Feedback & Followups
- 🇺🇸 Apple have released their new opt-in Advanced Data Protection for iCloud, but only in the US for now — appleinsider.com/…
  - At least initially, enabling ADP could complicate the setup of new devices — appleinsider.com/…
  - Related: Physical Security Key Support Arrives in iOS 16.3, macOS Ventura 13.2 Beta — www.macobserver.com/…
- LastPass have released more details regarding their ongoing investigation into their recent breach — blog.lastpass.com/…
  - Users are vulnerable to phishing attacks because of leaked personal details
  - Backups of users’ end-to-end encrypted vaults were leaked, so any user with a weak master password needs to change all their passwords everywhere
  - LastPass’s custom file format stores some information, like website names and URLs, in the clear, so phishing attacks could be very believable
  - Secrets like passwords, private keys and secure notes have not been leaked
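As an added illustration of the last two points (not LastPass’s real format or code), a constructed toy vault in two layouts: one that encrypts only the secret fields and leaves site names and URLs readable without the master password, and one that encrypts the whole record. The cipher is an assumed stdlib-only HMAC counter-mode construction standing in for a real AEAD; the PBKDF2 iteration count is likewise an assumed value.

```python
import hashlib, hmac, json, os

PBKDF2_ITERS = 600_000  # assumed iteration count for illustration, not LastPass's setting
SECRET_FIELDS = {"username", "password", "notes"}

def derive_key(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERS) -> bytes:
    """Stretch the master password; slows offline guessing but cannot rescue a weak one."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy HMAC-SHA256 counter-mode stream (assumption: stands in for AES-GCM in real code).
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC a field; the tag covers nonce and ciphertext so tampering is detected."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").hexdigest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}

def open_(key: bytes, box: dict) -> bytes:
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    if not hmac.compare_digest(box["tag"], hmac.new(key, nonce + ct, "sha256").hexdigest()):
        raise ValueError("wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def store_partial(record: dict, key: bytes) -> dict:
    """Layout A: only secret fields are encrypted; name and url stay in the clear."""
    return {f: (seal(key, v.encode()) if f in SECRET_FIELDS else v) for f, v in record.items()}

def store_full(record: dict, key: bytes) -> dict:
    """Layout B: the whole record is one ciphertext, so nothing identifies the site."""
    return {"blob": seal(key, json.dumps(record).encode())}

def load_full(stored: dict, key: bytes) -> dict:
    return json.loads(open_(key, stored["blob"]))

def readable_without_key(stored: dict) -> dict:
    """What a holder of a stolen backup learns with no master password at all."""
    return {f: v for f, v in stored.items() if isinstance(v, str)}
```

Layout A is what makes targeted phishing believable: the site list is readable from the backup alone, while the secrets still depend entirely on the strength of the master password.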
Deep Dive — Is Twitter’s New Blue Tick Account Verification?
TL;DR — nope, but the gold and grey ones might be, if we choose to take Twitter’s word for it.
Bart explained in Chit Chat Across the Pond #756 the meaning of verification and Twitter/Mastodon implementations.
Last time we recorded, Twitter had promised they would be re-launching Twitter Blue, that it would have some kind of human review, and that there would be options for validating corporations and government entities.
🇦🇺 🇨🇦 🇳🇿 🇬🇧 🇺🇸 Since then the service has officially launched in 5 countries (Australia, Canada, New Zealand, The UK, and the USA), and Twitter have updated their website with more details.
People who earned a blue tick when it meant something will get to keep the tick, but it will be marked as being a legacy tick. New people who pay for the tick won’t get the tick until a human has reviewed their account, and changing your username, display name, or profile picture will remove the tick again until the account is reviewed again.
However, Twitter are making no claims about validating the account; the only claim they make is that blue-tick accounts appear to be non-deceptive. They don’t give a detailed definition of what a deceptive account is other than saying accounts can’t show evidence of being misleading or of manipulating the platform, i.e. being some kind of malicious bot.
This is better than nothing, and a lot better than the utter failure that was the first for-purchase tick mark, but this is not account validation.
Twitter have also announced an initial test of a corporate account plan that does claim to offer verification but does not detail that verification in any way whatsoever. Verified companies will get a gold tick.
Similarly, government agencies, officials, elected representatives, and their staff will be able to get their accounts verified in some unspecified way to earn a grey tick.
The level of confidence you should assign the gold and grey ticks is based purely on your assessment of Twitter’s competence as an organisation; they have provided zero detail to help us make an informed judgment. Time will have to tell I guess — if we hear stories of fakes with ticks we’ll know it failed, and if we don’t, we can assume the system works.
Links
- Twitter Blue on iOS Relaunches on Monday for $11 Monthly — www.macobserver.com/…
- Twitter’s Current Description of the Service: About Twitter Blue — help.twitter.com/…
- Twitter’s Current Criteria for the Blue Tick: How to get the blue checkmark on Twitter — help.twitter.com/…
❗ Action Alerts
- Patch Tuesday has been and gone, including fixes for two zero-day bugs in Windows:
  - Patch Tuesday: 0-days, RCE bugs, and a curious tale of signed malware — nakedsecurity.sophos.com/…
  - Microsoft Patch Tuesday, December 2022 Edition — krebsonsecurity.com/…
  - Related: details have emerged of an extremely dangerous Windows bug that was patched in September; it allowed for completely automated remote takeover of vulnerable computers, in other words, it was wormable — arstechnica.com/…
- Apple release security patches for just about everything:
  - Apple Releases iOS 16.2, iPadOS 16.2, macOS 13.1 Ventura, watchOS 9.2, and tvOS 16.2 — tidbits.com/…
  - Apple hasn’t left Monterey, Big Sur, iPadOS 15, iOS 15 behind yet — appleinsider.com/…
  - Safari 16.2 — tidbits.com/…
  - Related: Microsoft have released details of a bug in macOS 11 & 12 that Apple recently patched; it was similar to a recent Windows bug in that it bypassed Gatekeeper, allowing unsigned software that should be blocked to run — nakedsecurity.sophos.com/… (The bug was not particularly serious, but got a disproportionate amount of media buzz, presumably because it mentions Apple, and because Microsoft gave their article a catchy name — The Achilles’ Heel of macOS)
Worthy Warnings
- 🇺🇸 Fortnite maker Epic Games has to pay $520 million for tricking kids and violating their privacy — www.vox.com/… (Dark patterns & COPPA violations)
- 🇺🇸 There are real Equifax breach settlement emails being sent at the moment, but Brian Krebs warns that scammers are likely to start sending fake ones soon, so he describes how to verify that your email is real — krebsonsecurity.com/…
- “Suspicious login” scammers up their game – take care at Christmas — nakedsecurity.sophos.com/… (Fake ‘we noticed suspicious activity on your account’ emails)
Notable News
- TikTok Spied On Forbes Journalists — www.forbes.com/…
- Pwn2Own Toronto: 54 hacks, 63 new bugs, $1 million in bounties — nakedsecurity.sophos.com/…
  - Interestingly, no one even attempted to hack iPhones, Pixel Phones, or any of the major smart speakers, but it’s not clear if that’s because no one found reliable attacks, or because they are worth more on the grey/black market
- 🇦🇺 The Australian e-Safety Commissioner has criticised Microsoft & Apple for not doing enough to fight CSAM on their platforms — appleinsider.com/…
- 🇬🇧 UK says sharing Netflix passwords could be illegal — appleinsider.com/…
Palate Cleansers
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |