{"id":18574,"date":"2019-06-15T15:21:41","date_gmt":"2019-06-15T22:21:41","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=18574"},"modified":"2019-06-15T15:21:41","modified_gmt":"2019-06-15T22:21:41","slug":"sb-2019-06-15","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2019\/06\/sb-2019-06-15\/","title":{"rendered":"Security Bits \u2013 15 June 2019"},"content":{"rendered":"<h3>Followups<\/h3>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; &#x1f1ee;&#x1f1f3; Thanks to a letter sent to Facebook by US Senator Richard Blumenthal, we now know that Facebook&#8217;s controversial VPN tracking app collected data on 187K users, and that 31K of those were in the US, and 4.3K of those were teens. The remaining users were in India \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/14\/facebook-got-187000-users-data-with-snoopy-vpn-app\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Security Medium \u2014 Sign in with Apple<\/h3>\n<p><!--more-->Privacy was a strong focus throughout Apple&#8217;s recent WWDC keynote, and all their upcoming OS updates will be crammed with interesting new security and privacy features. As a general rule, we prefer to talk about things that are actually released in this segment, so we&#8217;ll keep our powder dry on the vast majority of the updates until the new OSes are released in a few months.<\/p>\n<p>One announcement stood out above all the others, though, because it&#8217;s not an evolutionary improvement or enhancement, but a whole new departure for Apple, and that&#8217;s <em>Sign in with Apple<\/em>.<\/p>\n<h4>What is it?<\/h4>\n<p>Starting in the fall, Apple will offer a centralised mechanism for logging in to participating apps and websites via Apple. They will act as an identity provider. 
Apple will verify that the person trying to log in really is you, and then cryptographically vouch for you to the site or app you are trying to access (it is then up to that site or app to check Apple&#8217;s signature before believing the identity it carries).<\/p>\n<p>You&#8217;ve seen this model before in the form of those ever-present <em>sign in with &lt;INSERT SOCIAL MEDIA NETWORK HERE&gt;<\/em> buttons.<\/p>\n<p>Apple will only provide the service to users with 2FA, and will vouch for two things \u2014 that the user is who they say they are, and the level of confidence Apple have that the user is a human and not a bot.<\/p>\n<p>When you use the service you will be asked to confirm the information Apple give to the app\/service. The most Apple will share is your name and email address, and you get to alter the name to anything you like, and you get the option to mask your email address with a per-service anonymous <em>burner address<\/em> that Apple will forward to your real address. You can disable these burner addresses any time you like.<\/p>\n<p>Finally, any iOS app that offers third-party logins will be required to also offer Sign in with Apple.<\/p>\n<h4>Background<\/h4>\n<p>For over a decade now there has been a strong desire to deal with the proliferation of passwords everywhere by consolidating our trust into a central identity provider who can vouch for us anywhere we need to authenticate ourselves. The big hope was the free and open <a href=\"https:\/\/openid.net\/foundation\/\">OpenID<\/a> protocol, but that just hasn&#8217;t taken off. Why? Impossible to know for sure, but for what it&#8217;s worth, my theory is that it was crowded out by <a href=\"https:\/\/en.wikipedia.org\/wiki\/OAuth\">OAuth<\/a> and those all-pervasive <em>sign in with &lt;INSERT SOCIAL MEDIA NETWORK HERE&gt;<\/em> buttons.<\/p>\n<p>The OpenID Foundation is a non-profit, so it has never focused on making money, but Yahoo!, Facebook, Google &amp; Twitter saw an immense opportunity in becoming a central identity provider for as many of their users as possible. 
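What the "cryptographic vouching" described under "What is it?" looks like on the wire, as an added example that is not code from the original post or from Apple: the identity provider hands the app a signed identity token (Sign in with Apple, like other OpenID Connect providers, issues a JWT signed with RS256 and publishes the matching public keys), and the app or site must verify that signature against a key it already trusts, then check that the token was issued by the provider it expects, for its own client id, for the login it actually started (the nonce), and has not yet expired. The Go program below plays both sides. A throwaway key pair stands in for the provider's published keys, and the issuer URL, client id, user identifier, relay address and nonce are made-up values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// IDClaims are the claims in the provider's identity token (OpenID Connect names).
type IDClaims struct {
	Iss   string `json:"iss"`             // who is vouching
	Aud   string `json:"aud"`             // which app it is vouching to
	Sub   string `json:"sub"`             // stable user identifier for that app
	Email string `json:"email,omitempty"` // may be a per-app relay address
	Nonce string `json:"nonce"`           // ties the token to one login attempt
	Exp   int64  `json:"exp"`             // unix time after which it is worthless
}

// ProviderKID is a made-up key id; real providers publish several keys by id.
const ProviderKID = "demo-key-1"
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewProviderKey makes a throwaway RSA key standing in for the provider's signing key, plus the kid -> public key map a relying party fills from the provider's JWKS.
func NewProviderKey() (*rsa.PrivateKey, map[string]*rsa.PublicKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // the OS entropy source failed; nothing sensible to do here
	}
	return key, map[string]*rsa.PublicKey{ProviderKID: &key.PublicKey}
}

// IssueToken plays the provider: base64url(header).base64url(claims).base64url(sig), signed with RS256 (PKCS#1 v1.5 over SHA-256), i.e. the signed-JWT wire format.
func IssueToken(key *rsa.PrivateKey, kid string, c IDClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyToken plays the relying party. Nothing in the token is believed until the signature
// checks out under a key we already trust; then issuer, audience, expiry and nonce must match.
func VerifyToken(token string, keys map[string]*rsa.PublicKey,
	wantIss, wantAud, wantNonce string, now time.Time) (*IDClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	rawHeader, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	rawClaims, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("token parts are not base64url")
	}
	var header struct{ Alg, Kid string }
	if err := json.Unmarshal(rawHeader, &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" { // pin the algorithm; the token never gets to choose
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	pub, ok := keys[header.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown signing key %q", header.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var c IDClaims // only now is it safe to read the claims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("issuer %q is not the provider we trust", c.Iss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("token was issued to a different app")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token has expired")
	case c.Nonce != wantNonce:
		return nil, fmt.Errorf("nonce mismatch: not the login we started")
	}
	return &c, nil
}
```

Every check in VerifyToken closes a real bug class: honour the token's own `alg` and an attacker can present an unsigned `alg=none` token; skip the audience check and a token a user legitimately obtained for some other app can be replayed against yours; skip the nonce and a captured token can be replayed into a fresh login; skip the `kid` lookup against keys you already hold and the token gets to nominate its own verification key.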
If your business is to build profiles of people and use those profiles to sell user attention to advertisers, then knowing every site the user logs into is obviously immensely valuable!<\/p>\n<p>So, for those of us who value our privacy more than we get cranky about the inconvenience of having to make stand-alone accounts all over the place, we&#8217;ve opted to solve the password problem with password managers rather than identity providers.<\/p>\n<h4>It&#8217;s All About Trust<\/h4>\n<p>Central identity providers are ubiquitous in the corporate world. If you have Azure Active Directory from Microsoft you can use your traditional domain credentials to authenticate against corporate-owned cloud apps from all sorts of vendors.<\/p>\n<p>You&#8217;ll also find centralised identity providers in ubiquitous use in education \u2014 many schools and universities have Office 365 or G Suite and use their OAuth implementations to authenticate students to all sorts of apps with a single set of credentials. There are even global federated identity providers used to allow staff and students from one university to log in to facilities provided by another (<a href=\"https:\/\/edugain.org\/\">eduGAIN<\/a> &amp; <a href=\"https:\/\/www.eduroam.org\/\">eduroam<\/a> are perfect examples).<\/p>\n<p>Why do identity providers work in the corporate and education worlds, but not in our personal lives? Simple \u2014 they are under the direct control of the organisations whose users they provide identity for, so there is inherent trust. If I work for Bartificer Widgets then of course I trust their central identity provider to authenticate me to the services they provide me in order to facilitate the work I do for them in exchange for my salary! 
The same applies if I am a student paying BartificerU for a good education \u2014 of course I trust BartificerU to authenticate me to the Virtual Learning Environment where I get my lecture notes, and of course I trust them to authenticate me to free wifi at any educational institution in the world that supports eduroam, and of course I trust them to authenticate me to the journal papers and ebooks I need for my studies via eduGAIN!<\/p>\n<p>The issue with the <em>Log in with XXX<\/em> buttons is that to use them, we must implicitly trust the identity provider powering them! It is impossible to act as an identity provider without communicating with the sites your user is trying to authenticate to. The service requires the provider to know these things every bit as much as doctoring requires doctors to know things about their patients, and mechanics to see under the hoods of people&#8217;s cars. You can&#8217;t have an identity provider without them knowing where you authenticate!<\/p>\n<p>If you want a convenience that you cannot have without placing your trust in a provider, then you have to choose which provider you trust most. You can&#8217;t not trust; your only choice is who to trust!<\/p>\n<h4>Follow the Money!<\/h4>\n<p>I feel like a stuck record, but it always comes back to the same thing \u2014 do the incentives acting on the company that&#8217;s offering me a service align with my best interests? It all comes back to business models!<\/p>\n<p>The three most popular identity providers out there are Facebook, Google, and Twitter. All three of them share a business model where their users are not their customers. 
All three of them give their users free services in exchange for tracking them more thoroughly than any authoritarian state has ever been able to, so they can build up a detailed profile of each user that they can use to sell those users&#8217; eyeballs to their customers, advertisers.<\/p>\n<p>The reason this announcement from Apple is interesting is because their business model is very different, so their incentives align differently with their users&#8217; interests. Apple sell products and services to their users, so their users are their customers. That means Apple is incentivised not to exploit the inherent trust that users have to place in an identity provider.<\/p>\n<p>There is a very obvious downside to Apple&#8217;s approach \u2014 you have to pay them!<\/p>\n<p>You always have to pay! You can choose to pay with your data, or your wallet, but pay you shall!<\/p>\n<h4>There is no Universal Answer<\/h4>\n<p>There is no absolute right and wrong choice here. It all comes down to your personal priorities. Do you value the convenience of a central identity provider enough to pay for it in any way at all? And if so, would you prefer to pay with your privacy or your money?<\/p>\n<p>Depending on how you answer those questions, you&#8217;ll come to very different decisions on whether to use any of these buttons at all, and if you do, which ones.<\/p>\n<h4>How are all the Various Parties Affected?<\/h4>\n<p>Developers get to write apps that allow user logins without the need to spend time coding a username and password management system, and without the need to worry about verifying that users really are human. Developers also have far less user data to secure: no passwords at all, and at most a name and an email address that may itself be a burner, so there is much less to lose in a breach.<\/p>\n<p>Developers who already use 3rd-party login buttons have to add a new service. 
I&#8217;ve read the docs and the APIs are wonderfully simple and easy to implement, but it&#8217;s work, and since Apple don&#8217;t want to track people, there will be no kick-backs from Apple in exchange for user data, so there will be no direct financial reward like there could be from companies like Facebook who often do deals in exchange for data. They are the only party I see with no obvious gain from this new development.<\/p>\n<p>Users who trust Apple get to have a frictionless way of authenticating to apps and services relatively anonymously.<\/p>\n<p>Apple get to say they offer their customers this nice <em>privacy as a service<\/em> feature.<\/p>\n<p>Finally, Facebook, Google, etc. are not directly affected because they are not third parties to themselves. They will not have to add Sign in with Apple buttons to their apps.<\/p>\n<h4>Side Note: Anonymous Email Forwarding Also Involves Trust<\/h4>\n<p>It is certainly true that you can make your own burner email addresses, but it&#8217;s a lot of hassle to do that each time you want to try some new app or service that needs an account.<\/p>\n<p>Apple are offering real convenience with their per-app anonymised forwarding service. However, it is unavoidable that Apple&#8217;s servers have to process all the mail that comes through those anonymised forwarders, so using them inevitably involves placing trust in Apple.<\/p>\n<h4>Personal Soap Box (Bart) \u2014 Allison, OK to delete if you prefer<\/h4>\n<p>&#8220;Apple could &lt;INSERT EVIL PRIVACY VIOLATING THING HERE&gt; some day in the future&#8221; is not an argument IMO! Companies do their best not to harm their own interests, so unless you can explain to me why Apple would be incentivised to do a complete U-turn on privacy, I&#8217;m not interested in hearing your conspiratorial nonsense! 
I see no reason to assume Apple will become corporately suicidal any time soon!<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/techcrunch.com\/2019\/06\/07\/answers-to-your-burning-questions-about-how-sign-in-with-apple-works\/\">Answers to your burning questions about how \u2018Sign In with Apple\u2019 works \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/how-sign-apple-works-ios-13-ipados-13-and-macos-catalina\">How &#8216;Sign In with Apple&#8217; works in iOS 13, iPadOS 13, and macOS Catalina \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/05\/apple-battles-facebook-google-with-rival-sign-in-service\/\">Apple battles Facebook and Google with rival sign in service \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/youtu.be\/T-fXzUsPZtM\">Apple ad: Privacy on iPhone \u2014 Inside Joke<\/a><\/li>\n<li><a href=\"https:\/\/www.theverge.com\/2019\/6\/12\/18662594\/google-login-apple-sso-account-security-passwords-mark-risher\">Google\u2019s login chief would rather you use Apple\u2019s sign-in button than keep using passwords \u2014 www.theverge.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li>Last Tuesday was <em>Patch Tuesday<\/em>, which saw Microsoft release 88 patches for Windows, Office, and other products, including fixes for 4 bugs being actively exploited in the wild, and Adobe releasing a critical update for Flash \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2019\/06\/microsoft-patch-tuesday-june-2019-edition\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Intel has released security updates for multiple products \u2014 <a href=\"https:\/\/www.us-cert.gov\/ncas\/current-activity\/2019\/06\/11\/Intel-Releases-Security-Updates-Mitigations-Multiple-Products\">www.us-cert.gov\/\u2026<\/a><\/li>\n<li><a 
href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/05\/patch-android-june-2019-update-fixes-eight-critical-flaws\/\">Patch Android! June 2019 update fixes eight critical flaws \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Patch now! <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/14\/critical-flaw-found-in-evernote-web-clipper-for-chrome\/\">Critical flaw found in Evernote Web Clipper for Chrome \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/07\/action-required-exim-mail-servers-need-urgent-patching\/\">Action required! Exim mail servers need urgent patching \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/p>\n<\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.engadget.com\/2019\/06\/13\/yubico-recalls-government-grade-security-keys-due-to-bug\/\">Yubico recalls government-grade security keys due to bug \u2014 www.engadget.com\/\u2026<\/a><\/li>\n<li>Microsoft are warning users against running un-patched versions of Office because they have seen a spike in real-world attacks against a bug that was patched in 2017 \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/10\/microsoft-warns-of-time-travelling-equation-exploit-are-you-safe\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>YouTube announced improved protections for kids on their platform. 
Kids must now be accompanied by an adult while live streaming, comments will be disabled on videos featuring kids, and kids will not receive recommendations for videos that show kids in risky situations \u2014 <a href=\"https:\/\/youtube.googleblog.com\/2019\/06\/an-update-on-our-efforts-to-protect.html\">youtube.googleblog.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/06\/youtube-bans-kids-live-streaming-without-an-adult-present\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Apple have tightened their rules on advertising and tracking within apps targeted at kids. Previously only behavioural ads were banned, now all third-party ads and analytics are banned \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/05\/apple-bans-ads-third-party-tracking-in-apps-meant-for-kids\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Firefox 67 comes with notable security and privacy improvements including Enhanced Tracking Protection, a feature for sandboxing Facebook so it can&#8217;t track you around the web, an updated cloud-based integrated password manager now renamed to Lockwise (it was Lockbox and is available as a desktop browser plugin, iOS app and Android app), and improvements to Firefox Monitor (integration with <a href=\"https:\/\/haveibeenpwned.com\/\">Have I Been Pwned<\/a>) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/06\/firefox-aims-at-google-with-enhanced-tracking-prevention\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; &#x1f30e; Foreigners applying for a US visa will now have to provide 5 years&#8217; worth of social media usernames on their applications. Note that only the usernames are being requested, not the passwords. 
Civil liberties groups are arguing that this new policy is both invasive and ineffective, and open to obvious abuses \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/04\/us-visa-applicants-required-to-hand-over-social-media-info\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; The <em>Investigatory Powers Commissioner<\/em> (a government watchdog) ruled that MI5 (Britain&#8217;s domestic intelligence service) showed a <em>&#8220;historical lack of compliance&#8221;<\/em> with Britain&#8217;s <em>Investigatory Powers Act<\/em> (better known as the <em>snooper&#8217;s charter<\/em>), and that he was applying <em>&#8220;special measures&#8221;<\/em>, meaning the agency will be under extra scrutiny each time it applies for a warrant \u2014 <a href=\"https:\/\/www.bbc.co.uk\/news\/uk-48597111\">www.bbc.co.uk\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.macobserver.com\/tips\/how-to\/security-build-threat-model\/\">Security 101: What is a Threat Model, and How Do I Create One? 
\u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/12\/fbi-warns-users-to-be-wary-of-phishing-sites-abusing-https\/\">FBI warns users to be wary of phishing sites abusing HTTPS \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/square-sends-sensitive-receipts-to-the-wrong-person\/\">Square Sends Sensitive Receipts to the Wrong Person \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; A US Customs and Border Protection (CBP) contractor was breached, losing <em>&#8220;fewer than 100,000&#8221;<\/em> images of drivers and license plates captured at border crossings \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/12\/hackers-stole-photos-of-travelers-and-license-plates-from-subcontractor\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable IoT Vulnerabilities\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/11\/critical-flaws-found-in-amcrest-security-cameras\/\">Critical flaws found in Amcrest security cameras \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.intego.com\/mac-security-blog\/new-security-and-privacy-features-in-macos-catalina-and-ios-13\/\">New Security and Privacy Features in macOS Catalina and iOS 13 \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/techcrunch.com\/2019\/06\/10\/apple-is-making-corporate-byod-programs-less-invasive-to-user-privacy\/\">Apple is making corporate \u2018BYOD\u2019 programs less invasive to user privacy \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f1e8;&#x1f1e6; <a href=\"https:\/\/www.cbc.ca\/news\/canada\/hamilton\/city-of-burlington-falls-for-503-000-phishing-scheme-1.5174695\">City of Burlington falls for 
$503,000\u00a0phishing scheme \u2014 www.cbc.ca\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/04\/gandcrab-ransomware-service-shuts-up-shop\/\">GandCrab ransomware crooks to shut up shop \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/10\/the-goldbrute-botnet-is-trying-to-crack-open-1-5-million-rdp-servers\/\">The GoldBrute botnet is trying to crack open 1.5 million RDP servers \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/13\/microsofts-battle-with-sandboxescaper-zero-days-turns-into-grim-groundhog-day\/\">Microsoft\u2019s battle with SandboxEscaper zero days turns into grim Groundhog Day \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/13\/facebook-keeps-deepfake-of-mark-zuckerberg\/\">Facebook keeps deepfake of Mark Zuckerberg \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.engadget.com\/2019\/06\/06\/microsoft-discreetly-wiped-its-massive-facial-recognition-databa\/\">Microsoft discreetly wiped its massive facial recognition database \u2014 www.engadget.com\/\u2026<\/a><\/li>\n<li>Android devices can now be used as security keys for logging in to Google services on iOS devices \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/14\/android-phones-can-now-be-security-keys-for-ios-devices\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/03\/g-suite-users-will-have-confidential-gmail-mode-set-to-on-by-default\/\">All G Suite users to get Gmail \u2018confidential\u2019 mode \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/10\/laptops-used-in-2016-nc-poll-to-be-examined-by-feds-after-2-5-years\/\">Laptops used in 2016 NC poll to be examined by feds \u2013 after 
2.5 years \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/07\/the-fbi-is-sitting-on-more-than-641m-photos-of-peoples-faces\/\">The FBI is sitting on more than 641m photos of people\u2019s faces \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/news\/maine-internet-privacy-law\/\">Maine Introduces Strong New Internet Privacy Law \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li>&#x2b50;&#xfe0f; A thought-provoking essay arguing the need to start thinking about <em>ambient privacy<\/em> instead of <em>individual privacy<\/em> \u2014 <a href=\"https:\/\/idlewords.com\/2019\/06\/the_new_wilderness.htm\">idlewords.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.nytimes.com\/interactive\/2019\/06\/12\/opinion\/facebook-google-privacy-policies.html\">We Read 150 Privacy Policies. They Were an Incomprehensible Disaster. 
\u2014 www.nytimes.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; A good article explaining Apple&#8217;s philosophy on data, why it can store so much less than companies with advertising-based business models, and, much more practically, what Apple does and doesn&#8217;t know about you broken down by service \u2014 <a href=\"https:\/\/www.axios.com\/what-apple-knows-about-you-fa7fa529-05af-48fa-bc51-54c15a6f5fbc.html\">What Apple knows about you \u2014 www.axios.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/securosis.com\/blog\/apple-flexes-its-privacy-muscles\">Apple Flexes Its Privacy Muscles \u2014 securosis.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; A timely reminder to make sure your AirDrop settings are not overly open \u2014 <a href=\"https:\/\/www.theatlantic.com\/technology\/archive\/2019\/06\/why-teens-try-airdrop-you-memes-concerts\/591064\/\">When Grown-Ups Get Caught in Teens\u2019 AirDrop Crossfire \u2014 www.theatlantic.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; &#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.nytimes.com\/2019\/06\/13\/opinion\/privacy-law-enforcment-congress.html\">I\u2019m a Judge. Here\u2019s How Surveillance Is Challenging Our Legal System. \u2014 www.nytimes.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/07\/whats-the-best-approach-to-patching-vulnerabilities\/\">What\u2019s the best approach to patching vulnerabilities? \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/newrepublic.com\/article\/154167\/government-nsa-inept-protecting-cyber-data-whatsapp\">The U.S. 
Government Is Utterly Inept at Keeping Your Data Secure \u2014 newrepublic.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propellor Beanie Territory\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/www.wired.com\/story\/apple-find-my-cryptography-bluetooth\/\">Apple&#8217;s &#8216;Find My&#8217; Feature Uses Some Very Clever Cryptography \u2014 www.wired.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/03\/your-phones-sensors-could-be-used-as-a-cookie-you-cant-delete\/\">Your phone\u2019s sensors could be used as a cookie you can\u2019t delete \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/13\/vim-devs-fix-system-pwning-text-editor-bug\/\">Vim devs fix system-pwning text editor bug \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/04\/synthetic-clicks-and-the-macos-flaw-apple-cant-seem-to-fix\/\">Synthetic clicks and the macOS flaw Apple can\u2019t seem to fix \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/product-news\/ios-apps-disable-ats\/\">Two Thirds of iOS Apps Disable App Transport Security \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2019\/06\/07\/researchers-eavesdrop-on-smartphone-finger-taps\/\">Researchers eavesdrop on smartphone finger taps \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Suggested Listening<\/h3>\n<ul>\n<li>&#x1f3a7; The history of the Like button complete with a clearly explained analysis of the privacy concerns it brings along with it \u2014 <a href=\"https:\/\/overcast.fm\/+JJ-WBcp4Q\">50 Things That Made the Modern Economy: \u2018Like\u2019 button \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Palate Cleansers<\/h3>\n<ul>\n<li>&#x1f3a7; A fascinating look at the computer that got man to the Moon \u2014 
<a href=\"https:\/\/overcast.fm\/+RkpqiZ-RE\">13 Minutes to the Moon Ep.05: The fourth astronaut \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<p><em><strong>Note:<\/strong> When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Followups &#x1f1fa;&#x1f1f8; &#x1f1ee;&#x1f1f3; Thanks to a letter sent to Facebook by US Senator Richard Blumenthal we now know that Facebook&#8217;s controversial VPN tracking app collected data on 187K users, and that 31K of those were in the US, and 4.3K of those were teens. The remaining users were in India \u2014 nakedsecurity.sophos.com\/\u2026 Security Medium \u2014 [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":14958,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[50,569],"class_list":["post-18574","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2018\/04\/Security-Bits-Logo_1000px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/18574","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\
/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=18574"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/18574\/revisions"}],"predecessor-version":[{"id":18576,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/18574\/revisions\/18576"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/14958"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=18574"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=18574"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=18574"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}