{"id":18485,"date":"2019-06-01T16:14:57","date_gmt":"2019-06-01T23:14:57","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=18485"},"modified":"2019-06-01T16:14:57","modified_gmt":"2019-06-01T23:14:57","slug":"sb-2019-06-01","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2019\/06\/sb-2019-06-01\/","title":{"rendered":"Security Bits \u2013 1 June 2019"},"content":{"rendered":"<h3>Followups<\/h3>\n<ul>\n<li>Andrew Orr at TMO got a bit of a sneak peek at Cloudflare&#8217;s soon-to-be-released Warp VPN (<strong>Editorial by Bart:<\/strong> support for a split tunnel is a nice touch) \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/tmo-scoop\/cloudflare-warp-split-tunneling\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>Security researchers have found that there are still nearly a million devices out there on the internet vulnerable to the <em>BlueKeep<\/em> RDP vulnerability Microsoft recently patched in older versions of Windows (including XP &amp; Server 2003) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/30\/a-million-devices-are-vulnerable-to-bluekeep\/\">nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li>Security researchers have been finding the bug extremely easy to exploit, so the danger is very real. The common joke in the security community ATM is that RDP now stands for <em>Really Do Patch!<\/em><\/li>\n<li><a href=\"https:\/\/www.zdnet.com\/article\/microsoft-issues-second-warning-about-patching-bluekeep-as-poc-code-goes-public\/\">Microsoft issues second warning about patching BlueKeep as PoC code goes public \u2014 www.zdnet.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Apple wrote a letter to GCHQ responding to their proposal for a <em>Ghost Key<\/em> to bypass end-to-end encryption in messaging services, and Google, Microsoft, &amp; WhatsApp co-signed the letter. 
The original proposal was made last November in <a href=\"https:\/\/www.lawfareblog.com\/principles-more-informed-exceptional-access-debate\">a Lawfare article<\/a><br \/>\n<!--more--><\/li>\n<\/ul>\n<h3>Security Medium 1 \u2014 Mobile App Tracking in the Spotlight<\/h3>\n<p>An article from the Washington Post has shone a fresh spotlight on something we&#8217;ve known about, and talked about, for a long time \u2014 many mobile apps sell your data to data aggregators and advertisers. This <em>tracking<\/em> is not news, but it sure got a lot of attention this week, with some in the media reacting as if the Washington Post made some kind of earth-shattering discovery.<\/p>\n<p>The core problem is real \u2014 if you follow the money it is in fact inevitable. Free apps from for-profit companies must be making their money by selling your attention and\/or your information. As a society we seem to want everything for no financial cost, and the only way that works is if we pay in some other way, so of course that&#8217;s what&#8217;s happening.<\/p>\n<p>I quibble with the article&#8217;s definition of trackers though. Not everything that sends information across the internet is in any way nefarious or creepy! There is a world of difference between an app sending data to a software-as-a-service QA tool to monitor how their UI and UX are performing, and a company selling your personal information to 3rd parties for re-sale! The article conflates these two things to imply Microsoft&#8217;s OneDrive is the same as apps that sell your location data and browsing history for profit.<\/p>\n<p>A lot of people are also blaming Apple for this, but IMO that&#8217;s unreasonable. The majority of our apps are windows into the cloud, so apps making network connections are not only not rare, they&#8217;re the absolute norm! Apple could not possibly block all network access, nor could it realistically break TLS\/SSL to look into the data and block certain types of data flowing. 
