Feedback & Followups
- 🇬🇧 (🏴 & 🏴) Both Apple & Google have stopped the NHS from publishing an update to its COVID app that would have added location tracking. This is expressly forbidden in the terms of service for their COVID exposure notification API, precisely to stop COVID apps being used for government surveillance — nakedsecurity.sophos.com/… (Editorial by Bart: The fact that they even tried this makes my 🤯)
- Apple updates its ‘A Day in the Life of Your Data’ educational report — www.imore.com/…
- The Wall Street Journal (WSJ) is reporting that US firm Procter & Gamble helped develop the Chinese-government-sponsored CAID API designed to bypass Apple’s upcoming App Tracking Transparency — www.imore.com/…
- Other browser makers are not signing up to FLoC (Federated Learning of Cohorts), Google’s proposed replacement for tracking cookies (that includes the other Chromium-derived browsers like Edge) — www.theverge.com/…
- Related: The EFF has a tester that lets Chrome users know if they’re part of Google’s FLoC trials (the tool is called Am I FLoCed), and DuckDuckGo has a new Chrome plugin to block FLoC — daringfireball.net/…
- 🇺🇸 🇦🇺 🇮🇱 The WSJ has also found the identity of the security firm the FBI paid to hack into the San Bernardino shooter’s iPhone — and contrary to widespread speculation, it was not the controversial grey-hat Israeli company Cellebrite, but an Australian company named Azimuth — www.macobserver.com/…
- 🇩🇪 German data protection officials are attempting to block Facebook’s controversial upcoming new Terms of Service which will see more data sharing between WhatsApp and Facebook — www.imore.com/…
- 🇺🇸 Armed with a court order, the FBI hacked into hundreds of Exchange servers that had been back-doored via the recently patched zero-day bugs in order to remove the backdoors — nakedsecurity.sophos.com/…
❗ Action Alerts
- Last Tuesday was Patch Tuesday, and MS patched 19 critical bugs, including a Windows bug being actively exploited in the wild — krebsonsecurity.com/…
- A new ‘bug cluster’ named *NAME:WRECK* has been found and patched in a DNS client implementation used in a number of OSes, including FreeBSD and proprietary OSes used in many IoT devices — nakedsecurity.sophos.com/… (Editorial by Bart: this kind of bug just underscores my standard advice: ‘if your IoT device is not getting security updates anymore, bin it!’)
- Project CHIP embraces a timeline and the blockchain — staceyoniot.com/…
Worthy Warnings
- Details of over ½Bn Facebook accounts from all around the world have been found on sale on the dark web (through a Telegram bot). The data was stolen in 2019 and includes full names, dates of birth, email addresses & phone numbers. This opens people up to very convincing phishing attacks, and possibly even SIM swapping or identity theft — tidbits.com/…
- Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof — cybernews.com/…
- Clubhouse API Open to Scraping Public User Data — www.macobserver.com/… (Exposes users to automated but targeted phishing attacks)
- 🇺🇸 ParkMobile Breach Exposes License Plate Data, Mobile Numbers of 21M Users — krebsonsecurity.com/…
Notable News
- Pwn2Own 2021 went ahead as a virtual event, and lots of money was paid to lots of researchers for responsibly disclosing lots of bugs in really important software like Windows, Ubuntu Desktop, Chrome, Edge, Safari, Zoom, Teams, Exchange, Parallels, and more — nakedsecurity.sophos.com/…
- Microsoft rolls out Kids Mode for its Edge browser on the Mac — www.imore.com/…
- Google copies, pastes iOS 14’s clipboard access notifications for Android — www.imore.com/…
Excellent Explainers
- ⭐️ A superb (but long!) explanation of the so-called SolarWinds attack written for a non-technical audience: A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack — www.npr.org/…
- How Apple’s new App Tracking Transparency policy works — arstechnica.com
- The EFF’s explanation of UID2, a new and very invasive tracking API being developed by the ad industry to track people across apps and websites using their email address. This is not a browser-level tool like cookies, but an information interchange format that lets advertisers, advertising agencies, and app and website owners share data in such a way that they can track actual people all across the connected world, not just browsers — After Cookies, Ad Tech Wants to Use Your Email to Track You Everywhere — www.eff.org/…
Interesting Insights
- 📌 🇺🇸 In an opinion on the recent US Supreme Court case regarding the @realdonaldtrump account blocking users, Justice Thomas made an interesting argument for treating large social media companies like common carriers — www.protocol.com/… (This could well become very important in future SCOTUS cases)
Palate Cleansers
From Allison
- Probably the most impressive JavaScript demonstration I’ve ever seen — an interactive map of the MCU: Marvel Cinematic Universe — live.yworks.com/…
From Bart
- 🎧 An excellent segment (link jumps to just before the segment starts) on the probable new physics scientists are starting to get a glimpse of when observing muons at particle colliders: The Science Hour: On the trail of rare blood clots — overcast.fm/…
- “Physics Girl” explaining the exciting new Fermilab muon result to her production team: This result could change physics forever
- 🎧 A fascinating discussion about Web Accessibility standards with 29-year veteran Léonie Watson: Code[ish] 16: Accessibility in Web Standards — overcast.fm/… (show notes)
- 🎦 A fun but very informative video from Apple-reporter-extraordinaire Joanna Stern using Rock ’em-Sock ’em robots with custom heads to explain the fight between Apple & Facebook over privacy in general, and App Tracking Transparency in particular — www.wsj.com/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
Regarding the ParkMobile data breach: I got an E-mail message from them today (and a pop-up in the iOS app). It contains the same information as contained on their Web page — but at least they are notifying users. Of course I had already changed my (and my wife’s) passwords.