/proprietary/proprietary-insecurity.html-diff
<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: (削除) 1.79 (削除ここまで) (追記) 1.96 -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="yes" -->
<!--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please do not edit <ul class="blurbs">!
Instead, edit /proprietary/workshop/mal.rec, then regenerate pages.
See explanations in /proprietary/workshop/README.md.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (追記ここまで)
-->
<title>Proprietary Insecurity
- GNU Project - Free Software Foundation</title>
(追記) <link rel="stylesheet" type="text/css" href="/side-menu.css" media="screen,print" /> (追記ここまで)
<!--#include virtual="/proprietary/po/proprietary-insecurity.translist" -->
<!--#include virtual="/server/banner.html" -->
(追記) <div class="nav">
<a id="side-menu-button" class="switch" href="#navlinks">
<img id="side-menu-icon" height="32"
src="/graphics/icons/side-menu.png"
title="Section contents"
alt=" [Section contents] " />
</a>
<p class="breadcrumb">
<a href="/"><img src="/graphics/icons/home.png" height="24"
alt="GNU Home" title="GNU Home" /></a> /
<a href="/proprietary/proprietary.html">Malware</a> /
By type /
</p>
</div>
<!--GNUN: OUT-OF-DATE NOTICE-->
<!--#include virtual="/server/top-addendum.html" -->
<div style="clear: both"></div>
<div id="last-div" class="reduced-width"> (追記ここまで)
<h2>Proprietary Insecurity</h2>
(削除) <a href="/proprietary/proprietary.html">Other examples of proprietary malware</a> (削除ここまで)
(追記) <div class="infobox">
<hr class="full-width" /> (追記ここまで)
<p>Nonfree (proprietary) software is very often malware (designed to
mistreat the user). Nonfree software is controlled by its developers,
which puts them in a position of power over the users; <a
href="/philosophy/free-software-even-more-important.html">that is the
basic injustice</a>. The developers (追記) and manufacturers (追記ここまで) often exercise
that power to the detriment of the users they ought to serve.</p>
<p>This (追記) typically takes the form of malicious functionalities.</p>
<hr class="full-width" />
</div>
<div class="article">
<p>This (追記ここまで) page lists clearly established cases of insecurity in proprietary
software that has grave consequences or is otherwise
(削除) noteworthy.</p>
<p>It would be incorrect (削除ここまで) (追記) noteworthy. Even
though most of these security flaws are unintentional, thus are not
malicious functionalities in a strict sense, we report them to show that
proprietary software is not as secure as mainstream media may say.</p>
<p>This doesn't imply that free software is immune (追記ここまで) to (削除) compare (削除ここまで) (追記) bugs or insecurities.
The difference between free and (追記ここまで) proprietary software (追記) in this respect is
the handling of the bugs: free software users are able to study the
program and/or fix the bugs they find, often in communities as they are
able to share the program, while proprietary program users are forced to
rely on the program's developer for fixes.</p>
<p>If the developer does not care to fix the problem — often the case for
embedded software and old releases — the users are sunk. But if the
developer does send a corrected version, it may contain new malicious
functionalities as well as bug fixes.</p>
<div class="important">
<p>If you know of an example that ought to be in this page but isn't
here, please write
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>
to inform us. Please include the URL of a trustworthy reference or two
to serve as specific substantiation.</p>
</div>
<div class="column-limit" id="proprietary-insecurity"></div>
<ul class="blurbs">
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202510240">
<!--#set var="DATE" value='<small class="date-tag">2025-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Universe Browser, tied to online gambling platforms
in Asia and marketed as a “privacy browser,” <a
href="https://arstechnica.com/security/2025/10/this-browser-claims-perfect-privacies-protection-but-it-acts-like-malware/">
installs various malicious functionalities</a> in the user's
computer.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202508060">
<!--#set var="DATE" value='<small class="date-tag">2025-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Academic researchers have published an <a
href="https://arstechnica.com/google/2025/08/researchers-use-calendar-events-to-hack-gemini-control-smart-home-gadgets/">
attack</a> that led Google's supposed “intelligence” [*]
to obey malicious commands to manipulate devices in the user's
home.</p>
<p>Giving Google control of your devices, or control of your own
computing that you do on their servers, inevitably makes you vulnerable
to Google.</p>
<p>This announcement shows that the vulnerability includes third-party
crackers [**] too.</p>
<p>The article says that the crack discoverers worked (追記ここまで) with (追記) Google
to “mitigate“ the danger. What, concretely, does
“mitigate“ mean here? Probably in this case it is (追記ここまで) a
(削除) fictitious idea (削除ここまで) (追記) weasel
word to suggest fixing a problem without claiming to have fixed it.</p>
<p>[*] <small>Let's not call these systems “artificial
intelligence.” Intelligence is something <a
href="/philosophy/words-to-avoid.html#ArtificialIntelligence">they
do not have</a>.</small></p>
<p>[**] <small>Please note that the article
wrongly refers to crackers as “<a
href="/philosophy/words-to-avoid.html#Hacker">hackers</a>.”</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202506030">
<!--#set var="DATE" value='<small class="date-tag">2025-06</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Researchers discovered that the Meta Pixel and Yandex
Metrica trackers, which are embedded in many websites, have been <a
href="https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/">
spying on behalf (追記ここまで) of (追記) the native Meta and Yandex Android apps</a>
respectively, by taking advantage of security flaws in the Android
API. When the user of an Android device accessed these pages
with a browser such as Chrome, the trackers made all browsing
data available to the native apps running in the background. The
data could then be correlated to the user account or the Android
<a href="/proprietary/proprietary-surveillance.html#M201812290">
Advertising ID</a>, i.e. de-anonymized.</p>
<p>Although Meta and Yandex have discontinued this type of spying, they
may resume it in the future, possibly with other methods, and we don't
know which other companies might follow their example. A foolproof
way to avoid this sort of tracking is to refrain from installing
any proprietary apps on a “smart”phone, especially if
the app has a way of identifying users. To avoid proprietary apps,
we recommend using the <a href="https://f-droid.org/">F-Droid</a>
store instead of Google Play.</p>
<p>Since most trackers, including the Meta Pixel and Yandex Metrica,
are nonfree JavaScript programs, it is also good practice to prevent
nonfree JavaScript from running in the browser, with an add-on such
as GNU LibreJS.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202502210">
<!--#set var="DATE" value='<small class="date-tag">2025-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Apple <a
href="https://www.bleepingcomputer.com/news/security/apple-pulls-icloud-end-to-end-encryption-feature-in-the-uk/">
stopped offering iCloud end-to-end encryption in the UK</a>
after the UK government demanded <a
href="https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/">
worldwide access to encrypted user data</a>. This is one more proof
that storing your own data “in the cloud” puts it at
risk.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202411220">
<!--#set var="DATE" value='<small class="date-tag">2024-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Windows Recall is a feature of Microsoft's Copilot tool that
comes preinstalled on AI-specialized computers. <a
href="https://www.techtarget.com/searchenterpriseai/feature/Privacy-and-security-risks-surrounding-Microsoft-Recall">
Recall records everything users do on their computer</a> and allows
them to search the recordings, but it has numerous security flaws and
poses a risk to privacy. As Recall cannot be completely uninstalled,
disabling it doesn't eliminate the risk because it can be reactivated
by malware or misconfiguration.</p>
<p>Microsoft says that <a
href="https://support.microsoft.com/en-us/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15">
Recall will not take screenshots of digitally restricted
media</a>. Meanwhile, it stores sensitive user information such as
passwords and bank account numbers, showing that whereas Microsoft
worries somewhat about corporate interests, it couldn't care less
about user privacy.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202411040">
<!--#set var="DATE" value='<small class="date-tag">2024-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Pixel 9 “smart”phone <a
href="https://cybernews.com/security/google-pixel-9-phone-beams-data-and-awaits-commands/">
frequently updates Google servers with its location and current
configuration</a> along with personally identifiable data, raising
concerns about user privacy. Moreover, it communicates
with services that are not in use, and periodically attempts to
download experimental, possibly insecure software. The system does
not inform the user that it is doing all this.</p>
<p>There is hope, however: it is possible to <a
href="https://doc.e.foundation/devices"> replace the original Android
operating system with a deGoogled version</a> in Pixel phones up to
8a, and in phones from many other brands. No doubt that the Pixel 9
will be supported soon.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202409200">
<!--#set var="DATE" value='<small class="date-tag">2024-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Kia cars were built with a back door that enabled the company's
server to locate them and take control of them. The car owner had
access to these controls through the Kia server. That the
car owner had such control
is not objectionable. However, that Kia itself had such control
is Orwellian, and ought to be illegal. The icing on the Orwellian
cake is that the server had a security fault which <a
href="https://samcurry.net/hacking-kia">allowed absolutely anyone to
activate those controls</a> for any Kia car.</p>
<p>Many people will be outraged at that security bug, but this was
presumably an accident. The fact that Kia had such control over cars
after selling them to customers is what outrages us, and that must
have been intentional on Kia's part.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202408140">
<!--#set var="DATE" value='<small class="date-tag">2024-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://www.bleepingcomputer.com/news/microsoft/zero-click-windows-tcp-ip-rce-impacts-all-systems-with-ipv6-enabled-patch-now/">
A critical vulnerability in Windows systems
that support IPv6</a> was discovered in 2024, <a
href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063">
16 years after the first affected system</a> was released. Unless
the relevant patch is applied, an attacker can remotely execute
arbitrary code on these systems. Microsoft considers exploits
“likely.”</p>
<p>The same sort of vulnerability in a free/libre operating system
would probably be discovered sooner, since many more people would be
able to look at the source code.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202401180.3">
<!--#set var="DATE" value='<small class="date-tag">2024-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a href="/proprietary/uhd-bluray-denies-your-freedom.html">UHD
