Saturday, November 25, 2017

Imagine the ‘discussion’ if Russia also manipulated the Net Neutrality repeal. What does Russia have to gain if it is repealed?
More than a Million Pro-Repeal Net Neutrality Comments were Likely Faked
NY Attorney General Schneiderman estimated that hundreds of thousands of Americans’ identities were stolen and used in spam campaigns that support repealing net neutrality. My research found at least 1.3 million fake pro-repeal comments, with suspicions about many more. In fact, the sum of fake pro-repeal comments in the proceeding may number in the millions. In this post, I will point out one particularly egregious spambot submission, make the case that there are likely many more pro-repeal spambots yet to be confirmed, and estimate the public position on net neutrality in the “organic” public submissions.¹

It takes very little to complete a full dossier. (And my new favorite phrase!)
Name+DOB+SSN=FAFSA Data Gold Mine
KrebsOnSecurity has sought to call attention to online services which expose sensitive consumer data if the user knows a handful of static details about a person that are broadly for sale in the cybercrime underground, such as name, date of birth, and Social Security Number. Perhaps the most eye-opening example of this is on display at, the Web site set up by the U.S. Department of Education for anyone interested in applying for federal student financial aid.
Short for the Free Application for Federal Student Aid, FAFSA is an extremely lengthy and detailed form required at all colleges that accept and award federal aid to students.
Visitors to the login page for FAFSA have two options: Enter either the student’s FSA ID and password, or choose “enter the student’s information.” Selecting the latter brings up a prompt to enter the student’s first and last name, followed by their date of birth and Social Security Number.
Anyone who successfully supplies that information on a student who has applied for financial aid through FAFSA then gets to see a virtual colonoscopy of personal information on that individual and their family’s finances — including almost 200 different data elements.

Refining my understanding of “The Fourth.”
The Fourth Amendment Doesn't Recognize a General "Right to be Secure"
… I don't find the “right to be secure” argument persuasive, and I thought I would say why. Here's the relevant text:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated[.]
That text does not provide for some sort of general “right to be secure.” Rather, the text is much more specific. It states that “the people” have a right “to be secure” in particular things (“in their persons, houses, papers, and effects”) against something specific (“unreasonable searches and seizures”). In ordinary language, if you have a right to be secure against some specific bad thing, you don't have a general right to be secure. You just have a right to be secure against that specific bad thing. Your right is violated if the bad thing happens. If the bad thing doesn't happen, your right isn't violated.

A truly interesting question.
Can A.I. Be Taught to Explain Itself?
As machine learning becomes more powerful, the field’s researchers increasingly find themselves unable to account for what their algorithms know — or how they know it.

Jobs for those who lose jobs to automation?
Facebook hiring hundreds to comply with hate speech law
Facebook is adding 500 more contractors in Germany to help comply with a new law targeting online hate speech, according to the Associated Press.
The new personnel, who will work for a service provider called CCC out of a new office in the western city of Essen that opened on Thursday, will be responsible for reviewing content posted to the social media platform.
The new law, passed by the German parliament in June, requires social media sites to remove flagged content within 24 hours when the content is obviously illegal. Companies have a week to remove more ambiguous cases.
It threatens fines of up to 50 million euros ($59 million) for persistent failure to remove illegal content.

Not just for kids?

For my students.

Friday, November 24, 2017

So is this “Insider Trading?” How did it change the deal?
SoftBank Knew About Uber’s 2016 Hack Before The Public Did
SoftBank knew about the massive hack Uber suffered in late 2016 before details of the incident were publicly revealed on Tuesday, the ride-hailing company confirmed in a statement issued to Bloomberg. The breach that compromised approximately seven million drivers and 50 million riders was disclosed to the Japanese conglomerate as part of its due diligence investigation into the world’s most valuable startup which it intends to back with around $10 billion in the near future, seeking to gain at least a 14 percent stake in it. As per a statement from an Uber official, the information that was given to SoftBank was still “incomplete” as the firm didn’t conclude its investigation into the matter at that time, but the management opted for disclosure in an effort of negotiating with a potential investor in good faith.

