Category Archives: Security

Biden Blocks Chinese-Backer Crypto Mining Firm From Land Ownership Near Wyoming Missile Base

President Joe Biden issued an order blocking a Chinese-backed cryptocurrency mining firm from owning land near a Wyoming nuclear missile base, calling its proximity to the base a “national security risk” The Associated Press reported.

The order forces the divestment of property operated as a crypto mining facility near the Frances E. Warren Air Force Base. MineOne Partners Ltd., a firm partly backed by Chinese nationals, and its affiliates are also required to remove certain equipment on the site.

This comes as the U.S. is slated on Tuesday to issue major new tariffs on electric vehicles, semiconductors, solar equipment and medical supplies imported from China, according to a U.S. official and another person familiar with the plan.

The Monday divestment order was made in coordination with the U.S. Committee on Foreign Investment in the United States – a little-known but powerful government committee tasked with investigating corporate deals for national security concerns that holds power to force companies to change ownership structures or divest completely from the U.S.

The U.S. Department of the Treasury posted a press release titled: “Statement on the President’s Decision Prohibiting theAcquisition by MineOne Cloud Computing Investment I L.P. of Real Estate and the Operation of a Cryptocurrency Mining facility, in Close Proximity to Frances E. Warren Air Force Base”

Today President Biden issued an order prohibiting the purchase and requiring the divestment of certain real estate operated as a cryptocurrency mining facility located within one mile of Frances E. Warren Air Force Base (F.E. Warren AFB), as well as the requiring the removal of certain improvements and equipment at the property by MineOne Partners Limited, which is ultimately majority owned by nationals of the People’s Republic of China; MineOne Cloud Computing Investment I L.P.; MineOne Data Center LLC; and MineOne Wyoming Data Center LLC (collectively MineOne), as well as their affiliates.

MineOne acquired the property in June 2022 and then made improvements to allow for use of the property for specialized cryptocurrency mining operations within one mile of F.E. Warren AFB in Cheyenne, Wyoming, a strategic missile base and home to Minuteman III intercontinental ballistic missiles. The Committee on Foreign Investment in the United States (CFIUS or the Committee) reviews and investigated this transaction pursuant to authorities provided by Congress in the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) to cover real estate transactions in close proximity to certain sensitive U.S. facilities, including F.E. Warren AFB.

“Today’s divestment order underscores President Biden’s steadfast commitment to protecting the United States’ national security. It also highlights the critical gatekeeper role that CFIUS serves to ensure that foreign investment does not undermine our national security, particularly as it related to the transactions that present risk to sensitive U.S. military installations a well as those specialized equipment and technologies,” said Secretary of the Treasure Janet L. Yellen.

ABC News reported MineOne purchased the land that is within one mile of the Air Force base in Cheyenne in 2022 and according to CFIUS, the purchase was not reported to the committee as required until after the panel received a public tip.

CFIUS directed the sale of the property within 120 days, and that within 90 days the company remove all structures and equipment on the site.

In my opinion, the person who tipped off the U.S. government about the Chinese backed cryptocurrency mining facility did the right thing. 

Biden Executive Order Aims To Stop Russia And China From Buying American’s Personal Data

President Joe Biden will issue an executive order that aims to limit the mass-sale of Americans’ personal data to “countries of concern” including Russia and China. The order specifically targets the bulk sale of geolocation, genomic, financial, biometric, health and other personally identifying information, Engadget reported.

During a briefing with reporters, a senior administration official said that the sale of such data to these countries poses a national security risk. “Our current policies and laws leave open access to vast amounts of American sensitive personal data,” the official said. “Buying data through data brokers is currently legal in the United States, and that reflects a gap in our national security toolkit that we are working to fill with this program.”

Through the White House described the step as “the most significant executive action any President has ever taken to protect Americans data security,” it’s unclear how exactly enforcement of the new policies will be handled within the Justice Department. A DoJ said the executive order would require due diligence from data brokers to vet who they are dealing with, similar to the way companies are expected to adhere to US sanctions.

The Verge reported President Joe Biden has issued an executive order authorizing the US attorney general “to prevent the large-scale transfer of Americans’ personal data to countries of concern.” According to the US Department of Justice today, those countries could include China, Russia, Iran, and North Korea.

The White House says it’s targeting data brokers, which it says collect more personal data than ever before — data that includes things like personal health and financial data. The scale can be staggering: in a recent example from a Consumer Reports study, 48,000 companies had sent Facebook data on a single user.

Several departments will be required to roll out new protections under the order. The White House writes that the Department of Justice (DOJ) will have to create rules to prevent countries of concern from exploiting personal data, though it’s not clear through what means the DOJ would accomplish this. The data would include that related to genomics, biometrics, personal health, finances, and “certain kinds of personal identifiers.” The DOJ would also be required to work with the Department of Homeland Security to set new security standards regarding data gathered through “investment, vendor, and employment relationships.”

NBC News reported President Biden will issue an executive order Wednesday intended to safeguard the personal data of American citizens from countries deemed hostile. 

The executive order centers on the business of selling people’s personal information, in which companies and so-called data brokers collect and trade data. The Biden Administration is worried that data brokers and other commercial entities will sell this information to “countries of concern- which have a track record of collecting and misusing data on Americans.”

In my opinion, this executive order is very likely going to make the data of Americans safer than it has been before. Data privacy is important, and no one should have to worry about certain countries collecting information on American citizens.


DuckDuckGo Browser Updates: Sync Your Bookmarks And Passwords

DuckDuckGo has added browser updates that sync your bookmarks and passwords across devices. Here are some of newly added features:

Now live: Sync bookmarks, passwords, and Email Protection settings between DuckDuckGo browsers on phones, tablets, and computers, privately and securely.

Our new Sync & Backup feature is designed with your privacy and security in mind. You don’t need to create an account or sign in to use it, and DuckDuckGo never sees your bookmarks or passwords.

The DuckDuckGo browser is our privacy-respecting alternative to Chrome and other browsers — use it every day to visit websites and search the web. You can download it for Windows, Mac, iPhone, and Android devices.

Ditching Chrome for the DuckDuckGo browser is easier than ever.

Have you been waiting to try the DuckDuckGo browser? Maybe you’re using our browser on your phone but haven’t tried the Windows or Mac version? Now is the perfect time to make DuckDuckGo the default browser on all your devices, thanks to our latest improvement: Sync & Backup. You could already import bookmarks and passwords from other browsers into DuckDuckGo, but now you can privately sync those bookmarks and passwords between DuckDuckGo browsers on multiple devices.

Bring your passwords and bookmarks with you — without compromising your privacy.

When you use Chrome, there’s a good chance you’re signed in with your Google account – because they’re constantly pressuring you to do so! There is a convenience in that; all your bookmarks, passwords, and favorites follow you wherever you browse, whether you’re using your computer, phone, or tablet. But there’s a problem. This also gives Google implicit permission to collect even more data about your browsing activity than they would otherwise have and use for targeted advertising that can follow you around.

At DuckDuckGo, we don’t track you; that’s our privacy policy in a nutshell. We’ve developed our privacy-respecting import and sync functions without requiring a DuckDuckGo account – and without compromising your personal data…

ArsTechnica reported that DuckDuckGo keeps adding new features to its browser; and while these features are common in other browsers, DuckDuckGo is giving them a privacy-minded twist. The latest is a private, end-to-end encrypted syncing service. There’s no account needed, no sign-in, and the company says it never sees what you’re syncing.

DuckDuckGo points to Google’s privacy policy for using its signed-in sync services on Chrome, which uses “aggregated and anonymized synchronized browsing data to improve other Google product and services.” DuckDuckGo states that the encryption key for browsers sync is stored only locally on your devices and that to lacks any access to your password or other data.

In my opinion, DuckDuckGo is clearly trying to sway people away from Google. And why wouldn’t it? Google’s privacy options are terrible, and DuckDuckGo is much safer.

Tesla Says Data Breach Impacting 75,000 Employees Was An Insider Job

Tesla has said that insider wrongdoing was to blame for a data breach affecting more than 75,000 company employees, TechCrunch reported.

Tesla, the electric car maker owned by Elon Musk, said in a data breach notice filed with Maine’s attorney general that an investigation had found that two former employees leaked more than 75,000 individuals’ personal information to a foreign media company.

“The investigation revealed that two former Tesla employees misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with a media outlet,” Steven Elentukh, Tesla’s data privacy officer, wrote in the notice.