Blu-ray disks are loaded with malware of the worst kinds</a>. Among
other things, playing them on a PC requires Intel SGX (Software
Guard Extensions), which not only has numerous security
vulnerabilities, but also was deprecated and removed from
mainstream Intel CPUs in 2022.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202312270">
<!--#set var="DATE" value='<small class="date-tag">2023-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/">
A back door in Apple devices</a>, present and abused from at least
2019 until 2023, allowed crackers to have full control over them by
sending iMessage texts that installed malware without any action on
the user's part. Infections, among other things, gave the intruders
access to owners' microphone recordings, photos, location and other
personal data.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202311300">
<!--#set var="DATE" value='<small class="date-tag">2023-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://www.bleepingcomputer.com/news/security/logofail-attack-can-install-uefi-bootkits-through-bootup-logos/">x86
and ARM based computers shipped with UEFI are potentially vulnerable
to a design omission called LogoFAIL</a>. A cracker can replace the
BIOS logo with a fake one that contains malicious code. Users can't
fix this omission because it is in the nonfree UEFI firmware that
users can't replace.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202306010">
<!--#set var="DATE" value='<small class="date-tag">2023-06</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Eclypsium <a
href="https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/">
discovered an insecure universal back door</a> on many computers using
Gigabyte mainboards. Gigabyte designed their nonfree firmware so they
could add a program to Windows to download additional software from
the Internet, and run it behind the user's back.</p>
<p>To add injury to injury, the back-door program was insecure,
and opened ways for crackers to run their own programs on the
affected systems, also behind the user's back. Gigabyte's “<a
href="https://www.gigabyte.com/Press/News/2091">solution</a>”
was to ensure the back door would only run programs from Gigabyte.</p>
<p>In this case, the back door required the connivance of Windows
accepting the program, and running it behind the user's back. Free
operating systems rightly ignore such “Greek gifts,” so
users of GNU (including GNU/Linux) are safe from this particular
back door, even on affected hardware.</p>
<p>Nonfree software does not make your computer secure—it does
the opposite: it prevents you from trying to secure it. When nonfree
programs are required for booting and impossible to replace, they
are, in effect, a low-level rootkit. All the things that the industry
has done to make its power over you secure against you also protect
firmware-level rootkits against you.</p>
<p>Instead of allowing Intel, AMD, Apple and perhaps ARM to impose
security through tyranny, we should demand laws that require them to
allow users to install their choice of startup software and make
available the information needed to develop such. Think of this as
right-to-repair at the initialization stage.</p>
<p><small>Note: Eclypsium at least mentions the problem of
“unwanted behavior within official firmware,” but does
not seem to recognize that the only real solution is for firmware to
be free, so users can fix these problems without having to rely on
the vendor.</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202211301">
<!--#set var="DATE" value='<small class="date-tag">2022-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Hackers discovered <a
href="https://samcurry.net/web-hackers-vs-the-auto-industry/"> dozens
of flaws in the security (in the usual narrow sense) of many brands
of automobiles</a>.</p>
<p>Security in the usual narrow sense means security against unknown
third parties. We are more concerned with security in the broader
sense—against the manufacturer as well as against unknown
third parties. It is clear that each of these vulnerabilities can
be exploited by the manufacturer too, and by any government that
can threaten the manufacturer enough to compel the manufacturer's
cooperation.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202210140">
<!--#set var="DATE" value='<small class="date-tag">2022-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://www.bleepingcomputer.com/news/security/microsoft-office-365-email-encryption-could-expose-message-content/">
The Microsoft Office encryption is weak</a>, and susceptible to
attack.</p>
<p>Encryption is a tricky field, and easy to mess up. It is wise
to insist on encryption software that is (1) (追記ここまで) free software (追記) and (2)
studied by experts.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202208240">
<!--#set var="DATE" value='<small class="date-tag">2022-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A security researcher found that the iOS in-app browser of TikTok <a
href="https://www.theguardian.com/technology/2022/aug/24/tiktok-can-track-users-every-tap-as-they-visit-other-sites-through-ios-app-new-research-shows">
injects keylogger-like JavaScript code into outside web pages</a>. This
code has the ability to track all users' activities, and to
retrieve any personal data that is entered on the pages. We have
no way of verifying TikTok's claim that the keylogger-like code
only serves purely technical functions. Some of the accessed data
could well be saved to the company's servers, and even sent to
third parties. This would open the door to extensive surveillance,
including by the Chinese government (to which TikTok has indirect
ties). There is also a risk that the data would be stolen by crackers,
and used to launch malware attacks.</p>
<p>The iOS in-app browsers of Instagram and Facebook
behave essentially the same way (追記ここまで) as (削除) perfect. Every nontrivial program (削除ここまで) (追記) TikTok's. The main
difference is that Instagram and Facebook allow users
to access third-party sites with their default browser, whereas <a
href="https://web.archive.org/web/20221201065621/https://www.reddit.com/r/Tiktokhelp/comments/jlep5d/how_do_i_make_urls_open_in_my_browser_instead_of/">
TikTok makes it nearly impossible</a>.</p>
<p>The researcher didn't study the Android versions of in-app
browsers, but we have no reason to assume they are safer than the
iOS versions.</p>
<p><small>Please note that the article wrongly refers
to crackers as “hackers.”</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202207040">
<!--#set var="DATE" value='<small class="date-tag">2022-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A bug in Tesla cars software <a
href="https://www.tweaktown.com/news/86780/new-app-allows-hackers-to-steal-teslas-by-making-their-own-keys/index.html">
lets crackers install new car keys</a>, unlock cars, start engines,
and even prevent real owners from accessing their cars.</p>
<p>A cracker even reported that he was able to <a
href="https://fortune.com/2022/01/12/teen-hacker-david-colombo-took-control-25-tesla-ev/">
disable security systems and take control of 25 cars</a>.</p>
<small>Please note that these articles wrongly use the word “<a
href="/philosophy/words-to-avoid.html#Hacker">hacker</a>”
instead of cracker.</small>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202202090">
<!--#set var="DATE" value='<small class="date-tag">2022-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A security failure in Microsoft's Windows is <a
href="https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/">infecting
people's computers with RedLine stealer malware</a> using a fake
Windows 11 upgrade installer.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202201040">
<!--#set var="DATE" value='<small class="date-tag">2022-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A critical bug in Apple's iOS makes
it possible for attackers to alter a shutdown event, <a
href="https://blog.zecops.com/research/persistence-without-persistence-meet-the-ultimate-persistence-bug-noreboot/">tricking
the user into thinking that the phone (追記ここまで) has (削除) bugs, (削除ここまで) (追記) been powered
off</a>. But in fact, it's still running, (追記ここまで) and (追記) the user can't feel (追記ここまで)
any (削除) system, (削除ここまで) (追記) difference between a real shutdown and the fake shutdown.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202111200">
<!--#set var="DATE" value='<small class="date-tag">2021-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Hundreds of Tesla drivers <a
href="https://www.theguardian.com/technology/2021/nov/20/tesla-app-outage-elon-musk-apologises">were
locked out of their cars as a result of Tesla's app suffering from an
outage</a>, which happened because the app is tethered to the company's
servers.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202111110">
<!--#set var="DATE" value='<small class="date-tag">2021-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Some researchers at Google <a href="https://www.vice.com/en/article/93bw8y/google-caught-hackers-using-a-mac-zero-day-against-hong-kong-users">found
a zero-day vulnerability on MacOS,
which crackers used to target people visiting the websites</a> of
a media outlet and a pro-democracy labor and political group in Hong
Kong.</p>
<p><small>Please note that the article wrongly refers
to crackers as “<a href="/philosophy/words-to-avoid.html#Hacker">hackers</a>”.</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202108170">
<!--#set var="DATE" value='<small class="date-tag">2021-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Various models of security cameras, DVRs,
and baby monitors that run proprietary software <a
href="https://www.wired.com/story/kalay-iot-bug-video-feeds/">are
affected by a security vulnerability that could give attackers access
to live feeds</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202107180">
<!--#set var="DATE" value='<small class="date-tag">2021-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones">
The pegasus spyware used vulnerabilities on proprietary smartphone
operating systems</a> to impose surveillance on people. It can record
people's calls, copy their messages, and secretly film them, using a
security vulnerability. There's also <a
href="https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf">
a technical analysis of this spyware</a> available in PDF format.</p>
<p>A (追記ここまで) free (追記) operating system would've let people to fix the bugs for
themselves but now infected people will be compelled to wait for corporations to
fix the problems.</p>
<p><small>Please note that the article
wrongly refers to crackers as “<a
href="/philosophy/words-to-avoid.html#Hacker">hackers</a>”.</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202107090">
<!--#set var="DATE" value='<small class="date-tag">2021-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A newly found Microsoft Windows vulnerability <a
href="https://edition.cnn.com/2021/07/08/tech/microsoft-windows-10-printnightmare/">
can allow crackers to remotely gain access to the operating system</a>
and install programs, view and delete data, (追記ここまで) or (削除) proprietary, (削除ここまで) (追記) even create new user
accounts with full user rights.</p>
<p>The security research firm accidentally leaked instructions on
how the flaw could be exploited but Windows users should still wait
for Microsoft to fix the flaw, if they fix it.</p>
<p><small>Please note that the article
wrongly refers to crackers as “<a
href="/philosophy/words-to-avoid.html#Hacker">hackers</a>”.</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202106030">
