Feedback & Followups
- Rather aptly for this solo show, NosillaCastaway MildDeamons perfectly expressed the reason I much prefer recording with Allison on the NosillaCast Slack when he posted:
> “I really enjoy it (and I think most of us do) when you explain things to @podfeet and she tries to wrap her head around them. The best part is when one of you say something that doesnβt quite make βsenseβ to me β Iβm sitting there thinking, ‘Hmm, that doesnβt seem right…’ β and then @podfeet jumps in with, ‘Wait, wait… do you mean…?’ And you go on to explain it another way, and them Iβm, ‘Ahhhh, now I get it!'” - Oracle continues to illustrate how not to respond to security breaches by continue to try, and fail, to cover up a breach of their wider cloud services (above and beyond the Oracle Health breach we mentioned last time) β www.bleepingcomputer.com/β¦
- Some small but nice progress from Microsoft on some of their on-going efforts we’ve discussed before:
- Progress on Windows improvements to make incidents like the infamous CrowdStrike outage from last summer less likely in future: Microsoft tests new Windows 11 tool to remotely fix boot crashes β www.bleepingcomputer.com/β¦ (The new feature is branded Quick Machine Recovery)
- Continuing roll-out of reboot-less security updates β www.bleepingcomputer.com/β¦ (Branded hotpatching it doesn’t get you zero reboots, but it does get you from monthly to quarterly staying fully patched at all times)
- Continuing deprecation of old and insecure technologies: Microsoft blocks ActiveX by default in Microsoft 365, Office 2024 β www.bleepingcomputer.com/β¦
- GitHub have responded to the increased abuses of their services by malicious actors by making it easier and cheaper for organisations to buy their advanced security tools β www.bleepingcomputer.com/β¦
- Google continue to battle the rise of ad-based malware on their platforms: Google blocked over 5 billion ads in 2024 amid rise in AI-powered scams β www.bleepingcomputer.com/β¦
- πΊπΈ We now have an explanation for the embarrassing and illegal ‘Signal-Gate’ woopsie by the US administration β the National Security Advisor un-thinkingly accepted a Siri suggestion to update a contact in his phone β www.macobserver.com/β¦
- This was spun as it all being Apple’s fault by the administration, but it is of course no such thing, it actually perfectly illustrates why secure government communications need to happen on secure and private government channels!
- This means the national security advisor was careless twice rather than just once, not sure how that makes anything better? π
- Humans make mistakes, when you use a public service, not matter how cryptographically secure, those human mistakes can leak secrets to anyone on planet earth, but similar mistakes on private government channels have much smaller blast-radiuses.
- π¬π§ There is still no outcome, and we still have very little detail, but Apple have succeeded in lifting the veil of secrecy over the UK government’s attempt to break iCloud Advanced Encryption for the world β www.cultofmac.com/β¦
Deep Dive β How Apple is Training Apple Intelligence without Breaking their Privacy Promise
TL;DR β there is nothing even vaguely nefarious or dangerous going on here, none of this is enabled by default, it’s all opt-in, and for those who do opt in, it their privacy is provably protected.
When you’re interested in big trends, you don’t need exact data. In fact, just about every real-world statistic is built on top of noisy and incomplete data because there are very few situations where everything can be known perfectly! What percentage of Americans owns a Ford vehicle? Simple question, we rarely think twice about how those numbers come to be, but for them to be perfectly accurate every single American would need to respond to the analytics company compiling the numbers truthfully. Impossible! So, we base statistics on small samples we hope are representative where we have reason to believe most respondents are truthful. As long as the sample is fairly representative of the total population and the responses are reasonably honest you get usable numbers out the other side.
With computer usage data you can actually get perfectly clean data, but at the cost of everyone’s privacy. To determine which typos Apple’s autocorrect fixes most often iOS & macOS could log every change and send them all to Apple! That would utterly violate Apple’s privacy promises and policies, but Apple still want to get a reasonable understanding of how their tools are used in the real world by actual users, so how can they square that circle? By intentionally adding random gibberish to the data to make it noisy! If you know the accuracy of your sampling (100% for which OS features a user does and does not use), and the accuracy you actually need, you can calculate the amount of intentional lies you can inject into your raw data without ruining your results. This is what Apple have been doing for years for all their OS analytics, and it has the fancy name differential privacy. Basically, when you agree to let your iPhone, iPad, or Mac send Apple analytics data, each piece of data gathered will be replaced with an intentional lie a specific percentage of the time. This means no one piece of data can ever be used as evidence of anything, because you know for a fact how likely it is to be a lie, and yet, when you aggregate it all together, the signal still pokes up above the noise, letting Apple make meaningful product decisions.
