{"id":22552,"date":"2020-12-20T13:19:19","date_gmt":"2020-12-20T21:19:19","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=22552"},"modified":"2020-12-20T13:19:19","modified_gmt":"2020-12-20T21:19:19","slug":"sb-2020-12-20","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2020\/12\/sb-2020-12-20\/","title":{"rendered":"Security Bits \u2014 20 December 2020 \u2013 SolarWinds, Apple&#8217;s Tracking Transparency"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<h3>Listener Thomas Cooper Question \u2014 Is TikTok a National Security Threat?<\/h3>\n<p><strong>TL;DR \u2014 nope<\/strong><\/p>\n<p>We got some listener feedback asking about the US&#8217;s proposed ban on TikTok on national security grounds.<\/p>\n<p>This is very much an opinion piece by Bart \u2014 there aren&#8217;t enough hard facts for this to be anything else.<\/p>\n<p>The argument for the ban is that TikTok is a Chinese company, so, in theory, the Chinese government could order them to hand over data to them. The argument isn&#8217;t that this is happening, but that this <strong>could<\/strong> happen. There&#8217;s no way to disprove that, but that doesn&#8217;t make it a good argument. As Bertrand Russell famously said, &#8220;I can&#8217;t prove there isn&#8217;t a Tea Pot in orbit around Mars, but that doesn&#8217;t mean there is!&#8221;<\/p>\n<p>The way I think of TikTok is as a <em>Chinese wanna-be Facebook<\/em>. The data they can collect is similar, but since they&#8217;re not as all-pervasive, they&#8217;ll be less effective at data hoovering than Facebook is.<\/p>\n<p>To be clear, there is <strong>zero evidence TikTok share anything with the Chinese Government<\/strong>, but for the sake of argument, let&#8217;s pretend they share everything. 
What would that mean?<\/p>\n<p>With the exception of a few edge cases like political leaders, it would pose no direct danger. If I were the President of America on a secret mission to visit the troops in a war zone I&#8217;d be darn careful not to use <strong>any<\/strong> social media, because giving away my location could be very dangerous indeed!<\/p>\n<p>Leaving aside the edge cases, all that&#8217;s left is soft power, specifically:<\/p>\n<ol>\n<li>Intelligence gathering \u2014 what do typical Americans do? What views are common? What does the average American like?<\/li>\n<li>Censorship \u2014 TikTok could be (and probably has been) ordered to block content referencing things the Chinese government find objectionable, like their persecution of the Uyghurs or the Tiananmen Square massacre<\/li>\n<li>Propaganda \u2014 the algorithms could be tweaked to push content the Chinese government do like.<\/li>\n<\/ol>\n<p>I can&#8217;t see a substantial difference between a European using Facebook, and an American using TikTok. We know the American government has secret courts it uses to force companies to hand over data to the government, and we suspect the Chinese government do too.<\/p>\n<p>So, is TikTok a problem? 
IMO, yes, but no more or less so than Facebook!<\/p>\n<h3>Followups<\/h3>\n<ul>\n<li>COVID Update\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/covid-19-exposure-notifications-iphone-6-older-devices\/\">COVID-19 Exposure Notifications Now Work on iPhone 6 And Other Older Devices \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.macobserver.com\/news\/california-launching-covid-19-exposure-notification-app-in-partnership-with-apple-and-google\/\">California Launching COVID-19 Exposure Notification App in Partnership With Apple and Google \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Apple &amp; Google are banning the location data collection API X-Mode which was one of the focuses of an article recently linked to under <em>Interesting Insights<\/em> \u2014 <a href=\"https:\/\/www.imore.com\/ftc-lawsuit-could-force-facebook-give-instagram-and-whatsapp\">www.imore.com\/\u2026<\/a>\n<ul>\n<li>The original article: <a href=\"https:\/\/www.vice.com\/en\/article\/jgqm5x\/us-military-location-data-xmode-locate-x\">How the U.S. Military Buys Location Data from Ordinary\u00a0Apps \u2014 www.vice.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Wavlink have released a firmware update for the Jetstream routers sold by Walmart which they claim removes the back door we reported on last time. The claim has not been independently verified yet (<strong>Editorial by Bart:<\/strong> if I owned one of these routers I would still not trust it, and still throw it in the bin) \u2014 <a href=\"https:\/\/www.macobserver.com\/link\/jetstream-routers-firmware-update\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>More Social Media Service Improvements:\n<ul>\n<li>&#x1f1fa;&#x1f1f8; Twitter has updated its warning labels on false election claims to say <em>&#8216;Election officials have certified Joe Biden as the winner of the U.S. 