Interesting, but when every website alerts you I suspect most people will remove the addon.
HackRead reports:
Mozilla is joining hands with popular data breach notification website (HIBP) to send an in-browser alert to Firefox browser users if they are visiting a site that was previously hacked and whether their login credentials have been involved in a data breach.
“This is an addon that I’m going to be using for prototyping an upcoming feature in Firefox that notifies users when their credentials have possibly been involved in a data breach,” Mozilla developer Nihanth Subramanya wrote in his Github repository.
Read more on HackRead.

Something for my Computer Security students to ponder.
Security Sense: You Can Outsource the Work but Never the Risk

“Welcome to the US, land of the free. Here’s how we’ll be tracking your every move.” So these are “High Risk” visitors that still qualify for a visa?
ICE asks tech companies to help them track visa holders on social media
… ICE officials explained at a conference last week that they are hoping to develop algorithms that would assess potential threats posed by visa holders, and conduct social media surveillance of those deemed high risk. Microsoft, Deloitte and Motorola Solutions were among the companies in attendance.
… Carissa Cutrell, a spokeswoman for ICE, told ProPublica that the Department of Homeland Security has not actually begun building such a program, but was simply gathering information from industry leaders.
ICE officials told tech companies last week that the department hopes to get automated notifications about any visa holders’ social media activity. ICE already monitors some social media posts, but plans to expand its operation.

Thursday, November 23, 2017

So, how is that “Don’t tell anyone we’ve been breached” tactic working for you?
Multiple countries launch probes into Uber breach
Multiple countries are launching probes into Uber after a report revealed that it had covered up a massive cyber attack that exposed the data of 57 million passengers and drivers last year.
According to Reuters, four countries — the United States, the United Kingdom, Australia and the Philippines — have vowed to investigate the matter.
At the same time, attorneys general in multiple U.S. states, including New York, Illinois and Connecticut, have begun investigating the hack, and some lawmakers are calling on the Federal Trade Commission (FTC) to launch a probe of Uber.

Each new technology must learn the security lessons older technologies have learned.
Curing The Security Sickness in Medical Devices
Just as the rapid development of the Internet of Things (IoT) has transformed traditional industries and service sectors, it is also having a great impact in the world of healthcare. It’s easy to argue, in fact, that no area is being transformed by digital technologies as rapidly or with as many benefits for society as new medical technologies.
But the understandable desire to press ahead and unlock those benefits has led to a lack of scrutiny on the subject of digital security in devices for treatment and monitoring, and a spate of high profile problems in the area has begun to concern many. In the US, the Food and Drug Agency (FDA) has issued formal warnings about cybersecurity vulnerabilities in four separate products in the last 18 months. It has also hosted an array of consultations and workshops focussing on the cybersecurity of medical devices. The most recent product notice from the FDA, regarding an exploitable flaw in connected cardiac pacemakers, seems to be finally waking the industry up to the threats that connected technologies bring.

For my students.
Google Has Some Great Advice for Your Tech Career
… The Google Tech Dev Guide is a must-read if you are considering a career in technology, or even if you’re already a few years into one.
Google’s Guide to Technical Development is a curated resource of materials that will help you learn the right topics in computer science. Think of them as “learning paths” to follow for teaching yourself pro-level skills.
These are the skills Google thinks you should have — not to become a Google Developer (though, that’s achievable) but to become a well-rounded student, educator, or software engineer.
… It includes recommendations for coding in Java, JavaScript, C++, and Python.

For the student toolkit.
How to Use Microsoft OneNote for Work

Wednesday, November 22, 2017

Probably not the best way to handle a breach. Would you trust hackers to delete the data and never use it? Pinky promise?
Uber Paid Hackers to Delete Stolen Data on 57 Million People
Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.
At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

(Related) As inevitable as night follows the day.
New York attorney general launches investigation of Uber’s $100,000 hack cover-up