For a start, that would be a massive invasion of privacy, and secondly, the same data can be exactly what users want to send, or totally creepy. When a cycle tracking app sends regular GPS position updates to the cloud that&#8217;s the app doing what I want it to do, but that would look no different to an app being really creepy!<\/p>\n<p>What Apple can do is insist in their rules that developers have to have accurate privacy statements, and respond when developers break that rule. And, Apple do that.<\/p>\n<p>An argument I would make is that Apple could do a little more by enforcing a rule that every app that sells data to aggregators or advertisers must have a badge in the app store that makes it clear that the app is paid for by tracking. Then users could more easily make a more informed choice.<\/p>\n<p>If you value your privacy, know that free stuff from for-profit companies comes at a cost, and make your app choices accordingly! I choose to buy apps from developers I trust, and to steer clear of free stuff. Maybe you might want to start thinking that way too? Or maybe you&#8217;re happy to pay with your data and\/or attention? Either way is fine, just make sure it&#8217;s a conscious choice!<\/p>\n<p>One final note \u2014 I strongly advise against following the <em>&#8216;advice&#8217;<\/em> some news sites are peddling to disable iOS&#8217;s <em>Background App Refresh<\/em> feature. That feature exists for a really important reason: it massively improves your phone&#8217;s battery life by managing how all apps talk to the internet. Disabling it makes as much sense as disabling wifi and cellular data in response to this!<\/p>\n<h4>Links<\/h4>\n<ul>\n<li>The WP article that triggered the interest in this topic this week: <a href=\"https:\/\/www.washingtonpost.com\/technology\/2019\/05\/28\/its-middle-night-do-you-know-who-your-iphone-is-talking\/?utm_term=.ca32dd3a0b99\">It\u2019s the middle of the night. Do you know who your iPhone is talking to? 
\u2014 www.washingtonpost.com\/\u2026<\/a><\/li>\n<li><strong>Opinion:<\/strong> <a href=\"https:\/\/daringfireball.net\/linked\/2019\/05\/29\/ios-background-refresh-fowler\">iOS Apps Grossly Abusing Background App Refresh for Tracking Purposes \u2014 daringfireball.net\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Security Medium 2 \u2014 Apple&#8217;s <em>Privacy Preserving Ad Click Attribution<\/em> Proposal<\/h3>\n<p>Apple have announced <em>Privacy Preserving Ad Click Attribution<\/em>, a new protocol which they&#8217;re working towards developing into a standard through the <em>W3C Web Platform Incubator Community Group<\/em> (WICG). The aim of this protocol is to facilitate a privacy-respecting mechanism for tracking online ad effectiveness.<\/p>\n<p>Apple have made a lot of moves in their browsers to stop ad networks tracking users across the internet. These privacy-protecting features are a massive boost for users, but they are hurting the advertising industry quite badly. As well as hampering the ad and data aggregation companies&#8217; ability to track all of us as we surf the web, these protections also impede ad buyers&#8217; and sellers&#8217; ability to measure the effectiveness of ad campaigns. For online advertising to be an effective way to monetise financially free content it has to be possible to measure the value produced by a given ad buy, and right now, browser privacy protections are making that very difficult, if not impossible.<\/p>\n<p>This new technology would allow ad buyers and sellers to continue to measure the conversion rates for their ads (what percentage of the people who clicked on an ad actually bought something), but without compromising our privacy. 
Basically, if I bought ads I&#8217;d know how many conversions I got, but not who the individual people were.<\/p>\n<p>If we assume the ad industry is being genuine when it says it needs privacy-invading tracking because that&#8217;s the only way to measure ad effectiveness and make the financially-free internet possible, then they should welcome this with open arms. This really is a win-win for everyone. It remains to be seen just how the ad industry will react, and for this to really make a big difference, other browser vendors would need to adopt the standard too.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li>Apple&#8217;s very human-friendly description of <em>Privacy Preserving Ad Click Attribution<\/em> \u2014 <a href=\"https:\/\/webkit.org\/blog\/8943\/privacy-preserving-ad-click-attribution-for-the-web\/\">webkit.org\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/24\/safari-test-points-to-a-future-with-tracker-free-ads\/\">Safari test points to a future with tracker-free ads \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><strong>Opinion:<\/strong> <a href=\"https:\/\/daringfireball.net\/linked\/2019\/05\/22\/privacy-preserving-ad-click-attribution\">daringfireball.net\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Security Medium 3 \u2014 The US Casts a Cloud of Doubt over Huawei Phone Users<\/h3>\n<p>As part of the Trump administration&#8217;s on-going antagonism with China, the US government has banned US companies from selling hardware or software to Huawei. Initially the ban was total and immediate, but the US government has backed off a little, allowing security updates until at least the 19<sup>th<\/sup> of October. It&#8217;s not clear what happens then.<\/p>\n<p>In theory this whole Huawei ban is about ensuring security, but it seems the end result might be massive insecurity for all western Huawei phone users. 
