{"id":27188,"date":"2022-11-13T14:40:11","date_gmt":"2022-11-13T22:40:11","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=27188"},"modified":"2022-11-13T14:40:11","modified_gmt":"2022-11-13T22:40:11","slug":"sb-2022-11-13","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2022\/11\/sb-2022-11-13\/","title":{"rendered":"Security Bits \u2014 13 November 2022"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>The expected OpenSSL emergency patch (3.0.7) was released shortly after we last recorded, but the bug was downgraded from critical to high before release: it can only be triggered by a maliciously crafted certificate that passes signature validation, so the realistic exposure is TLS clients connecting to a malicious server, or servers that authenticate clients by certificate. Only the 3.0.x series is affected; 1.1.1 installs don&#8217;t need this patch, but check what your systems actually ship before you relax \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/11\/01\/openssl-patches-are-out-critical-bug-downgraded-to-high-but-patch-anyway\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>The Matter standard has been officially released with 190 certified devices (now into what may prove to be an awkward transition phase for some) \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/11\/04\/whats-next-for-the-matter-smart-home\">appleinsider.com\/\u2026<\/a> &amp; <a href=\"https:\/\/arstechnica.com\/?p=1894785\">arstechnica.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/www.podfeet.com\/blog\/2021\/05\/ccato-687\/\">CCATP #687 \u2013 Mikah Sargent on What Thread Means for the Internet of Things<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1fa;&#x1f1f8; The rollout of Apple&#8217;s digital IDs continues: <a href=\"https:\/\/appleinsider.com\/articles\/22\/11\/09\/colorado-drivers-can-now-add-a-license-or-state-id-to-apple-wallet\">Colorado drivers can now add a license or state ID to Apple Wallet \u2014 
appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 1 \u2014 &#x1f9ef;That Apple App Store Tracking Story<\/h2>\n<p>A rather sensationalistic story is doing the rounds that accuses Apple of nefariously tracking users in the App Store against their own rules. But this story just doesn&#8217;t stack up. It conflates a bunch of things and strikes me as clickbait rather than news.<\/p>\n<p>The basis for the story is code found in an old version of the App Store from a few years ago that does normal app analytics. This mundane fact is presented as being a scandal of some sort, but there is just no <em>there<\/em> there that I can see.<\/p>\n<p>When any developer wants to figure out how well or poorly their user interface is working they enable analytics. This helps them figure out what is working, and what&#8217;s not. It may be used for A\/B testing where some users get one version of the interface, and some another, to find pain points, or to verify that a change has had the expected effect. This is information about how users are using an app, captured by that app and sent to the developers of that app. There are no third parties involved here.<\/p>\n<p>Apple know what you do in Apple&#8217;s apps, Google know what you are doing in Google&#8217;s apps, Meta know what you are doing in their apps, and so on and so forth. Nothing in Apple&#8217;s privacy push is about stopping the app you are using knowing what you do in that app, because that would make no sense at all!<\/p>\n<p>So what is App Tracking Transparency about again? 
It simply requires apps to ask for permission before tracking a user&#8217;s activity <strong>across other companies&#8217; apps and websites<\/strong>.<\/p>\n<p>Nothing in this report says Apple is performing any kind of cross-app tracking, nor that they are sharing it with a third party, so it literally has nothing whatsoever to do with App Tracking Transparency.<\/p>\n<p>The other clanger is that this behaviour pre-dates the launch of App Tracking Transparency, and the researchers don&#8217;t know if more recent versions of the App Store behave in the same way!<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>An example of the reporting on the researchers&#8217; claims: <a href=\"https:\/\/www.macobserver.com\/news\/developers-find-apple-may-be-tracking-user-data-on-app-store-through-ios\/\">Developers Find Apple May Be Tracking User Data on App Store Through iOS \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f3a7; Good coverage of this story by Ken Ray: <a href=\"https:\/\/overcast.fm\/+HLr7VjqJw\">Checklist 303: App Store Tracking Opacity \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 2 \u2014 Twitter is now the Wild West, Tread with Care!<\/h2>\n<p>I&#8217;m not going to waste your time or mine by cataloging the list of rash and ill-advised decisions and U-turns Elon Musk has made since our previous instalment. Others have done a better job than I could (see links below), and it would probably be out of date a few minutes after I finished typing anyway!<\/p>\n<p>The key points are:<\/p>\n<ol>\n<li>Many if not most of the key staff who keep Twitter both running and safe are gone.<\/li>\n<li>The changes are coming so quickly that not even Twitter&#8217;s employees can possibly keep on top of things.<\/li>\n<li>Badges have effectively lost all meaning since their official appearance and meaning is changing almost daily.<\/li>\n<\/ol>\n<p>IMO, you simply cannot trust anything on Twitter anymore. 
