{"id":25878,"date":"2022-05-01T15:09:58","date_gmt":"2022-05-01T22:09:58","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=25878"},"modified":"2022-05-01T15:09:58","modified_gmt":"2022-05-01T22:09:58","slug":"sb-2022-05-01","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2022\/05\/sb-2022-05-01\/","title":{"rendered":"Security Bits \u2014 1 May 2022"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>&#x1f1ea;&#x1f1f8; <a href=\"https:\/\/www.imore.com\/65-catalan-figures-targeted-pegasus-spyware-new-ios-exploit-revealed\">Spain implicated in Pegasus spyware attack on Catalan politicians \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>Social Media Updates:\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/instagram-will-now-rank-based-originality-improve-product-and-people-tagging\">Instagram will now rank based on originality &amp; improve product and people tagging \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2022\/04\/you-can-now-ask-google-to-remove-your-phone-number-email-or-address-from-search-results\/\">You Can Now Ask Google to Remove Your Phone Number, Email or Address from Search Results \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>A leaked internal report warns that Facebook doesn&#8217;t actually know what it does with user data ATM, so it can&#8217;t honestly make promises to regulators until it gets its house in order \u2014 <a href=\"https:\/\/www.vice.com\/en\/article\/akvmke\/facebook-doesnt-know-what-it-does-with-your-data-or-where-it-goes\">www.vice.com\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> &#x1f1ea;&#x1f1fa; The EU were quick to remind Elon Musk that Twitter must follow the law in the EU \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/eu-digital-regulator-to-tell-elon-musk-there-are-rules\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Apple have issued a firmware update for AirTags to tweak the sound air tags make when they&#8217;re away from their owners to make them easier to find \u2014 <a href=\"https:\/\/www.imore.com\/latest-airtag-update-wants-make-it-easier-find-unknown-trackers\">www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive \u2014 &#x1f1ea;&#x1f1fa; The European Parliament &amp; Council have Reached Agreement on the <em>Digital Services Act<\/em><\/h2>\n<p>About a month ago it was big news when the European Commission, European Parliament, and the European Council reached an agreement on the big-picture structure of the <em>Digital Markets Act<\/em> (DMA), and we dug into it in detail in <a href=\"https:\/\/www.podfeet.com\/blog\/2022\/04\/sb-2022-04-03\/\">Security Bits on 3 April 2022<\/a>.<\/p>\n<p>We mentioned then that the DMA was just the first of two major tech-related acts that were in the works in Europe, the second being the <em>Digital Services Act<\/em> or DSA. Last weekend, the DSA made it to a similar stage, having reached <em>Provisional Political Agreement<\/em>. The DSA&#8217;s arrived here via a slightly different process because it&#8217;s being led by a different commissioner, so there was no last-minute trialogue this time, just a two-way agreement between the parliament and the ministers, and the next step is not technical wording, but final approval by the parliament and council of ministers. I think the reason for the difference is that this bill is smaller, and a lot less prescriptive \u2014 it&#8217;s more about defining responsibilities than mandating specific actions.<\/p>\n<p>While the scale may be smaller, and the technical details different, a lot of the philosophy sounds very similar to me \u2014 like the DMA, the DSA is aimed primarily at big companies. But, with the DSA, unlike the DMA, smaller companies aren&#8217;t completely exempted, they&#8217;re just subject to fewer rules and less stringent oversight.<\/p>\n<h3>What Companies are Primarily Targeted?<\/h3>\n<p>The DSA focuses mostly on what it calls <em>very large online platforms<\/em> (VLOPs) and <em>very large online search engines<\/em> (VLOSEs). The threshold for being considered <em>very large<\/em> is having at least 45 million monthly active users in the EU. Smaller platforms and search engines are &#8220;exempted from certain new obligations&#8221;.<\/p>\n<p>The biggest difference between the big guys and the little guys is that the big guys will be centrally regulated by the European Commission, while the smaller companies will continue to be regulated by the appropriate national institutions within the member countries.<\/p>\n<h3>The Most Significant Rules for Everyone<\/h3>\n<p>The most significant change affecting all services IMO is a new responsibility to safe-guard minors using online services and <strong>an outright ban on targeted advertising aimed at children<\/strong>.<\/p>\n<p>Three other requirements for all online service providers stand out:<\/p>\n<ol>\n<li>All online marketplaces (regardless of size) will have a <em>duty of care<\/em> to ensure they display appropriate information on products and services being sold, regardless of the seller. The aim here is to protect consumers. It means online resellers can&#8217;t knowingly sell things like counterfeit chargers that could kill people without being liable.<\/li>\n<li>So-called <em>dark patterns<\/em>, i.e. intentionally misleading UIs will be illegal for all online services.<\/li>\n<li>There will be transparency requirements for all recommendation engines.<\/li>\n<\/ol>\n<h3>The Most Significant Rules for the VLOPs &amp; VLOSEs<\/h3>\n<p>The single biggest requirement is that large companies must implement <strong>annual systematic risk assessments<\/strong> and put in place measures to reduce the risks they find. This is where the controversy lies because addressing some of these risks will inevitably lead to limits on speech. These are the risks called out in the press release describing the agreed act:<\/p>\n<ol>\n<li>Dissemination of illegal content<\/li>\n<li>Adverse effects services may have on fundamental rights<\/li>\n<li>Adverse effects services may have on democratic processes and public safety<\/li>\n<li>Adverse effects on minors<\/li>\n<li>Increased gender-based violence<\/li>\n<li>Adverse effects on users&#8217; physical or mental health<\/li>\n<\/ol>\n<p>The big companies also have an extra responsibility to offer versions of their recommendation engines not based on user profiles.<\/p>\n<p>Finally, there was a last-minute addition allowing the Commission to decide that a crisis has broken out, and then, impose restrictions on VLOPs &amp; VLOSEs. The examples they give in the press release are pandemics and wars (can&#8217;t imagine why those were on their minds). This hasty last-minute addition has some people nervous because the commission seem to get all the power here \u2014 they get to both declare emergencies and decide what emergency rules to impose on the large services.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>The official press release: <a href=\"https:\/\/www.consilium.europa.eu\/en\/press\/press-releases\/2022\/04\/23\/digital-services-act-council-and-european-parliament-reach-deal-on-a-safer-online-space\/\">www.consilium.europa.eu\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.euronews.com\/my-europe\/2022\/04\/22\/eu-on-cusp-of-deal-to-force-tech-giants-to-tackle-disinformation\">EU strikes deal to force tech giants to tackle disinformation \u2014 www.euronews.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Remember <em>&#8220;Unregulated&#8221;<\/em> means you&#8217;ve got no safety net, and you can irrevocably lose everything crypto in seconds:\n<ul>\n<li>If you use a Cryptowallet that backs your private key up to iCloud, then an iCloud Phishing scam can cost you everything in your wallet: <a href=\"https:\/\/www.imore.com\/investor-loses-650k-crypto-and-nfts-through-icloud-scam\">Investor lost $650k in crypto and NFTs through this iCloud scam \u2014 www.imore.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.macobserver.com\/news\/cryptowallet-metamask-warns-apple-users-to-beware-of-phishing-attacks\/\">Cryptowallet MetaMask Warns Apple Users to Beware of Phishing Attacks \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/04\/19\/beanstalk-cryptocurrency-heist-scammer-votes-himself-all-the-money\/\">Beanstalk cryptocurrency heist: scammer votes himself all the money \u2014 nakedsecurity.sophos.com\/\u2026<\/a> (Remember, <em>De-Fi<\/em> is just a new buzzword for an even more dangerous version of crypto)<\/li>\n<li><strong>Related:<\/strong> Glenn Fleishman outdoes himself with the single best article on crypto I&#8217;ve seen yet: <a href=\"https:\/\/tidbits.com\/2022\/04\/20\/understand-cryptocurrency-but-dont-invest-in-it\/\">Understand Cryptocurrency, but Don\u2019t Invest in It \u2014 tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>A timely reminder never to relay 2FA tokens to anyone ever \u2013 Vice have a report detailing how cybercriminals are using services like ApplePay to cash out with stolen credit cards by tricking people into relaying the needed 2FA codes to them \u2014 <a href=\"https:\/\/www.vice.com\/en\/article\/n7ngxm\/apple-pay-fraud-spending-sprees-2fa-bots\">www.vice.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/psa-fake-whatsapp-support-accounts-are-out-steal-your-information\">PSA: Fake WhatsApp Support accounts are out to steal your information \u2014 www.imore.com\/\u2026<\/a> (On any service, if the <em>verified<\/em> badge is in someone&#8217;s avatar it&#8217;s fake!)<\/li>\n<li>A reminder to check out AirDrop settings, it&#8217;s starting to be abused for spam &#x1f641;: <a href=\"https:\/\/www.macobserver.com\/news\/apple-store-patrons-in-select-cities-find-airdrop-surprise-from-refurbishing-company\/\">Apple Store Patrons in Select Cities Find AirDrop Surprise From Refurbishing Company \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>Time to buy your sysadmin friends <em>another<\/em> coffee \u2013 Oracle have released a patch to Java that fixes a catastrophic hole in one of the languages core crypto libraries (all zeros is effectively a skeleton key!) \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/04\/20\/critical-cryptographic-java-security-blunder-patched-update-now\/\">nakedsecurity.sophos.com\/\u2026<\/a> (There&#8217;s nothing for regular folks to do, this is another one for corporate IT like Log4Shell earlier in the year)<\/li>\n<li>&#x1f1ec;&#x1f1e7; Apple is bringing its <em>Communication Safety in Messages<\/em> parental control feature to the UK (this is the uncontroversial CSAM protection feature that is already active in the US, not the controversial feature that&#8217;s indefinitely postponed) \u2014 <a href=\"https:\/\/www.imore.com\/apple-bringing-its-child-safety-features-imessage-uk\">www.imore.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li><a href=\"https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa22-117a\">2021 Top Routinely Exploited Vulnerabilities \u2014 us-cert.cisa.gov\/\u2026<\/a><\/li>\n<li>&#x1f3a7; A little over a year ago the Malicious Life podcast sponsored by Cyber Reason, did an excellent 3-part series on <em>Clearview<\/em> AI and the complex questions facial recognition technology raises:\n<ul>\n<li><a href=\"https:\/\/overcast.fm\/+JadW9laEU\">Malicious Life: Clearview AI \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/overcast.fm\/+JadUaJ03Y\">Malicious Life: Should Law Enforcement Use Facial Recognition? Pt. 1  \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/overcast.fm\/+JadU1N35U\">Malicious Life: Facial Recognition in Law Enforcement, Pt. 2 \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>&#x1f3a6; <strong>Bart:<\/strong> <a href=\"https:\/\/m.youtube.com\/watch?v=Ncj3QAKvBBo\">Duckin\u2019 Autocorrect: The Inventor of iPhone\u2019s Autocorrect Explains How It Works | WSJ &#8211; YouTube \u2014 m.youtube.com\/\u2026<\/a><\/li>\n<li><strong>Bart:<\/strong> <a href=\"https:\/\/overcast.fm\/+HZUf-oI6A\">A recent Change Log podcast episode<\/a> pointed me towards a very interesting new Terminal app that&#8217;s in public beta now called Warp \u2014 <a href=\"https:\/\/www.warp.dev\/\">www.warp.dev\/\u2026<\/a> (it&#8217;s cloud-integrated because the intention is to enable collaboration, so you have to sign in to the app with GitHub, they are clear that they absolutely do not send your commands or their outputs to the cloud)\n<ul>\n<li>&#x1f3a6; Demo video showing Warp in action \u2014 <a href=\"https:\/\/youtube.com\/watch?v=T7R8lvvBgOI&#038;feature=share\">youtube.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. &#x1f1ea;&#x1f1f8; Spain implicated in Pegasus spyware attack on Catalan politicians \u2014 www.imore.com\/\u2026 Social Media Updates: Instagram will now rank based on originality &amp; improve product and people tagging \u2014 www.imore.com\/\u2026 You Can Now Ask [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[5238,5236,5237,156,4951,4708,50,569],"class_list":["post-25878","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-catalan","tag-digital-services-act","tag-dsa","tag-facebook","tag-java","tag-pegasus","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/25878","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=25878"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/25878\/revisions"}],"predecessor-version":[{"id":25881,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/25878\/revisions\/25881"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=25878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=25878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=25878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}