roof has to be replaced.
    Having a roof that generates income from surplus energy could be a significant selling point, especially if a substantial portion of the cryptocurrency income could be applied to the financed cost of the solar panels or to the payments on a Tesla vehicle. If it brought the effective price of a Model S down from $75,000 to $65,000 over a five-year finance term, or a $50,000 Model 3 to $40,000, that would be a good incentive. It would also shorten the payback period on a $70,000 roof, even if the GPU component adds a few thousand dollars to the purchase price.
    Tesla could also pro-rate the expense of the roofs (and the vehicles) by effectively leasing the GPUs’ space in each home (or at commercial business where the roofs or solar cells are installed) and keep the balance of the crypto income for themselves.
    And if you bought that vehicle or that roof or panels in cash? That vehicle’s GPU or the solar roof GPU stack (assuming you can add several just as you can with multiple Powerwalls) should be building assets for you that increase in value. Tesla shouldn’t get to keep any of it.
    However, instead of using the cryptocurrency generated by the systems to pay off fiat currency-based financing, it is more likely that it could be used to build up “credits” in an escrowed account Tesla would honor toward future purchases. Tesla itself would keep the cryptocurrency income, like Bitcoin, Dogecoin, or whatever instrument the GPUs generate — but the consumer would have loyalty points accumulated. If a new car costs 100,000 loyalty points, and over five years, your roof and your vehicle generate 30,000, that could be used towards your next vehicle purchase — locking you into that ecosystem.
    Is Tesla going to differentiate from other solar and auto manufacturers by using automotive and solar energy compute GPUs to generate cryptocurrency? Talk Back and Let Me Know.



    More bosses are using software to monitor remote workers. Not everyone is happy about it

    Research suggests as many as one in five businesses are now using technology capable of monitoring worker activity. 
    Finding effective ways of managing remote workers will be a priority of many businesses in the months to come, as new styles of working spurred by COVID-19 settle into long-term trends.
    While many organizations have been able to keep teams running successfully using a hodgepodge of email, messaging apps and video-conferencing software, managers that want more visibility of their remote workers have started looking towards more comprehensive means of keeping a detailed track of what employees are up to. That means a renewed interest in remote management and monitoring software.

    Remote monitoring software is often sold as a tool for helping employers track productivity and as a means to help managers identify areas where workplace processes can be improved – something high on the agenda for businesses looking to make flexible working a permanent fixture.
    These technologies provide a variety of capabilities that can give employers a remarkable insight into how employees use their time while at work, including the websites they visit, the apps they use, and in some cases include the ability to record their keystrokes and desktop sessions. 
    According to research from Skillcast and YouGov in December 2020, as many as one in five businesses are now using technology capable of tracking workers’ online activity, or have plans to do so in the future. In a separate study by the UK’s Trades Union Congress (TUC) in November, one in seven employees reported that their workplace had increased monitoring and surveillance since the start of the pandemic.
    While businesses may have legitimate reasons for wanting to introduce activity-tracking software, particularly in those industries that handle high-value data on a day-to-day basis, some have raised concerns over what the slow creep of this technology into the remote-working environment means for employee privacy, particularly as the boundaries that separate work and private life become even more blurred.

    “I think there are huge questions around how technology is changing our relationship to work and with employers, but also the speed at which it's being introduced,” says Andrew Pakes, director of communications and research at the professional trade union Prospect.
    “During COVID-19, we’ve seen this growing interest in the use of digital technology to support remote working, and in many ways, that’s been a real benefit to support and connect people. But alongside the positive use of technology, we’ve seen this worrying trend of intrusive surveillance, and a rush to use these new forms of software.”
    Prospect has been vocal in its pursuit for clearer guidance around the use of remote monitoring software, and what more widespread introduction of the technology into businesses means.
    Research carried out by YouGov on behalf of Prospect last year suggested that two-thirds of employees were uncomfortable with the notion of employers recording information like screenshots and keystrokes while they were working from home.
    Since then, the union has called on the UK Information Commissioner's Office (ICO) to provide further clarity on what workers' rights are when it comes to the data employers collect on them, as well as to ensure that workers have a say in the conversation around workplace technology.
    Pakes calls the practice of monitoring employees “a discreet discussion that too often happens in procurement and board rooms”, but far away from employees themselves.
    “The law is clear that workers have a right to be informed if their data is being collected for surveillance purposes, and we have a right to be consulted. Our worry is that, too often, that consultation involvement isn’t happening,” says Pakes.
    “We’re saying two things. One, the ICO needs to provide greater and clearer guidance so that workers can see what their rights are. Secondly, we really need to start picking up and looking at where the gaps exist in existing legislation.”
    What does GDPR say?
    The ICO's Employment Practices Code warns that businesses risk breaching the General Data Protection Regulation (GDPR) if they begin monitoring employees without a proper basis for doing so.
    It also states that workers should be left with a clear understanding of when information about them is likely to be obtained, why it is being obtained, how it will be used and to whom – if anyone – it will be disclosed.
    “If monitoring is to be justified on the basis that it is necessary to enforce the organization’s rules and standards, [these] must be known and understood by workers,” the guidance reads. And yet, in TUC’s November survey, fewer than 1 in 3 (31%) employees said they were consulted when new forms of technology were introduced to the workplace.
    There are six lawful bases for processing personal data under GDPR: clear consent from the individual in question; contractual obligation; legal obligation; vital interest to the individual; public interest; and the legitimate interests of the data controller.
    Sarah Pearce, privacy and cybersecurity partner at global law firm Paul Hastings, says this is where things can get murky for remote monitoring tools, particularly those that collect anything that could be deemed as sensitive or personal data under GDPR.
    “When it pushes into the border of special category and sensitive data, then there is more of an issue, because there are certain additional conditions in Article 9 of GDPR that need to be satisfied,” she tells ZDNet.
    Pearce also finds that companies are increasingly seeking to justify remote monitoring tools under the grounds of ‘legitimate interest’ under GDPR. “From speaking to my employment colleagues, it is very difficult to find a legal basis to justify monitoring in that way,” she says.
    Using the consent mechanism can also be problematic for employers. “There is a big issue with using consent in the employment context. Generally speaking, you cannot use the consent mechanism in an employment context, because it’s seen as being an unfair balance of power,” says Pearce.
    Employees not ready
    Certainly not all staff are comfortable with such monitoring. Microsoft faced criticism from privacy advocates who took issue with its Productivity Score feature for Microsoft 365. The tool analysed how users within an organization used Microsoft 365 products and then assigned them an overall “productivity score” based on how often they engaged with things like meetings, email and messaging apps.
    The outcry mainly stemmed from the fact that Productivity Score showed analytics for individual employees that could potentially be used by managers to judge their performance. Microsoft subsequently pared back the tool by removing the ability for admins to view data on named employees.
    Microsoft 365 corporate vice president, Jared Spataro, later clarified that Productivity Score was not designed as a tool for surveillance, but rather to help businesses identify how users were working within its software suite and help them run remote-working environments more successfully.
    Regardless of employee attitudes to these kinds of tools, the fact that Microsoft is making moves in this space is enough to set alarm bells ringing for Pakes, who sees it as a sign that the technology is moving into the mainstream.
    “If Microsoft is introducing tools that can be used for work-based surveillance, then lots of other software products will be offering similar forms of monitoring that employers can use,” he says.
    “It was sold as a really exciting product for employers, that you could check what your workers are doing. That sets alarm bells off to me. What it says is that workers don't have a seat at the table when these issues are being discussed, either by big software companies or inside businesses, and that we need to get a better understanding of what the power of these tools are.”
    A booming business
    Both employers and employees agree that remote working, or at the very least a combination of both at-home and office-based working, is going to form the foundations of the post-COVID work economy. It stands to reason, then, that more organizations will be looking for tools that can make this sustainable in the long-term, by leveraging the kind of insights that can be enabled by analytics and reporting capabilities – particularly if it offers to fix problems that the rushed approach to remote working has created.
    “What businesses want to know right now is really two things. One: what are the employees working on when they are working from home? And two: trying to bring back that level of security that they had in an office environment,” says Eli Sutton, VP of operations at Teramind.
    Teramind’s software offers a combination of user productivity monitoring, data loss and threat detection tools for employers who need deeper insight into workplace activity. The company has customers throughout the healthcare, legal, automotive, energy, government and financial industries.


    Sutton says the software ensures that workers are using company time properly. Teramind can track which websites employees visit and for how long; live-stream and record workers’ desktop sessions, monitor employee keystrokes and read the contents of their email, along with any attachments.
    The purpose of the software is two-fold: keeping track of productivity and performance, as well as protecting businesses from any harm they could be exposed to as a result of data leaks, fraud or, in the case of banking and finance, insider trading.
    “Typically our customers in the financial sector use the solution on the security side of things: making sure that users who have access to their data don’t either accidentally or maliciously leak information that could cause financial harm or harm to their credibility,” says Sutton.
    “On the productivity side, it’s essentially monitoring of websites and applications. From there, you can drill down and see exactly how much time they spend on either these websites or applications, if there are websites or applications that don’t necessarily fit within their company tasks, and how much time was spent on those.”
    Sutton explains that features can be enabled or disabled based on what customers want from the software. He also suggests that, for the most part, organizations aren't using Teramind's software to micromanage employees or call them out for spending too much time on YouTube (although this is something the software can flag).
    “The only time it really comes to discussion is if somebody’s really abusing company policy. For the most part, it’s more about making sure the user has all the resources necessary, especially during the work-from-home environment,” he says.
    “We’ve found that, for many of our customers, they’ve discovered that particular users were taking longer to complete certain tasks. Through the solution, they found that it was because they were lacking the essential tools while working at home to complete these tasks.”
    Whatever your take on the technology is, there is clearly an appetite for it. According to Sutton, Teramind has seen business increase three-fold since the start of the pandemic.
    “Even today, with talks of vaccinations and talk of people going back to work, we’re still seeing an increase,” he says.
    The right to disconnect
    The fact that a large chunk of the professional workforce is now working from home adds another degree of complexity to the debate around remote monitoring software.
    In December, the European Parliament voted in support of granting digital workers in Europe a fundamental ‘right to disconnect’ from work-related tasks outside of working hours, without facing consequences from their employers.
    In January, MEPs called for this to be enshrined into EU law, saying it was crucial for preventing burnout among workers in a culture that pressured them to be always on – an issue that has undoubtedly been exacerbated by the pivot to working from home.
    Pakes argues that the rise of remote monitoring tools, particularly as they move into the home, would make it even harder for workers to disengage from work. “This creeping boundary of what is our home life and our right to a private life, I think, is going to be one of the great challenges of this decade,” he says.
    “This is a fundamental change, and that’s why we’ve got to ensure that we’re using the rights that we’ve got, but we also have an embracing conversation about, what does it look like for the future?”
    Kiri Addison, head of data science for threat intelligence and overwatch at Mimecast, suggests that more invasive forms of remote monitoring and surveillance software risk eroding trust between employer and employee.
    “Personally, I think to go to those extremes is probably more damaging for the relationship between the employer and the company,” she tells ZDNet.
    “There are cases where particular employees see it then as a game, they’re trying to get around the monitoring software, and you’re introducing security risks. It’s not a good dynamic, the relationship between the company and the employee, if they see the company as an enemy or someone they have to ‘beat’.”
    Gartner analyst Whit Andrews shares a similar view, adding that workers may view monitoring attempts as a breach of the “social contract” between employer and employee.
    “It’s unsurprising then that we’re beginning to see that workers are not particularly pleased with increased capacity to monitor them,” he tells ZDNet.
    “They’re seriously concerned about this, and their reaction is understandably oriented towards evading the system… When you start talking about monitoring workers in their homes, I think that social contract becomes a little bit harder to defend.”
    ICO guidance makes clear that, in all but the most straightforward of cases, employers should perform a Data Protection Impact Assessment (DPIA) to decide if and how to carry out monitoring, and whether monitoring is justified to begin with.
    A DPIA can help organizations identify and minimize any risks associated with projects that include processing personal data, particularly those that could pose a high risk to individuals, and are something that Pearce always recommends to clients that are thinking about going down the monitoring avenue.
    “A DPIA really is an assessment, evaluation, and in-depth analysis of what you are anticipating doing: what are your reasons, what are your anticipations, and then equally, what is the impact on the individuals? That has to be very in-depth,” she says.
    “The ICO has a template standard form. It’s not a requirement that you follow it in that way, but it does set out some suggestions of what you might want to include in a DPIA. Any company looking to do that would be well-advised to have a look at that.”
    Current guidance ‘woefully outdated’
    Of course, with many organizations having been forced to move to cloud-based working almost overnight, businesses have been left with little time to draw up new technology blueprints for the months and years ahead.
    Reports have suggested that some organizations have had to bring forward their digital transformation plans by as many as five years, and that guidance could be slow to catch up.

    Last month, Labour shadow digital minister, Chi Onwurah, warned that “guidance and regulation to protect workers are woefully outdated in light of the accelerated move to remote working and rapid advancements in technology,” and called on ministers to provide better regulatory oversight of online surveillance software to ensure people have the right to privacy whether in their workplace or home, “which are increasingly one and the same.”
    Speaking to ZDNet, Onwurah says that neither the Government nor the ICO have responded to this dramatic change in our working lives, leaving far too many subject to exploitative practices.
    “There is a woeful lack of protection for workers as they bring their work home in this pandemic, and they are also increasingly being subject to unacceptable levels of digital surveillance without their informed consent,” she warns.
    An ICO spokesperson told ZDNet that the organization was in the early stages of developing new employer-focused guidance, though didn’t specify whether this would contain provisions for the use of remote monitoring and surveillance software.
    “As this work develops, we will be engaging with organizations and seeking their views,” the spokesperson said.
    Pakes worries that too much of the ICO guidance is focused on employers, rather than workers themselves. “Yes, the ICO has a role to provide advice to employers, but it also has a role to provide it to workers,” he says.
    “The ICO never says we’re going to provide clear guidance for workers so that you can see your rights. They only talk about guidance for employers, and I think we’ve got to redress that balance.”
    Technology vs Trust
    Clearly, there is a balance to strike in making remote working sustainable for businesses in the long term, while respecting the rights of employees and ensuring that their homes remain safe havens from the demands of work.
    Employers will undoubtedly need more visibility over staff who are working on home networks that may be less secure than corporate ones, particularly if they’re regularly dealing with valuable data. But what degree of monitoring this requires – or is perhaps necessary – is another question.
    You could argue that employees who are doing the work they’re meant to do have nothing to worry about. But the issue doesn’t seem to be employers having tools to catch workers not doing their jobs, but what it means for trust, transparency and fairness in working environments increasingly governed by analytics.
    Employees have already proven that they can be trusted to work from home and still be productive. Is remote monitoring software needed to ensure it stays that way?
    “We’ve long argued that workers should have flexibility. What we want to avoid is a return to presenteeism, where people are told they have to be in the office when they don’t,” says Pakes.
    “We’ve inverted our economic model over the past year and we’ve proved that many of us can work safely and securely and productively from home.
    “If we’re going to be using digital technology to create a kind of national framework for the future of work, we’ve got to ensure that we are amplifying the benefits and having serious conversations about minimizing the risks. And surveillance is one of them.”


    Tracker pixels in emails are now an ‘endemic’ privacy concern

    Invisible pixels used to track email activity are now an “endemic” issue that breaches our privacy, analysts suggest. 

    This week, the Hey messaging service analyzed its traffic following a request from the BBC and discovered that roughly two-thirds of emails sent to its users’ private email accounts contained what is known as a “spy pixel.”
    Spy pixels, also known as tracking pixels or web beacons, are invisible, tiny image files — including .PNGs and .GIFs — that are inserted in the content body of an email. 
    They may appear as clear, white, or another color to merge with the content and remain unseen by a recipient and are often as small as 1×1 pixels.
    The recipient of an email does not need to directly engage with the pixel in any way for it to track certain activities. Instead, when an email is opened, the tracking pixel is automatically downloaded — and this lets a server, owned by a marketer, know that the email has been read. Servers may also record the number of times an email is opened, the IP address linked to a user’s location, and device usage. 
    Similar pixels are also widely used on web domains to track visitors. 
    Tracking pixels have been around for some time but are not well-known. For marketers, pixels can be an invaluable method to measure engagement levels, estimate the success of marketing campaigns, and potentially to send follow-ups and more personalized notes when a message has been read, but not responded to. 

    However, according to Hey co-founder David Heinemeier Hansson, they also represent a “grotesque invasion of privacy.”
    Hansson told the publication that on average, the company processes one million emails and over 600,000 pixel tracker attempts are blocked every day. If you bring these levels up to the millions and millions of emails processed by services such as Gmail or Outlook, the suggestion that pixel tracker usage is “endemic” may be realistic. 
    In Europe, GDPR demands that organizations tell recipients of the use of such pixels. However, the water has been muddied surrounding the transparency necessary to implement pixel tracking, as consent is not always required — and when it is, this could be ‘obtained’ automatically when a user signs up to an email service and is asked to read a privacy notice published on a website.
    The UK’s own Information Commissioner’s Office (ICO), which acts as a data protection watchdog, uses pixels to track email openings in its newsletter, as noted by the publication. Users are clearly told of the trackers at sign-up; however, the ICO intends to remove this functionality soon. 
    It is possible to prevent tracking pixels from triggering by disabling the automatic loading of remote images in your email client or webmail, or by installing email and browser add-ons that block trackers.
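The mechanism above (a tiny or hidden remote image whose fetch reports the open) is something a mail gateway or client can detect before it loads any images. The following detector is an added example for this article, not code from Hey, the BBC or any vendor; the sample email, host names and size thresholds are constructed assumptions.

```python
"""Flag likely tracking pixels ("spy pixels") in an HTML email body.

Heuristics follow the article: a remotely hosted <img> that is declared
1x1 (or smaller), hidden via CSS, or fetched from a URL carrying a long
opaque per-recipient token. Only remote images matter: cid:/data: images
trigger no request to a marketer's server. Thresholds are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that forces a 0/1 px dimension, or hides the element outright.
TINY_CSS = re.compile(r"(?i)\b(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)")
HIDDEN_CSS = re.compile(
    r"(?i)display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)")
# Long opaque path/query segment: typical of a per-recipient open token.
# This is the noisiest rule (CDN asset hashes also match), so it is
# reported as one reason among several rather than trusted alone.
TOKEN = re.compile(r"[A-Za-z0-9_\-]{24,}")

# Constructed sample: one real banner, two beacons, one embedded logo.
SAMPLE_EMAIL = """<html><body>
<p>Hello, here is your monthly newsletter.</p>
<img src="https://cdn.example.com/newsletter/header-banner.png" width="600" height="120" alt="Banner">
<img src="https://track.example.net/o/aGVsbG8td29ybGQtdHJhY2tlci1pZA" width="1" height="1" alt="">
<img src="https://px.example.org/open.gif" style="display:none;width:1px;height:1px" />
<img src="cid:inline-logo" width="1" height="1">
</body></html>"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag, with lower-cased keys."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):  # also called for <img ... />
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute such as '1', '1px' or ' 600 '."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _is_remote(src):
    """True if loading the image would contact an external server."""
    return src.startswith("//") or urlparse(src).scheme in ("http", "https")


def classify_img(attrs):
    """Return the reasons this <img> looks like a beacon ([] if none)."""
    src = attrs.get("src", "").strip()
    if not _is_remote(src):
        return []
    reasons = []
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("declared size <= 1px")
    style = attrs.get("style", "")
    if TINY_CSS.search(style):
        reasons.append("css size <= 1px")
    if HIDDEN_CSS.search(style):
        reasons.append("hidden by css")
    parsed = urlparse("https:" + src if src.startswith("//") else src)
    if TOKEN.search(parsed.path + parsed.query):
        reasons.append("opaque per-recipient token in url")
    return reasons


def find_tracking_pixels(html_body):
    """Return [{'src': ..., 'reasons': [...]}] for each suspicious <img>."""
    collector = _ImgCollector()
    collector.feed(html_body)
    collector.close()
    hits = []
    for attrs in collector.images:
        reasons = classify_img(attrs)
        if reasons:
            hits.append({"src": attrs.get("src", ""), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

A client that runs this before rendering can block just the flagged fetches instead of all images, which keeps legitimate banners visible while the open-report never leaves the machine.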


    Indonesian internet regulatory laws are serious threat to free expression rights: EFF

    The Electronic Frontier Foundation (EFF) has called for the Indonesian government to amend its internet regulation legislation, labelling the laws as a “serious threat to Indonesians’ free expression rights”.
    The internet regulatory laws came into force in November last year as part of efforts to create a regulatory framework regarding the management and supervision of electronic system providers by private entities.
    The laws, currently only available in Bahasa Indonesian, have made it mandatory for all private electronic system operators (ESO) to register and obtain an ID certificate issued by the Indonesian government, according to international law firm Hogan Lovells.
    The obligation extends to all private ESOs that operate internet portals, websites, and applications that are used for trading, delivering content, search engines, or cloud computing, Hogan Lovells partner Chalid Heyder wrote [PDF].
    Failure to register by May 24 will result in the domestic internet regulator sanctioning non-registrants by blocking their services and content.
    The Indonesian laws also give the government the power to compel private ESOs, except for cloud providers, to take down prohibited information, which includes content that creates “anxiety for society” and “disturbs public order”.
    “This creates a chilling effect on free expression: Platforms will naturally choose to err on the side of removing gray area content rather than risk the punishment,” EFF said in a blog post. 

    “In fact, the Indonesian government is exploring new lows in harsh, intrusive, and non-transparent internet regulation. The MR5 regulation, issued by the Indonesian Ministry of Communication and Information Technology, seeks to tighten the government’s grip over digital content and users’ data.”
    Private ESOs are also required to appoint a local point of contact based in Indonesia that would be responsible for responding to content removal or personal data access orders. 
    According to the EFF, platforms will find it much harder to resist orders and be vulnerable to domestic legal action, including potential arrest and criminal charges.
    In response to blocking orders received from the Indian government that threatened to imprison the company’s employees, Twitter permanently banned or hid over 500 accounts on its platform last month.
    On the same day the EFF criticised the Indonesian government, both Google and Reddit published updates that focused on the impact of coordinated influence operation campaigns and spam, respectively, on their platforms.
    Google’s quarterly threat analysis group update revealed that it blocked almost 3,000 YouTube channels as part of ongoing investigations into coordinated influence operations linked to China.
    The near-3,000 blocked channels primarily posted spammy content in Chinese about music, entertainment, and lifestyle, while a small subset uploaded content in Chinese and English criticising the US response to COVID-19 and political divisions.
    In the Reddit transparency update, the platform revealed it removed 85 million pieces of spam content. It also said it received 611 standard requests for user information by law enforcement or government and 324 emergency disclosure requests, although it did not specify what types of warrants were used to issue these requests and only described one such request in detail.
    That one request came from the Pakistan Telecommunication Authority, which alleged that 812 Reddit communities contained obscenity and nudity that violated its domestic online criminal laws. Of those 812 subreddits reported by the Pakistani regulator, the platform restricted access in the country to 753 of them. 

    Telstra recommends amending existing telco Acts instead of creating duplication

    Telstra has asked that Australia’s pending national critical infrastructure laws avoid creating duplicate or conflicting requirements for the telecommunications sector, highlighting that the existing regimes it is bound by already “work well”.
    The Security Legislation Amendment (Critical Infrastructure) Bill 2020 aims to implement “an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure”.
    Among other things, the Bill introduces a positive security obligation (PSO) for critical infrastructure entities, along with sector-specific requirements and mandatory reporting requirements to the Australian Signals Directorate (ASD). Telecommunications is one such sector that would be deemed as “systems of national significance” under the Bill, which would update the Security of Critical Infrastructure Act 2018 (SOCI Act).
    As a telecommunications provider, Telstra is covered by the Telecommunications Sector Security Reforms (TSSR) regime.
    “The telecommunications sector has a well-established and robust security regime in the TSSR,” Telstra told the Parliamentary Joint Committee on Intelligence and Security (PJCIS). “Industry has invested capital and resources into its network security and resilience to comply with the TSSR security obligation. The TSSR works well and has resulted in excellent engagement with the Department of Home Affairs along with operational compliance with the security requirements.”
    As a result, Telstra has recommended that government achieve its systems of national significance objectives by leveraging existing obligations under the TSSR as far as possible and working closely with industry to ensure those obligations align with those under the SOCI Act.
    “The TSSR framework has been in place for more than two years, enabled the telecommunications sector to mature and uplift its security awareness and posture, more so than other sectors, and is a regime that works well,” it said.

    It suggested that this be done by applying the Act only to those critical telecommunications assets declared as systems of national significance, so that the enhanced cybersecurity obligations would apply only to those assets; enhancing the TSSR to carry the new Bill’s PSO; and applying more “objective” criteria and thresholds to elements of the PSO and the government assistance powers.
    “Telstra’s recommended approach avoids potential operational and compliance issues resulting from duplicated security regimes for the telecommunications sector,” Telstra said.
    “It also recognises the maturity of the sector and the significant capital and resources this sector has already invested into network security and resilience over several years, to comply with the TSSR security obligation.”
    The Bill also introduces government assistance to entities in response to significant cyber attacks on Australian systems.
    Tech giants operating in Australia, such as Amazon Web Services (AWS), Cisco, Microsoft, and Salesforce, have all taken issue with these “last resort” powers, but the ASD expects intervention in the cyber attack response of companies considered critical infrastructure to only occur in rare circumstances.
    Telstra has asked these powers be inserted into the TSSR and for them to be used only as a final resort.
    Meanwhile, despite reiterating many of the concerns it shared during the Bill’s pre-consultation, AWS has provided the PJCIS with a further 11 recommendations to consider when reporting on the draft legislation.
    One of the recommendations is the complete removal of government powers to respond to serious cybersecurity incidents.
    “The powers are too broad and give the government exceptionally broad powers to gather information, issue directions, or act autonomously to directly intervene in an asset without adequate limitations or guardrails,” it wrote [PDF].
    Instead, AWS recommends talking with industry about what its aims actually are to come to a more appropriate resolution.
    The cloud giant also wants the removal of government ability to enact sector-specific rules without consultation.
    Meanwhile, the Group of Eight (Go8) — comprising the University of Adelaide, the Australian National University, the University of Melbourne, Monash University, UNSW Sydney, the University of Queensland, the University of Sydney, and the University of Western Australia — believes the government has in fact not yet identified any critical infrastructure assets in the higher education and research sector.
    As a result, the Go8 wants the government to set out a detailed and compelling case for why higher education and research should be included as a critical infrastructure sector, given the regulatory ramifications.
    In doing so, it has suggested the use of established mechanisms, such as the Guidelines to Counter Foreign Interference in the Australian University Sector, as a way of meeting the PSO for the sector.
    “The Go8 considers the catch-all nature of the legislation as proposed for the higher education and research sector to be highly disproportionate to the likely degree and extent of criticality of the sector,” its submission [PDF] to the PJCIS reads.
    The group is concerned Australia is the only Five Eyes nation to consider higher education and research as critical infrastructure.

    Centreon says only 15 entities were targeted in recent Russian hacking spree

    French software company Centreon said today that none of its paid customers were the victims of a years-long hacking campaign that came to light on Monday.

    Exposed in a report published by ANSSI, France’s cyber-security agency, the hacking campaign lasted between 2017 and 2020, and targeted companies running Centreon’s primary product, a software package of the same name, used for monitoring IT resources inside large companies.
    Hackers, believed to be linked to the Russian government, breached companies running the software and installed malware to perform silent surveillance.
    But in a press release today, Centreon said that none of its primary commercial customers were hit in these attacks. Only companies that downloaded the open-source version of the Centreon app, which the company freely provides on its website, were impacted, Centreon said.
    “According to discussions over the past 24 hours with ANSSI, only about fifteen entities were the target of this campaign, and that they are all users of an obsolete open source version (v2.5.2), which has been unsupported for 5 years,” the French company said today.
    That version was released in November 2014, and Centreon said companies deployed it “without respect for the security of servers and networks.”
    “Since this version, Centreon has released eight major versions,” the company said.

    Centreon, which declined to comment yesterday immediately after the ANSSI report’s release, had to issue a statement to prevent its reputation from being damaged, similar to how companies started abandoning the SolarWinds Orion IT monitoring platform following news of a major security breach last December.
    On its website, Centreon lists customers such as Airbus, Agence France Press, Euronews, Orange, Lacoste, Sephora, ArcelorMittal, Total, SoftBank, Air France KLM, and several French government agencies and city governments.
    However, none of these appear to have been attacked, according to Centreon. Furthermore, the ANSSI report said the attackers primarily targeted web hosting companies.
    The French cyber-security agency also drew some thin lines between the attacks and a hacking group known as Sandworm, linked last year by the US government to Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency that is part of the Russian Army.
    The connection between the attacks and Sandworm was the use of Exaramel, a type of multi-platform backdoor trojan that the attackers installed on servers after gaining a foothold via the Centreon software.
    Costin Raiu, Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, also said on Monday that Sandworm was the only group seen using the Exaramel malware described in the ANSSI report, corroborating the agency’s findings.

    6/9 Hades / Sandworm is the only known group that uses Exaramel. Exaramel has code similarities with the Industroyer main backdoor. The report does not include other public links to Hades / Sandworm.
    — Costin Raiu (@craiu) February 16, 2021