You have no way to know which accounts are fake or real, so anything and everything of importance must be assumed to be a lie. By all means continue to have fun with friends, but don&#8217;t rely on Twitter for information or anything of any importance whatsoever!<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>The best rundown of recent events I&#8217;ve come across: <a href=\"https:\/\/www.platformer.news\/p\/inside-the-twitter-meltdown\">Inside the Twitter meltdown \u2014 www.platformer.news\/\u2026<\/a><\/li>\n<li>Phishers are abusing the chaos \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/31\/some-twitter-users-are-receiving-fake-account-verification-emails\">appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 3 \u2014 Considering Mastodon?<\/h2>\n<p>If Twitter has gone to heck in a handcart, where can we go? Today, the obvious choice seems to be Mastodon, but while it is a microblogging platform where people share short messages and can follow each other, it has a fundamentally different architecture, and it&#8217;s important to understand the difference.<\/p>\n<p>I&#8217;ve heard a lot of people tie themselves in knots explaining how Mastodon works as if it&#8217;s somehow an exotic or new model, but it really isn&#8217;t: it&#8217;s a model that&#8217;s so old and well-established we ignore it as much as we ignore the air that&#8217;s always around us.<\/p>\n<p>Mastodon is server software built on an open protocol (ActivityPub) that allows users to publish short posts and subscribe to the posts made by others. To use it you need an account on a server; then you can share with and subscribe to anyone on any other Mastodon server.<\/p>\n<p>Email is a protocol that allows users to send messages to each other. To use email you need an account on a server; then you can exchange messages with anyone else with an account on another email server.<\/p>\n<p>To get an email account, you need to pick a provider and sign up. To get a Mastodon account you need to pick a server and sign up. 
Your email address is your username at your server, and your Mastodon address is the same idea written as <code>@username@server<\/code>.<\/p>\n<p>Now, the important part \u2014 you must trust your email provider to treat your data with respect and care because your data is on their server! Similarly, you must trust your Mastodon server provider, and that includes your direct messages: they are not end-to-end encrypted, so the admins of your server (and of the recipient&#8217;s server) can read them.<\/p>\n<p>When you think about how other single-provider social media services work, the fact that you must trust your provider is not what&#8217;s changed \u2014 Twitter know what you do on their servers, Meta know what you do on their Facebook, Instagram, and WhatsApp servers, etc. What&#8217;s different is not that you must trust, but that you get to choose who to trust! Moving to Mastodon does not require more or less trust, but it gives you the freedom to choose who to give that same trust.<\/p>\n<p>Just as there is no central email authority, there is no central Mastodon authority \u2014 each server enforces its own rules. This means those who think radically free speech is utopian and those who think it&#8217;s dystopian can find servers that align with their views.<\/p>\n<p>A potential downside to the decentralised model is the lack of an authority to provide any kind of official verification. But, the same model provides an interesting new avenue for verification \u2014 trusted servers. Just as an email address carries trust based on its domain, so can a Mastodon address. If someone has an <code>@whitehouse.gov<\/code> email address you know they work for the White House, if someone has an <code>@intel.com<\/code> address you know they&#8217;re with Intel, etc. Organisations can do the same with Mastodon, and the check is the same one you would apply to an email address: look at the domain after the second <code>@<\/code>, not at the display name, and watch for look-alike domains. The EU is leading the way here, with an official Mastodon server at <code>social.network.europa.eu<\/code> \u2014 only actual EU officials can get accounts there, so all accounts on that server are, by definition, verified! 
(<a href=\"https:\/\/mstdn.social\/@InclusiveLucie\/109302210731818702\">Source<\/a>)<\/p>\n<p>So, if you decide you want to give Mastodon a try, I strongly recommend you take the time to carefully choose your server so it aligns with your priorities. As an example, my criteria were:<\/p>\n<ol>\n<li>The server must be community-owned or run by a registered charitable foundation; it must not be a commercial entity out to make money from my data<\/li>\n<li>The server must have what I consider to be sane rules<\/li>\n<li>The server must be in the EU so they are covered by the GDPR and other EU protections<\/li>\n<li>The server must have a good data privacy policy<\/li>\n<li>The server must be reliable<\/li>\n<\/ol>\n<p>While it is valuable to take the time to choose wisely, it&#8217;s not the end of the world if you get it wrong: Mastodon has a built-in account migration feature, so you can redirect your followers to a new account on another server and import your follows, mutes, and blocks there. Your old posts don&#8217;t move with you, though, so export an archive from your old server before you leave.<\/p>\n<p>Anyway, <strong>my advice is simply to think about your own requirements before you start looking for a server.<\/strong> If you don&#8217;t know what you want, how can you know when you&#8217;ve found it?<\/p>\n<ul>\n<li>Allison on Mastodon: <a href=\"https:\/\/chaos.social\/@podfeet\">@podfeet@chaos.social<\/a><\/li>\n<li>Bart on Mastodon: <a href=\"https:\/\/mstdn.social\/@bbusschots\">@bbusschots@mstdn.social<\/a><\/li>\n<\/ul>\n<h3>Further reading<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/mastodon-safety-how-to-protect-yourself-from-security-and-privacy-risks\/\">Mastodon Safety: How To Protect Against Security and Privacy Risks \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.cultofmac.com\/796714\/move-to-mastodon\/\">How to get started using Mastodon \u2014 www.cultofmac.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this 