The saga (unfortunately) continues.
House Committees Get Serious in New Letter to Equifax
The chairpersons of the House Science, Space, and Technology Committee and the House Oversight and Government Reform Committee on Monday sent a new letter (PDF) to Paulino Barros, the interim CEO of Equifax.
The former committee's jurisdiction includes the standards of use for securing personally identifiable information (PII), while the latter committee's jurisdiction covers how data breaches impact the federal workforce and national security. Both are investigating the loss of PII on 145 million Americans announced by Equifax on September 7, 2017.
This is not the first letter to Equifax by chairpersons Lamar Smith (R-Texas) and Trey Gowdy (R-S.C.). They also wrote (PDF) on September 14, 2017 requesting 'all documents' relevant to five specific areas, such as "to and from members of Equifax's corporate leadership", and "relating to the NIST Framework or other cybersecurity standards used by Equifax." That first letter specified no later than September 28, 2017.
It would seem that Equifax has not yet, or at least not yet satisfactorily, fulfilled this first request almost eight weeks after the deadline. "We look forward to Equifax providing all documents in response to the five categories of requested materials in the September 14 request, as well as the requests that were made at subsequent Committee briefings." It adds that the Committees expect to make additional requests in the future.
In the meantime, however, it is clear the committees are beginning to get to grips with the details of both Equifax and the breach. While the first letter requested 'areas' of documents, the second letter is far more specific. For example, it asks for documentation that would allow the identification "of any and all individuals in an executive leadership role", and those who received the DHS email alert "regarding Apache Struts 2".

Actually, he has a few ideas, but it might be amusing to ask my students to prioritize what Congress should hear.
I'm Testifying in Front of Congress in Washington DC about Data Breaches - What Should I Say?
There's a title I never expected to write! But it's exactly what it sounds like and on Thursday next week, I'll be up in front of US congress on the other side of the world testifying about the impact of data breaches. It's an amazing opportunity to influence decision makers at the highest levels of government and frankly, I don't want to stuff it up which is why I'm asking the question - what should I say?

For my Computer Security students.
Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources
CRS Reports & Analysis – Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources. November 14, 2017 (R44408): “As online attacks grow in volume and sophistication, the United States is expanding its cybersecurity efforts. Cybercriminals continue to develop new ways to ensnare victims, whereas nation-state hackers compromise companies, government agencies, and businesses to create espionage networks and steal information. Threats come from both criminals and hostile countries, especially China, Russia, Iran, and North Korea. Much is written on this topic, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order, with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources…”

Google wants to do what Russia did, but Russia denies it ever did what Google says it did, so Google should have just done it and denied it did.
The ominous cloud of doom surrounding the ongoing U.S. investigations into alleged Russian interference in the 2016 federal elections got a little darker on Tuesday, with Russian state communications agency Roskomnadzor allegedly threatening retaliation against Google for suggesting it could lower government-funded outlets RT and Sputnik in search rankings.

Imagine if someone on that list walked into a church in Texas and started shooting people…
Colorado VA Kept Secret List Of Patients Who Wanted Mental-Health Care
A new federal investigation revealed Thursday that VA officials in Colorado broke agency rules by using an off-the-books system to track patients who wanted mental-health therapy — a violation that caused veterans to wait for care and one that recalls past abuses by the U.S. Department of Veterans Affairs.
Investigators with the VA’s internal watchdog found that in three separate facilities — Denver, Golden and Colorado Springs — agency officials did not follow proper protocol when keeping tabs on patients who sought referrals for treatment of conditions such as post-traumatic stress disorder.
The practice hindered proper oversight and made it possible for Colorado veterans to fall through the cracks, wrote officials with the VA Office of Inspector General, which examined care at the facilities between October 2015 and September 2016.

Perspective. “They may look fake to you, but they look Okay to me.”
New York attorney general says the FCC won’t help investigate fake net neutrality comments
New York Attorney General Eric Schneiderman revealed today that his office has been investigating a flood of spam FCC comments that impersonated real people, and criticized the FCC for withholding useful information. In an open letter addressing FCC chairman Ajit Pai, Schneiderman writes that his office has spent six months investigating who submitted hundreds of thousands of identical anti-net neutrality comments under the names and addresses of unwitting Americans. But he says that the FCC has ignored multiple requests for logs and records, offering “no substantive response.”

