{"id":32923,"date":"2025-01-19T12:08:12","date_gmt":"2025-01-19T20:08:12","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=32923"},"modified":"2025-01-27T05:29:41","modified_gmt":"2025-01-27T13:29:41","slug":"sb-2025-01-19","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2025\/01\/sb-2025-01-19\/","title":{"rendered":"Security Bits \u2014 19 January 2025"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Following on from Apple&#8217;s choice to settle a US class action suit over privacy breaches caused by accidental Siri activations, Apple released a press release confirming my interpretation of the case, and verifying that the more conspiratorial allegations that some media reporting chose to focus on were not true \u2014 <a href=\"https:\/\/www.apple.com\/ie\/newsroom\/2025\/01\/our-longstanding-privacy-commitment-with-siri\/\">www.apple.com\/\u2026<\/a>\n<ul>\n<li>This might be one to bookmark for sharing with worried friends or family who were spooked by some of the more sensationalist reporting on this case by some of the less scrupulous news outlets, or by some of the conspiratorial nonsense on social media.<\/li>\n<li><strong>Related:<\/strong> \ud83e\uddef In case friends or family get scared by this sensationalist nonsense spreading on social media: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/no-siris-learn-from-this-app-setting-is-not-sending-data-from-your-apps-to-third-parties\/\">No, Siri&#8217;s &#8220;Learn from this app&#8221; Setting Is Not Sending Data From Your Apps to Third Parties \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\udde8\ud83c\uddf3 The recent <em>Salt Typhoon<\/em> spate of hacks of Western telecommunications companies by Chinese state actors continues to 
evolve:\n<ul>\n<li>\ud83c\uddfa\ud83c\uddf8 Two more US telcos have been confirmed compromised (Charter &amp; Windstream) \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/charter-and-windstream-among-nine-us-telecoms-hacked-by-china\/\">Chinese hackers also breached Charter and Windstream networks \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fcc-orders-telecoms-to-secure-their-networks-after-salt-tyhpoon-hacks\/\">FCC orders telecoms to secure their networks after Salt Typhoon hacks \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 \ud83c\udde8\ud83c\uddf3 The FBI has followed French law enforcement&#8217;s lead and pro-actively reached in and removed <em>PlugX<\/em> malware infections connected to Chinese state actors from computers in the US \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fbi-wipes-chinese-plugx-malware-from-over-4-000-us-computers\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>These actions were all taken with now un-sealed approval from US courts<\/li>\n<li>The FBI has let US ISPs know which IP addresses were cleaned up so they can inform the affected customers<\/li>\n<li>\ud83c\uddeb\ud83c\uddf7 We covered France taking this dramatic action on the eve of the Paris Olympics last summer<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive 1 \u2014 Data Breach Exposes Illicit Location Tracking via Ad Auctions<\/h2>\n<p><em><strong>TL;DR<\/strong> \u2014 if you see an ad in an <strong>app<\/strong> it can track you, and your only effective defence is avoiding all apps with ads.<\/em><\/p>\n<p>A data breach at a data broker has exposed a nefarious abuse of the real-time bidding system used by ad brokers to sell ad spots in apps. 
This technique allows malicious ad agencies to disregard user preferences and track smartphone users\u2019 locations as they use apps with ads, without the app developers\u2019 awareness, let alone consent. In fact, the ad agencies didn\u2019t even need to win the auctions to steal the data; they just had to bid on the ad slots.<\/p>\n<p>The key to this tracking technique is capturing the data and metadata presented to ad brokers during the auctions. This data includes the name of the app and the IP address of the device running the app. With all the other data these ad brokers have about users, they were able to join the dots and add more or less accurate locations to the profiles they build on users, which they could then sell to location brokers.<\/p>\n<p>Because this is happening within the ad industry\u2019s back-end, no collaboration is required from app developers (other than choosing to embed ads). There are no explicit API calls to the data brokers, and it\u2019s not even that location tracking API calls have been snuck into other useful code libraries. 