<!--#set var="DATE" value='<small class="date-tag">2021-06</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://techcrunch.com/2021/06/03/tiktok-just-gave-itself-permission-to-collect-biometric-data-on-u-s-users-including-faceprints-and-voiceprints/">TikTok
apps collect biometric identifiers and biometric information from
users' smartphones</a>. The company behind it does whatever it wants
and collects whatever data it can.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202105240">
<!--#set var="DATE" value='<small class="date-tag">2021-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://www.cpomagazine.com/data-privacy/icloud-data-turned-over-to-chinese-government-conflicts-with-apples-privacy-first-focus/">Apple
is moving its Chinese customers' iCloud data to a datacenter controlled
by the Chinese government</a>. Apple is already storing the encryption
keys on these servers, obeying Chinese authority, making all Chinese
user data available to the government.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202105040">
<!--#set var="DATE" value='<small class="date-tag">2021-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A motorcycle company named Klim is selling airbag
vests with different payment methods, one of them is through a <a
href="https://www.vice.com/en/article/93yyyd/this-motorcycle-airbag-vest-will-stop-working-if-you-miss-a-payment">proprietary
subscription-based option that will block the vest from inflating if
the payments don't go through</a>.</p>
<p>They say there is a 30-days grace period if you miss a payment
but the grace period is no excuse to the insecurity.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202105030">
<!--#set var="DATE" value='<small class="date-tag">2021-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The United States' government is reportedly considering <a
href="https://www.infosecurity-magazine.com/news/private-companies-may-spy-on/">teaming
up with private companies to monitor American citizens' private online
activity and digital communications</a>.</p>
<p>What creates the opportunity to try this is the fact that these
companies are already snooping on users' private activities. That
in turn is due to people's use of nonfree software which snoops,
and online dis-services which snoop.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202104090">
<!--#set var="DATE" value='<small class="date-tag">2021-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A zero-day vulnerability in Zoom which <a
href="https://www.zdnet.com/article/critical-zoom-vulnerability-triggers-remote-code-execution-without-user-input/">can
be used to launch remote code execution (RCE) attacks</a> has been
disclosed by researchers. The researchers demonstrated a three-bug
attack chain that caused an RCE on a target machine, all this without
any form of user interaction.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202103090">
<!--#set var="DATE" value='<small class="date-tag">2021-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://web.archive.org/web/20210309214836/https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams">
Over 150 thousand security cameras that used Verkada
company's proprietary software are cracked</a> by a major security
breach. Crackers have had access to security archives of various
gyms, hospitals, jails, schools, and police stations that have used
Verkada's cameras.</p>
<p><a href="/philosophy/surveillance-vs-democracy.html">It is injustice
to the public</a> for gyms, stores, hospitals, jails, and schools to
hand “security” footage to a company from which the government can
collect it at any time, without even telling them.</p>
<p><small>Please note that the article
wrongly refers to crackers as “<a
href="/philosophy/words-to-avoid.html#Hacker">hackers</a>”.</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202103050">
<!--#set var="DATE" value='<small class="date-tag">2021-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>At least 30 thousand organizations
in the United States are newly “<a
href="/philosophy/words-to-avoid.html#Hacker">cracked</a>” via <a
href="https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/">holes
in Microsoft's proprietary email software, named Microsoft 365</a>. It
is unclear whether there are other holes and vulnerabilities in the
program or not but history and experience tells us it wouldn't be
the last disaster with proprietary programs.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202102110">
<!--#set var="DATE" value='<small class="date-tag">2021-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Researchers at the security firm SentinelOne discovered a <a
href="https://www.wired.com/story/windows-defender-vulnerability-twelve-years/">security
flaw in proprietary program Microsoft Windows Defender that lurked
undetected for 12 years</a>. If the program was free (as in freedom),
more people would have had a chance to notice the problem, therefore,
it could've been fixed a lot sooner.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202101110">
<!--#set var="DATE" value='<small class="date-tag">2021-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A cracker <a
href="https://www.vice.com/en/article/m7apnn/your-cock-is-mine-now-hacker-locks-internet-connected-chastity-cage-demands-ransom">took
control of people's internet-connected chastity cages and demanded
ransom</a>. The chastity cages are being controlled by a proprietary
app (mobile program).</p>
<p><small>(Please note that the article
wrongly refers to crackers as "<a
href="/philosophy/words-to-avoid.html#Hacker">hackers</a>".)</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202012200">
<!--#set var="DATE" value='<small class="date-tag">2020-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Commercial crackware can <a
href="https://www.theguardian.com/technology/2020/dec/20/iphones-vulnerable-to-hacking-tool-for-months-researchers-say">
get passwords out of an iMonster</a>, use the microphone and camera,
and other things.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202012190">
<!--#set var="DATE" value='<small class="date-tag">2020-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://www.washingtonpost.com/technology/2020/12/18/zoom-helped-china-surveillance/">
A Zoom executive carried out snooping and censorship for the Chinese
government</a>.</p>
<p>This abuse of Zoom's power shows how dangerous that power is. The
root problem is not the surveillance and censorship, but rather the
power that Zoom has. It gets that power partly from the use of its
server, but also partly from the nonfree client program.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202012150">
<!--#set var="DATE" value='<small class="date-tag">2020-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>United States officials are facing
one of biggest crackings against them in years, when <a
href="https://www.theguardian.com/technology/2020/dec/15/orion-hack-solar-winds-explained-us-treasury-commerce-department">malicious
code was sneaked into SolarWinds' proprietary software named
Orion</a>. Crackers got access to networks when users downloaded
a tainted software update. Crackers were able to monitor internal
emails at some of the top agencies in the US.</p>
<p><small>(Please note that the article
wrongly refers to crackers as "<a
href="/philosophy/words-to-avoid.html#Hacker">hackers</a>".)</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202012070">
<!--#set var="DATE" value='<small class="date-tag">2020-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Baidu apps were <a
href="https://www.zdnet.com/article/baidus-android-apps-caught-collecting-sensitive-user-details/">
caught collecting sensitive personal data</a> that can be used for
lifetime tracking of users, and putting them in danger. More than 1.4
billion people worldwide are affected by these proprietary apps, and
users' privacy is jeopardized by this surveillance tool. Data collected
by Baidu (追記ここまで) may (追記) be handed over to the Chinese government, possibly
putting Chinese people in danger.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202011230">
<!--#set var="DATE" value='<small class="date-tag">2020-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Some Wavelink and JetStream wifi routers (追記ここまで) have
(追記) universal back doors that enable unauthenticated
users to remotely control not only the routers, but
also any devices connected to the network. There is evidence that <a
href="https://cybernews.com/security/walmart-exclusive-routers-others-made-in-china-contain-backdoors-to-control-devices/">
this vulnerability is actively exploited</a>.</p>
<p>If you consider buying a router, we encourage you to get one
that <a href="https://ryf.fsf.org/categories/routers">runs on free
software</a>. Any attempts at introducing malicious functionalities in
it (e.g., through a firmware update) will be detected by the community,
and soon corrected.</p>
<p>If unfortunately you own a router that runs on
proprietary software, don't panic! You may be able to
replace its firmware with a free operating system such as <a
href="https://librecmc.org">libreCMC</a>. If you don't know how,
you can get help from a nearby GNU/Linux user group.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202011120">
<!--#set var="DATE" value='<small class="date-tag">2020-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Apple has <a
href="https://sneak.berlin/20201112/your-computer-isnt-yours/">implemented
a malware in its computers that imposes surveillance</a> on users
and reports users' computing to Apple.</p>
<p>The reports are even unencrypted and they've been leaking this
data for two years already. This malware is reporting to Apple what
user opens what program at what time. It also gives Apple
power to sabotage users' computing.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202010120">
<!--#set var="DATE" value='<small class="date-tag">2020-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Samsung is forcing its smartphone users in Hong Kong (and Macau) <a
href="https://web.archive.org/web/20240606175013/https://blog.headuck.com/2020/10/12/samsung-phones-force-mainland-china-dns-service-upon-hong-kong-wifi-users/">to
use a public DNS in Mainland China</a>, using software update released
in September 2020, which causes many unease and privacy concerns.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202008110">
<!--#set var="DATE" value='<small class="date-tag">2020-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>TikTok <a
href="https://boingboing.net/2020/08/11/tiktok-exploited-android-secur.html">
exploited an Android vulnerability</a> to obtain user MAC
addresses.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202006160">
<!--#set var="DATE" value='<small class="date-tag">2020-06</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://www.wired.com/story/ripple20-iot-vulnerabilities/">
A disasterous (追記ここまで) security
(削除) holes. That (削除ここまで) (追記) bug</a> touches millions of products (追記ここまで) in (削除) itself (削除ここまで) (追記) the
Internet of Stings.</p>
<p>As a result, anyone can sting the user, not only the
manufacturer.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202004270">
<!--#set var="DATE" value='<small class="date-tag">2020-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The proprietary program Microsoft Teams' insecurity <a
href="https://www.forbes.com/sites/thomasbrewster/2020/04/27/your-whole-companys-microsoft-teams-data-couldve-been-stolen-with-an-evil-gif/">could
have let a malicious GIF steal user data from Microsoft Teams
accounts</a>, possibly across an entire company, and taken control