If Huawei can&#8217;t get Android security updates, then all Huawei phones have just become un-securable, and hence, impossible to use safely.<\/p>\n<p>For now, Huawei phone users know they can stay patched and stay secure until October. Maybe things will get onto a firmer footing by then. Either way, if you have a Huawei phone, you need to watch how this story develops, because you may be forced to bin your phone in a few months!<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/uk.reuters.com\/article\/us-huawei-tech-alphabet-exclusive\/exclusive-google-suspends-some-business-with-huawei-after-trump-blacklist-source-idUKKCN1SP0NB\">Google suspends some business with Huawei after Trump blacklist \u2014 uk.reuters.com\/\u2026<\/a><\/li>\n<li><a href=\"http:\/\/www.loopinsight.com\/2019\/05\/20\/google-suspends-huaweis-non-open-source-android-license\/\">Google suspends Huawei\u2019s non-open source Android license \u2014 www.loopinsight.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/uk.reuters.com\/article\/uk-huawei-tech-usa-license\/u-s-eases-restrictions-on-huawei-founder-says-u-s-underestimates-chinese-firm-idUKKCN1SQ284\">U.S. 
eases curbs on Huawei; founder says clampdown underestimates Chinese firm \u2014 uk.reuters.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li>Firefox 67 has been released; it patches two critical bugs, and also brings along some nice privacy improvements \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/23\/mozilla-fixes-bugs-improves-privacy-in-latest-firefox-release\/\">nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li>Improved fingerprinting protection<\/li>\n<li>Cryptominer blocking<\/li>\n<li>Control over which plugins &amp; passwords are available in private browsing mode<\/li>\n<\/ul>\n<\/li>\n<li>Apple have released a firmware update for their now discontinued AirPort line of routers \u2014 <a href=\"https:\/\/support.apple.com\/en-us\/HT210090\">support.apple.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/techcrunch.com\/2019\/05\/22\/tp-link-routers-vulnerable-remote-hijack\/\">Thousands of vulnerable TP-Link routers at risk of remote hijack \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>Beware <em>Nokelock<\/em> smart padlocks: security researchers have found massive security vulnerabilities in these products, despite some of them being <em>Amazon&#8217;s Choice<\/em> \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/29\/researchers-uncover-smart-padlocks-dumb-security\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>A security researcher has demonstrated a phishing technique that can be used to trick users into bypassing Gatekeeper and running a malicious app. The attack starts by tricking a user into opening a malicious ZIP file, so the standard advice not to open files from un-trusted sources applies. Apple have not fixed the underlying problems yet. 
\u2014 <a href=\"https:\/\/9to5mac.com\/2019\/05\/25\/macos-gatekeeper-vulnerability\/\">9to5mac.com\/\u2026<\/a><\/li>\n<li>Security researchers have found that over a quarter of iPhones can be accessed with one of the 20 most popular PINs (<strong>Editorial by Bart:<\/strong> If you use a PIN, make sure it is not on the list. I&#8217;d suggest going further though, and using a true alphanumeric password. With TouchID and FaceID massively reducing how often you need your passcode, that&#8217;s now a very practical option) \u2014 <a href=\"https:\/\/www.cultofmac.com\/628306\/is-your-iphone-passcode-on-this-list-of-pathetic-pins\/\">www.cultofmac.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; Facebook have not had a good two weeks in the Delaware Chancery Court where they are defending a share-holder lawsuit over the Cambridge Analytica scandal:\n<ul>\n<li><a href=\"https:\/\/www.reuters.com\/article\/us-facebook-lawsuit-privacy\/u-s-judge-orders-facebook-to-turn-over-data-privacy-records-idUSKCN1T120F\">Facebook ordered by U.S. judge to turn over data privacy records \u2014 www.reuters.com\/\u2026<\/a><\/li>\n<li>While defending the company in this case, Facebook attorney Orin Snyder argued that Facebook could not be guilty of invasion of privacy because its users <em>&#8220;have no expectation of privacy&#8221;<\/em>, so <em>&#8220;There is no invasion of privacy at all, because there is no privacy&#8221;<\/em> (<strong>Editorial\/Snark by Bart:<\/strong> I guess we should applaud this rare moment of honesty!) 