Presidential election&#8217;<\/em> \u2014 <a href=\"https:\/\/twitter.com\/b_fung\/status\/1340355594969116676\">twitter.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/signal-group-video-calls\/\">Private Messenger \u2018Signal\u2019 Adds Encrypted Group Video Calls \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/whatsapp-bringing-video-and-audio-calls-desktop-and-web-client\">WhatsApp bringing video and audio calls to desktop and web client \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f384; <a href=\"https:\/\/www.imore.com\/zoom-offering-unlimited-video-calling-christmas\">Zoom is offering unlimited video calling this Christmas \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Apple have rolled out so-called <em>privacy nutrition labels<\/em> in their app stores as promised. Apple also took the opportunity to improve their privacy page \u2014 <a href=\"https:\/\/www.imore.com\/apples-new-privacy-page-goes-live-alongside-new-app-store-nutrition-labels\">www.imore.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/understanding-apples-new-app-privacy-information\/\">Understanding Apple&#8217;s New App Privacy Information \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li>WhatsApp immediately complained that because Apple&#8217;s Messages app is pre-installed it doesn&#8217;t show in the App Store, so it has no labels. 
Apple have promised to add labels for their standard apps to their website \u2014 <a href=\"https:\/\/www.imore.com\/whatsapp-wants-apples-privacy-labels-apply-imessage-well\">www.imore.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.imore.com\/apple-will-put-privacy-labels-its-website-it-wont-satiate-whatsapp\">www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/facebook-facebook-messenger-top-ios-14-tracking-charts\">Facebook, Facebook Messenger top iOS 14 tracking charts \u2014 www.imore.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.imore.com\/apples-new-privacy-feature-reveals-astonishing-cost-using-facebook\">Apple&#8217;s new privacy feature reveals astonishing cost of using Facebook \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apples-craig-federighi-says-it-wants-others-copy-its-app-store-privacy-labels\">Apple&#8217;s Craig Federighi says it wants others to copy its App Store privacy labels \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive(s)<\/h2>\n<h3>&#x1f1fa;&#x1f1f8; Deep Dive 1 \u2014 The <em>SolarWinds<\/em> Attack on the US Government<\/h3>\n<p>On the 17th of December, the US Cybersecurity &amp; Infrastructure Security Agency (CISA) released an alert detailing a long-running attack by an <em>advanced persistent threat<\/em> (APT) against US <em>&#8216;government agencies, critical infrastructure, and private sector organizations&#8217;<\/em>. At least as far back as March 2020, an APT (generally a euphemism for state-sponsored hackers) has been successfully infiltrating the US government, etc. We can&#8217;t know for certain, but the consensus in the security community seems to be pointing the finger at Russia.<\/p>\n<p>A big part of this attack has been the successful injection of malware into the third-party network monitoring and management platform <em>Orion<\/em> sold by US software company <em>SolarWinds<\/em> and widely used in large organisations. 
The attackers infiltrated SolarWinds so deeply that they were able to get their malicious code incorporated into the software distributed through SolarWinds&#8217; standard software update processes. This is what is referred to as a <em>supply chain attack<\/em>. This is difficult to pull off, but very powerful, because it turns <em>&#8216;stay patched to stay secure&#8217;<\/em> into <em>&#8216;stay patched to get hacked&#8217;<\/em>!<\/p>\n<p>The reason this activity has gone unnoticed until now is that the APT used the new powers at their disposal very judiciously \u2014 this kind of access is extremely valuable, so you want to focus on the highest possible value targets before your cover is blown, and you want to do as little obvious damage as possible so you don&#8217;t come to anyone&#8217;s attention for as long as possible. So, while all fully patched users of Orion had a hypothetical back door into their systems, most of those back doors were never opened.<\/p>\n<p>The most recent update from CISA suggests this attack involved other <em>vectors of exploitation<\/em>, i.e. other lines of attack, not just Orion, and it may have been going on from before March. The details are still very hazy, and CISA have promised more updates as they learn more.<\/p>\n<p>CISA issued only its 5th ever emergency order on the 17th, ordering all US government agencies to power down their Orion appliances ASAP, and to start examining their networks for evidence of infiltration by checking their logs for a list of specific <em>Indicators of Compromise<\/em>, or IOCs.<\/p>\n<p>Because of how this attack worked, simply patching Orion doesn&#8217;t solve the problem at all. 
