Feedback & Followups
- The existing Yorkie-Pro GPS tracker finder from Berkeley Varitronics Systems (BVS) which is already used by law enforcement has received a free firmware update to allow it find AirTags too — www.macobserver.com/…
- 🇺🇸 The controversy over the IRS’s now-abandoned plans to force all online-tax filers to use ID.me to prove their identity has taken another icky turn — senators are now calling for an investigation after internal whistleblowers let it be known that the company was lying about not using one-to-many facial recognition, current implementations of which are deeply flawed with massive racial and gender biases — krebsonsecurity.com/…
- 🇬🇧 🇨🇦 🇦🇺 🇳🇿 Last time we mentioned that Apple were about to launch the non-controversial parts of the new child protection features for iMessage in the UK, that has now happened, but not just in the UK, Canada, Australia, and New Zealand got the features too — www.macobserver.com/…
- 🇺🇸 Drivers in Maryland can now put their license in their iPhone’s Wallet app — www.imore.com/…
- Social Media Developments
- Some context for how difficult these platforms are to police:
- 🇺🇸 Twitter agrees a $150M settlement with the FTC (Federal Trade Commission) for misusing email addresses and phone numbers requested for authentication for ad targeting — www.imore.com/…
- Twitter outlines its new crisis misinformation policy to deal with fake news — www.imore.com/…
- Instagram is testing a change that hides Stories from over-sharers — www.imore.com/…
- TikTok is making it easier for people to credit original creators in videos — www.imore.com/…
- Twitter tweaks its monetisation options for creators:
🧯 Deep Dive 1 — Duck Duck Go’s Browser Tracking Kerfuffle
A security researcher has found that the Duck Duck go web browser makes an explicit exception to one of its advanced privacy protections for Microsoft-owned sites.
The context here is very important because the actual scope of this exception is much much smaller than most people realise:
- This does not affect the Duck Duck Go search engine
- This does not affect the Duck Duck Go Browser’s 3rd-Party Cookie Blocking
- This only affects a Duck Duck Go-only advanced feature that stops known tracker JavaScript files from being loaded by the browser
So what does that mean? The Duck Duck Go browser never even loads most tracking scripts, so that speeds up web page load times, and it stops your visit to the site showing up in the logs on the server hosting the script, but for the Microsoft properties the script is loaded, so the fact that your IP address loaded the script will appear in the server logs just like it would on every other browser! The script will then run, and try to set a 3rd-party cookie, which the Duck Duck Go browser will then block like it does all 3rd-party cookies!
So this is a teeny tiny leak of a piece of data that is actually very poor at tracking people that is also leaked by every other browser. In other words, there’s no real there here from a technical POV.
But, there is a potential problem from the trust POV — Duck Duck Go were not up-front about this pretty meaningless exception to their very robust privacy protections.
You might wonder why this even happened, and the answer is that it’s required by their contract with Microsoft for their anonymous search partnership. It also appears that this contract is at the root of Duck Duck Go’s lack of up-front disclosure. The contract has a privacy clause that prevents disclosure of all kinds of things, including the existence of the privacy clause, and stuff like the tracking exception.
Now that the news is out, Duck Duck Go are free to ignore that bit of the contract, and their CEO has said that they have been working to re-negotiate that part of the contract for some time and will continue that fight.
This looks a lot worse than it is, but for a company that’s built on trust, this is a lot more damaging than it would be for known-privacy abusers like Meta, Twitter, etc. It also makes Microsoft look pretty bad!
What makes all this so stupid is that the most plausible explanation for this whole mess is that the contract pre-dates Duck Duck Go even starting work on their browser, so this was a small irrelevant clause that didn’t have any effect at all when it was included in the presumably massive document.
Microsoft should have dropped the clause when asked, then none of this would have happened — a frustrating missed opportunity to do the right thing 🙁
Links
- DuckDuckGo browser allows Microsoft trackers due to search agreement — www.bleepingcomputer.com/…
- 🎧 An excellent discussion of the situation: DTNS 4283 — overcast.fm/… (time-stamped to the start of the relevant section)
🧯 Deep Dive 2 — Security Researchers Find a Way to Run Malware on iOS Devices Even When they’re ‘Off’
TL;DR The headline sounds pretty scary, but at least for now, this is an interesting new area for research rather than a practical way of attacking devices.