According to TechCrunch, this information includes personally identifying information, including names, addresses, phone numbers, employment-related records and Social Security numbers belonging to 75,735 current and former employees.

Tesla said two former employees had shared the data with German newspaper Handelsblatt. The outlet assured Tesla that it wouldn’t publish the information and that it is “legally prohibited from using it inappropriately,” according to the notice.

The publication obtained more than 23,000 internal documents, dubbed the “Tesla Files,” containing 100 gigabytes of confidential data. This included employees’ personal information, customer bank details, production secrets and customer complaints about Tesla’s Full Self-Driving (FSD) features.

According to Handelsblatt, Musk’s Social Security number was also included in the leak.

The Verge reported that, according to a filing with the state of Maine’s attorney general office, Tesla’s data privacy officer Steven Elentukh, reported the breach as “insider wrongdoing,” leaking employee information including social security numbers.

The Maine filing includes a template letter by Elentukh written to send to affected employees in the state. It confirms that Handelsblatt, the German media outlet recipient of 100GB of Tesla’s data, had notified Tesla on May 10th that it had received confidential information.

According to The Verge, what Handelsblatt did let out was customer complaints about Tesla’s Full Self-Driving (FSD). It found that the automaker’s advanced driver-assistant system, which aims to achieve autonomous city driving capability, had 2,400 self-acceleration issues and more than 1,500 braking problems reported by customers. The occurrences spanned between 2015 and March 2022. Tesla demanded that Handelsblatt delete the data, according to the news outlet.

The Verge also reported that this isn’t the first time Tesla employees have mishandled internal data. In April, it was reported that workers viewed and shared private videos recorded by customers’ Teslas, which are made from the vehicles’ Sentry Mode security systems.

Personally, I think this entire situation is a gigantic mess. It appears that the two employees who sent personal information about the other employees to a German news site not only shouldn’t have done that, but also should face some kind of reprimand for what they did. The other sketchy part of this story is that some Tesla employees appear to enjoy spying on Tesla owners through videos the vehicle creates.

WhatsApp Announces New Security Features

WhatsApp posted “New Security Features: Account Protect, Device Verification, Automatic Security Codes”. From the blog post:

At WhatsApp, we believe that your messages should be private and secure as an in-person conversation. Protecting your personal messages with default end-to-end encryption is the foundation of that security, and we’ll never stop building features to give you extra layers of privacy, and more control over your messages.

WhatsApp will be adding the following:

Account Protect: If you need to switch out your WhatsApp account to a new device – we want to double check that it’s really you. From now on, we may ask you on your old device to verify that you want to take this step as an extra security check. This feature can help alert you to an unauthorized attempt to move you account to another device.

Device Verification: Mobile device malware is one of the biggest threats to people’s privacy and security today because it can take advance of your phone without your permission and use your WhatsApp to send unwanted messages. To help prevent this, we have added checks to help authenticate your account – with no action needed from you – and better protect you if your device is compromised. This lets you continue using WhatsApp uninterrupted.

Automatic Security Codes: Our most security conscious users have always been able to take advantage of our security code verification feature, which helps ensure you are chatting with the intended recipient. You can check this manually by going to the encryption tab under a contact’s info. To make this process easier and more accessible to everyone, we’re rolling out a security feature based on a process called “Key Transparency” that allows you to automatically verify that you have a secure connection. What it means for you is that when you click on the encryption tab, you’ll be able to verify away with your personal conversation is secured.

These are additions ways we’re helping secure your account. While there’s many things we can do to make security easy for everyone, there are two features that only can turn on: two-step verification and use of end-to-end encrypted backups. If you’re already using both, please tell your friends about them so more people can benefit from these layers of security too.

Engadget reported that the most notable of the security features set the company doing more to protect users against SIM jacking and other social engineering attacks that could compromise your account. The next time you download WhatsApp on a new device, you may be asked to use your old device to confirm you want to move your account to a new phone.

According to Engadget, if you’re worried about the potential of being locked out of your account, a WhatsApp spokesperson told Engadget Account Protect will only activate if the company detects a suspicious registration attempt. Moreover, if you don’t have access to your old device, you can request the company send you a second one-time passcode.

In my opinion, it is a very good idea for WhatsApp to add additional protection for users. Ideally, these changes would make it much more difficult for nefarious people to hijack other people’s WhatsApp accounts.