Apple is now extending this approach to Apple Intelligence β for tools like image playgrounds and genmoji, the prompts people who opt in to sending Apple analytics data will be shared with Apple using differential privacy. That works great for AI features powered by short little prompts, but not for AI features that take huge inputs like summarisation.
Here Apple are being wonderfully clever β instead of training and testing their models on real emails from people’s actual inboxes, they’re using generative AI to create fake but realistic emails to use instead. This protects user privacy perfectly because no ones actual emails are ever involved in any stage of the process. But, the quality of the training entirely depends on the realism of the synthetic data. What Apple need to do is not harvest your emails, but check how similar your emails are to their synthetic ones, and this is something you can achieve safely with the help of differential privacy.
Apple are not going to gather your emails and upload them to their servers, instead, they’re going to randomly send devices where users have opted in a few synthetic emails, and on-device, the OS will perform statistical comparisons between users actual emails and the sample synthetic ones, and report those statistics back to Apple’s servers with intentional lies mixed into all the replies. So, even without differential privacy this would already not be sending actual emails to Apple, but for extra protection, even the statistics it does send are intentionally noisy, making it mathematically impossible to actually know what emails are on who’s devices. But, Apple will none-the-less be able to get a good estimate of the quality of their synthetic data.
The key points to note:
- None of the data sent to Apple includes any kind of identifier β no device IDs, no user IDs, and no network identifiers like IP addresses, so what ever is sent is completely anonymous
- Everything that is sent is intentionally polluted with lies so no single piece of data can ever be used as evidence of anything
- For long pieces of text, users are not sending any actual data to Apple, but returning accuracy scores for Apple’s synthetic dummy data
- All this is opt-in rather than opt-out or compulsory
Links
- Apple’s blog post explaining what they are doing: Understanding Aggregate Trends for Apple Intelligence Using Differential Privacy β machinelearning.apple.com/β¦
- Good Summaries:
β Action Alerts
- Apple patch just about everything, some OSes twice!
- Current OSes; iOS/iPadOS 18.4, macOS Sequoia 15.4, tvOS 18.4 & visionOS 2.4, and legacy OSes; iPadOS 17.7.6, iOS/iPadOS 16.7.11, iOS/iPadOS 15.8.4, macOS Sonoma 14.7.5 & macOS Ventura 13.7.5 β isc.sans.edu/β¦ (Includes two zero-days!)
- Apple releases security updates for iOS 18.4.1, macOS Sequoia 15.4.1 β appleinsider.com/β¦ (Fixes two zero-days, and there are also matching updates for tvOS & visionOS)
- Microsoft April 2025 Patch Tuesday fixes exploited zero-day, 134 flaws β www.bleepingcomputer.com/β¦
- More details and analysis β isc.sans.edu/β¦ & krebsonsecurity.com/β¦
- The April Android Patches are out: Google fixes Android zero-days exploited in attacks, 60 other flaws β www.bleepingcomputer.com/β¦ (Patch if you can, or consider getting a securable phone if you can’t)
- Googleβs Android Is Copying Apple iOSβs Auto-Restart Security Feature β www.macobserver.com/β¦ (The good kind of copying!)
- Google Patches Quick Share Vulnerability Enabling Silent File Transfers Without Consent β thehackernews.com/β¦ (Google’s AirDrop equivalent)
- WhatsApp flaw can let attackers run malicious code on Windows PCs β www.bleepingcomputer.com/β¦ (Windows only bug)
Worthy Warnings
- πΊπΈ US lab testing provider exposed health data of 1.6 million people β www.bleepingcomputer.com/β¦ (Laboratory Services Cooperative)
- “LSC is a Seattle-based nonprofit organization that provides centralized laboratory services to its member affiliates, including select Planned Parenthood centers”
- Not clear if victims are being notified, but there is a portal for people who fear they may be caught up on this to get more information (details in the linked story)
Notable News
- πΊπΈ The Trump administration continue to undermine the nation and the world’s cybersecurity π
- The Trump administration almost killed the CVE system for cataloging and scoring known security vulnerabilities β bleepingcomputer.com/β¦ & krebsonsecurity.com/β¦
- The CVE database acts as the data source for just about every vulnerability detection tool in use today
- The CVSS Scores assigned to vulnerabilities in the CVE database make it possible for people with jobs like mine to triage and priorities our responses to what ever vulnerabilities our scanning tools alert us to
- There has always been an independent board overseeing the CVE database, but the contract to do the actual work has always been with the US quasi-governmental agency MITRE and paid for by the US government, current via CISA
- Moves were already afoot to remove the CVE database’s sole dependence on US good will, but those moves have now accelerated
- At the last minute CISA invoked a clause in the contract with MITRE to extend the contact, but it has not been renewed, so MITRE’s work maintaining the CVE database hangs by a thread π
- The Trump administration have attacked the first ever director of the Cybersecurity & Infrastructure Security Agency (CISA) Chris Krebs for his declarations on the legitimacy of the 2020 elections β krebsonsecurity.com/β¦ (Ironically, Krebs was appointed by Trump in his first term)
- Trump launched the attack in a published Presidential Memorandum directing all agencies to remove Krebs’ security clearance as well as those from all employees at the company he works for (SentinelOne), and instructs the Attorney General and Secretary of Homeland Security to launch an investigation into Krebs and CISA and propose “appropriate remedial or preventative actions”
- “Krebs, through CISA, falsely and baselessly denied that the 2020 election was rigged and stolen, including by inappropriately and categorically dismissing widespread election malfeasance and serious vulnerabilities with voting machines.” β the Trump Memo
- Krebs has resigned from SentinelOne to fight the Trump administration full-time, and to protect the company β arstechnica.com/β¦
- Opinion from Bart: this is full-on authoritarianism, twisting the power of the state to persecute people and companies in order to force them to accept a false narrative that has simply never stood up to scrutiny. The fiction that the 2020 election was somehow stolen from Trump is literally his Hitler-esque Big Lie.