From the app\u2019s point of view they\u2019re just sending entirely normal ad placement offers to their ad broker and receiving the ads that win the bid in response.<\/p>\n<p>Because the developers are out of the loop, the leaked data reveals that really major apps are being abused to track users without their consent, including:<\/p>\n<ul>\n<li>CandyCrush<\/li>\n<li>Temple Run<\/li>\n<li>My Fitness Pal<\/li>\n<li>My Period Calendar &amp; Tracker<\/li>\n<li>Tinder<\/li>\n<li>Tumblr<\/li>\n<li>Office365 apps<\/li>\n<li>Yahoo Email<\/li>\n<li>FlightRadar24<\/li>\n<li>Various Christian &amp; Muslim prayer book apps<\/li>\n<li>Many VPN apps<\/li>\n<\/ul>\n<p>The ad companies have no permission or consent to do any of this; they just abuse any and all crumbs of data and metadata they can glean from the massive back-end that powers the modern ad ecosystem to track users anyway.<\/p>\n<h3>How Can we Defend Ourselves?<\/h3>\n<p>Note that <strong>this attack vector is specific to ads in apps<\/strong>, so our existing browser protections and ad blocking plugins are not in play here.<\/p>\n<p>It\u2019s important to underscore the fact that this is happening within the advertising industry\u2019s back-end, not on user devices, so things like iOS App Tracking Transparency and App Store review processes can\u2019t stop this (at least not with anything short of OS-level blocking of all connections to ad-related IP addresses, which is not practical or realistic!)<\/p>\n<p>That said, <strong>iOS can dent the effectiveness of these attacks using App Tracking Transparency<\/strong> because when you ask an app not to track, the OS stops the app from using the location services API to add explicit location data to the ad metadata, limiting the malicious trackers to approximate location data inferred from your IP address.<\/p>\n<p>At this stage we simply have to <strong>assume that every ad we see in any app is an opportunity for hostile actors to track us<\/strong>, so the best we can do 
is avoid all in-app ads by not using apps that monetise with ads, or upgrading to ad-free versions with in-app purchases or paid memberships\/subscriptions.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>A nice short summary: <a href=\"https:\/\/appleinsider.com\/articles\/25\/01\/10\/advertisers-are-hijacking-apps-to-beat-apple-and-developers-privacy-efforts\">Advertisers are hijacking apps to beat Apple and developers&#8217; privacy efforts \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>A detailed report: <a href=\"https:\/\/www.wired.com\/story\/gravy-location-data-app-leak-rtb\/\">Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location \u2014 www.wired.com\/\u2026<\/a><\/li>\n<li>An important observation: <a href=\"https:\/\/www.cultofmac.com\/news\/location-data-breach\">Why the latest location data leak won\u2019t hit iPhone users as hard \u2014 www.cultofmac.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 2 \u2014 A Massive New Password Leak and an Important New Feature in Have I Been Pwned (HIBP)<\/h2>\n<p>Data stealer malware is on the rise, and one of the kinds of data these malicious tools steal is login information. By various means including keyboard loggers, scans of files, and browser hacks, attackers build up databases of website, email address, and password records, which they can then sell on the dark web.<\/p>\n<p>Like all organisations, cybercrime gangs make mistakes, so from time to time these databases of stolen passwords leak. That happened recently when 71 million login credentials were leaked to Troy Hunt&#8217;s <a href=\"https:\/\/haveibeenpwned.com\/PwnedWebsites#StealerLogsJan2025\">Have-I-Been-Pwned<\/a> service.<\/p>\n<p>The problem for Troy was that this new type of data breach didn&#8217;t fit nicely into HIBP&#8217;s original design. The service was designed to let people know when a specific website lost their details, so each breach was tied to a single website implicitly. 
If you were in one of the LinkedIn breaches then it was your LinkedIn account that was compromised!<\/p>\n<p>Stealer logs break this one-to-one mapping between websites and data breaches. Knowing that an account with your email address was included in a database of username and password pairs for millions of sites is not really that useful; the obvious next question has to be <em>&#8220;on what sites?&#8221;<\/em>!<\/p>\n<p>That&#8217;s the problem HIBP have just addressed with a new set of related features for individuals and organisations:<\/p>\n<ul>\n<li><strong>Individuals<\/strong> can now see the websites their email address was associated with in any stealer logs added to HIBP. This new functionality has simply been added to the existing <strong>free<\/strong> report anyone can get for an email address they have access to \u2014 simply request a report for your email address, complete the ownership verification challenge, and see just how pwned your address is \ud83d\ude42<\/li>\n<li><strong>Organisations<\/strong> with <strong>paid subscriptions<\/strong> (not the free up-to-10-compromised-users tier) can access this updated information via a new API end-point for all email addresses on all domains they have proven ownership of and added to their accounts.<\/li>\n<\/ul>\n<p>If you haven&#8217;t done so already, I&#8217;d recommend signing up for free breach notifications on your primary email address or addresses using the <em>Notify Me<\/em> button on the banner at the top of the <a href=\"https:\/\/haveibeenpwned.com\">Have-I-Been-Pwned home page<\/a>. 
While you&#8217;re there you might want to see your current report by entering your address into the giant big search box at the top of this page.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>Troy Hunt&#8217;s explanation of why HIBP needed this new feature, and how it works \u2014 <a href=\"https:\/\/www.troyhunt.com\/experimenting-with-stealer-logs-in-have-i-been-pwned\/\">www.troyhunt.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li>January Microsoft Patch Tuesday has been and gone, and it was a big one!\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-january-2025-patch-tuesday-fixes-8-zero-days-159-flaws\/\">Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2025\/01\/microsoft-happy-2025-heres-161-security-updates\/\">Microsoft: Happy 2025. 
