{"id":28745,"date":"2023-07-09T13:17:05","date_gmt":"2023-07-09T20:17:05","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=28745"},"modified":"2023-07-30T13:38:10","modified_gmt":"2023-07-30T20:38:10","slug":"sb-2023-07-09","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2023\/07\/sb-2023-07-09\/","title":{"rendered":"Security Bits \u2014 9 July 2023"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>We now have more details on how iOS 17&#8217;s new <em>Check In<\/em> safety feature will work: <a href=\"https:\/\/www.macobserver.com\/tips\/how-to\/how-to-send-and-use-ios-17-check-in-messages-on-iphone\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1ea;&#x1f1fa; Six companies have confirmed to the EU Commission that they will fall under the <em>Digital Markets Act<\/em> (DMA) definition of a <em>gatekeeper<\/em> \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/23\/07\/04\/apple-google-confirm-new-eu-gatekeeper-law-applies-to-them\">appleinsider.com\/\u2026<\/a>\n<ul>\n<li>Apple<\/li>\n<li>Alphabet\/Google<\/li>\n<li>Amazon<\/li>\n<li>Meta\/Facebook<\/li>\n<li>Microsoft<\/li>\n<li>ByteDance\/TikTok<\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1ec;&#x1f1e7; Apple has joined the chorus of companies, industry associations, and public advocacy groups warning the UK government about the dangers of its ill-conceived <em>Online Safety Bill<\/em> which, as it stands, would ban effective and safe encryption in the UK \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/23\/06\/27\/apple-urges-uk-to-rethink-anti-encryption-online-safety-bill\">appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 1 \u2014 Firefox Updates Its Support Matrix<\/h2>\n<p>With the release of Firefox 115 Mozilla have announced changes to their support 
plans for older OSes.<\/p>\n<p>Firstly, on the Windows side, Windows 7, 8 &amp; 8.1 users will not get any more feature updates. They are being automatically migrated to <em>Firefox 115 ESR<\/em>, which will only provide security updates. Note that nothing older than Windows 7 will get any updates at all.<\/p>\n<p>Similarly, Mac users on macOS 10.12 (Sierra), 10.13 (High Sierra) &amp; 10.14 (Mojave) are also being migrated to 115 ESR for security-only updates. Again, nothing older gets any updates at all.<\/p>\n<p>If you&#8217;re not sure which build you&#8217;re on, the version string in <em>About Firefox<\/em> ends in <em>esr<\/em> on the ESR channel. Also note that Mozilla has only committed to security updates on 115 ESR for these platforms for a limited time, so treat the move as breathing room in which to get onto a supported OS, not as a reason to stay put.<\/p>\n<p>This is a very generous support matrix, and Mozilla definitely should not be criticised for this move. It makes no sense for an organisation to put resources into feature updates for obsolete OSes, and once the OS vendor drops support (as is the case for Windows 7 &amp; 8, and for macOS 10.15 Catalina and older), even offering security updates is more than is reasonably required!<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>Mozilla&#8217;s Release Notes \u2014 <a href=\"https:\/\/www.mozilla.org\/en-US\/firefox\/115.0\/releasenotes\/\">www.mozilla.org\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/firefox-to-stop-macos-mojave-windows-7-8-updates-heres-why-thats-a-good-thing\/\">Firefox to end macOS Mojave, Windows 7\/8 updates\u2014Here&#8217;s why that&#8217;s a good thing \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/07\/05\/firefox-115-is-out-says-farewell-to-older-windows-and-mac-users\/\">Firefox 115 is out, says farewell to users of older Windows and Mac versions \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 2 \u2014 &#x1f1eb;&#x1f1f7; France&#8217;s Controversial New Surveillance Law<\/h2>\n<p>The French government is in the process of passing a large cybersecurity bill, and much of it is uncontroversial; some of it is even good, like placing requirements on cloud companies to protect the data they store. 