- Trump launched the attack in a published Presidential Memorandum directing all agencies to remove Krebs’ security clearance as well as those from all employees at the company he works for (SentinelOne), and instructs the Attorney General and Secretary of Homeland Security to launch an investigation into Krebs and CISA and propose “appropriate remedial or preventative actions”
- The Trump administration almost killed the CVE system for cataloging and scoring known security vulnerabilities β bleepingcomputer.com/β¦ & krebsonsecurity.com/β¦
- πΊπΈ Google has an illegal monopoly on online advertising, judge rules β appleinsider.com/β¦ (
- Note that this is a second DOJ anti-trust case against Google, this case is entirely separate to the one they lost last year and are currently appealing that found Google has a monopoly in search.
- Google claims it won half of its monopoly case, and will appeal the rest β appleinsider.com/β¦ (The court did not agree with the DOJ that Google’s acquisition of DoubleClick decades ago was anti-competitive)
- SSL/TLS certificate lifespans reduced to 47 days by 2029 β www.bleepingcomputer.com/β¦
- March 15 2026 β 200 days for certs & domain control validation
- March 15 2027 β 100 days for certs & domain control validation
- March 15 2029 β 47 days for certs & 10 days for domain control validation
- In effect, this means that if your website uses HTTPS certs and you don’t already have the process automated using something like Let’s Encrypt’s CertBot (which can use any Certificate Authority as the back end if they choose to offer the appropriate API) you’d better start work on fixing that soon!
- Chrome 136 fixes 20-year browser history privacy risk β www.bleepingcomputer.com/β¦
- For years, links you visit from any website anywhere on the web are shown in a different colour on every website everywhere on the web
- With the advent of CSS and JavaScript it’s been possible for ages for websites to learn your browsing history by including links to sites of interest on their own pages, perhaps in hidden areas of the page, and checking the colour the browser assigns the links
- To combat this data leak, Chrome will only show links are visited from the domains where the user clicked on them
- So, if you only ever search the web on Google you’re not likely to notice anything because all your clicks will originate in Google, so you’ll still see results you’ve already been to in purple instead of blue
- But, if you search the web from two sites, say Google & Bing, any results you visit in Bing will not show are visited on Google, and vice-versa.
- Google rolls out easy end-to-end encryption for Gmail business users β www.bleepingcomputer.com/β¦
- Purely an enterprise feature as it requires organisations to run their own key server
- Only works in the web version of GMail (leverages the browser to do the encryption/decryption)
- Very clever design though with a good delegation of trust
- Real-world ready unlike the geek/hobbyist PGP option
- Much easier for organisations of all sizes to deploy than S/MIME which has existed for decades but failed to gain wide adoption
- π§ Get the nerdy details in Security Now episode 1020 (Ignore Steve’s failure to comprehend that in an enterprise context the ‘ends’ in end-to-end encryption are the organisations, not the individual mailboxes, so in the context it’s intended for, it absolutely is true E2E despite his scoffing)
Palate Cleansers
- Steve Gibson’s Photo of the Week recently had a fun overlap with coding:
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to, when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| π§ | A link to audio content, probably a podcast. |
| β | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| π | A link to graphical content, probably a chart, graph, or diagram. |
| π§― | A story that has been over-hyped in the media, or, “no need to light your hair on fire” π |
| π΅ | A link to an article behind a paywall. |
| π | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| π© | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| π¦ | A link to video content. |