FCC Bans U.S. Sales Of Huawei And ZTE Over Security Concerns

Huawei, ZTE, Hikvision, Hytera and Dahua all sell telecommunications equipment and video surveillance technology into the United States, but many of their future security cams and radio hardware will no longer be welcome, The Verge reported.

According to The Verge, the Federal Communications Commission has just announced it will no longer authorize some of their equipment – which is a big deal, because companies can’t legally import or sell anything with a radio in the US without authorization.

The FCC posted news (in the form of a PDF, Docx, or Txt) titled: “FCC Bans Equipment Authorizations For Chinese Telecommunications And Video Surveillance Equipment Deemed To Pose A Threat To National Security”.

From the news:

The Federal Communications Commission adopted new rules prohibiting communications equipment deemed to pose an unacceptable risk to national security from being authorized for importation or sale in the United States. This is the latest step by the Commission to protect our nation’s communications networks. In recent years, the Commission, Congress, and the Executive Branch have taken multiple actions to build a more secure and resilient supply chain for communications equipment and services within the United States.

“The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here,” said Chairwoman Jessica Rosenworcel. “These new rules are an important part of our ongoing actions to protect the American people from national security threats involving telecommunications.”…

… The new rules prohibit the authorization of equipment through the FCC’s Certification process, and makes clear that such equipment cannot be authorized under the Supplier’s Declaration of Conformity process or be imported or marketed under rules that allow exemptions from an equipment authorization. The Covered List (which includes both equipment and services) currently includes communications equipment produced by Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision Digital Technology, and Dahua Technology (and their subsidiaries and affiliates). The new rules implement the directive in the Secure Equipment Act of 2021, signed into law by President Biden last November, the requires the Commission to adopt such rules…

Brendan Carr, the FCC’s commissioner tweeted: “Today the FCC takes an unprecedented step to safeguard our networks and strengthen America’s national security. Our unanimous decision represents the first time in FCC history that we have voted to prohibit the authorization of new equipment based on national security concerns.”

Engadget reported that this latest move follows years of conflict between the US and companies closely tied to Chinese governments. That’s included placing several notable Chinese companies, including DJI, on the Department of Commerce’s “Entity List,” which prohibits US firms from selling equipment to them.

According to Engadget, the FCC is also calling for $5 billion to help US carriers with the massive task of replacing equipment from Huawei and ZTE.

In my opinion, it seems like a good idea for the United States to try and protect itself from products and services that “could pose a threat to national security”. I think the FCC is right to request $5 billion to help US carriers remove equipment from Huawei and ZTE, and I hope the money will also enable the carriers to install equipment made in the United States.

GitHub Will Require All Users Who Contribute Code to Enable 2FA

GitHub announced that it will require all users who contribute code on to enable one or more forms of two-factor authentications (2FA) by the end of 2023. This is part of GitHub’s platform-wide effort to secure the software ecosystem through improving account security.

GitHub described their reasoning for requiring 2FA this way:

The software supply chain starts with the developer. Developer account are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step towards securing the supply chain. GitHub has a long history of protecting developers through efforts including seeking and invalidating known-compromised user passwords, offering robust WebAuthn security key support, and enrolling all npm publishers in enhanced login verification.

According to GitHub, most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to.

GitHub continues by pointing out that compromised accounts can be used to steal private code or push malicious changes to the code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.

Protocol reports that just 16.5% of users currently use two-factor authentication, considered to be a substantially more secure method of logging in given that it requires more than just a password. The two-factor authentication requirement will affect’s 83 million users, and is being announced well in advance to “make sure we get this right” in terms of user experience for developers, said Mike Hanley, chief security officer at GitHub.

According to Protocol, the announcement by Microsoft-owned GitHub comes at a time of high anxiety in the enterprise about the potential for security risks of open source software components. This is due in part to rising attacks against software supply chains – which jumped by more than 300% in 2021, according to a report from application protection firm Aqua Security.

In my opinion, it is a very good idea to put 2FA on everything – even if you don’t happen to post code on GitHub. Two-factor identification is a great way to prevent someone from stealing your social media accounts, breaking into your personal website, or preventing you from accessing your most frequently used email accounts. It makes sense for GitHub to be requiring 2FA.