Orion was just a proverbial beachhead, giving the attackers a powerful entry point into a network from where they can burrow in properly.<\/p>\n<p>Just as an AV on your desktop computer has to be given highly privileged access within your OS to do its job, a system like Orion needs very highly-privileged access to the network, and to key Windows servers, to do its job. One of the things the attackers did was to leverage the level of access Orion had to steal the private keys for vitally important security protocols, and use those to forge valid but unauthorised digital access tokens. These tokens could be used to directly access data like files, account details, or email messages via APIs, or to reset passwords on key system accounts, or create entirely new privileged accounts. In some cases the attackers even added entirely new federated identity providers to the network, tricking all servers on the network into trusting accounts issued by a server controlled by the attackers!<\/p>\n<p>Listener Lynda asked if the Orion vulnerability affected Windows or Macs, or if it was just servers. That&#8217;s not really a relevant question when it comes to this kind of attack. This is not like a malicious version of Word or something, this is a compromise of a domain-level service that does run on specific Windows servers in a very literal sense, but it effectively infects the entire Windows domain.<\/p>\n<p>Once your network is compromised as deeply as the victims of this attack have been compromised, it&#8217;s an absolutely Herculean task to get the attackers out completely. Like treating a cancer that&#8217;s spread throughout the body, if you miss just one device in a corner somewhere, the attackers can lie dormant for weeks, months, or even years, before slowly and carefully starting to infest your network again. 
The list of required actions in the various CISA documents is sobering \u2014 if you know anyone working in US government IT, buy them a coffee, they&#8217;ll need it!<\/p>\n<p>A smaller part of this story is that the security company FireEye was also attacked by this APT, and some of their internal <em>red team<\/em> hacking tools were stolen. To protect the community FireEye have open-sourced the tools and released advice for detecting their use, neutering their effectiveness. FireEye were also keen to point out that none of the stolen tools exploit any currently unpatched vulnerabilities.<\/p>\n<p>Another smaller detail is that in some cases the attackers were able to spread beyond the victim&#8217;s local Windows domain, and up into the victim&#8217;s Office365 tenancy too. There were some initial reports that Microsoft&#8217;s own servers were compromised, but that doesn&#8217;t seem to be correct, and Microsoft are insistent that they have not been compromised.<\/p>\n<p>The bottom line is that this is going to take a very long time indeed to deal with, and that we&#8217;ve only discovered the tip of the iceberg in terms of the damage done. Over the coming days and weeks expect to hear news reports that the attacks started earlier, affected more systems in more organisations, and did more damage than we currently know.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa20-352a\">Alert (AA20-352A) Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations \u2014 us-cert.cisa.gov\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/cyber.dhs.gov\/ed\/21-01\/\">Emergency Directive 21-01 \u2014 cyber.dhs.gov\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2020\/12\/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise\/\">U.S. Treasury, Commerce Depts. 
Hacked Through SolarWinds Compromise \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2020\/12\/solarwinds-hack-could-affect-18k-customers\/\">SolarWinds Hack Could Affect 18K Customers \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.fireeye.com\/blog\/products-and-services\/2020\/12\/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html\">FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community \u2014 www.fireeye.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2020\/12\/13\/customers-protect-nation-state-cyberattacks\/\">Important steps for customers to protect themselves from recent nation-state cyberattacks \u2014 blogs.microsoft.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Deep Dive 2 \u2014 Facebook&#8217;s PR Campaign Against Apple&#8217;s Upcoming Tracking Transparency Feature<\/h3>\n<p>As a reminder, at WWDC this summer Apple announced that it would be adding a feature to iOS to make access to a device&#8217;s tracking ID for advertisers opt-in instead of opt-out. Apps could still use the ID to facilitate cross-app tracking, but only with explicit consent from the user.<\/p>\n<p>This new level of transparency is deeply worrying to Facebook because their business model depends on clandestine tracking. Facebook know users would find the level of tracking they do creepy if they knew about it, and Apple&#8217;s change will ensure people will know, and will have a chance to opt out.<\/p>\n<p>Facebook are painting this forced honesty as a ban on tracking, which is interesting. It shows they know what they are doing now would not be sustainable if people knew about it.<\/p>\n<p>To that end Facebook ran two full-page newspaper ads in the US arguing that Apple&#8217;s move to shine a light on tracking amounts to an attack on small businesses and that Facebook are the good guys, standing up for all those little guys. 
They also argue that because of COVID Apple should not go ahead with their change.<\/p>\n<p>Apple replied with a simple message pointing out that they&#8217;re not blocking anything, and simply giving users information and choices, and showing a sample dialogue box.<\/p>\n<p>While the flashpoint for this campaign is the pending release of the app tracking transparency feature in iOS, Facebook and indeed the entire ad industry are still reeling from the improved tracking protections Apple has been adding to Safari over the past few years.<\/p>\n<p>In related news, US publishers also signed on to Epic&#8217;s Coalition for App Fairness, again over fears of tracking-based ad revenue going away.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/facebook-attacks-apples-new-privacy-measures-full-page-newspaper-ads\">Facebook slams Apple&#8217;s new privacy measures in full-page newspaper ads \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/facebook-says-apples-anti-tracking-measures-about-profit-not-privacy\">Facebook says Apple&#8217;s anti-tracking measures about &#8216;profit, not privacy&#8217; \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/facebook-privacy-app-banners-warning\/\">Facebook Warns of iOS 14 Privacy With App Banners \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/facebook-alerts-businesses-how-apples-privacy-protections-will-affect-ads\">Facebook alerts businesses how Apple&#8217;s privacy protections will affect ads \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apple-responds-facebooks-attack-ad-says-users-deserve-privacy-choices\">Apple responds to Facebook&#8217;s attack ad, says users deserve privacy choices \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macrumors.com\/2020\/12\/17\/facebook-runs-apple-vs-free-internet-ad\/\">Facebook Runs Second Full-Page Ad 
Criticizing Apple, Says Opt-In Tracking Will Make the Internet Worse \u2014 www.macrumors.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/mozilla-throws-weight-behind-apple-anti-tracking-plans\">Mozilla throws weight behind Apple iOS 14 anti-tracking plans \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.macobserver.com\/news\/us-publishers-join-coalition\/\">US Publishers Join Coalition for App Fairness Against Apple \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><strong>Opinion:<\/strong> <a href=\"https:\/\/www.imore.com\/facebook-cant-hide-its-disregard-privacy-behind-small-businesses\">Facebook can&#8217;t hide its disregard for our privacy behind small businesses \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>This month&#8217;s Patch Tuesday saw critical and important patches for Windows 10 and Office from Microsoft, and Lightroom from Adobe \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2020\/12\/patch-tuesday-good-riddance-2020-edition\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>Adobe released patches for Acrobat &amp; Reader a day after Patch Tuesday \u2014 <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2020\/12\/10\/adobe-releases-security-updates-acrobat-and-reader\">us-cert.cisa.gov\/\u2026<\/a><\/li>\n<li>Apple updated just about everything \u2014 <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2020\/12\/15\/apple-releases-security-updates-multiple-products\">us-cert.cisa.gov\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/tidbits.com\/2020\/12\/15\/surprise-ios-12-5-and-watchos-6-3-updates-bring-exposure-notification-and-a-security-fix\/\">Surprise iOS 12.5 and watchOS 6.3 Updates Bring Exposure Notification and a Security Fix \u2014 
tidbits.com\/\u2026<\/a><\/li>\n<li><strong>related:<\/strong> <a href=\"https:\/\/appleinsider.com\/articles\/20\/12\/14\/ecosia-now-a-default-search-engine-option-on-ios-ipados-macos\">Ecosia now a default search engine option on iOS, iPadOS, macOS \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><a href=\"https:\/\/techcrunch.com\/2020\/12\/10\/spotify-resets-user-passwords-after-a-bug-exposed-private-account-information\/\">Spotify resets passwords after a security bug exposed users\u2019 private account information \u2014 techcrunch.com\/\u2026<\/a>\n<ul>\n<li>A copy of a letter sent to affected users: <a href=\"https:\/\/beta.documentcloud.org\/documents\/20422370-spotify-breach-notice-letter-californiadocx\">beta.documentcloud.org\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/12\/18\/is-it-you-in-the-video-dont-fall-for-this-messenger-scam\/\">\u201cIs it you in the video?\u201d \u2013 don\u2019t fall for this Messenger scam \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; The Federal Trade Commission and 48 states have filed an anti-trust suit against Facebook alleging that their acquisitions of Instagram and WhatsApp were anti-competitive, and requesting they be broken up \u2014 <a href=\"https:\/\/www.imore.com\/ftc-lawsuit-could-force-facebook-give-instagram-and-whatsapp\">www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.wired.com\/story\/texas-accuses-google-facebook-illegal-conspiracy\/\">Texas Accuses Google and Facebook of an Illegal Conspiracy \u2014 www.wired.com\/\u2026<\/a><\/li>\n<li>&#x1f1ea;&#x1f1fa; The European Commission has released new guidelines requesting search companies and companies 
operating stores &#8220;identify the algorithmic parameters that determine ranking and to share them with companies&#8221;. ATM these are just guidelines, but the Commission followed up with proposed legislation (see next story) a few days later \u2014 <a href=\"https:\/\/uk.reuters.com\/article\/uk-eu-tech-platforms-idUKKBN28H25E\">uk.reuters.com\/\u2026<\/a><\/li>\n<li>&#x1f1ea;&#x1f1fa; The European Commission has published two pieces of draft legislation to regulate large tech companies \u2014 <a href=\"https:\/\/www.reuters.com\/article\/eu-tech-rules-idUSKBN28P24A\">www.reuters.com\/\u2026<\/a>, <a href=\"https:\/\/www.forbes.com\/sites\/siladityaray\/2020\/12\/15\/new-eu-rules-could-fine-us-tech-giants-billions\/\">www.forbes.com\/\u2026<\/a>\n<ol>\n<li>The <em>Digital Markets Act<\/em> (DMA) lays down rules regulating the behaviour of &#8216;online gatekeepers&#8217; to make sure their marketplaces are fair (think search results, online stores, and app stores). The act includes a fine of up to 10% of global revenue.<\/li>\n<li>The <em>Digital Services Act<\/em> (DSA) lays down rules for platform operators around illegal content and allows for fines of up to 6% of global revenue (think news and social media companies).<\/li>\n<\/ol>\n<\/li>\n<li>&#x1f1ea;&#x1f1fa; &#x1f1ec;&#x1f1e7; <a href=\"https:\/\/www.theverge.com\/2020\/12\/15\/22177226\/facebook-uk-users-california-based-privacy-terms-of-service-agreement\">Facebook\u2019s UK users will lose EU privacy protections next year &#8211; The Verge<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/microsoft-sony-and-nintendo-agree-shared-safety-standards-across-gaming\">Microsoft, Sony and Nintendo agree to shared safety standards across gaming \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.zdnet.com\/article\/apple-google-microsoft-and-mozilla-ban-kazakhstans-mitm-https-certificate\/\">Apple, Google, Microsoft, and Mozilla ban Kazakhstan&#8217;s MitM HTTPS certificate \u2014 
www.zdnet.com\/\u2026<\/a><\/li>\n<li>&#x1f1e6;&#x1f1fa; <a href=\"https:\/\/techcrunch.com\/2020\/12\/16\/australia-sues-facebook-over-its-use-of-onavo-to-snoop\/\">Australia sues Facebook over its use of Onavo to snoop \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li>&#x1f1ea;&#x1f1fa; &#x1f1ee;&#x1f1ea; <a href=\"https:\/\/www.imore.com\/twitter-slapped-550k-ireland-violating-eus-data-privacy-law\">Twitter gets slapped with $550K fine in Ireland for violating EU&#8217;s data privacy law \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that are likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2020\/12\/15\/phishing-tricks-that-really-work-and-how-to-avoid-them\/\">Phishing tricks that really work \u2013 and how to avoid them \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>Apple&#8217;s Craig Federighi was one of the keynote speakers at the <em>European Data Protection &amp; Privacy Conference<\/em>. 
He described Apple&#8217;s four privacy principles very clearly \u2014 <a href=\"https:\/\/www.macrumors.com\/2020\/12\/08\/craig-federighi-apple-privacy-keynote\/\">www.macrumors.com\/\u2026<\/a> (&#x1f3a6; video embedded in post, Craig starts at the 49 minute mark)<\/li>\n<li><a href=\"https:\/\/time.com\/5921820\/facebook-shopping-scams-holidays-covid-19\/\">Here&#8217;s How Shopping Scams On Facebook Are Ripping Off Thousands of Customers, With The Money Flowing Overseas \u2014 time.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/i-think-i-know-how-kid-spent-16k-game-rings-he-cant-blame-apple\">I think I know how a kid spent $16k on in-game rings &amp; he can&#8217;t blame Apple \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>&#x1f3a7; An excellent episode from Nilay Patel&#8217;s new podcast <em>decoder<\/em> which gives a great insight into how advertising actually works from the POV of a company trying to sell a product: <a href=\"https:\/\/overcast.fm\/+QLduPjO1I\">How the @!#$ does advertising work, with Cadillac CMO Melissa Grady \u2014 Decoder with Nilay Patel \u2014 Overcast \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td 
align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Listener Thomas Cooper Question \u2014 Is TikTok a National Security Threat? TL;DR \u2014 nope We got some listener feedback asking about the US&#8217;s proposed ban on TikTok on national security grounds. 
This is very [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[50,569,4425,4424],"class_list":["post-22552","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-security","tag-security-bits","tag-solarwinds","tag-tiktok"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/22552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=22552"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/22552\/revisions"}],"predecessor-version":[{"id":22554,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/22552\/revisions\/22554"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=22552"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=22552"},{"taxonomy":"post_t
ag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=22552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}