Here\u2019s 161 Security Updates \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/isc.sans.edu\/diary\/rss\/31590\">Microsoft January 2025 Patch Tuesday \u2014 isc.sans.edu\/\u2026<\/a><\/li>\n<li><strong>Related:<\/strong> The patches include a fix for this nasty bug with Windows: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-uefi-secure-boot-flaw-exposes-systems-to-bootkits-patch-now\/\">New UEFI Secure Boot flaw exposes systems to bootkits, patch now \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><strong>Owners of Samsung Android devices<\/strong>, be sure you&#8217;re patched \u2013 Google&#8217;s Project Zero have released the details of a nasty zero-day they found and responsibly disclosed which was patched in December 2024 \u2014 <a href=\"https:\/\/thehackernews.com\/2025\/01\/google-project-zero-researcher-uncovers.html\">thehackernews.com\/\u2026<\/a><\/li>\n<li><strong>Mac users<\/strong> should double-check they&#8217;re fully patched, Microsoft have released details of a bug they responsibly disclosed to Apple which was patched in December: <a href=\"https:\/\/appleinsider.com\/articles\/25\/01\/15\/macos-flaw-that-allowed-attackers-to-bypass-core-system-protections-is-now-fixed\">macOS flaw that allowed attackers to bypass core system protections is now fixed \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><strong>Listeners running an rsync server<\/strong> (most likely on a NAS, Linux VM or Linux VPS) beware: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/over-660-000-rsync-servers-exposed-to-code-execution-attacks\/\">Over 660,000 Rsync servers exposed to code execution attacks \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>Cybersecurity experts are warning of a 
<strong>new tactic being used in smishing<\/strong> (phishing over SMS) attacks to trick <strong>iPhone<\/strong> users into <strong>disabling a security feature<\/strong> in the Messages app \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/phishing-texts-trick-apple-imessage-users-into-disabling-protection\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>To fight phishing, Apple&#8217;s messages app disables links in messages coming from people that you&#8217;ve not interacted with before<\/li>\n<li>These new phishing attacks tell users to reply <code>Y<\/code> and then click the link<\/li>\n<li>The act of replying with anything at all is interaction, and that will remove the link block<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 US Tax Payers Pay Heed: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/scammers-file-first-get-your-irs-identity-protection-pin-now\/\">Scammers file first \u2014 Get your IRS Identity Protection PIN now \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <strong>US drivers<\/strong> take note:\n<ul>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/legal\/allstate-car-insurer-sued-for-tracking-drivers-without-permission\/\">Allstate car insurer sued for tracking drivers without permission \u2014 www.bleepingcomputer.com\/\u2026<\/a> (suit filed by the Texas Attorney General)<\/li>\n<li>&#8220;Allstate collected trillions of miles worth of location data from over 45 million consumers nationwide and used the data to create the world\u2019s largest driving behavior database \u2026 When a consumer requested a quote or renewed their coverage, Allstate and other insurers would use that consumer\u2019s data to justify increasing their car insurance premium.&#8221; \u2014 Court Filings<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/legal\/ftc-orders-gm-to-stop-collecting-and-selling-drivers-data\/\">FTC orders GM to stop collecting and selling 
driver\u2019s data \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>OnStar was collecting driver behaviour and location data every 3 seconds and sending it to insurance companies without informed consent from users<\/li>\n<li>This data was used by insurance companies to raise premiums and even deny some drivers cover<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>\ud83e\uddef Security researchers have found a critical vulnerability in a proprietary USB-C controller Apple use in many of their devices. But, at least for now, attacks are not practical, so there&#8217;s nothing regular users need to do \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/25\/01\/13\/usb-c-vulnerability-could-result-in-new-iphone-jailbreak-techniques?utm_medium=rss\">appleinsider.com\/\u2026<\/a>\n<ul>\n<li>As the bug is now known, Apple are likely to at least try to patch it<\/li>\n<li>It&#8217;s possible additional weaknesses or exploit techniques will be discovered, making this a real concern for regular users in the future, and if that happens we&#8217;ll flag that in a future Security Bits<\/li>\n<li>For now, the most likely outcome may be new tethered iPhone jailbreaks<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 The US government has launched the <em>US Cyber Trust Mark<\/em> smart device certification promised in 2023 \u2014 <a href=\"https:\/\/thehackernews.com\/2025\/01\/eu-commission-fined-for-transferring.html\">thehackernews.com\/\u2026<\/a> (cybersecurity baseline for internet-connected devices)\n<ul>\n<li><em>Consumers can scan the QR code included next to the Cyber Trust Mark labels for additional security information, such as instructions on changing the default password, steps for securely configuring the device, details on automatic updates (including how to access them if they are not automatic), the product&#8217;s minimum support period, and a notification if the manufacturer does not offer updates for the 