of “an organization's entire roster of Teams accounts.”</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M202004150">
<!--#set var="DATE" value='<small class="date-tag">2020-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Riot Games' new anti-cheat (追記ここまで) is (追記) malware; <a
href="https://www.extremetech.com/gaming/309320-riot-games-new-anti-cheat-system-runs-at-system-boot-uses-kernel-driver">runs
on system boot at kernel level</a> on Windows. It is insecure software
that increases the attack surface of the operating system.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201911190">
<!--#set var="DATE" value='<small class="date-tag">2019-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Internet-tethered Amazon Ring had
a security vulnerability that enabled attackers to <a
href="https://www.commondreams.org/newswire/2019/11/07/amazons-ring-doorbells-leaks-customers-wi-fi-username-and-password">
access the user's wifi password</a>, and snoop on the household
through connected surveillance devices.</p>
<p>Knowledge of the wifi password would (追記ここまで) not (削除) culpable. (削除ここまで) (追記) be sufficient to carry
out any significant surveillance if the devices implemented proper
security, including encryption. (追記ここまで) But (追記) many devices with (追記ここまで) proprietary
software
(削除) developers frequently disregard gaping holes, (削除ここまで) (追記) lack this. Of course, they are also used by their
manufacturers for snooping.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201908310">
<!--#set var="DATE" value='<small class="date-tag">2019-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A series of vulnerabilities <a
href="https://www.forbes.com/sites/gordonkelly/2019/08/31/apple-iphone-ipad-security-ios-upgrade-iphone-xs-max-xr-update/">found
in iOS allowed attackers to gain access to sensitive information
including private messages, passwords, photos and contacts stored on
the user's iMonster</a>.</p>
<p>The deep insecurity of iMonsters is even more pertinent given that
Apple's proprietary software makes users totally dependent on Apple
for even a modicum of security. It also means that the devices do
not even try to offer security against Apple itself.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201908020">
<!--#set var="DATE" value='<small class="date-tag">2019-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Out of 21 gratis Android antivirus apps
that were tested by security researchers, eight <a
href="https://www.comparitech.com/antivirus/android-antivirus-vulnerabilities/">
failed to detect a test virus</a>. All of them asked for dangerous
permissions (追記ここまで) or (追記) contained advertising trackers, with seven being more
risky than the average of the 100 most popular Android apps.</p>
<p><small>(Note that the article refers to these proprietary apps as
“free”. It should have said “gratis”
instead.)</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201907080">
<!--#set var="DATE" value='<small class="date-tag">2019-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Many Android apps can track
users' movements (追記ここまで) even (削除) introduce (削除ここまで) (追記) when the user says <a
href="https://www.theverge.com/2019/7/8/20686514/android-covert-channel-permissions-data-collection-imei-ssid-location">
not to allow (追記ここまで) them
(削除) deliberately, (削除ここまで) (追記) access to locations</a>.</p>
<p>This involves an apparently unintentional weakness in Android,
exploited intentionally by malicious apps.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201905150">
<!--#set var="DATE" value='<small class="date-tag">2019-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Users caught in the jail of an iMonster are <a
href="https://boingboing.net/2019/05/15/brittle-security.html"> sitting
ducks for other attackers</a>, and the app censorship prevents security
companies from figuring out how those attacks work.</p>
<p>Apple's censorship of apps is fundamentally unjust, (追記ここまで) and (削除) <em>the (削除ここまで) (追記) would be
inexcusable even if it didn't lead to security threats as well.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201903210">
<!--#set var="DATE" value='<small class="date-tag">2019-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Medtronics Conexus Telemetry Protocol has <a
href="https://www.startribune.com/750-000-medtronic-defibrillators-vulnerable-to-hacking/507470932/">
two vulnerabilities that affect several models of implantable
defibrillators</a> and the devices they connect to.</p>
<p>This protocol has been around since 2006, and similar
vulnerabilities were discovered in an earlier Medtronics communication
protocol in 2008. Apparently, nothing was done by the company to
correct them. This means you can't rely on proprietary software
developers to fix bugs in their products.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201902270">
<!--#set var="DATE" value='<small class="date-tag">2019-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The Ring doorbell camera is designed so that the
manufacturer (now Amazon) can watch all the time. Now it turns out
that <a
href="https://web.archive.org/web/20190918024432/https://dojo.bullguard.com/dojo-by-bullguard/blog/ring/">
anyone else can also watch, and fake videos too</a>.</p>
<p>The third party vulnerability is presumably
unintentional and Amazon will probably fix it. However, we
do not expect Amazon to change the design that <a
href="/proprietary/proprietary-surveillance.html#M201901100">allows
Amazon to watch</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201809240">
<!--#set var="DATE" value='<small class="date-tag">2018-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Researchers have discovered how to <a
href="https://web.archive.org/web/20250716164612/https://news.rub.de/english/press-releases/2018-09-24-it-security-secret-messages-alexa-and-co">
hide voice commands in other audio</a>, so that people cannot hear
them, but Alexa and Siri can.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201808130">
<!--#set var="DATE" value='<small class="date-tag">2018-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Since the beginning of 2017, <a
href="https://web.archive.org/web/20250329181224/https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled">Android
phones have been collecting the addresses of nearby cellular
towers</a>, even when location services are disabled, and sending
that data back to Google.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201808120">
<!--#set var="DATE" value='<small class="date-tag">2018-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Crackers found a way to break the security of an Amazon device,
and <a href="https://boingboing.net/2018/08/12/alexa-bob-carol.html">
turn it into a listening device</a> for them.</p>
<p>It was very difficult for them to do this. The job would be much
easier for Amazon. And if some government such as China or the US
told Amazon to do this, or cease to sell the product in that country,
do you think Amazon would have the moral fiber to say no?</p>
<p><small>(These crackers are probably hackers too, but please <a
href="https://stallman.org/articles/on-hacking.html"> don't use
“hacking” to mean “breaking security”</a>.)</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201807100">
<!--#set var="DATE" value='<small class="date-tag">2018-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Siri, Alexa, and all the other voice-control systems can be <a
href="https://www.fastcompany.com/90139019/a-simple-design-flaw-makes-it-astoundingly-easy-to-hack-siri-and-alexa">
hijacked by programs that play commands in ultrasound that humans
can't hear</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201807020">
<!--#set var="DATE" value='<small class="date-tag">2018-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Some Samsung phones randomly <a
href="https://www.theverge.com/circuitbreaker/2018/7/2/17528076/samsung-phones-text-rcs-update-messages">send
photos to people in the owner's contact list</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201801260">
<!--#set var="DATE" value='<small class="date-tag">2018-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Google's ad platform enabled advertisers to <a
href="https://arstechnica.com/information-technology/2018/01/now-even-youtube-serves-ads-with-cpu-draining-cryptocurrency-miners/">
run cryptocurrency miner code on the computers of YouTube users through
proprietary JavaScript</a>. Some people noticed this, and the outrage
made Google remove the miners, but the number of affected (追記ここまで) users (追記) was
probably very high.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201712240">
<!--#set var="DATE" value='<small class="date-tag">2017-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>One of the dangers of the “internet of stings”
is that, if you lose your internet service, you also <a
href="https://torrentfreak.com/piracy-notices-can-mess-with-your-thermostat-isp-warns-171224/">
lose control of your house and appliances</a>.</p>
<p>For your safety, don't use any appliance with a connection to the
real internet.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201711204">
<!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Intel's intentional “management engine” back door has <a
href="https://www.theregister.com/2017/11/20/intel_flags_firmware_flaws/">
unintended back doors</a> too.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201711200">
<!--#set var="DATE" value='<small class="date-tag">2017-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Amazon recently invited consumers to be suckers and <a
href="https://www.techdirt.com/2017/11/22/vulnerability-found-amazon-key-again-showing-how-dumber-tech-is-often-smarter-option/">
allow delivery staff to open their front doors</a>. Wouldn't you know
it, the system has a grave security flaw.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201709290">
<!--#set var="DATE" value='<small class="date-tag">2017-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Bad security in some cars makes it possible to <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14937">
remotely activate the airbags</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201709200">
<!--#set var="DATE" value='<small class="date-tag">2017-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A “smart” intravenous pump
designed for hospitals is connected to the internet. Naturally <a
href="https://www.techdirt.com/2017/09/22/smart-hospital-iv-pump-vulnerable-to-remote-hack-attack/">
its security has been cracked</a>.</p>
<p><small>(Note that this article misuses the term <a
href="/philosophy/words-to-avoid.html#Hacker">“hackers”</a>
referring to crackers.)</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201708280">
<!--#set var="DATE" value='<small class="date-tag">2017-08</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The bad security in many Internet of Stings devices allows <a
href="https://www.techdirt.com/2017/08/28/iot-devices-provide-comcast-wonderful-new-opportunity-to-spy-you/">ISPs
to snoop on the people that use them</a>.</p>
<p>Don't be a sucker—reject all the stings.</p>
<p><small>(It is unfortunate that the article uses the term <a
href="/philosophy/words-to-avoid.html#Monetize">“monetize”</a>.)</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201706200.1">
<!--#set var="DATE" value='<small class="date-tag">2017-06</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Many models of Internet-connected cameras <a
href="/proprietary/proprietary-back-doors.html#InternetCameraBackDoor">
have backdoors</a>.</p>