\u2014 <a href=\"https:\/\/www.dailydot.com\/debug\/facebook-lawyer-no-expectation-of-privacy\/\">www.dailydot.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>The Intercept is reporting that Facebook offers cell carriers around the world extra data pulled from users&#8217; phones by their mobile apps (Facebook, WhatsApp &amp; Instagram) \u2014 <a href=\"https:\/\/theintercept.com\/2019\/05\/20\/facebook-data-phone-carriers-ads-credit-score\/\">theintercept.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/17\/google-recalls-titan-bluetooth-keys-after-finding-security-flaw\/\">Google recalls Titan Bluetooth keys after finding security flaw \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/techcrunch.com\/2019\/05\/29\/following-ftc-complaint-google-rolls-out-new-policies-around-kids-apps-on-google-play\/\">Following FTC complaint, Google rolls out new policies around kids\u2019 apps on Google Play \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li>A new academic study has found that while advertisers pay about 2\u00bd times as much for a behaviourally targeted (creepy) ad as compared to a regular ad, behaviourally targeted ads are only 4% more effective (<strong>Editorial by Bart:<\/strong> if this study is backed up by further research then the argument that we need creepy tracking to fund the free internet falls apart) \u2014 <a href=\"https:\/\/www.wsj.com\/articles\/behavioral-ad-targeting-not-paying-off-for-publishers-study-suggests-11559167195\">www.wsj.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/31\/foreign-spies-may-be-hiding-in-your-vpn-warns-dhs\/\">Foreign spies may be hiding in your VPN, warns DHS \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2019\/05\/legal-threats-make-powerful-phishing-lures\/\">Legal Threats Make Powerful 
Phishing Lures \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/everything-you-need-to-know-about-software-updates\/\">What every Apple user should know about software updates \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li>&#x2b50;&#xfe0f; &#x1f9ef;There was a data breach at Stack Overflow, but it was very quickly addressed, and only names, email addresses and IPs were leaked, and only of a &#8216;small number of users&#8217; who have been notified by the company \u2014 <a href=\"https:\/\/techcrunch.com\/2019\/05\/17\/stack-overflow-user-data-exposed\/\">techcrunch.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/arstechnica.com\/?p=1507147\">>20,000 Linksys routers leak historic record of every device ever connected \u2014 arstechnica.com<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f9ef;Google accidentally stored some GSuite passwords in plain text for 14 years. 
