{"id":31275,"date":"2024-06-23T12:47:37","date_gmt":"2024-06-23T19:47:37","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=31275"},"modified":"2024-06-23T12:47:37","modified_gmt":"2024-06-23T19:47:37","slug":"sb-2024-06-23","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2024\/06\/sb-2024-06-23\/","title":{"rendered":"Security Bits \u2013\u00a02024-06-23"},"content":{"rendered":"<h1>Feedback &amp; Followups<\/h1>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-delays-windows-recall-amid-privacy-and-security-concerns\/\">Microsoft delays Windows Recall amid privacy and security concerns \u2014 www.bleepingcomputer.com\/\u2026<\/a> (Initially only to <em>Windows Insiders<\/em> AKA beta testers)<\/li>\n<li>The scale of the Snowflake breach we discussed last time becomes clearer: <a href=\"https:\/\/thehackernews.com\/2024\/06\/snowflake-breach-exposes-165-customers.html\">Snowflake Breach Exposes 165 Customers&#8217; Data in Ongoing Extortion Campaign \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddea\ud83c\uddfa As I predicted last time, Meta&#8217;s updated terms did not hold water in Europe: <a href=\"https:\/\/thehackernews.com\/2024\/06\/meta-halts-ai-training-on-eu-user-data.html\">Meta Pauses AI Training on EU User Data Amid Privacy Concerns \u2014 thehackernews.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> \ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/appleinsider.com\/articles\/24\/06\/15\/sonos-removes-a-promise-to-not-sell-personal-data-gets-busted-by-users\">Sonos removes a promise to not sell personal data, gets busted by users \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>A nice example (with screenshot) of the new trojan-spreading technique discussed last time: <a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fake-google-chrome-errors-trick-you-into-running-malicious-powershell-scripts\/\">Fake Google Chrome errors trick you into running malicious PowerShell scripts \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\n<p>\ud83c\uddec\ud83c\udde7 \ud83c\udde8\ud83c\udde6 The UK &amp; Canada have launched formal investigations into the 23andMe breach \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/23andme-data-breach-under-investigation-in-uk-and-canada\/\">www.bleepingcomputer.com\/\u2026<\/a><\/p>\n<\/li>\n<li>\ud83c\udde6\ud83c\uddf9 A complaint filed with the Austrian Data Protection Authority regarding the details of Google&#8217;s <em>Privacy Sandbox<\/em> could slow down the removal of third-party cookies further \u2014 <a href=\"https:\/\/thehackernews.com\/2024\/06\/googles-privacy-sandbox-accused-of-user.html\">thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<h1>Deep Dive \u2014 Modern Authentication<\/h1>\n<p>Microsoft have just announced that they are moving their home email users over to <em>Modern Authentication<\/em>, so this seems like a good time to explain what that means.<\/p>\n<p>Firstly, the changes Microsoft are making:<\/p>\n<ol>\n<li>Users of Outlook.com, Hotmail.com &amp; Live.com email will need to switch to mail clients that support modern auth before the 16th of September 2024 (all modern mail apps do, including Outlook on all platforms, Mail.app on Apple&#8217;s platforms, and Thunderbird).<\/li>\n<li>Support for Microsoft&#8217;s stand-alone Mail and Calendar apps is ending at the end of 2024, with users being migrated over to Outlook.<\/li>\n<\/ol>\n<p>Full details: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-new-outlook-security-changes-coming-to-personal-accounts\/\">www.bleepingcomputer.com\/\u2026<\/a><\/p>\n<p>Modern Authentication is both a somewhat vague industry buzzword and a piece of very specific Microsoft jargon 
for a collection of protocols and processes within their services. I&#8217;m going to take the broader view here.<\/p>\n<p>The best way to explain modern auth is to contrast it with what has come before. I&#8217;m going to refer to the old approach as <em>legacy authentication<\/em>, though Microsoft&#8217;s official jargon is the less judgemental <em>basic authentication<\/em>.<\/p>\n<h2>The Old Way (Legacy Auth)<\/h2>\n<p>One account has one password, and every time a user, or any app acting on their behalf, tries to log in they send both their username and their password to the website or server. For a mail client that means the password travels inside the IMAP or SMTP login itself.<\/p>\n<p>What&#8217;s wrong with this?<\/p>\n<ol>\n<li>Every app needs a copy of your password saved in it somewhere! You have to trust all of them to store it securely, and not to phone home with a copy of it.<\/li>\n<li>You can&#8217;t revoke access on an app-by-app basis: your one password is all you have, so your only option is to change that password and re-configure every app.<\/li>\n<li>If apps authenticate by sending usernames and passwords inside the protocol, there&#8217;s nowhere to hook in additional protections like 2-factor\/multi-factor authentication, or entirely new alternatives like Passkeys.<\/li>\n<\/ol>\n<p>The workaround for these shortcomings has been app-specific passwords, which are just very very long truly random passwords. 
These are less bad than human-chosen passwords (each one can be revoked on its own), but only a little: the app still holds a static secret that grants everything the mail protocol allows.<\/p>\n<h2>The New Way (Modern Auth)<\/h2>\n<p>Modern Auth separates two important concepts \u2014 Authentication &amp; Authorisation.<\/p>\n<p><strong>Authentication is about proving your identity<\/strong>, while <strong>authorisation is about granting specific permissions<\/strong>.<\/p>\n<p>There are a few protocols that enable modern authentication, but regardless of the protocol, the key concepts are the same.<\/p>\n<p>With modern authentication there is a single <em>identity provider<\/em> (IDP) for all sites and services associated with an account, and that identity provider is the only place where authentication happens and the only place where permissions get granted. Instead of the mail server and web server doing their own authentication, it&#8217;s always done by the identity provider.<\/p>\n<p>The identity provider then issues an authorisation token that contains the following:<\/p>\n<ol>\n<li>basic account details (some mix of user ID, username, email address, name, etc.)<\/li>\n<li>an expiration time for the token<\/li>\n<li>a list of the specific things the token may be used for (its <em>scopes<\/em>, in OAuth2 jargon)<\/li>\n<li>a digital signature to validate the token (or, for an <em>opaque<\/em> token, a random identifier the server can look up with the IDP)<\/li>\n<\/ol>\n<p>On the web the result of all this gets saved by the browser as a first-party cookie (not the evil kind), which is not really all that different to the old-fashioned session cookies that are used with legacy auth. 
Where you see a real difference is in apps \u2014 with modern auth, <strong>apps do not store usernames and passwords<\/strong>, they store authorisation tokens!<\/p>\n<p>Because an app now only has a token, not the actual username and password, you can revoke any app&#8217;s access at any time by revoking the token on the identity provider (usually via some kind of <em>My Account<\/em> web interface), and no other app is affected.<\/p>\n<p>The other big advantage is that <strong>an authorisation token does not give blanket access to your account<\/strong>, it only gives the access your app needs (assuming things are properly configured, and the app only asked for what it needs, of course). So, if you authorise your mail client and give it permission to read your email and send email, then even if that token is stolen from the app, it cannot be used to log into your account on the web and start changing your settings, or to update your calendar, or to buy a load of stuff in the store or \u2026<\/p>\n<h2>What Does Modern Auth Look Like to the User?<\/h2>\n<p>That sounds great, but how does all this work from our point of view? Let&#8217;s step through the process. As an example, let&#8217;s assume we just downloaded a copy of the wonderful Fantastical calendar app for Mac, and we want to connect it to our Google Calendar. What do we see?<\/p>\n<ol>\n<li>When we try to add our account to any app, the app needs to send us to the web interface for the matching identity provider. Apps can do that by bouncing us into our default browser, or by popping up a web view in a little window within the app. These days the browser option is preferred, partly so people can use their password managers, but mainly because a web view embedded in the app lets the app see everything we type into the login page, password included, which defeats the point (the OAuth 2.0 for Native Apps best-practice document, RFC 8252, tells app developers to use the system browser for exactly this reason). In our example the Google Login page would open in our browser and ask us to log in.<\/li>\n<li>After we <strong>authenticate<\/strong>, our IDP will show us the list of permissions the app is requesting, and give us a button to <strong>authorise<\/strong> the app. 
That will generate a grant with just those permissions, and we&#8217;ll then get presented with a button to return to the app. Clicking that button sends us back to the app with a short-lived one-time code; the app immediately exchanges that code with the IDP for its token and saves it (the token itself never passes through the browser).<\/li>\n<li>Each time the app talks to the server it will present its token, and the server will:\n<ol>\n<li>Check that the token is genuine and still valid: the signature must verify, the expiry time must not have passed, and the token must not have been revoked. Because a signed token can be checked without a round trip to the IDP, real deployments mostly rely on short lifetimes (often an hour) rather than asking the IDP about revocation on every request.<\/li>\n<li>Check that the request made by the app is covered by the permissions in the token<\/li>\n<li>If all the checks pass, do whatever the app asked and return the result<\/li>\n<\/ol>\n<\/li>\n<li>Access tokens expire quickly on purpose. In OAuth2 the app is usually also given a longer-lived <em>refresh token<\/em>, which it can quietly exchange for a fresh access token without bothering us at all. Only when that fails, because the refresh token has expired or because we revoked the app, does the app have to send us back to the browser. If the grant is still in place we simply re-authenticate and the IDP remembers the permissions we already approved; if it was revoked we have to approve the permissions again.<\/li>\n<\/ol>\n<h2>How Does Modern Auth Enable 2FA\/MFA\/Dongles\/Authenticators\/Passkeys etc?<\/h2>\n<p>Once apps or services update to support modern auth, they are completely removed from the authentication process \u2014 <strong>authentication becomes the sole responsibility of the IDP<\/strong>. Now, the IDP can be updated to support any new authentication technology without any of the apps or services needing to be updated at all.<\/p>\n<p>Before modern auth, every protocol and every server had to accommodate the details of <strong>how<\/strong> users authenticated \u2014 websites, email protocols, calendaring protocols, everything, had to have the UI, data fields, and processes for dealing with usernames and passwords. Every app had to have a way to store them, every protocol had to have a way to send them, and every server had to be able to validate them. Adding something like a second factor meant re-engineering the whole thing with a new UI in the app, new fields in the protocols, and new processes on the servers. 
Each different scheme required different UIs, fields, and validation processes, so the end result was that most protocols and apps didn\u2019t get updated \u2014 hence the need for app-specific passwords as a workaround.<\/p>\n<p>With modern auth, apps, protocols, and servers need to be updated just once to support one or more of the token-based protocols, and then they\u2019re good for the foreseeable future! Authentication is just not their problem anymore!<\/p>\n<p>As well as enabling an ever-expanding range of authentication options by giving sole control of authentication to the IDPs, <strong>modern authentication also breaks the one-to-one mapping legacy authentication employed<\/strong> (one account, one password). IDPs can allow you to register as many authentication methods as you like on any given account, and most do. You can then authenticate with whichever is most convenient in any given situation. You could register a passkey from your phone, another from your spouse&#8217;s phone, a FIDO2 hardware token that never leaves the office, and so on.<\/p>\n<p>Note that IDPs really are free to do whatever they want to authenticate you. They can use any open standard like TOTP (Google Authenticator-style codes), FIDO hardware dongles, Passkeys, etc. But they can also do their own thing, hence custom authenticator apps like those from Adobe &amp; Microsoft, and in-app authentication options like GitHub&#8217;s (no separate authenticator app, but their main app can auth you to their website).<\/p>\n<h2>Modern Auth is Well-Bedded In<\/h2>\n<p>The push to move away from legacy auth started in the enterprise, and it has been in progress for over a decade.<\/p>\n<p>At this stage, we have a small, well-defined, and well-tested suite of protocols. For home users it\u2019s really mostly OAuth2, with OpenID Connect (OIDC) layered on top whenever a site needs a signed statement of who you are rather than just a token to act on your behalf, while enterprises use SAML2 and\/or OIDC to do single sign-on across first and third-party sites. 
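<\/p>\n<p>The server-side checks from the numbered steps in the previous section, and the claim that a token stolen from the mail client is useless against the calendar, are easiest to see in code. The following is an added example written for these notes; it is not code from the original post, nor Google&#8217;s or Microsoft&#8217;s. It builds a toy identity provider that mints HS256-signed tokens carrying the four things listed earlier (account details, expiry, scopes, signature) and a toy resource server that checks signature, expiry, revocation, and scope before serving a request. The scope names (<em>mail.read<\/em>, <em>mail.send<\/em>, <em>calendar.write<\/em>), the account name, and the fixed clock value are made up for the demonstration, and the HMAC key is shared between the two halves only because everything runs in one process; a real IDP signs with a private key and publishes the public half for servers to verify against.<\/p>
```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # JWT-style base64url


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


class IdentityProvider:
    """Toy IDP (a made-up stand-in for Google or Microsoft): the only place authentication
    happens, and the only place tokens are minted."""
    def __init__(self):
        self.key = secrets.token_bytes(32)  # HMAC key; shared with the server only in this toy
        self.revoked = set()                # token IDs the user has revoked via "My Account"

    def issue(self, subject: str, scopes: list, now: int, lifetime: int = 3600) -> str:
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {
            "sub": subject,               # basic account details
            "scope": " ".join(scopes),    # the specific things this token may be used for
            "exp": now + lifetime,        # expiry: access tokens are short-lived on purpose
            "jti": secrets.token_hex(8),  # token ID, so this one grant can be revoked alone
        }
        signing_input = b64url(canonical_json(header)) + "." + b64url(canonical_json(claims))
        signature = hmac.new(self.key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + b64url(signature)

    def revoke(self, token: str) -> None:
        # What the 'remove this app' button in the account settings does.
        self.revoked.add(json.loads(b64url_decode(token.split(".")[1]))["jti"])


class ResourceServer:
    """Toy mail/calendar API. It never sees a password; it only validates tokens."""
    def __init__(self, idp: IdentityProvider):
        self.idp = idp

    def check(self, token: str, required_scope: str, now: int) -> tuple:
        """(True, subject) if the token may be used for required_scope, else (False, reason)."""
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            presented = b64url_decode(sig_b64)
        except ValueError:  # wrong number of parts, or a signature that is not base64
            return (False, "malformed")
        # 1. Signature first, with the algorithm fixed here rather than read from the token header.
        expected = hmac.new(self.idp.key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented):
            return (False, "bad signature")
        claims = json.loads(b64url_decode(payload_b64))
        # 2. Expiry and revocation (real deployments lean on short lifetimes rather than a per-request IDP lookup).
        if claims["exp"] <= now:
            return (False, "expired")
        if claims["jti"] in self.idp.revoked:
            return (False, "revoked")
        # 3. Is this particular request covered by the scopes the user granted?
        if required_scope not in claims["scope"].split():
            return (False, "scope not granted")
        return (True, claims["sub"])


def demo(now: int = 1_700_000_000) -> dict:
    """Walk through the scenarios from the text with a fixed clock; returns each outcome."""
    idp, user = IdentityProvider(), "alice@example.com"  # constructed account
    api = ResourceServer(idp)
    mail_token = idp.issue(user, ["mail.read", "mail.send"], now)  # granted to the mail client
    cal_token = idp.issue(user, ["calendar.write"], now)           # granted to a calendar app
    results = {"mail client reads mail": api.check(mail_token, "mail.read", now)}
    # The mail client's token leaks: it still cannot touch the calendar.
    results["stolen mail token on calendar"] = api.check(mail_token, "calendar.write", now)
    # The thief edits the scope claim instead; the signature no longer matches.
    h, p, s = mail_token.split(".")
    claims = json.loads(b64url_decode(p))
    claims["scope"] += " calendar.write"
    results["forged scope"] = api.check(f"{h}.{b64url(canonical_json(claims))}.{s}", "calendar.write", now)
    # Time passes: the short-lived token lapses by itself.
    results["after expiry"] = api.check(mail_token, "mail.read", now + 3601)
    # The user removes the mail client in 'My Account'; the calendar app is unaffected.
    idp.revoke(mail_token)
    results["after revocation"] = api.check(mail_token, "mail.read", now)
    results["other app unaffected"] = api.check(cal_token, "calendar.write", now)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```
<p>Running it prints one line per scenario. Two details are deliberate: the signature is checked before anything in the payload is trusted, and the verifier fixes the algorithm instead of reading it from the token header, which closes the well-known <em>alg<\/em> confusion trick against JWT libraries that trust the header.<\/p>\n<p>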
If a home user uses \u2018sign in with\u2019 buttons they are using OAuth2 (log in with Google &amp; login with Meta), usually with OIDC on top so the site learns who you are (Sign in with Google is OIDC, and Stack Exchange supports OIDC). The user experience is the same regardless \u2014 click to log in, get bounced to your IDP&#8217;s website, prove you are you, and get redirected back. The key point is that these protocols are all very mature now.<\/p>\n<p>Microsoft actually disabled basic auth for their enterprise customers at the end of 2022, so all apps that can connect to education and corporate Office 365 accounts already support modern auth! Those two years of enforced modern auth on literally millions of people have pushed the apps to update \ud83d\ude42<\/p>\n<p>In case you\u2019re wondering, Google is a little behind Microsoft in terms of forcing the use of modern auth (not in supporting it, just in requiring it), but they too are <a href=\"https:\/\/support.google.com\/a\/answer\/14114704?hl=en\">ending support for legacy auth this &#8216;autumn&#8217;<\/a>.<\/p>\n<h2>A Note On Passkeys<\/h2>\n<p>There are two ways Passkeys can be used for authentication, and both fall under the broad umbrella of modern authentication:<\/p>\n<ol>\n<li>Direct Passkey support via the WebAuthn protocol. The app\/website directly supports Passkeys and there is no IDP involved.<\/li>\n<li>Passkeys as one of the registered factors on an IDP. 
The app\/site doesn\u2019t use WebAuthn, they use one of the modern authentication protocols to send users to an IDP instead, and the IDP uses WebAuthn to handle Passkeys.<\/li>\n<\/ol>\n<h2>The Bottom Line<\/h2>\n<p>This shouldn&#8217;t be too bumpy a ride for home users, and it will bring a lot more security.<\/p>\n<h1>\u2757 Action Alerts<\/h1>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-june-2024-patch-tuesday-fixes-51-flaws-18-rces\/\">Microsoft June 2024 Patch Tuesday fixes 51 flaws, 18 RCEs \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/arm-warns-of-actively-exploited-flaw-in-mali-gpu-kernel-drivers\/\">Arm warns of actively exploited flaw in Mali GPU kernel drivers \u2014 www.bleepingcomputer.com\/\u2026<\/a> (<strong>Editorial by Bart:<\/strong> I&#8217;m powerless to offer clear helpful advice due to Android being &#8230; Android \ud83d\ude41)<br \/>\n> &#8220;Due to the complexity of the supply chain on Android, many end users may get patched drivers with significant delays&#8221;<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-warns-of-actively-exploited-pixel-firmware-zero-day\/\">Google patches exploited Android zero-day on Pixel devices \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>PC Users \u2013 keep an eye out for a firmware update: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/phoenix-uefi-vulnerability-impacts-hundreds-of-intel-pc-models\/\">Phoenix UEFI vulnerability impacts hundreds of Intel PC models \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/asus-warns-of-critical-remote-authentication-bypass-on-7-routers\/\">ASUS warns of critical remote authentication bypass 
on 7 routers \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>If you&#8217;re still using one of the popular, but End-of-Life WNR614 routers from Netgear, time&#8217;s up, you need a new router ASAP! \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/netgear-wnr614-flaws-allow-device-takeover-no-fix-available\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>One for the developers in our community: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/php-fixes-critical-rce-flaw-impacting-all-versions-for-windows\/\">PHP fixes critical RCE flaw impacting all versions for Windows \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h1>Notable News<\/h1>\n<ul>\n<li>\ud83c\uddea\ud83c\uddfa Another attempt to ban End-to-End Encryption has thankfully failed (at least for now):\n<ul>\n<li><a href=\"https:\/\/thehackernews.com\/2024\/06\/signal-foundation-warns-against-eus.html\">Signal Foundation Warns Against EU&#8217;s Plan to Scan Private Messages for CSAM \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/daringfireball.net\/linked\/2024\/06\/20\/eu-cancels-vote\">Lacking Votes, EU Postpones Vote on CSAM Law That Would Ban End-to-End-Encryption for Messaging \u2014 daringfireball.net\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 The US government takes strong action against Kaspersky\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/biden-bans-kaspersky-antivirus-software-in-us-over-security-concerns\/\">Biden bans Kaspersky antivirus software in US over security concerns \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/us-sanctions-12-kaspersky-lab-execs-for-working-in-russian-tech-sector\/\">US sanctions 12 Kaspersky Lab execs for working in Russian tech sector \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a 
href=\"https:\/\/www.cultofmac.com\/860486\/1password-adds-recovery-codes-support-for-seamless-account-recovery\/\">1Password adds recovery codes support for seamless account recovery \u2014 www.cultofmac.com\/\u2026<\/a><\/li>\n<li>An important one for our geekier listeners: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/aws-adds-passkeys-support-warns-root-users-must-enable-mfa\/\">AWS adds passkeys support, warns root users must enable MFA \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h1>Top Tips<\/h1>\n<aside class=\"small-aside\">Tip, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/top-10-online-scams-to-beware-of\/\">Top 10 online scams to beware of: from malvertising to deepfake kidnappings \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<h1>Excellent Explainers<\/h1>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li>\ud83c\udfa7 I&#8217;ve intentionally not covered any of the WWDC announcements in this instalment because nothing announced is available yet, and we&#8217;ll cover it when it launches. But, if you want a preview of what is coming you might enjoy this summary from Ken Ray: <a href=\"https:\/\/overcast.fm\/+HLr6FOPd4\">The Checklist by SecureMac: 379 &#8211; Privacy and Security at WWDC24 \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h1>Interesting Insights<\/h1>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>\ud83c\udfa7 \ud83c\uddee\ud83c\uddea  We often hear that it would probably be better if kids didn&#8217;t have phones too early, but no one parent can really do that, all the parents need to do it, or, the whole town! 
An Irish town is a year into that experiment: <a href=\"https:\/\/overcast.fm\/+BE6SEPIhsU\">The Global Story: Smartphone ban &#8211; Why an Irish town is taking children\u2019s phones \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li>Very insightful &amp; thought-provoking \u2013 we&#8217;re probably doing phishing tests all wrong: <a href=\"https:\/\/security.googleblog.com\/2024\/05\/on-fire-drills-and-phishing-tests.html\">Google Online Security Blog: On Fire Drills and Phishing Tests \u2014 security.googleblog.com\/\u2026<\/a><\/li>\n<\/ul>\n<h1>Palate Cleansers<\/h1>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and Allison think you might enjoy.<\/aside>\n<ul>\n<li>From <strong>Bart<\/strong>\n<ul>\n<li>I&#8217;m pretty sure this will prove to be another XKCD classic: <a href=\"https:\/\/xkcd.com\/2948\/\">Electric vs Gas \u2014 xkcd.com\/\u2026<\/a>:<br \/>\n<img decoding=\"async\" src=\"https:\/\/imgs.xkcd.com\/comics\/electric_vs_gas.png\" alt=\"An idling gas engine may be annoyingly loud, but that's the price you pay for having WAY less torque available at a standstill.\" \/><\/li>\n<li>\ud83c\udfa7 I&#8217;ve been looking for an excuse to recommend this podcast for some time, and this recent episode is the perfect opportunity: <a href=\"https:\/\/overcast.fm\/+4MLwQoztE\">Stuff You Should Know: The Big Episode on Wikipedia \u2014 overcast.fm\/\u2026<\/a><\/li>\n<li>\ud83c\udfa7 One for the many GitHub users in our community: <a href=\"https:\/\/overcast.fm\/+HZUfcYF7I\">The Changelog: Securing GitHub (Interview) \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>From <strong>Allison<\/strong>:\n<ul>\n<li>If you think you\u2019re too old to learn \u2026 &#8216;I\u2019ve waited a long time for this\u2019: Woman receives master\u2019s degree from Stanford at 105 years old \u2014 <a href=\"https:\/\/www.wcax.com\/2024\/06\/22\/ive-waited-long-time-this-woman-receives-masters-degree-stanford-105-years-old\/\">wcax.com\/&#8230;<\/a> 
<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>Legend<\/h1>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a><\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Microsoft delays Windows Recall amid privacy and security concerns \u2014 www.bleepingcomputer.com\/\u2026 (Initially only to Windows Insiders AKA beta testers) The scale of the Snowflake breach we discussed last time becomes clearer: Snowflake Breach Exposes [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[6677,50,569,2003],"class_list":["post-31275","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-modern-authentication","tag-security","tag-security-bits","tag-vulnerabilities"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31275","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"
author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=31275"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31275\/revisions"}],"predecessor-version":[{"id":31278,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/31275\/revisions\/31278"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=31275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=31275"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=31275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}