But one aspect of the law is getting a <strong>lot<\/strong> of attention, and much of that coverage is missing the nuance and context.<\/p>\n<p>The controversial part is the bit that grants law enforcement the right to enable <em>&#8216;spying&#8217;<\/em> features on smart devices, including phones, tablets, computers, and even cars.<\/p>\n<p>There have been some amendments to the law as it&#8217;s made its way through the process, and there may well be more, so this is just the current state of play.<\/p>\n<p>The first thing to note is that both of the provisions I&#8217;m about to describe need judicial approval, so it&#8217;s like getting a warrant in the US.<\/p>\n<p>When investigating a crime whose sentence would be 5 or more years in prison, police can apply for the right to remotely enable location tracking on a suspect&#8217;s device.<\/p>\n<p><em>&#8220;When justified by the nature and seriousness of the crime&#8221;<\/em>, police can request the right to remotely activate a device&#8217;s camera or microphone, but only <em>&#8220;for a strictly proportional duration&#8221;<\/em>, and never for more than 6 months. There are also explicit exclusions preventing the law being used to target doctors, journalists, lawyers, judges, and members of parliament.<\/p>\n<p>Note that this law gives law enforcement the right to enable this tracking by whatever means they can, so it&#8217;s about giving the police the right to social engineer, hack, or use tools like Pegasus. There is no mandate on tech companies to alter their software to enable this for law enforcement.<\/p>\n<p>This is nothing like mandating back doors, but it does set up a dangerous conflict of interest, one we&#8217;ve seen before with the CIA leaks: the state gains an incentive to hoard security vulnerabilities rather than report them to the vendors, which leaves everyone exposed to the same bugs the police are relying on.<\/p>\n<p>In the abstract, this sounds bad, but maybe this is better than what is happening in other major democracies now. E.g. 
in the US, there are secret courts and national security letters that companies must comply with and cannot talk about, and we know lots of governments are buying tools like Pegasus.<\/p>\n<p>So, is it really worse to put it into law, with clear rules, limitations, and oversight, than to just do it in secret like everyone else? Is France actually doing this better than its peers, rather than worse?<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.engadget.com\/french-assembly-passes-bill-allowing-police-to-remotely-activate-phone-cameras-and-microphones-for-surveillance-210539401.html\">French Assembly passes bill allowing police to remotely activate phone cameras and microphones for surveillance \u2014 www.engadget.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bankinfosecurity.com\/new-french-bill-would-permit-law-enforcement-surveillance-a-22493\">New French Bill Would Permit Law Enforcement Surveillance \u2014 www.bankinfosecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.firstpost.com\/explainers\/explained-the-new-law-in-france-that-will-allow-police-to-spy-on-its-citizens-12838092.html\">Explained: The new law in France that will allow police to spy on its citizens \u2014 www.firstpost.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; A US Federal District Judge has issued a controversial ruling that places an injunction on some branches of the federal government, barring them from even talking to social media companies about content moderation. Legal opinion on the ruling appears to be that it&#8217;s broad, sweeping, and not based on law or precedent. 
Since this is a low-level federal court, appeals seem inevitable \u2014 <a href=\"https:\/\/www.cultofmac.com\/822575\/judge-blocks-government-from-pushing-social-media-censorship\/\">www.cultofmac.com\/\u2026<\/a><\/li>\n<li>&#x1f1f7;&#x1f1fa; One of Russia&#8217;s biggest disinformation troll farms falls victim to the recent coup attempt: <a href=\"https:\/\/www.reuters.com\/world\/europe\/prigozhin-controlled-russian-media-group-shuts-amid-mutiny-fallout-2023-07-02\/\">Prigozhin-controlled Russian media group shuts after mutiny \u2014 www.reuters.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Just Because it&#8217;s Cool &#x1f60e;<\/h2>\n<aside class=\"small-aside\">Stories that are not important, that don&#8217;t require you to do anything, and that you don&#8217;t even have to worry about.<\/aside>\n<ul>\n<li>Evidence to back Bart&#8217;s view that emoji have developed into their own language: <a href=\"https:\/\/appleinsider.com\/articles\/23\/07\/08\/canadian-court-rules-thumbs-up-emoji-counts-as-signing-a-contract\">Court rules &#8216;thumbs-up&#8217; emoji counts as signing a contract \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>&#x1f3a7; <a href=\"https:\/\/overcast.fm\/+JadVrucmE\">Malicious Life: Sony BMG\u2019s Rootkit Fiasco \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td 
align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. 
We now have more details on how iOS 17&#8217;s new Check In safety feature will work: www.macobserver.com\/\u2026 &#x1f1ea;&#x1f1fa; Six companies have confirmed to the EU Commission that they will fall under the Digital Markets [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[1019,71,1816,2060,81,2079,50,569,2239,90],"class_list":["post-28745","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-emoji","tag-firefox","tag-france","tag-malware","tag-mozilla","tag-patch","tag-security","tag-security-bits","tag-security-updates","tag-spyware"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/28745","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=28745"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/28745\/revisions"}],"predecessor-version":[{"id":29350,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/28745\/revisions\/29350"}],"wp:featuredmedia":[{"embeddable":true,"href
":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=28745"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=28745"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=28745"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}