<p>That is a malicious functionality, but in addition it
is a gross insecurity since anyone, including malicious crackers, <a
href="https://arstechnica.com/information-technology/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/">can
find those accounts and use them to get into users' cameras</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201706200">
<!--#set var="DATE" value='<small class="date-tag">2017-06</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Many models of Internet-connected cameras (追記ここまで)
are (削除) helpless (削除ここまで) (追記) tremendously insecure. They have login
accounts with hard-coded passwords, which can't be changed, and <a
href="https://arstechnica.com/information-technology/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/">there
is no way (追記ここまで) to (削除) fix them</em>.</p>
<ul>
<li> (削除ここまで) (追記) delete these accounts either</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201706050">
<!--#set var="DATE" value='<small class="date-tag">2017-06</small>'
--><!--#echo encoding="none" var="DATE" -->
<p id="intel-me-10-year-vulnerability">Intel's
CPU backdoor—the Intel Management Engine—had a <a
href="https://arstechnica.com/information-technology/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years/">major
security vulnerability for 10 years</a>.</p>
<p>The vulnerability allowed a cracker to access
the computer's Intel Active Management Technology (AMT) <a
href="https://arstechnica.com/information-technology/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/">
web interface with an empty password and gave administrative
access</a> to access the computer's keyboard, mouse, monitor among
other privileges.</p>
<p>It does not help that in newer Intel processors, it is impossible
to turn off the Intel Management Engine. Thus, even users who are
proactive about their security can do nothing to protect themselves
besides using machines that don't come with the backdoor.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201705250">
<!--#set var="DATE" value='<small class="date-tag">2017-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The proprietary code that runs pacemakers,
insulin pumps, and other medical devices is <a
href="https://www.bbc.com/news/technology-40042584"> full of gross
security faults</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201705160">
<!--#set var="DATE" value='<small class="date-tag">2017-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Conexant HD Audio Driver Package (version 1.0.0.46 and earlier)
pre-installed on 28 models of HP laptops logged the user's keystroke
to a file in the filesystem. Any process with access to the filesystem
or the MapViewOfFile API could gain access to the log. Furthermore, <a
href="https://modzero.com/modlog/archives/2017/05/11/en_keylogger_in_hewlett-packard_audio_driver/index.html">according
to modzero</a> the “information-leak via Covert Storage Channel
enables malware authors to capture keystrokes without taking the risk
of being classified as malicious task by AV heuristics”.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201705120">
<!--#set var="DATE" value='<small class="date-tag">2017-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Exploits of bugs in Windows, which were developed by the NSA
and then leaked by the Shadowbrokers group, are now being used to <a
href="https://theintercept.com/2017/05/12/the-nsas-lost-digital-weapon-is-helping-hijack-computers-around-the-world/">attack
a great number of Windows computers with ransomware</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201704050">
<!--#set var="DATE" value='<small class="date-tag">2017-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Many Android devices <a
href="https://arstechnica.com/information-technology/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/">
can be hijacked through their Wi-Fi chips</a> because of a bug in
Broadcom's nonfree firmware.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201703270">
<!--#set var="DATE" value='<small class="date-tag">2017-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>When Miele's Internet of
Stings hospital disinfectant dishwasher is <a
href="https://www.vice.com/en/article/pg9qkv/a-hackable-dishwasher-is-connecting-hospitals-to-the-internet-of-shit">
connected to the Internet, its security is crap</a>.</p>
<p>For example, a cracker can gain access to the dishwasher's
filesystem, infect it with malware, and force the dishwasher to launch
attacks on other devices in the network. Since these dishwashers are
used in hospitals, such attacks could potentially put hundreds of
lives at risk.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201703070">
<!--#set var="DATE" value='<small class="date-tag">2017-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The CIA exploited existing vulnerabilities
in “smart” TVs and phones to design a malware that <a
href="https://www.independent.co.uk/tech/wikileaks-vault-7-android-iphone-cia-phones-handsets-tv-smart-julian-assange-a7616651.html">
spies through their microphones and cameras while making them appear
to be turned off</a>. Since the spyware sniffs signals, it bypasses
encryption.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201702280">
<!--#set var="DATE" value='<small class="date-tag">2017-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>“CloudPets” toys with microphones <a
href="https://www.theguardian.com/technology/2017/feb/28/cloudpets-data-breach-leaks-details-of-500000-children-and-adults">
leak childrens' conversations to the manufacturer</a>. Guess what? <a
href="https://www.vice.com/en/article/pgwean/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings">
Crackers found a way to access the data</a> collected by the
manufacturer's snooping.</p>
<p>That the manufacturer and the FBI could listen to these
conversations was unacceptable by itself.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201702200">
<!--#set var="DATE" value='<small class="date-tag">2017-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>If you buy a used “smart”
car, house, TV, refrigerator, etc., usually <a
href="https://boingboing.net/2017/02/20/the-previous-owners-of-used.html">the
previous owners can still remotely control it</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201702170">
<!--#set var="DATE" value='<small class="date-tag">2017-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The mobile apps for communicating <a
href="https://www.bleepingcomputer.com/news/security/millions-of-smart-cars-vulnerable-due-to-insecure-android-apps/">with
a smart but foolish car have very bad security</a>.</p>
<p>This is in addition to the fact that the car contains a cellular
modem that tells big brother all the time where it is. If you own
such a car, it would be wise to disconnect the modem so as to turn
off the tracking.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201701271">
<!--#set var="DATE" value='<small class="date-tag">2017-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A cracker would be able to <a
href="https://uploadvr.com/hackable-webcam-oculus-sensor-be-aware/">
turn the Oculus Rift sensors into spy cameras</a> after breaking into
the computer they are connected to.</p>
<p><small>(Unfortunately, the article <a
href="/philosophy/words-to-avoid.html#Hacker">improperly refers
to crackers as “hackers”</a>.)</small></p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201701270">
<!--#set var="DATE" value='<small class="date-tag">2017-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Samsung phones <a
href="https://www.bleepingcomputer.com/news/security/sms-exploitable-bug-in-samsung-galaxy-phones-can-be-used-for-ransomware-attacks/">have
a security hole that allows an SMS message to install
ransomware</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201701130">
<!--#set var="DATE" value='<small class="date-tag">2017-01</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>WhatsApp has a feature that <a
href="https://techcrunch.com/2017/01/13/encrypted-messaging-platform-whatsapp-denies-backdoor-claim/">
has been described as a “back door”</a> because it would
enable governments to nullify its encryption.</p>
<p>The developers say that it wasn't intended as a back door, and that
may well be true. But that leaves the crucial question of whether it
functions as one. Because the program is nonfree, we cannot check by
studying it.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201612060.1">
<!--#set var="DATE" value='<small class="date-tag">2016-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The “smart” toys My Friend Cayla and i-Que can be <a
href="https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws/">remotely
controlled with a mobile phone</a>; physical access is not
necessary. This would enable crackers to listen in on a child's
conversations, and even speak into the toys themselves.</p>
<p>This means a burglar could speak into the toys and ask the child
to unlock the front door while Mommy's not looking.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201610230">
<!--#set var="DATE" value='<small class="date-tag">2016-10</small>'
--><!--#echo encoding="none" var="DATE" --> (追記ここまで)
<p>4G LTE phone networks are drastically insecure. They can be <a (削除) href="https://web.archive.org/web/20161027223907/http://www.theregister.co.uk/2016/10/23/every_lte_call_text_can_be_intercepted_blacked_out_hacker_finds/"> (削除ここまで)
(追記) href="https://www.theregister.com/2016/10/23/every_lte_call_text_can_be_intercepted_blacked_out_hacker_finds/"> (追記ここまで)
taken over by third parties and used for man-in-the-middle
attacks</a>.</p>
</li>
(削除) <li> (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201608110">
<!--#set var="DATE" value='<small class="date-tag">2016-08</small>'
--><!--#echo encoding="none" var="DATE" --> (追記ここまで)
<p>Due to weak security, <a (削除) href="http://jalopnik.com/almost-every-volkswagen-built-since-1995-is-vulnerable-1785159844">it (削除ここまで)
(追記) href="https://jalopnik.com/almost-every-volkswagen-built-since-1995-is-vulnerable-1785159844">it (追記ここまで)
is easy to open the doors of 100 million cars built by
Volkswagen</a>.</p>
</li>
(削除) <li> (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201608080">
<!--#set var="DATE" value='<small class="date-tag">2016-08</small>'
--><!--#echo encoding="none" var="DATE" --> (追記ここまで)
<p>Ransomware <a (削除) href="https://www.pentestpartners.com/blog/thermostat-ransomware-a-lesson-in-iot-security/">has (削除ここまで)
(追記) href="https://www.pentestpartners.com/security-blog/thermostat-ransomware-a-lesson-in-iot-security/">
has (追記ここまで) been developed for a thermostat that uses proprietary
software</a>.</p>
</li>
(削除) <li> (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201608020">
<!--#set var="DATE" value='<small class="date-tag">2016-08</small>'
--><!--#echo encoding="none" var="DATE" --> (追記ここまで)
<p>A <a (削除) href="http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/">flaw (削除ここまで)
(追記) href="https://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/">flaw (追記ここまで)
in Internet Explorer and Edge</a> allows an attacker to retrieve
Microsoft account credentials, if the user is tricked into visiting
a malicious link.</p>
</li>
(削除) <li> (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201607290">
<!--#set var="DATE" value='<small class="date-tag">2016-07</small>'
--><!--#echo encoding="none" var="DATE" --> (追記ここまで)
<p><a
href="https://techcrunch.com/2016/07/29/research-shows-deleted-whatsapp-messages-arent-actually-deleted/">“Deleted”
WhatsApp messages are not entirely deleted</a>. They can be recovered
in various (削除) ways.