This is not as bad as it sounds because the passwords were stored on secured servers, and only some GSuite accounts were affected, not regular Google accounts \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/23\/google-stored-some-passwords-in-plain-text-for-14-years\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.imore.com\/flipboard-resets-passwords-after-data-breach-exposed-users-details\">Flipboard resets passwords after data breach exposed users&#8217; details \u2014 www.imore.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/31\/flipboard-data-breach-what-users-should-do-now\/\">Flipboard data breach \u2013 what users should do now \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x2b50;&#xfe0f; Consumer Reports has found that Google uses Gmail to build a database of what you buy, and that there doesn&#8217;t seem to be a way of deleting it \u2014 <a href=\"https:\/\/www.cnbc.com\/2019\/05\/17\/google-gmail-tracks-purchase-history-how-to-delete-it.html\">www.cnbc.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/28\/millions-of-canva-users-data-stolen-as-gnosticplayers-strikes-again\/\">Millions of Canva users\u2019 data stolen as GnosticPlayers strikes again \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.vice.com\/en_us\/article\/xwnva7\/snapchat-employees-abused-data-access-spy-on-users-snaplion\">Snapchat Employees Abused Data Access to Spy on Users \u2014 www.vice.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/31\/facial-recognition-used-to-strip-adult-industry-workers-of-anonymity\/\">Facial recognition used to strip adult industry workers of anonymity \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2019\/05\/account-hijacking-forum-ogusers-hacked\/\">Account Hijacking Forum OGusers 
Hacked \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/28\/hackers-breach-us-license-plate-scanning-company\/\">Hackers breach US license plate scanning company \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/threatpost.com\/pos-malware-found-at-102-checkers-restaurant-locations\/145181\/\">POS Malware Found at 102 Checkers Restaurant Locations \u2014 threatpost.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/krebsonsecurity.com\/2019\/05\/ny-investigates-exposure-of-885-million-mortgage-documents\/\">NY Investigates Exposure of 885 Million Mortgage Documents \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>&#x2b50;&#xfe0f; &#x1f1fa;&#x1f1f8; (<strong>Editorial by Bart:<\/strong> a good illustration of why SMS is the weakest form of 2FA, though of course, still better than no 2FA) <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/17\/hacking-gang-stole-millions-in-cryptocurrency-via-sim-swaps\/\">Hacking gang stole millions in cryptocurrency via SIM swaps \u2014 nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li><strong>Related Suggested Reading:<\/strong> <a href=\"https:\/\/medium.com\/coinmonks\/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124\">The Most Expensive Lesson Of My Life: Details of SIM port\u00a0hack \u2014 medium.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/theintercept.com\/2019\/05\/20\/facebook-data-phone-carriers-ads-credit-score\/\">Thanks to Facebook, Your Cellphone Company Is Watching You More Closely Than Ever \u2014 theintercept.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; The Irish Data Protection Commissioner have launched an investigation to see if Google&#8217;s <em>Ad Exchange<\/em> violates the GDPR \u2014 <a 
href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/24\/google-ad-exchange-in-data-privacy-probe\/\">nakedsecurity.sophos.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> &#x1f1fa;&#x1f1f8; The WSJ is reporting that the Justice Department are preparing to open an anti-trust investigation into Google, but this has not been officially confirmed \u2014 <a href=\"https:\/\/www.wsj.com\/articles\/justice-department-is-preparing-antitrust-investigation-of-google-11559348795?mod=e2tw\">www.wsj.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/23\/tor-browser-for-android-8-5-offers-mobile-users-privacy-boost\/\">Tor Browser for Android 8.5 offers mobile users privacy boost \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/facebook-banned-over-2-million-fake-accounts\/\">Facebook Banned Over 2 billion Fake Accounts in Q1 2019 \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/20\/facebook-bans-accounts-of-fake-news-firm\/\">Facebook bans accounts of fake news firm \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.consumerreports.org\/privacy\/facebook-facial-recognition-privacy-setting-missing-for-some-users\/\">Facebook&#8217;s Face Recognition Privacy Setting Missing for Some Users \u2014 www.consumerreports.org\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/29\/deepfake-researchers-can-now-make-paintings-talk\/\">New research generates deepfake video from a single picture \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.nytimes.com\/2019\/05\/25\/us\/nsa-hacking-tool-baltimore.html?smid=nytcore-ios-share\">In Baltimore and Beyond, a Stolen N.S.A. 