Since iOS 15, iPhones have had the ability to do certain things even when they’re “off”. This is what makes it possible for an iPhone to be a reliable car key, a reliable transit ticket, and to be reliably findable on the FindMy network. This is achieved by keeping a small number of low-level chips powered on even when the phone itself is off. Those chips have firmware, and if you can inject malware into that firmware then it can run all the time, even when the phone is “off”.
Researchers have found that this firmware is not as well secured as it could (and should) be, and they have demonstrated an actual attack, but it requires either physical access in a lab, or jailbreaking the phone.
Bruce Schneier sums it up well:
“The research is fascinating, but the attack isn’t really feasible. It requires a jailbroken phone, which is hard to pull off in an adversarial setting.” (www.schneier.com/…)
Apple now have an opportunity to harden the firmware’s defences in future iPhones, hopefully before someone finds a way of injecting malware via some kind of remote attack (which is very non-trivial!).
Read more: www.macobserver.com/…
❗ Action Alerts
- Apple patches just about everything — tidbits.com/… & tidbits.com/…
- ❗ Apple patches zero-day kernel hole and much more – update now! — nakedsecurity.sophos.com/…
- Apple also released a security update for iTunes on Windows — www.imore.com/…
- Mozilla patches Wednesday’s Pwn2Own double-exploit… on Friday! — nakedsecurity.sophos.com/…
- Editorial by Bart: A great example of how well run software teams deal with bug reports!
- VMWare have patched two particularly nasty bugs in their very popular virtualisation platform, if you run VMWare in your business, be sure to patch ASAP. The US government have mandated the patch be applied immediately on all government networks! — nakedsecurity.sophos.com/…
Worthy Warnings
- If you work for Verizon, some of your data, including your contact details, have been stolen by attackers, so you’re at risk of spearphishing attacks: A Verizon employee database was stolen by a hacker, now held for ransom — www.theverge.com/…
Notable News
- The privacy-focused Brave browser for iOS has been updated with a new privacy hub — www.imore.com/…
- 🇺🇸 The DOJ has announced that it will stop using the problematic Computer Fraud & Abuse Act (CFAA) against good-faith security researchers — techcrunch.com/…
- Editorial by Bart: This is literally the bare minimum they could do, and it does little more than spin an acceptance of last year’s Supreme Court decision greatly limiting the law’s vague and hence overly broad scope as some kind of wonderful initiative by the DOJ. This also doesn’t address the core problem — the CFAA is a terrible law that makes the world less safe and has been abused to ruin lives.
- 🇬🇧 The Information Commissioners Office (ICO) have announced the final details of their judgment against ClearView AI — the company must stop including UK citizens in its DB, delete any existing data on UK citizens, and pay a £7.5M fine (a lot less than the previously promised £17M!) — nakedsecurity.sophos.com/…
- A good news story from Allison: the EFF are retiring their HTTPS-Everywhere browser plugin because it’s not needed anymore, browsers now have this functionality baked in — www.eff.org/… (Editorial by Bart: my annual donation at work changing the world for the better 🙂)
Interesting Insights
- The Irish Council for Civil Liberties has released a detailed report into how Google and others (but not Facebook or Amazon for some reason 🤨) operate their Real-Time Bidding system for selling ads — they are very critical of the way the system is operated, describing it as ‘a massive privacy breach ‘ — www.macobserver.com/…
- ““Google and other key players in the high velocity, surveillance-based ad auction system are processing and passing people’s data billion of times per day””
Palate Cleansers
- From Allison & Bart: Go inside the iPod with stunning CT scans and creator Tony Fadell — www.scanofthemonth.com/…
- 🎧 From Bart: I’ve mentioned Bruce Schneier a lot in recent weeks, so I wanted to share this fantastic recent interview: The Changelog: Software Development, Open Source — overcast.fm/… (I particularly enjoyed the section on cryptocurrency (& NFTs, etc) near the start — Bruce makes the case that it doesn’t add value and doesn’t actually do what its promises)
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |