{"id":24373,"date":"2021-09-05T13:21:24","date_gmt":"2021-09-05T20:21:24","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=24373"},"modified":"2021-09-05T16:06:59","modified_gmt":"2021-09-05T23:06:59","slug":"sb-2021-09-05","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/09\/sb-2021-09-05\/","title":{"rendered":"Security Bits by Bart Busschots \u2013 05 September 2021"},"content":{"rendered":"<p>Bart had Tom Merritt of the Daily Tech News Show on the August episode of Let&#8217;s Talk Apple this week to have an extended discussion of Apple&#8217;s proposed child protection features. It&#8217;s a great discussion with someone who has been described (by a good friend) as being &#8220;pathologically unbiased.&#8221;  You can find this episode of Let&#8217;s Talk Apple in your podcatcher of choice, or listen at <a href=\"https:\/\/www.lets-talk.ie\/blog\/?p=74746\" target=\"%5Fblank\" rel=\"noopener\">lets-talk.ie\/&#8230;<\/a><\/p>\n<p>Now to our regularly-scheduled programming&#8230;<\/p>\n<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li><a href=\"https:\/\/tidbits.com\/2021\/09\/03\/apple-delays-csam-detection-launch\/\">Apple Delays CSAM Detection Launch \u2014 tidbits.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> &#x1f3a7; An excellent interview by Kara Swisher with those on the Child Protection side of this debate, a voice that&#8217;s been absent from a lot of the tech press&#8217; coverage of this story: <a href=\"https:\/\/overcast.fm\/+m_roHFlMo\">Sway: Why Ashton Kutcher and Julie Cordua Are Defending Apple \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>NSO Group\/Pegasus Update\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/bahraini-activists-targeted-government-using-pegasus-iphone-hack\">Bahraini activists targeted 
by government using Pegasus iPhone hack \u2014 www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.imore.com\/icloud-private-relay-will-only-be-available-beta-feature-when-ios-15-launches-fall\">iCloud Private Relay will only be available as a beta feature when iOS 15 launches this fall \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>Continuing Social Media improvements:\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/instagram-now-requires-birthday-order-create-safer-more-private-experiences-young-people\">Instagram now requires your birthday in order to &#8216;create safer, more private experiences for young people&#8217; \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/techcrunch.com\/2021\/08\/31\/flipboard-rolls-out-newsfeed-personalization-tools-to-save-you-from-doomscrolling\/\">Flipboard rolls out newsfeed personalization tools to save you from doomscrolling \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/twitters-new-safety-mode-aims-block-unwanted-replies-they-get-you\">Twitter&#8217;s new Safety Mode aims to block unwanted replies before they get to you \u2014 www.imore.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/twitter-reveals-surprisingly-low-two-factor-auth-2fa-adoption-rate\/\">Twitter reveals surprisingly low two-factor auth (2FA) adoption rate \u2014 www.bleepingcomputer.com\/\u2026<\/a> (If you&#8217;re one of these people, register for 2FA now!) 
<\/li>\n<li>Use 1Password as an authenticator for sites with two-factor authentication <a href=\"https:\/\/support.1password.com\/one-time-passwords\/\">support.1password.com\/&#8230;<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 Apple&#8217;s Digital IDs<\/h2>\n<p>Apple have announced the first 8 US states that will support digital IDs in Apple Wallet, and that the TSA (US Transportation Authority) will be the first agency to deploy readers for the IDs. Arizona &amp; Georgia will lead the way, with Connecticut, Iowa, Kentucky, Maryland, Oklahoma, and Utah following soon after.<\/p>\n<p>While it&#8217;s interesting to know which states will be first, what&#8217;s much more interesting are the details Apple released about how this will work, especially from a security and privacy POV.<\/p>\n<p><strong>TL;DR \u2014 every <em>concern<\/em> I&#8217;ve seen expressed in half-informed speculation online is wrong. Apple seem to really have their Security, Privacy, and Safety Ducks in a row on this one.<\/strong><\/p>\n<p>When you imagine a digital driver&#8217;s license or state ID in Apple Wallet you&#8217;re probably imagining something like a boarding pass, conference or concert ticket, store loyalty card, or these days, even a COVID pass, i.e. an image you show someone, perhaps with a 2D or 3D barcode. Don&#8217;t &#8211; that couldn&#8217;t be more wrong!<\/p>\n<p>Instead, think of Apple Pay \u2014 the data is not shown on screen, but sent digitally after you tap and biometrically authenticate. Not <em>tap to pay<\/em>, but <em>tap to identify<\/em>.<\/p>\n<p>The process to get your ID into your wallet will be similar to how you get a credit card into your wallet, but with some more rigorous checks, and an approval loop through your state&#8217;s issuing institution. Part of the process will be associating a biometric with the ID. 
It can be TouchID or FaceID, but if you use TouchID you have to pick a single finger that will work for your ID. Don&#8217;t worry, this doesn&#8217;t affect how phone unlocking works: you can continue to register multiple fingers for unlocking the phone, whether or not they&#8217;re all yours. BTW, this last point illustrates why Apple have added the restriction on unlocking the ID \u2014 Apple, and the state governments, are well aware that couples often register each other&#8217;s fingers on their phones, and an ID should only be unlockable by one person, the person being identified!<\/p>\n<p><strong>The process protects your physical device security \u2014 you do not unlock your device, and you do not hand it over.<\/strong><\/p>\n<p>The process for identifying yourself works as follows:<\/p>\n<ol>\n<li>You tap your <strong>locked<\/strong> phone on the ID terminal<\/li>\n<li>A popup appears on your phone, like the Apple Pay one, that shows who&#8217;s asking for your ID, and what specific data fields they are asking for<\/li>\n<li>You biometrically approve the ID request \u2014 <strong>this does not unlock your phone<\/strong><\/li>\n<li>The data is wirelessly sent over an encrypted channel<\/li>\n<\/ol>\n<p>Notice the permission step shows you what is being asked for \u2014 the terminal can ask for as much or as little information as is actually needed. The TSA, for example, don&#8217;t need your blood type, while an EMT does need your blood type, your age, and your next of kin, but not the types of vehicles you&#8217;re licensed to drive. Finally, a liquor store doesn&#8217;t actually need your address, they just need an assertion that you are over a given age. 
All of these scenarios are supported by the API.<\/p>\n<p>Speaking of APIs, these IDs use an ISO standard that is publicly available, and that Apple helped develop.<\/p>\n<p>One final point \u2014 just like Apple Wallet has not replaced physical credit cards, this does not replace physical ID cards, at least not for a long time yet. This is an additional, more secure and private option that will slowly roll out over time. It will start in airports, but will slowly spread to more and more places as readers become available to ever more authorities, agencies, and organisations. If all goes to plan, one day, a decade or so from now, we&#8217;ll realise that we&#8217;ve not used our physical IDs in ages, and that it&#8217;s now all digital, but it will be a slow and gradual rollout, a lot like <em>tap to pay<\/em> was.<\/p>\n<p>Anyway, for me, the bottom line is that every worry or criticism I&#8217;ve encountered on podcasts, Twitter, and tech sites proved to be wrong \u2014 whatever it was, Apple had not just thought about it, but addressed it. 
As best as I can tell, Apple really have thought of everything on this one, and they&#8217;ve engineered a solution that&#8217;s a lot more secure and private than physical IDs are or ever could be.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>Apple&#8217;s Press Release (with screenshots): <a href=\"https:\/\/www.apple.com\/newsroom\/2021\/09\/apple-announces-first-states-to-adopt-drivers-licenses-and-state-ids-in-wallet\/\">Apple announces first states signed up to adopt driver\u2019s licenses and state IDs in Apple\u00a0Wallet \u2014 www.apple.com\/\u2026<\/a><\/li>\n<li>An excellent writeup by John Gruber following an on-the-record conversation with Apple about the announcement: <a href=\"https:\/\/daringfireball.net\/2021\/09\/initial_details_on_ids_in_apple_wallet\">Initial Details on Using Driver\u2019s Licenses and State ID\u2019s in Apple Wallet \u2014 daringfireball.net\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Think twice before connecting a 3D printer to the cloud: <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/08\/23\/whats-that-on-my-3d-printer-cloud-bug-lets-anyone-print-to-everyone\/\">What\u2019s <em>THAT<\/em> on my 3D printer? Cloud bug lets anyone print to everyone \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>An excellent illustration of why you need to be suspicious of every email, this was done via phishing emails: <a href=\"https:\/\/www.imore.com\/man-steals-620000-icloud-photos-quest-share-nude-photos-women\">Man steals 620,000 iCloud Photos in quest to share nude photos of women \u2014 www.imore.com\/\u2026<\/a> <\/li>\n<li>Listener Donna Campbell Submitted: <a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/09\/02\/pwned-the-home-security-system-that-can-be-hacked-with-your-email-address\/\">Pwned! 
The home security system that can be hacked with your email address \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.techrepublic.com\/article\/tech-companies-pledge-to-help-toughen-us-cybersecurity-in-white-house-meeting\/\">Tech companies pledge to help toughen US cybersecurity in White House meeting \u2014 www.techrepublic.com\/\u2026<\/a><\/li>\n<li>&#x1f1ea;&#x1f1fa; The GDPR in Action: <a href=\"https:\/\/www.brusselstimes.com\/news\/eu-affairs\/183536\/whatsapp-fined-e225-million-in-ireland-in-privacy-case\/\">WhatsApp fined \u20ac225 million in Ireland in privacy case \u2014 www.brusselstimes.com\/\u2026<\/a><\/li>\n<li>&#x1f1ea;&#x1f1fa; <a href=\"https:\/\/www.brusselstimes.com\/news\/eu-affairs\/183524\/european-court-facebook-users-responsible-for-others-hateful-posts\/\">European Court: Facebook users responsible for others\u2019 hateful posts \u2014 www.brusselstimes.com\/\u2026<\/a><\/li>\n<li>Google have published a human-friendly page explaining how search works, and if you drill down, it even has some informative but accessible videos. 
It&#8217;s very much the spin Google want to portray, but it&#8217;s accurate, clear, and IMO very useful to know \u2014 <a href=\"https:\/\/www.google.com\/search\/howsearchworks\/\">www.google.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>The wonderful Darknet Diaries podcast celebrates 100 episodes with a spell-binding 2-part story connecting the Weinstein case and the NSO group (the Pegasus people) through the eyes of a PI in NYC \u2014 <a href=\"https:\/\/overcast.fm\/+PMNdBL1NI\">Darknet Diaries 99: The Spy \u2014 overcast.fm\/\u2026<\/a> &amp; <a href=\"https:\/\/overcast.fm\/+PMNc5Hr8c\">Darknet Diaries 100: NSO \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in 
the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Bart had Tom Merritt of the Daily Tech News Show on the August episode of Let&#8217;s Talk Apple this week to have an extended discussion of Apple&#8217;s proposed child protection features. It&#8217;s a great discussion with someone who has been described (by a good friend) as being &#8220;pathologically unbiased.&#8221; You can find this episode of 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[976,4772,4722,4777,4774,2188,2012,4775,4773,4708,50,569,4776,73],"class_list":["post-24373","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-app-store","tag-apple-digital-id","tag-csam","tag-darknet-diaries","tag-flipboard","tag-instagram","tag-japan","tag-kara-swisher","tag-nso","tag-pegasus","tag-security","tag-security-bits","tag-sway-podcast","tag-twitter"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=24373"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24373\/revisions"}],"predecessor-version":[{"id":24393,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/24373\/revisions\/24393"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/bl
og\/wp-json\/wp\/v2\/media?parent=24373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=24373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=24373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}