</p> (削除ここまで) (追記) ways.</p> (追記ここまで)
</li>
(削除) <li> (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201607280">
<!--#set var="DATE" value='<small class="date-tag">2016-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A half-blind security critique of a tracking app: it found that <a
href="https://www.consumerreports.org/mobile-security-software/glow-pregnancy-app-exposed-women-to-privacy-threats-a1100919965/">
blatant flaws allowed anyone to snoop on a user's personal data</a>.
The critique fails entirely to express concern that the app sends the
personal data to a server, where the <em>developer</em> gets it all.
This “service” is for suckers!</p>
<p>The server surely has a “privacy policy,” and surely
it is worthless since nearly all of them are.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201607220">
<!--#set var="DATE" value='<small class="date-tag">2016-07</small>'
--><!--#echo encoding="none" var="DATE" --> (追記ここまで)
<p>A vulnerability in Apple's Image I/O API allowed an attacker to <a
href="https://www.theguardian.com/technology/2016/jul/22/stagefright-flaw-ios-iphone-imessage-apple">execute
(削除) malacious (削除ここまで)
(追記) malicious (追記ここまで) code from any application which uses this API to render a
certain kind of image file</a>.</p>
</li>
(削除) <li> (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201607190">
<!--#set var="DATE" value='<small class="date-tag">2016-07</small>'
--><!--#echo encoding="none" var="DATE" --> (追記ここまで)
<p>A bug in a proprietary ASN.1 library, used
in cell phone towers as well as cell phones and routers, <a (削除) href="http://arstechnica.com/security/2016/07/software-flaw-puts-mobile-phones-and-networks-at-risk-of-complete-takeover">allows (削除ここまで)
(追記) href="https://arstechnica.com/information-technology/2016/07/software-flaw-puts-mobile-phones-and-networks-at-risk-of-complete-takeover/">allows (追記ここまで)
taking control of those systems</a>.</p>
</li>
(削除) <li> (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201606290">
<!--#set var="DATE" value='<small class="date-tag">2016-06</small>'
--><!--#echo encoding="none" var="DATE" --> (追記ここまで)
<p>Antivirus programs have so many errors that <a
href="https://theconversation.com/as-more-vulnerabilities-are-discovered-is-it-time-to-uninstall-antivirus-software-61374">they
may make security worse</a>.</p>
<p>GNU/Linux does not need antivirus software.</p>
</li>
(削除) <li>
<p>Over 70 brands of network-connected surveillance
cameras <a href="http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html">have
security bugs that allow anyone to watch through them</a>.</p>
</li>
<li>
<p>
Samsung's (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201605020">
<!--#set var="DATE" value='<small class="date-tag">2016-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Samsung's (追記ここまで) “Smart Home” has a big security hole; <a (削除) href="http://arstechnica.com/security/2016/05/samsung-smart-home-flaws-lets-hackers-make-keys-to-front-door/">unauthorized (削除ここまで)
(追記) href="https://arstechnica.com/information-technology/2016/05/samsung-smart-home-flaws-lets-hackers-make-keys-to-front-door/">
unauthorized (追記ここまで) people can remotely control it</a>.</p>
<p>Samsung claims that this is an “open” platform so the
problem is partly the fault of app developers. That is clearly true
if the apps are proprietary software.</p>
<p>Anything whose name is “Smart” is most likely going
to screw you.</p>
</li>
(削除) <li>
<p>
The (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201604120">
<!--#set var="DATE" value='<small class="date-tag">2016-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>A bug in the iThings Messages app <a
href="https://theintercept.com/2016/04/12/apple-bug-exposed-chat-history-with-a-single-click/">allowed
a malicious web site to extract all the user's messaging
history</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201604110">
<!--#set var="DATE" value='<small class="date-tag">2016-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Malware was found on <a
href="http://www.slate.com/blogs/future_tense/2016/04/11/security_cameras_sold_through_amazon_have_malware_according_to_security.html">
security cameras available through Amazon</a>.</p>
<p>A camera that records locally on physical media, and has no network
connection, does not threaten people with surveillance—neither
by watching people through the camera, nor through malware in the
camera.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201603220">
<!--#set var="DATE" value='<small class="date-tag">2016-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Over 70 brands of network-connected surveillance cameras have <a
href="https://web.archive.org/web/20250117130741/http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html">
security bugs that allow anyone to watch through them</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201603100">
<!--#set var="DATE" value='<small class="date-tag">2016-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Many proprietary payment apps <a
href="https://web.archive.org/web/20160315055725/https://www.bloomberg.com/news/articles/2016-03-10/many-mobile-payments-startups-aren-t-properly-securing-user-data">
transmit personal data in an insecure way</a>. However,
the worse aspect of these apps is that <a
href="/philosophy/surveillance-vs-democracy.html">payment is not
anonymous</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201602240">
<!--#set var="DATE" value='<small class="date-tag">2016-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p id="nissan-modem">The (追記ここまで) Nissan Leaf has a built-in
cell phone modem which allows effectively anyone (追記) to (追記ここまで) <a (削除) href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/">to (削除ここまで)
(追記) href="https://www.troyhunt.com/controlling-vehicle-features-of-nissan/"> (追記ここまで)
access its computers remotely and make changes in various
settings</a>.</p>
<p>That's easy to do because the system has no authentication
when accessed through the modem. However, even if it asked
for authentication, you couldn't be confident that Nissan
has no access. The software in the car is proprietary, <a
href="/philosophy/free-software-even-more-important.html">which means
it demands blind faith from its users</a>.</p>
<p>Even if no one connects to the car remotely, the cell phone modem
enables the phone company to track the car's movements all the time;
it is possible to physically remove the cell phone (削除) modem (削除ここまで) (追記) modem, (追記ここまで) though.</p>
</li>
(削除) <li>
<p>
Malware found
on <a href="http://www.slate.com/blogs/future_tense/2016/04/11/security_cameras_sold_through_amazon_have_malware_according_to_security.html">security
cameras available through Amazon</a>.
</p>
<p>A camera that records locally on physical media, and has no network
connection, does (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do (追記ここまで) not (削除) threaten people with surveillance—neither by
watching people through the camera, nor through malware (削除ここまで) (追記) edit (追記ここまで) in (削除) the camera.
</p>
</li>
<li> (削除ここまで) (追記) proprietary-insecurity.html. -->
<li id="M201602110">
<!--#set var="DATE" value='<small class="date-tag">2016-02</small>'
--><!--#echo encoding="none" var="DATE" --> (追記ここまで)
<p>A (削除) bug in the iThings Messages
app (削除ここまで) (追記) pacemaker running proprietary code (追記ここまで) <a (削除) href="https://theintercept.com/2016/04/12/apple-bug-exposed-chat-history-with-a-single-click/">allowed
a malicious web site (削除ここまで)
(追記) href="https://www.wired.com/2016/02/i-want-to-know-what-code-is-running-inside-my-body/">was
misconfigured and could have killed the implanted person</a>. In order (追記ここまで)
to (削除) extract all (削除ここまで) (追記) find out what was wrong and get it fixed, (追記ここまで) the (削除) user's messaging history</a>.
</p>
</li>
<li>
<p>Many proprietary payment apps <a
href="http://www.bloomberg.com/news/articles/2016-03-10/many-mobile-payments-startups-aren-t-properly-securing-user-data">
transmit personal data in an insecure way</a>.