Tool Wreaks Havoc \u2014 www.nytimes.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.theverge.com\/2019\/5\/23\/18637330\/senate-vote-approve-anti-robocalling-bill-congress-traced-act-fcc\">The Senate votes to approve anti-robocalling bill \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<li>&#x1f1e8;&#x1f1e6; Canada will be introducing a digital charter to combat hate speech &amp; misinformation online \u2014 <a href=\"https:\/\/www.cbc.ca\/news\/politics\/digital-charter-trudeau-1.5138194\">www.cbc.ca\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/www.wired.co.uk\/article\/london-underground-wifi-tracking\">TfL is going to track all London Underground users using Wi-Fi \u2014 www.wired.co.uk\/\u2026<\/a><\/li>\n<li>&#x1f1e9;&#x1f1ea; <a href=\"https:\/\/www.macobserver.com\/link\/germany-banning-end-to-end-encryption\/\">Germany Considering Law Banning End-to-End Encryption in Chat Apps \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.wired.co.uk\/article\/google-image-search-sexist-suggestions\">Google&#8217;s Image search has a massive celebrity sexism problem \u2014 www.wired.co.uk\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.independent.co.uk\/life-style\/gadgets-and-tech\/features\/apple-iphone-privacy-security-park-interview-federighi-a8925291.html\">Inside Apple\u2019s top secret testing facilities where iPhone defences are forged in temperatures of -40C \u2014 www.independent.co.uk\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f508; <a href=\"https:\/\/overcast.fm\/+HuIjF7-fQ\">Planet Money Episode 915: How To Meddle In An Election \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f508; <a href=\"https:\/\/overcast.fm\/+Ip8z2ofac\">The Real Story: The new technology cold war \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li><a 
href=\"http:\/\/fortune.com\/2019\/05\/29\/splinternet-online-censorship\/\">The Splinternet Is Growing \u2014 fortune.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.nytimes.com\/2019\/05\/26\/opinion\/nancy-pelosi-facebook-video.html\">Nancy Pelosi and Fakebook\u2019s Dirty Tricks \u2014 www.nytimes.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/30\/what-a-teen-grade-hackers-confession-can-teach-us\/\">What a teen grade hacker\u2019s confession can teach us \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propellor Beanie Territory\n<ul>\n<li><a href=\"https:\/\/arstechnica.com\/information-technology\/2019\/05\/advanced-linux-backdoor-found-in-the-wild-escaped-av-detection\/\">Advanced Linux backdoor found in the wild escaped AV detection \u2014 arstechnica.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/31\/unpatched-docker-bug-allows-read-write-access-to-host-os\/\">Unpatched Docker bug allows read-write access to host OS \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/20\/brave-browser-concerned-that-client-hints-could-be-abused-for-tracking\/\">Brave browser concerned that <em>Client Hints<\/em> could be abused for tracking \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/05\/25\/serious-security-dont-let-your-sql-server-attack-you-with-ransomware\/\">Serious Security: Don\u2019t let your SQL server attack you with ransomware \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/ourworldindata.org\/does-the-news-reflect-what-we-die-from\">Does the news reflect what we die from? 
&#8211; Our World in Data \u2014 ourworldindata.org\/\u2026<\/a><\/li>\n<li>A great satirical cartoon shared by NosillaCastaway Steven Goetz \u2014 <a href=\"https:\/\/twitter.com\/goatman\/status\/1134290963931811845\">twitter.com\/\u2026<\/a><\/li>\n<\/ul>\n<p><em><strong>Note:<\/strong> When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Followups Andrew Orr at TMO got a bit of a sneak-peak at Cloudflare&#8217;s soon-to-be released Warp VPN (Editorial by Bart: support for a split tunnel is a nice touch) \u2014 www.macobserver.com\/\u2026 Security researchers have found that there are still nearly a million devices out there on the internet vulnerable to the BlueKeep RDP vulnerability Microsoft [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":16218,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[50,569],"class_list":["post-18485","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2018\/08\/PBS_logo-16-grey.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/18485","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\
/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=18485"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/18485\/revisions"}],"predecessor-version":[{"id":18488,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/18485\/revisions\/18488"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/16218"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=18485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=18485"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=18485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}