How Amazon, Apple, Facebook and Google manipulate our emotions

For my students and the Boards of Directors of Uber, Equifax, Wells Fargo, etc.
More than 50 tech ethics courses, with links to syllabi
There has never been a more urgent moment to merge ethics and technology: this shared spreadsheet of 57 (and counting) university courses on ethics and tech includes links to syllabi, moderated by Colorado University information science assistant prof Casey Fiesler, who runs The Internet Rules Lab (hey, grad students, she's hiring!)

Tuesday, November 21, 2017

Harvard seems to agree with me, my Computer Security students will be amazed or amused.
… In analyzing the top breaches over the past few years, it is clear that executives make a set of common mistakes, which is surprising given that so many companies, often led by otherwise effective leaders, fail to learn from the botched responses and mishandled situations of the companies that were breached before them.
Here are the missteps executives make time and again, and advice for avoiding these pitfalls:
Foot dragging
Poor customer service
Not being transparent
Failing to accept accountability

Suggests to me that it is possible to secure data and processes in the cloud.
Amazon launches new cloud storage service for U.S. spy agencies
Amazon’s cloud storage unit announced Monday that it is releasing a new service called the Amazon Web Services Secret Region, a cloud storage service designed to handle classified information for U.S. spy agencies.
The service will be provided to the intelligence community through an existing $600 million contract with U.S. intelligence agencies, which has made Amazon a dominant player in federal IT contracting.
… The announcement comes at a time when Amazon’s business and government customers are under intense scrutiny over whether they are storing data securely in the cloud. Amazon’s cloud-based folders – referred to as “buckets” – have been at the center of several high-profile security incidents in recent months, in which customers inadvertently left sensitive information on an Amazon server in an unprotected format.

Looking forward.
Trends in Technology and Digital Security
“Foreword – On September 14, 2017, the George Washington University Center for Cyber & Homeland Security (CCHS) convened a Symposium on Trends in Technology and Digital Security. Four panels addressed emerging threats and their implications for security policy, with a focus on digital infrastructure protection and anticipatory analysis. In addition, a featured speaker from abroad presented a country-specific case study. In a series of Issue Briefs, compiled herein, CCHS shares the findings and recommendations that emerged from the Symposium, primarily on a not-for-attribution basis. The subject and title of each Brief is as follows:
  • Methods of Analysis and the Utility of New Tools for Threat Forecasting
  • Artificial Intelligence for Cybersecurity: Technological and Ethical Implications
  • Space, Satellites, and Critical Infrastructure
  • Cybersecurity in the Financial Services Sector
  • Israel: The Making of a Cyber Power (Case Study)
This volume is produced in and reflective of the spirit of CCHS’s work, which is to address advanced technologies and emerging (“next generation”) cyber threats, from the standpoint of U.S. policy. CCHS functions as a network of networks, acting as a hub for upcoming companies, emerging technologists, and cutting-edge public policy.”

Note: this is no help in securing the election. Voting machines and the counting process are a whole other thing.
Belfer Center Cybersecurity Campaign Playbook
This Cybersecurity Campaign Playbook was written by a bipartisan team of experts in cybersecurity, politics, and law to provide simple, actionable ways of countering the growing cyber threat. Cyber adversaries don’t discriminate. Campaigns at all levels – not just presidential campaigns – have been hacked. You should assume you are a target. While the recommendations in this playbook apply universally, it is primarily intended for campaigns that don’t have the resources to hire professional cybersecurity staff. We offer basic building blocks to a cybersecurity risk mitigation strategy that people without technical training can implement (although we include some things which will require the help of an IT professional). These are baseline recommendations, not a comprehensive reference to achieve the highest level of security possible. We encourage all campaigns to enlist professional input from credentialed IT and cybersecurity professionals whenever possible…”

So you can’t be someone different (have a public persona) online? Ask yourself: How can they do this? What tools will they use?
Tyler Durden writes:
In perhaps the most intrusive move of social media platforms’ efforts to signal as much virtue as possible and appease their potentially-regulating government overlords, Twitter has announced that it is cracking down on what it defines as hate-speech and not just by looking at its own site.
In what amounts to a major shift in Twitter policy, Mashable’s Kerry Flynn reports that the company announced on Friday that it will be monitoring users’ behavior “on and off the platform” and will suspend a user’s account if they affiliate with violent organizations, according to an update to Twitter’s Help Center on Friday.
Read more on ZeroHedge.