However, (削除ここまで) (追記) person needed to break
into (追記ここまで) the (削除) worse aspect of these apps is (削除ここまで) (追記) remote device (追記ここまで) that
(削除) <a href="/philosophy/surveillance-vs-democracy.html">payment is not anonymous</a>.
</p> (削除ここまで) (追記) sets parameters in the pacemaker (possibly
infringing upon manufacturer's rights under the DMCA). If this system
had run free software, it could have been fixed much sooner.</p> (追記ここまで)
</li>
(削除) <li>
<p>
FitBit (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201510210">
<!--#set var="DATE" value='<small class="date-tag">2015-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>FitBit (追記ここまで) fitness trackers (削除) <a href="http://www.tripwire.com/state-of-security/latest-security-news/10-second-hack-delivers-first-ever-malware-to-fitness-trackers/"> (削除ここまで) have a (追記) <a
href="https://www.tripwire.com/state-of-security/latest-security-news/10-second-hack-delivers-first-ever-malware-to-fitness-trackers/"> (追記ここまで)
Bluetooth vulnerability</a> that allows attackers to send malware
to the devices, which can subsequently spread to computers and other
FitBit trackers that interact with (削除) them.
</p> (削除ここまで) (追記) them.</p> (追記ここまで)
</li>
(削除) <li>
<p>
“Self-encrypting” (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201510200">
<!--#set var="DATE" value='<small class="date-tag">2015-10</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>“Self-encrypting” (追記ここまで) disk drives
do the encryption with proprietary firmware so you
can't trust it. Western Digital's “My Passport” drives <a (削除) href="https://motherboard.vice.com/en_uk/read/some-popular-self-encrypting-hard-drives-have-really-bad-encryption">have (削除ここまで)
(追記) href="https://www.vice.com/en/article/mgbmma/some-popular-self-encrypting-hard-drives-have-really-bad-encryption">
have (追記ここまで) a back (削除) door</a>.
</p>
</li>
<li>
<p>
Mac OS X had an
<a href="https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/">
intentional local back door for 4 years</a>, which could be
exploited by attackers to gain root privileges.
</p> (削除ここまで) (追記) door</a>.</p> (追記ここまで)
</li>
(削除) <li> (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201508120">
<!--#set var="DATE" value='<small class="date-tag">2015-08</small>'
--><!--#echo encoding="none" var="DATE" --> (追記ここまで)
<p>Security researchers discovered a <a (削除) href="http://www.theguardian.com/technology/2015/aug/12/hack-car-brakes-sms-text"> (削除ここまで)
(追記) href="https://www.theguardian.com/technology/2015/aug/12/hack-car-brakes-sms-text"> (追記ここまで)
vulnerability in diagnostic dongles used for vehicle tracking and
insurance</a> that let them take remote control of a car or lorry
using an (削除) SMS.
</p> (削除ここまで) (追記) SMS.</p> (追記ここまで)
</li>
(削除) <li>
<p>
Crackers (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201507214">
<!--#set var="DATE" value='<small class="date-tag">2015-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Crackers (追記ここまで) were able to <a (削除) href="http://arstechnica.com/security/2015/07/fiat-chrysler-connected-car-bug-lets-hackers-take-over-jeep-remotely/">take (削除ここまで)
(追記) href="https://arstechnica.com/information-technology/2015/07/fiat-chrysler-connected-car-bug-lets-hackers-take-over-jeep-remotely/">
take (追記ここまで) remote control of the Jeep</a> “connected car”.
(削除) <br/>They (削除ここまで) (追記) They (追記ここまで)
could track the car, start or stop the engine, and activate or
deactivate the brakes, and (削除) more.
</p>
<p>
I (削除ここまで) (追記) more.</p>
<p>We (追記ここまで) expect that Chrysler and the NSA can do this (削除) too.
</p>
<p>
If I ever (削除ここまで) (追記) too.</p>
<p>If you (追記ここまで) own a (削除) car, and it (削除ここまで) (追記) car that (追記ここまで) contains a (削除) portable phone, I will (削除ここまで) (追記) phone modem, it would be a good
idea to (追記ここまで) deactivate (削除) that.
</p> (削除ここまで) (追記) this.</p> (追記ここまで)
</li>
(削除) <li>
<p>
Hospira (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201506080">
<!--#set var="DATE" value='<small class="date-tag">2015-06</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Due to bad security in a drug pump, crackers could use it to <a
href="https://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/">
kill patients</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201505294">
<!--#set var="DATE" value='<small class="date-tag">2015-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://phys.org/news/2015-05-app-vulnerability-threatens-millions-users.html">
Many smartphone apps use insecure authentication methods when storing
your personal data on remote servers</a>. This leaves personal
information like email addresses, passwords, and health information
vulnerable. Because many of these apps are proprietary it makes it
hard to impossible to know which apps are at risk.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201505050">
<!--#set var="DATE" value='<small class="date-tag">2015-05</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Hospira (追記ここまで) infusion pumps, which are used
to administer drugs to a patient, were rated “<a
href="https://securityledger.com/2015/05/researcher-drug-pump-the-least-secure-ip-device-ive-ever-seen/">least
secure IP device I've ever seen</a>” by a security (削除) researcher.
</p>
<p>
Depending (削除ここまで)
(追記) researcher.</p>
<p>Depending (追記ここまで) on what drug is being infused, the insecurity could open
the door to (削除) murder.
</p> (削除ここまで) (追記) murder.</p> (追記ここまで)
</li>
(削除) <li>
<p>
Due to bad security (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit (追記ここまで) in (削除) a drug pump, crackers could use it to
<a href="http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/">kill patients</a>.
</p>
</li>
<li>
<p> (削除ここまで) (追記) proprietary-insecurity.html. -->
<li id="M201504090">
<!--#set var="DATE" value='<small class="date-tag">2015-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Mac OS X had an (追記ここまで) <a (削除) href="http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html">
The NSA can tap data in smart phones, including iPhones, Android, and
BlackBerry</a>. While there is not much detail here, it seems that
this does not operate via the universal (削除ここまで)
(追記) href="https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/">
intentional local (追記ここまで) back door (削除) that we know nearly
all portable phones have. It may involve exploiting various bugs.
There
are <a href="http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone">
lots of bugs in the phones' radio software</a>.
</p>
</li>
<li>
<p><a href="http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/">
“Smart homes”</a> turn out to be stupidly vulnerable to
intrusion.</p>
</li>
<li>
<p>The
<a href="http://arstechnica.com/security/2014/02/crypto-weaknesses-in-whatsapp-the-kind-of-stuff-the-nsa-would-love/">insecurity of WhatsApp</a>
makes eavesdropping a snap.</p>
</li>
<li>
<p><a href="http://www.nytimes.com/2013/09/05/technology/ftc-says-webcams-flaw-put-users-lives-on-display.html">
The FTC punished a company (削除ここまで) for (削除) making webcams with bad security so
that it was easy for anyone (削除ここまで) (追記) 4 years</a>, which could be exploited
by attackers (追記ここまで) to (削除) watch them</a>.
</p> (削除ここまで) (追記) gain root privileges.</p> (追記ここまで)
</li>
(削除) <li>
<p><a href="http://www.pcworld.idg.com.au/article/379477/hacking_music_can_take_control_your_car/">
It is possible to take control of some car computers through malware (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit (追記ここまで) in (削除) music files</a>.
Also <a href="http://www.nytimes.com/2011/03/10/business/10hack.html?_r=0">by
radio</a>. Here is <a href="http://www.autosec.org/faq.html">more
information</a>.
</p>
</li>
<li>
<p><a href="http://siliconangle.com/blog/2013/07/27/famed-hacker-barnaby-jack-dies-days-before-scheduled-black-hat-appearance/">
It is possible to kill people by taking control of medical implants by
radio</a>. Here
is <a href="http://www.bbc.co.uk/news/technology-17631838">more
information</a>. And <a href="http://blog.ioactive.com/2013/02/broken-hearts-how-plausible-was.html">here</a>.
</p>
</li>
<li>
<p>Lots of <a href="http://www.wired.com/2014/04/hospital-equipment-vulnerable/">hospital equipment has lousy security</a>, and it can be fatal.
</p>
</li>
<li>
<p><a href="http://arstechnica.com/security/2013/12/credit-card-fraud-comes-of-age-with-first-known-point-of-sale-botnet/">
Point-of-sale terminals running Windows were taken over and turned
into a botnet for the purpose of collecting customers' credit card
numbers</a>.
</p>
</li>
<li> (削除ここまで) (追記) proprietary-insecurity.html. -->
<li id="M201405190">
<!--#set var="DATE" value='<small class="date-tag">2014-05</small>'
--><!--#echo encoding="none" var="DATE" --> (追記ここまで)
<p>An app to prevent “identity theft”
(access to personal data) by storing users' data on a special server <a (削除) href="http://arstechnica.com/tech-policy/2014/05/id-theft-protector-lifelock-deletes-user-data-over-concerns-that-app-isnt-safe/">was (削除ここまで)
(追記) href="https://arstechnica.com/tech-policy/2014/05/id-theft-protector-lifelock-deletes-user-data-over-concerns-that-app-isnt-safe/">was (追記ここまで)
deactivated by its developer</a> which had discovered a security (削除) flaw.