device.<\/em><\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/biden-signs-executive-order-to-bolster-national-cybersecurity\/\">Biden signs executive order to bolster national cybersecurity \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>Boring but important basics to give US government agencies more tools for fighting back, including sanctioning malicious attack groups<\/li>\n<li>Not a new order but an update to an existing order from the Obama administration \u2014 not controversial, so unlikely to be rolled back by the new administration<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ftc-sues-godaddy-for-years-of-poor-hosting-security-practices\/\">FTC orders GoDaddy to fix poor web hosting security practices \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/p>\n<\/li>\n<li>\n<p>\ud83c\uddee\ud83c\uddf3 India moves closer to becoming the next major market to pass broad data protection laws with the opening up for public comment of the proposed <em>Digital Personal Data Protection<\/em> (DPDP) Rules \u2014 <a href=\"https:\/\/thehackernews.com\/2025\/01\/india-proposes-digital-data-rules-with.html\">thehackernews.com\/\u2026<\/a> (quite GDPR-like all in all, laying out responsibilities for those holding personal data)<\/p>\n<\/li>\n<\/ul>\n<h2>Top Tips<\/h2>\n<aside class=\"small-aside\">Tips, tricks, or advice that is likely to be useful to the NosillaCast audience or the family members and friends whose IT they support.<\/aside>\n<ul>\n<li>Given some recent moderation changes and the general state of polarisation ATM, you might be in the mood to start the new year with a few fewer social media accounts: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/how-to-delete-your-social-media-accounts-facebook-instagram-youtube-twitter-and-more\/\">How to Delete Your Social Media Accounts: Facebook, X, Instagram, TikTok, and More 
\u2014 www.intego.com\/\u2026<\/a>\n<ul>\n<li><strong>Note from Bart:<\/strong> I recommend not actually deleting accounts unless they are completely anonymous, but going dormant by simply removing the app from your home screens and disabling notifications. You don&#8217;t want others to be able to steal your digital identity by re-creating an account with the same username!<\/li>\n<li><strong>Related:<\/strong> Mastodon have formally moved their copyrights, other intellectual property, and other assets into a European non-profit (making sure the Mastodon creator Eugen Rochko can&#8217;t <em>do a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Matt_Mullenweg\">Mullenweg<\/a><\/em> and get Mastodon into the kind of <a href=\"https:\/\/techcrunch.com\/2025\/01\/12\/wordpress-vs-wp-engine-drama-explained\/\">mess WordPress is now in<\/a>) \u2014 <a href=\"https:\/\/blog.joinmastodon.org\/2025\/01\/the-people-should-own-the-town-square\/\">blog.joinmastodon.org\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/the-mac-and-iphone-malware-of-2024-and-what-to-expect-in-2025\/\">The Mac and iPhone malware of 2024\u2014and what to expect in 2025 \u2014 www.intego.com\/\u2026<\/a>\n<ul>\n<li>More stealer malware as it seems to have been profitable for cybercriminals in 2024<\/li>\n<li>More fraudulent apps sneaking into the official Apple &amp; Google app stores, or bypassing them completely by side loading\/3rd-party stores, especially in Europe<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>From Nosillacastaway <strong>Jonathan Wessler<\/strong> on <a href=\"https:\/\/podfeet.com\/slack\">Slack<\/a>: <a 
href=\"https:\/\/eieio.games\/blog\/1Crossword\/\">1Crossword: crosswords for your password manager \u00b7 eieio.games \u2014 eieio.games\/\u2026<\/a><\/li>\n<li><strong>From Bart:<\/strong> the fascinating story of how the first version of the Dock came into being 25 years ago \u2013 turns out it was written by <a href=\"https:\/\/pcalc.com\">James Thompson of PCalc<\/a> fame from Cork in Ireland while he and his manager were pretending to Steve Jobs that he&#8217;d moved to California: <a href=\"https:\/\/tla.systems\/blog\/2025\/01\/04\/i-live-my-life-a-quarter-century-at-a-time\/\">I Live My Life a Quarter Century at a Time \u2014 tla.systems\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td 
align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Following on from Apple&#8217;s choice to settle a US class action suit over privacy breaches caused by accidental Siri activations, Apple released a press release confirming my interpretation of the case, and verifying that 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[6921,2822,6922],"class_list":["post-32923","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-ad-tracking","tag-data-breach","tag-hibp"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/32923","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=32923"}],"version-history":[{"count":10,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/32923\/revisions"}],"predecessor-version":[{"id":32976,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/32923\/revisions\/32976"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=32923"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=32923"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/
\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=32923"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}