Basic economics, right?
Mexican heroin is flooding the US, and the Sinaloa cartel is steering the flow
… Mexican cartels' shift to producing heroin — as well as synthetic drugs like fentanyl — has been driven in part by loosening marijuana laws in the US, and the Sinaloa cartel appears to be the main player in a lucrative market.
… the value of marijuana had fallen considerably — from about $74 a kilo seven years ago to a little over $26 now — due to marijuana legalization in the US. Falling prices led many marijuana growers to shift to opium.

Better emails? Why not!
Have you made email work for you? Do you spend the time and effort to make emails look perfect and professional? There’s an art to it, but it’s not that difficult. Your reward will be the response from the person you want an answer from.
...Email templates are freely available on the web. Borrow them and tweak them to your situation.
ProEmailwriter gives you a neat interface to select the right kind of email template and use them in your email. The dropdown menu gives you choices for Topic, Sub-Topic, and Tone. Copy the one you need and customize it to your situation.

For my students who read…
This Chrome Extension Helps You Find Books to Borrow
Library Extension is a free Chrome extension that will show you local library listings for the books that you are viewing on Amazon, Google Books, Barnes & Noble, and other popular book retailer websites.
Library Extension currently shows listings from more than 4,000 public library databases in the United States, Canada, UK, New Zealand and Australia.
… One drawback to the extension is that you can only view results from one local library at a time.

Monday, November 20, 2017

Why wait two weeks? The phones are likely not important to the investigation?
Authorities serve Apple a warrant for Texas shooter’s iPhone
Two weeks ago today, 26 people were killed by a gunman at First Baptist Church in Sutherland Springs, Texas. Two phones were discovered at the scene: an older push-button LG and what local news described as a “blood spattered” Apple iPhone SE. Now local law enforcement has served Apple with a search warrant in order to retrieve information from the smartphone.
… The Tuesday following the murders, the FBI held a press conference noting the existence of one of two phones, without revealing the make, as it didn’t want to “tell every bad guy out there what phone to buy.”
As reported by The Washington Post, the mystery handset was indeed an iPhone. Apple reached out to law enforcement after the press conference, offering technical assistance in getting onto the device. The company, it seems, could have provided help early on, without much legal wrangling or more controversial software backdoors.

I think this is a really bad idea unless you are highly trained and have some good lawyers on staff. On the other hand, it would open things up for my Ethical Hackers…
For years now, there has been a discussion surrounding the feasibility of active cyber defense, and allowing private entities or individuals to “hack back” against hostile cyber activity, but there has not been a major push in Congress to explicitly authorize such activity, or to propose changes or exceptions under the current legal and statutory framework that would enable it. But a proposal by Representatives Tom Graves (R-GA) and Kyrsten Sinema (D-AZ), titled the Active Cyber Defense Certainty Act (ACDC) (H.R. 4036), is starting to change the conversation. The new draft legislation provides an exception to liability under the Computer Fraud and Abuse Act (CFAA) and, in essence, would authorize individuals or organizations to go into networks outside of their own to gather intelligence on hackers for attributional purposes. To date, the proposal has undergone at least three rounds of public scrutiny, after which, to the great credit of Graves’ office, the draft language has been updated, and it now takes into account some legitimate concerns and criticisms. Some of these critiques should be examined carefully, from both a policy and legal perspective, as the bill makes its way through committee.