</p>
<p>
That (削除ここまで)
(追記) flaw.</p>
<p>That (追記ここまで) developer seems to be conscientious about protecting personal
data from third parties in general, but it can't protect that data
from the state. Quite the contrary: confiding your data to someone
else's server, if not first encrypted by you with free software,
undermines your (削除) rights.
</p> (削除ここまで) (追記) rights.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201404250">
<!--#set var="DATE" value='<small class="date-tag">2014-04</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>Lots of <a
href="https://www.wired.com/2014/04/hospital-equipment-vulnerable/">
hospital equipment has lousy security</a>, and it can be fatal.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201402210">
<!--#set var="DATE" value='<small class="date-tag">2014-02</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The <a
href="https://arstechnica.com/information-technology/2014/02/crypto-weaknesses-in-whatsapp-the-kind-of-stuff-the-nsa-would-love/">insecurity
of WhatsApp</a> makes eavesdropping a snap.</p> (追記ここまで)
</li>
(削除) <li> (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201312290">
<!--#set var="DATE" value='<small class="date-tag">2013-12</small>'
--><!--#echo encoding="none" var="DATE" --> (追記ここまで)
<p><a (削除) href="http://www.bunniestudios.com/blog/?p=3554"> (削除ここまで) (追記) href="https://www.bunniestudios.com/blog/?p=3554"> (追記ここまで) Some flash
memories have modifiable software</a>, which makes them vulnerable
to viruses.</p>
<p>We don't call this a “back door” because it is normal
that you can install a new system in a (削除) computer (削除ここまで) (追記) computer, (追記ここまで) given physical access
to it. However, memory sticks and cards should not be modifiable in
this way.</p>
</li>
(削除) <li> (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201312040">
<!--#set var="DATE" value='<small class="date-tag">2013-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://arstechnica.com/information-technology/2013/12/credit-card-fraud-comes-of-age-with-first-known-point-of-sale-botnet/">
Point-of-sale terminals running Windows were taken over</a> and
turned into a botnet for the purpose of collecting customers' credit
card numbers.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201311120">
<!--#set var="DATE" value='<small class="date-tag">2013-11</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://web.archive.org/web/20180816030205/http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html">
The NSA can tap data in smart phones, including iPhones,
Android, and BlackBerry</a>. While there is not much
detail here, it seems that this does not operate via
the universal back door that we know nearly all portable
phones have. It may involve exploiting various bugs. There are <a
href="https://www.osnews.com/story/27416/the-second-operating-system-hiding-in-every-mobile-phone/">
lots of bugs in the phones' radio software</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201309054">
<!--#set var="DATE" value='<small class="date-tag">2013-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security">The
NSA has put back doors into nonfree encryption software</a>. We don't
know which ones they are, but we can be sure they include some widely
used systems. This reinforces the point that you can never trust
the security of nonfree software.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201309050">
<!--#set var="DATE" value='<small class="date-tag">2013-09</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>The FTC punished a company for making webcams with <a
href="https://www.nytimes.com/2013/09/05/technology/ftc-says-webcams-flaw-put-users-lives-on-display.html">
bad security so that it was easy for anyone to watch through
them</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201308060">
<!--#set var="DATE" value='<small class="date-tag">2013-08</small>'
--><!--#echo encoding="none" var="DATE" --> (追記ここまで)
<p><a href="http://spritesmods.com/?art=hddhack&page=6">
Replaceable nonfree software in disk drives can be written by a
nonfree
(削除) program.</a> (削除ここまで) (追記) program</a>. (追記ここまで) This makes any system vulnerable to persistent
attacks that normal forensics won't detect.</p>
</li>
(削除) <li>
<p><a href="http://phys.org/news/2015-05-app-vulnerability-threatens-millions-users.html">
Many smartphone apps use insecure authentication methods when storing
your personal data on remote servers.</a>
This leaves personal (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201307270">
<!--#set var="DATE" value='<small class="date-tag">2013-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p> It is possible to <a
href="https://siliconangle.com/2013/07/27/famed-hacker-barnaby-jack-dies-days-before-scheduled-black-hat-appearance/">
kill people by taking control of medical
implants by radio</a>. More (追記ここまで) information (削除) like email addresses, passwords, (削除ここまで) (追記) in <a
href="https://www.bbc.com/news/technology-17631838">BBC
News</a> (追記ここまで) and (削除) health information vulnerable. Because many
of these apps are proprietary it makes it hard (削除ここまで) (追記) <a
href="https://ioactive.com/broken-hearts-how-plausible-was-the-homeland-pacemaker-hack/">
IOActive Labs Research blog</a>.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201307260">
<!--#set var="DATE" value='<small class="date-tag">2013-07</small>'
--><!--#echo encoding="none" var="DATE" -->
<p><a
href="https://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/">
“Smart homes”</a> turn out (追記ここまで) to (削除) impossible (削除ここまで) (追記) be stupidly vulnerable (追記ここまで) to (削除) know which apps are at risk.</p> (削除ここまで)
(追記) intrusion.</p> (追記ここまで)
</li>
(削除) </ul>
</div><!-- for id="content", starts (削除ここまで)
(追記) <!-- Copied from workshop/mal.rec. Do not edit (追記ここまで) in (追記) proprietary-insecurity.html. -->
<li id="M201212170">
<!--#set var="DATE" value='<small class="date-tag">2012-12</small>'
--><!--#echo encoding="none" var="DATE" -->
<p id="break-security-smarttv"><a
href="http://www.dailymail.co.uk/sciencetech/article-2249303/Hackers-penetrate-home-Crack-Samsungs-Smart-TV-allows-attacker-seize-control-microphone-cameras.html">
Crackers found a way to break security on a “smart” TV</a>
and use its camera to watch (追記ここまで) the (削除) include above (削除ここまで) (追記) people who are watching TV.</p>
</li>
<!-- Copied from workshop/mal.rec. Do not edit in proprietary-insecurity.html. -->
<li id="M201103110">
<!--#set var="DATE" value='<small class="date-tag">2011-03</small>'
--><!--#echo encoding="none" var="DATE" -->
<p>It is possible to <a
href="https://www.pcworld.com/article/495592/with_hacking_music_can_take_control_of_your_car.html">
take control of some car computers through malware in music files</a>.
Also <a
href="https://www.nytimes.com/2011/03/10/business/10hack.html">
by radio</a>. More information in <a
href="https://web.archive.org/web/20240308015157/http://www.autosec.org/faq.html"> Automotive Security And
Privacy Center</a>.</p>
</li>
</ul>
</div>
</div>
<!--#include virtual="/proprietary/proprietary-menu.html" (追記ここまで) -->
<!--#include virtual="/server/footer.html" -->
<div (削除) id="footer"> (削除ここまで) (追記) id="footer" role="contentinfo"> (追記ここまで)
<div class="unprintable">
<p>Please send general FSF & GNU inquiries to
<a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF. Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.</p>
<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
replace it with the translation of these two:
We work hard and do our best to provide accurate, good quality
translations. However, we are not exempt from imperfection.
Please send your comments and general suggestions in this regard
to <a href="mailto:web-translators@gnu.org">
<web-translators@gnu.org></a>.</p>
<p>For information on coordinating and (削除) submitting (削除ここまで) (追記) contributing (追記ここまで) translations of
our web pages, see <a
href="/server/standards/README.translations.html">Translations
README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and (削除) submitting (削除ここまで) (追記) contributing (追記ここまで) translations
of this article.</p>
</div>
<!-- Regarding copyright, in general, standalone pages (as opposed to
files generated as part of manuals) on the GNU web server should
be under CC BY-ND 4.0. Please do NOT change or remove this
without talking with the webmasters or licensing team first.
Please make sure the copyright date is consistent with the
document. For web pages, it is ok to list just the latest year the
document was modified, or published.
If you wish to list earlier years, that is ok too.
Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
years, as long as each year in the range is in fact a copyrightable
year, i.e., a year in which the document was published (including
being publicly visible on the web or in a revision control system).
There is more detail about copyright years in the GNU Maintainers
Information document, www.gnu.org/prep/maintain. -->
<p>Copyright © 2013, (削除) 2015, 2016 (削除ここまで) (追記) 2015-2025 (追記ここまで) Free Software Foundation, Inc.</p>
<p>This page is licensed under a <a rel="license"
(削除) href="http://creativecommons.org/licenses/by-nd/4.0/">Creative (削除ここまで)
(追記) href="http://creativecommons.org/licenses/by/4.0/">Creative (追記ここまで)
Commons (削除) Attribution-NoDerivatives (削除ここまで) (追記) Attribution (追記ここまで) 4.0 International License</a>.</p>
<!--#include virtual="/server/bottom-notes.html" -->
<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2025年11月26日 02:04:30 $
<!-- timestamp end -->
</p>
</div>
(削除) </div> (削除ここまで)
(追記) </div><!-- for class="inner", starts in the banner include --> (追記ここまで)
</body>
</html>