
Security Bits — 9 July 2023

Feedback & Followups

  • We now have more details on how iOS 17’s new Check In safety feature will work: www.macobserver.com/…
  • 🇪🇺 Six companies have confirmed to the EU Commission that they will fall under the Digital Markets Act (DMA) definition of a Gatekeeper — appleinsider.com/…
    • Apple
    • Alphabet/Google
    • Amazon
    • Meta/Facebook
    • Microsoft
    • ByteDance/TikTok
  • 🇬🇧 Apple has joined the chorus of companies, industry associations, and public advocacy groups warning the UK government about the dangers of its ill-conceived Online Safety Bill which, as it stands, would ban effective and safe encryption in the UK — appleinsider.com/…

Deep Dive 1 — Firefox Updates Its Support Matrix

With the release of Firefox 115 Mozilla have announced changes to their support plans for older OSes.

Firstly, on the Windows side, Windows 7 & Windows 8 users will not get any more feature updates. They are being automatically migrated to Firefox 115 ESR, which will only provide security updates. Note that nothing older than Windows 7 will get any updates.

Similarly, Mac users on macOS 10.12 (Sierra), 10.13 (High Sierra) & 10.14 (Mojave) are also being migrated to 115 ESR for security-only updates. Again, nothing older gets any updates at all.

This is a very generous support matrix, and Mozilla definitely should not be criticised for this move. It makes no sense for an organisation to put resources into feature updates for obsolete OSes, and once the vendor drops support (as is the case for Windows 7 & 8, and macOS 11 Big Sur and older), even offering security updates is more than is reasonably required!

Links

Deep Dive 2 — 🇫🇷 France’s Controversial New Surveillance Law

The French government is in the process of passing a large cybersecurity bill, and much of it is uncontroversial, some of it even good like placing requirements on cloud companies to protect the data they store. But, one aspect of the law is getting a lot of attention, and much of it missing all nuance and context.

The controversial part is the bit that grants law enforcement the right to enable ‘spying’ features on smart devices including phones, tablets, computers, and even cars.

There have been some amendments to the law as it’s made its way through the process, and there may well be more, so this is just the current state of play.

The first thing to note is that both of the provisions I’m about to describe need judicial approval, so it’s like getting a warrant in the US.

When investigating a crime whose sentence would be 5 or more years in prison, police can apply for the right to enable location tracking on a suspect.

“When justified by the nature and seriousness of the crime”, police can request the right to enable a camera or microphone, but only “for a strictly proportional duration”, and never more than 6 months. There are also explicit exclusions preventing the law being used to target doctors, journalists, lawyers, judges, and members of parliament.

Note that this law gives law enforcement the right to enable this tracking by whatever means they can, so it’s about giving the police the right to social engineer, hack, or use tools like Pegasus; there is no mandate on tech companies to alter their software to enable this for law enforcement.

This is nothing like mandating back doors, but it does set up a dangerous conflict of interest, one we’ve seen before with the CIA leaks: the incentive to keep security vulnerabilities secret from the vendors, which puts everyone at risk.

In the abstract, this sounds bad, but maybe this is better than what is happening in other major democracies now. E.g. in the US, there are secret courts and national security letters companies have to follow and can’t talk about, and we know lots of governments are buying tools like Pegasus.

So, is it really worse to put it into law, with clear rules, limitations, and oversight, than to just do it in secret like everyone else? Is France actually doing this better than its peers, rather than worse?

Links

Notable News

  • 🇺🇸 A US Federal District Judge has issued a controversial ruling that places an injunction on some branches of the federal government, barring them from even talking to social media companies about moderation. Legal opinion on the ruling appears to be that it’s broad, sweeping, and not based on law or precedent. Since this is a low-level federal court, appeals seem inevitable — www.cultofmac.com/…
  • 🇷🇺 One of Russia’s biggest disinformation troll farms falls victim to the recent coup attempt: Prigozhin-controlled Russian media group shuts after mutiny — www.reuters.com/…

Just Because it’s Cool 😎

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