It’s about time! (Welcome to the 1980s?)
Rising to the risk: Cybersecurity top concern of corporate counsel
“Risk management is not just a compliance exercise but an opportunity to gain a competitive advantage. More than ever, legal departments are playing a significant role in managing risk and monitoring its effectiveness, especially in the critical area of cybersecurity. Grant Thornton and Corporate Counsel magazine recently surveyed over 190 corporate general counsel to assess their views on the keys to business growth. The topics ranged from regulatory risk management and risk assessments to cybersecurity and data analytics. Below are a sampling of insights from Grant Thornton’s 2017 Corporate General Counsel Survey:
  • 58% of legal departments are highly involved in responding to data security risks; nearly a quarter have primary responsibility for the issue
  • Less than a quarter of counsel are very satisfied with their organization’s risk assessment
  • Nearly three-quarters of legal departments cite cyber issues as a top risk.
  • Of those very concerned about data security, only about a third feel adequately prepared
As a result of increasing risk concerns, the role of the corporate general counsel continues to evolve to include new, important areas of focus and responsibilities. While maintaining a firm handle on the traditional functions of the legal department, the survey reveals that their role is increasingly concerned with regulation and compliance, as well as data privacy and related cybersecurity issues.”

Apparently, Congress needs a lot more “education” than we thought?
Tech beefs up lobbying amid Russia scrutiny
... Executives from Facebook, Google and Twitter testified before lawmakers this month about Russian actors using their platforms to influence the vote and tried to reassure them they were taking steps to address the issue.
But lawmakers left the hearings frustrated and say they want more details from the companies and concrete steps to prevent interference in the future. Congress is also considering legislation to toughen disclosure rules for online advertisements.
That threat of tougher regulation has tech firms scrambling.

A business model for those who are first to automate what they do well? (As long as we have to do it, can we sell it?)
The newspaper created a platform to tackle its own challenges. Then, with Amazon-like spirit, it realized there was a business in helping other publishers do the same.
… Since 2014, a new Post operation now called Arc Publishing has offered the publishing system the company originally used for as a service. That allows other news organizations to use the Post’s tools for writers and editors. Arc also shoulders the responsibility of ensuring that readers get a snappy, reliable experience when they visit a site on a PC or mobile device. It’s like a high-end version of Squarespace or, tailored to solve the content problems of a particular industry.

How can I stay anti-social?
New on LLRX – The Use and Abuse of Social Media in the Post-Truth Era
Via LLRX – The Use and Abuse of Social Media in the Post-Truth Era – Law librarian and adjunct professor Paul Gatz provides important guidance on social media discourse and information literacy that is especially timely and instructive as we are experiencing an escalating wave of highly questionable news and data through sites such as Facebook.

Sunday, November 19, 2017

I just taught my Computer Security class how to generate RSA public/private keys and encrypt messages. They each generated a unique encryption key and can keep generating unique encryption keys until they run out of random numbers. Would the FBI try to compel me to break that encryption?
Is the Government Waging an Out-of-Sight Fight With Apple on Encryption?
The Justice Department and Apple have been locked in a bitter fight for years over the company’s encryption system, which allows consumers to prevent anyone —including law enforcement—from opening their devices without permission. That’s why a security story this week should be getting more attention than it has.
Titled “Yup: The Government Is Secretly Hiding Its Crypto Battles In The Secret FISA Court,” the story appeared on the well-regarded security blog EmptyWheel, and suggests the Justice Department is using a legal backdoor to force open software backdoors at companies like Apple.
The details are complex and require some familiarity with the FISC, a closed court that oversees top secret intelligence operations, and with Section 702, an amendment to the Patriot Act that permits certain forms of warrantless surveillance. But the gist of the story is this: The Justice Department may be relying on an annual approval process at the FISC to compel “technical assistance” from Apple and others, and this assistance may include the breaking of encryption.
… The over-arching issue raised by EmptyWheel is not whether citizens should have the right to deploy unbreakable encryption (there are good arguments on each side), but instead that the government may be settling the debate in secret. The issue of encryption is too important to be stuffed into secret court proceedings. Let’s hope the Justice Department finds a way to debate this in the open.

“Oh he looks just like you!” Time for plastic surgery?
A 10-Year-Old Used Face ID To Unlock His Mom's iPhone X: Will All Families Have The Same Problem?
… Attaullah Malik uploaded a video that demonstrated how his 10-year-old son, Ammar Malik, was able to unlock the iPhone X of his wife, Sana Sherwani, through the Face ID feature.
According to Apple, there is a roughly one in 1 million chance that a random person will be able to unlock somebody else's iPhone X using their face. However, things are different in the cases of twins, siblings, and children under the age of 13 years old.