section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/22\/10\/31\/google-patches-seventh-zero-day-exploit-in-chrome-in-2022\">Google patches seventh zero-day exploit in Chrome in 2022 \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/11\/11\/dangerous-sim-swap-lockscreen-bypass-update-android-now\/\">Dangerous SIM-swap lockscreen bypass \u2013 update Android now! \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>An important Patch Tuesday from Microsoft: <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/11\/09\/exchange-0-days-fixed-at-last-plus-4-brand-new-patch-tuesday-0-days\/\">Exchange 0-days fixed (at last) \u2013 plus 4 brand new Patch Tuesday 0-days! \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/tidbits.com\/2022\/11\/10\/ios-16-1-1-ipados-16-1-1-and-macos-13-0-1-ventura-plug-two-security-holes\/\">iOS 16.1.1, iPadOS 16.1.1, and macOS 13.0.1 Ventura Plug Two Security Holes \u2014 tidbits.com\/\u2026<\/a>\n<ul>\n<li><a href=\"https:\/\/www.cultofmac.com\/796734\/apple-restricts-airdrop-everyone-visibility-china\/\">Apple restricts AirDrop\u2019s \u2018Everyone\u2019 visibility to 10 minutes in China with iOS 16.1.1 \u2014 www.cultofmac.com\/\u2026<\/a> &amp; <a href=\"https:\/\/appleinsider.com\/articles\/22\/11\/10\/apple-plans-to-expand-airdrop-time-limit-to-customers-worldwide\">Apple plans to expand AirDrop time limit to customers worldwide \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Another reminder that crypto is the wild west, and that you should never invest money you can&#8217;t afford to lose: <a 
href=\"https:\/\/appleinsider.com\/articles\/22\/11\/10\/crypto-holders-left-holding-the-bag-as-ftx-exchange-collapses\">Crypto holders left holding the bag as FTX exchange collapses \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/appleinsider.com\/articles\/22\/11\/10\/transunion-data-breach-exposes-consumers-financial-information\">TransUnion breached, consumers&#8217; financial information exposed \u2014 appleinsider.com\/\u2026<\/a> (not clear how many users are affected)<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>While Elon Musk is busy making the web a less safe place, others are making things that little bit safer:\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/youtube-to-begin-labeling-doctors-and-nurses-as-reliable\/\">YouTube to Begin Labeling Doctors and Nurses As Reliable \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2022\/11\/linkedin-adds-verified-emails-profile-creation-dates\/\">LinkedIn Adds Verified Emails, Profile Creation Dates \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>1Password has made a major investment in Passkeys, but it&#8217;s not clear yet what products will result: <a href=\"https:\/\/www.axios.com\/2022\/11\/03\/1password-passage-passkey-cybersecurity\">1Password acquires Passage, will offer new passkey tools \u2014 www.axios.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; A sign of the future (plain &#8220;approve?&#8221; push prompts are exactly what MFA-fatigue attacks abuse, which is why the guidance asks for number matching at minimum and phishing-resistant methods like FIDO\/WebAuthn where possible): <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2022\/10\/31\/cisa-releases-guidance-phishing-resistant-and-numbers-matching\">CISA Releases Guidance on Phishing-Resistant and Numbers Matching Multifactor Authentication \u2014 us-cert.cisa.gov\/\u2026<\/a><\/li>\n<li>A reminder that everyone is a target: <a href=\"https:\/\/almascience.eso.org\/news\/alma-services-affected-by-cyberattack\">ALMA Services Affected by Cyberattack \u2014 almascience.eso.org\/\u2026<\/a> (via Allison)<\/li>\n<\/ul>\n<h2>Top 
Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/inside\/macos-ventura\/tips\/how-to-manage-thunderbolt-usb-security-in-macos-ventura\">How to manage Thunderbolt &amp; USB security in macOS Ventura \u2014 appleinsider.com\/\u2026<\/a> (only applies to Apple Silicon Macs)<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><a href=\"https:\/\/twitter.com\/dieworkwear\/status\/1590831852658790400\">Chiquita Banana Wins Fake Verified Twitter Accounts<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light 
your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. The expected OpenSSL emergency patch (3.0.7) was released shortly after we last recorded, but the bug was downgraded from critical to high before release: it can only be triggered by a maliciously crafted certificate that passes signature validation, so the realistic exposure is 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[5577,3192,50,569,73],"class_list":["post-27188","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-app-store-tracking","tag-mastodon","tag-security","tag-security-bits","tag-twitter"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27188","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=27188"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27188\/revisions"}],"predecessor-version":[{"id":27190,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27188\/revisions\/27190"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=27188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=27188"},{"tax
onomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=27188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}