Lit Apple Mac, iPhone, iPad User Group

These email apps are scraping information from your inbox and selling the data for a

Apps such as Edison Mail are gathering data under the guise of providing personalized features, but then turn around and sell this information to advertisers and big business.







Two years after it was revealed that Google allows third-party companies to read the emails in users' Gmail accounts, more apps have been found to be doing the same when used with any email account.

The best-known of these is Edison Mail, which is an email client for both Mac and iOS. It has time-saving features such as providing one-click buttons for the people users most often email. Similarly to how iOS provides suggested next-word responses, Edison Mail prompts users with complete and appropriate canned responses.

Edison Mail's developers have been clear that this is achieved by parsing users' emails to build these lists, and offer relevant automatic responses. However, it has not said that it then uses that data for its own profit.

According to research, the Edison Mail company sells products to finance, travel and e-commerce customers that are derived from scraping users' emails.

Edison's website explicitly states that data is collected from users, and it extensively details all the uses that users agree to by signing up to the service. At no point, however, does it say that it will sell this data.

It does refer repeatedly to service providers that it calls "partners."

"These service providers are authorized to use your information only as necessary to provide their services to us," it says.

A document obtained from the JP Morgan financial services company says that data is bought from Edison for the purpose of helping companies make investment decisions.

The document reportedly refers explicitly to Edison Mail as the source of data.

"[The data features] consumer purchase metric including brand loyalty, wallet share, purchase preferences etc," it says.



Edison has not responded to questions. However, after publication of that research, Edison has released an updated blog about its working practices.

"To keep our Edison Mail app free, and to protect your privacy by rejecting an advertising-based business model," it says, "our company Edison Software, measures e-commerce through a technology that automatically recognizes commercial emails and extracts anonymous purchase information from them. Our technology is designed to ignore personal and work email, which does not help us measure market trends."

"We do not participate in any ad targeting of our users and do not allow others to do ad targeting of our users," it continues.

The research also reveals that email add-on services including Slice and Cleanfox sell data products to corporate clients based on users' emails. Cleanfox's parent company, Foxintelligence.

"From a higher perspective, we believe crowd-sourced transaction data has a transformational power both for consumers and for companies and that a marketplace where value can be created for both sides without making any compromise on privacy is possible," Florian Cleyet-Merle, Foxintelligence Chief Operating Officer said.
 
Mac malware outpaced Windows PCs threats for first time in 2019, report says

According to a report from Malwarebytes, the number of malware threats detected on Mac endpoints outpaced those targeting Windows PCs for the first time in 2019, with adware accounting for a bulk of all detected threats.







In its annual State of Malware Report, antivirus software maker Malwarebytes tracked a more than 400% increase in detected Mac malware on a year-over-year basis.

Tallying up threat detections on a per endpoint basis, calculus applied to account for growth in the number of Macs running Malwarebytes software, the firm found 11 threats per Mac endpoint in 2019, up from 4.8 in 2018. By comparison, results show an average of 5.8 threats detected per Windows endpoint over the same period.

The report speculates Macs are quickly becoming a sweet target for cybercriminals due to increased marketshare, though recent industry estimates show Apple's slice of the market shrank over the past two quarters.

Perhaps more likely is a notable increase in fringe software. Malwarebytes notes Apple's standard macOS security safeguards are more focused on thwarting serious malware than "borderline" adware and potentially unwanted programs (PUPs), allowing the latter two families to propagate at speed.

"Macs differ drastically from Windows in terms of the types of threats seen," the report reads. "Where we found several different categories and families in our top detections of Windows threats that classify as traditional malware, especially those aimed at businesses, most Mac threats, and certainly the most prevalent ones of 2019, are families of adware and potentially unwanted programs (PUPs)."

Indeed, the most prevalent Mac threat, NewTab, is a particularly insidious family of adware that was detected nearly 30 million times in 2019. PCVARK, a PUP that took third place on cross-platform detections, ranked second in the Mac category with almost as many detections as NewTab during the same period.

MacKeeper, an infamous system "cleaning" program that was previously No. 1 on Malwarebytes' list of top Mac detections, fell to the third spot, while fellow PUPs JDI and MacBooster took fourth and fifth, respectively.

The top "traditional malware," sometimes defined as a backdoor, cryptominer or spyware, was OSX.Generic.Suspicious, a group of files that exhibited similar malicious behavior. OSX.Generic.Suspicious and scam-enabling software FakeFileOpener both topped 300,000 detections in 2019.

Despite the growing number of malware detections, at least as discovered on Malwarebytes' platform, Mac is still a safe environment as long as users remain conscious of bad actors. As noted in the report, all but one malware incident in 2019 involved duping users into downloading and opening offending software. The lone vulnerability that impacted Mac, according to Malwarebytes, was a Firefox zero-day targeting cryptocurrency companies.
 
Ex-Apple designers detail how the original iPad was created

Bethany Bongiorno and Imran Chaudhri worked on the first iPad back in 2010. Now having left Apple, they've revealed how Steve Jobs drove the teams and what they were surprised by in that original iPad.




Imran Chaudhri (left) and Bethany Bongiorno (right) with the original iPad they worked on (inset)



Now partners in the technology firm Humane, Bethany Bongiorno and Imran Chaudhri were deeply involved in the creation of the first iPad. Bongiorno joined Apple in time to become software engineering director for the iPad project, while Chaudhri is credited with the user interface of the iPhone.

"Steve had this pet project that he was really excited about," Bongiorno told Input magazine. "[It] would be a small team to build this new project codenamed K48. K48 was hardware and Wildcat was the codename for the software. They asked me to lead that initiative, to build the engineering team and to lead the effort for the K48 project, which ultimately became the iPad."

"I think what we originally envisioned was designed as a consumption device," says Chaudhri. "One of the things that Steve had in his, like, mini-brief for it was 'I really want to be able to use this for mail while sitting on the toilet' and that level of consumption and ease was something that went into us wanting it to replace your newspaper and wanting it to replace the books in your life."

Bongiorno and Chaudhri say that what became the iPad was originally worked on much earlier than generally believed. While it's well known now that the iPad efforts predated the iPhone, the designers say it began with a plan to make a multi-touch Mac.




"The story of the iPad goes way back beyond before the phone," says Chaudhri. "It started out as this project called Q79. Q79 was the product that was built around multitouch exploration... At the time, it was looking at bringing a multitouch screen to a Macintosh laptop. Specifically the iBook, at the time."

"It turned out that was a really, really expensive endeavor," he continues, "and it just wasn't really going to be successful for Apple to build a super expensive computer coming off of having released the Cube, which didn't do well. We kind of pulled away from that effort and focused on a much smaller thing, which was the phone."

That original aim was not forgotten, however, and the idea of a desktop computer with multi-touch influenced how the iPad was created.

"When we resurrected the iPad," says Chaudhri, "we knew that it was always designed as a computer and it was literally the perfect playground for multitouch. The phone was the first delivery mechanism but we always knew that we wanted a desktop class face to run applications for multitouch."



The iPad went through countless redesigns. "There were a lot of things that weren't working as we were building it that we completely threw out, fully implemented designs that we had started with, to redefine, and redefine, and redevelop as we were doing it," says Bongiorno.

Even so, it is only when you see customers using a product that you know what is working. Bongiorno says she was surprised to find customers taking photographs with the camera in this large device.

"We actually didn't believe that people would walk around taking pictures with their iPad. It was actually a funny internal conversation when we started seeing people outside taking their iPad with them and taking photos on vacation," she says.





The original iPad from 2010



"I remember very clearly at the 2012 Olympics in London," says Chaudhri, "if you looked around the stadium, you saw a lot of people using an iPad as a camera and generally that was people that just needed to have a bigger viewfinder for vision reasons, etc. Then seeing that, we went back in and redesigned the camera experience on the iPad."

The two are able to recount their iPad stories since they have left Apple to found their new Humane company. They both say that their decision to leave was the desire to form this new firm rather than anything at Apple. However, Input did ask them about the change when Steve Jobs died and Tim Cook took over.

Chaudhri chose to praise Tim Cook's charitable efforts. "I think one of the things I love a lot about Tim's passions is his passion for philanthropy and giving back to a community," he says. "In Steve's days, Apple wasn't as well off, so that wasn't something that was a focus for Steve. But I think the way Tim is doing that is incredibly remarkable. I hope it continues."





Steve Jobs reveals the iPad



Bongiorno equally praises Cook, but does say the company has changed since he replaced Jobs.

"There's no doubt that Tim has built a very successful company and has brought a lot of wealth to Apple shareholders and to the company overall," she says, "and I think that's a testament to the fact that he is the best in the world at operations is he's incredibly innovative on operations."

"But his specialty and his skill set is not in building innovative products, right?" she continues. "Product definition and product development. I think that's something that is just a fact of the change in leadership between him and Steve and the kinds of things that Steve really cared about versus the things that Tim really cares about."

"And I think for people like us who are, you know, really on the creative side and really want to push things," she concludes, "that was definitely more in line with Steve's mission than it was Tim's."
 
Bethany Bongiorno and Imran Chaudhri worked on the first iPad back in 2010. Now having left Apple, they've revealed how Steve Jobs drove the teams and what they were surprised by in that original iPad.

That was really interesting, thanks Sandy. I don't go anywhere without my iPad. My companion everywhere. Mine is an iPad 4, now 6+ years old. Last year I went in to an Apple store and invited the sales person to sell me on a newer model. We wound up agreeing that for the things for which I use it, the iPad 4 is perfectly adequate.

Still works great, although I sense it is starting to lose charge faster than in earlier years. And it is limited to iOS 10.3.4, whereas some of my apps now require iOS 11 or higher, so that may eventually force me to a later model. But so far so good.

I had to buy a replacement Smart Cover last year and had to go to eBay to find one!
 
500 Chrome extensions secretly uploaded private data

USER BEWARE —
500 Chrome extensions secretly uploaded private data from millions of users
Extensions were part of a long-running ad-fraud and malvertising network.








More than 500 browser extensions downloaded millions of times from Google’s Chrome Web Store surreptitiously uploaded private browsing data to attacker-controlled servers, researchers said on Thursday.

The extensions were part of a long-running malvertising and ad-fraud scheme that was discovered by independent researcher Jamila Kaya. She and researchers from Cisco-owned Duo Security eventually identified 71 Chrome Web Store extensions that had more than 1.7 million installations. After the researchers privately reported their findings to Google, the company identified more than 430 additional extensions. Google has since removed all known extensions.

“In the case reported here, the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users,” Kaya and Duo Security researcher Jacob Rickerd wrote in a report. “This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users’ knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms.”


A maze of redirects, malware, and more

The extensions were mostly presented as tools that provided various promotion- and advertising-as-a-service utilities. In fact, they engaged in ad fraud and malvertising by shuffling infected browsers through a maze of sketchy domains. Each plugin first connected to a domain that used the same name as the plugin (e.g.: Mapstrek[.]com or ArcadeYum[.]com) to check for instructions on whether to uninstall themselves.

The plugins then redirected browsers to one of a handful of hard-coded control servers to receive additional instructions, locations to upload data, advertisement feed lists, and domains for future redirects. Infected browsers then uploaded user data, updated plugin configurations, and flowed through a stream of site redirections.



Thursday’s report continued:
The user regularly receives new redirector domains, as they are created in batches, with multiple of the earlier domains being created on the same day and hour. They all operate in the same way, receiving the signal from the host and then sending them to a series of ad streams, and subsequently to legitimate and illegitimate ads. Some of these are listed in the “End domains” section of the IOCs, though they are too numerous to list.



Many of the redirections led to benign ads for products from Macy’s, Dell, and Best Buy. What made the scheme malicious and fraudulent was (a) the large volume of ad content (as many as 30 redirects in some cases), (b) the deliberate concealment of most ads from end users, and (c) the use of the ad redirect streams to send infected browsers to malware and phishing sites. Two malware samples tied to the plugin sites were:

  • ARCADEYUMGAMES.exe, which reads terminal service related keys and accesses potentially sensitive information from local browsers, and

  • MapsTrek.exe, which has the ability to open the clipboard

All but one of the sites used in the scheme weren’t previously categorized as malicious or fraudulent by threat intelligence services. The exception was the state of Missouri, which listed DTSINCE[.]com, one of the handful of hard-coded control servers, as a phishing site.

The researchers found evidence that the campaign has been operating since at least January 2019 and grew rapidly, particularly from March through June. It’s possible the operators were active for a much longer period, possibly as early as 2017.

While each of the 500 plugins appeared to be different, all contained almost identical source code, with the exception of the function names, which were unique. Kaya discovered the malicious plugins with the help of CRXcavator, a tool for assessing the security of Chrome extensions. It was developed by Duo Security and was made freely available last year. Almost none of the plugins have any user ratings, a trait that left the researchers unsure of precisely how the extensions got installed. Google thanked the researchers for reporting their findings.


Beware of extensions

This latest discovery comes seven months after a different independent researcher documented browser extensions that lifted browsing histories from more than 4 million infected machines. While the vast majority of installations affected Chrome users, some Firefox users also got swept up. Nacho Analytics, the company that aggregated the data and openly sold it, shut down following the coverage of the operation.

Thursday’s report has a list of 71 malicious extensions, along with their associated domains. Following a long practice, Google didn’t identify any of the extensions or domains it found in its own investigation. Computers that had one of the plugins received a popup notification that said it had been "automatically disabled." People who followed a link got a red warning that said: "This extension contains malware."

The discovery of more malicious and fraudulent browser extensions is a reminder that people should be cautious when installing these tools and use them only when they provide true benefit. It’s always a good idea to read user reviews to check for reports of suspicious behavior. People should regularly check for extensions they don’t recognize or haven’t used recently and remove them.






Sandy comment -
Uh, how can a company that in its most recently reported fiscal year (Feb 5, 2020) had revenue of 160.74 billion US dollars, a market capitalization of 741 billion U.S. dollars, and 118,899 full-time employees (not including part-time employees or contractors) not catch this themselves? It's even their own on-line store and web browser. They don't care?


Tomorrow I want to post browser extensions that lifted browsing histories from more than 4 million infected machines.



https://www.statista.com/statistics/266206/googles-annual-global-revenue/
https://www.statista.com/statistics/273744/number-of-full-time-google-employees/
 
Last edited:
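The report's advice above is to look for extensions you don't recognize and remove them. As an added example (this is not code from the Duo Security/Ars report or from any of the extensions it names), here is a small Python audit that walks an unpacked Chrome extension tree, reads each manifest.json and flags the grants that let an extension see or redirect every page the user visits, which is the capability the extensions in the report relied on. The three manifests are constructed samples; the permission names and the `<id>/<version>/manifest.json` layout are Chrome's real conventions, and the macOS profile path in the comment is Chrome's default location.

```python
"""Audit unpacked Chrome extension manifests for broad data-access grants.

Added example, not code from the report or from any named extension: walks
an extension directory tree, reads each manifest.json, and flags permission
grants that would let an extension read or redirect every page visited.
"""
import json
import os
import tempfile

# API permissions that expose browsing activity or allow request tampering.
RISKY_PERMISSIONS = {
    "tabs", "history", "webRequest", "webRequestBlocking",
    "webNavigation", "cookies", "<all_urls>",
}
# Host-permission / content-script match patterns that cover every site.
ALL_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def risky_grants(manifest):
    """Return the set of risky permission or host grants in one manifest."""
    declared = set(manifest.get("permissions", []))
    declared |= set(manifest.get("host_permissions", []))  # Manifest V3 key
    flagged = {p for p in declared if p in RISKY_PERMISSIONS}
    flagged |= {p for p in declared if p in ALL_HOST_PATTERNS}
    # A content script injected into every page sees all page content too.
    for cs in manifest.get("content_scripts", []):
        flagged |= {m for m in cs.get("matches", []) if m in ALL_HOST_PATTERNS}
    return flagged


def audit_extensions(root):
    """Scan <root>/<ext_id>/<version>/manifest.json under root.

    Returns {ext_id: {"name": ..., "flags": sorted list}} for every
    extension that declares at least one risky grant.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue  # not a valid manifest; skip rather than crash
        flags = risky_grants(manifest)
        if flags:
            # The extension id is the directory directly under root.
            ext_id = os.path.relpath(dirpath, root).split(os.sep)[0]
            report[ext_id] = {"name": manifest.get("name", "?"),
                              "flags": sorted(flags)}
    return report


# --- constructed sample manifests (not real extensions) ------------------
SAMPLE_MANIFESTS = {
    "aaaa-example-benign": {
        "name": "Example Zoom Helper", "manifest_version": 3,
        "permissions": ["activeTab"],
        "content_scripts": [{"matches": ["https://example.com/*"], "js": ["a.js"]}],
    },
    "bbbb-example-promo": {
        "name": "Example Promo Tool", "manifest_version": 2,
        "permissions": ["tabs", "webRequest", "storage", "<all_urls>"],
    },
    "cccc-example-injector": {
        "name": "Example Page Injector", "manifest_version": 3,
        "permissions": ["storage"],
        "host_permissions": ["*://*/*"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
    },
}


def build_sample_tree():
    """Write the sample manifests to a temp dir laid out like Chrome's
    Extensions folder (<id>/<version>/manifest.json); return its path."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        d = os.path.join(root, ext_id, "1.0_0")
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    # On macOS the real tree is under
    # ~/Library/Application Support/Google/Chrome/Default/Extensions
    for ext_id, info in audit_extensions(build_sample_tree()).items():
        print(f"{ext_id}: {info['name']} -> {', '.join(info['flags'])}")
```

Point `audit_extensions` at the real profile directory instead of the sample tree to get the list for your own browser; a flag is a reason to look at the extension, not proof of abuse, since legitimate tools such as ad blockers need the same grants.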
Don't trust extensions —

This is quite long. Still working on removing parts prior to posting in pieces.



My browser, the spy: How extensions slurped up browsing histories from 4M users

Have your tax returns, Nest videos, and medical info been made public?







When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people’s browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head.

DataSpii begins with browser extensions—available mostly for Chrome but in more limited cases for Firefox as well—that, by Google's account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as “God mode for the Internet” and uses the tag line “See Anyone’s Analytics Account.”

Web histories may not sound especially sensitive, but a subset of the published links led to pages that are not protected by passwords—but only by a hard-to-guess sequence of characters (called tokens) included in the URL. Thus, the published links could allow viewers to access the content at these pages. (Security practitioners have long discouraged the publishing of sensitive information on pages that aren't password protected, but the practice remains widespread.)

According to the researcher who discovered and extensively documented the problem, this non-stop flow of sensitive data over the past seven months has resulted in the publication of links to:

  • Home and business surveillance videos hosted on Nest and other security services

  • Tax returns, billing invoices, business documents, and presentation slides posted to, or hosted on, Microsoft OneDrive, Intuit.com, and other online services

  • Vehicle identification numbers of recently bought automobiles, along with the names and addresses of the buyers

  • Patient names, the doctors they visited, and other details listed by DrChrono, a patient care cloud platform that contracts with medical services

  • Travel itineraries hosted on Priceline, Booking.com, and airline websites

  • Facebook Messenger attachments and Facebook photos, even when the photos were set to be private.

In other cases, the published URLs wouldn’t open a page unless the person following them supplied an account password or had access to the private network that hosted the content. But even in these cases, the combination of the full URL and the corresponding page name sometimes divulged sensitive internal information. DataSpii is known to have affected 50 companies, but that number was limited only by the time and money required to find more. Examples include:

  • URLs referencing teslamotors.com subdomains that aren’t reachable by the outside Internet. When combined with corresponding page titles, these URLs showed employees troubleshooting a “pump motorstall fault,” a “Raven front Drivetrain vibration,” and other problems. Sometimes, the URLs or page titles included vehicle identification numbers of specific cars that were experiencing issues—or they discussed Tesla products or features that had not yet been made public. (See image below)

  • Internal URLs for pharmaceutical companies Amgen, Merck, Pfizer, and Roche; health providers AthenaHealth and Epic Systems; and security companies FireEye, Symantec, Palo Alto Networks, and Trend Micro. Like the internal URLs for Tesla, these links routinely revealed internal development or product details. A page title captured from an Apple subdomain read: "Issue where [REDACTED] and [REDACTED] field are getting updated in response of story and collection update APIs by [REDACTED]"

  • URLs for JIRA, a project management service provided by Atlassian, that showed Blue Origin, Jeff Bezos’ aerospace manufacturer and sub-orbital spaceflight services company, discussing a competitor and the failure of speed sensors, calibration equipment, and manifolds. Other JIRA customers exposed included security company FireEye, BuzzFeed, NBCdigital, AlienVault, CardinalHealth, TMobile, Reddit, and UnderArmour.



So as not to gunk up this post, these images are referenced and are included as links


[URL="https://cdn.arstechnica.net/wp-content/uploads/2019/07/tesla2-1440x759.png"]DataSpii revealing Raven in late March, about a week before it became widely known as a Tesla code name.[/URL]

The history of Tesla pages being opened.

Trend Micro project management issues from a non-public domain.

Symantec was exposed by DataSpii as well.

Project management issues from a non-public FireEye domain.

Browsing data published for Blue Origin showing project management items and non-public subdomains.

Atlassian domains.


One of thousands of mailers showing the names and addresses of car buyers, along with how many more payments they had left and the identification numbers of their vehicles.

Travel itineraries containing passengers' full names and email addresses are a common DataSpii occurrence.



Altering the deal

The data collected by these extensions is not fixed; a simple update can drastically alter what they harvest—and where it goes. In recent weeks, both Hover Zoom and SpeakIt! started collecting all hyperlinks contained in a visited page. This was not a small matter, as Google figures showed that the two extensions collectively had as many as 2.2 million users.

The extensions, forensic testing showed, then uploaded this data to pnldsk.adclarity.com, a subdomain owned by AdClarity, an Israel-based maker of marketing intelligence tools. (There's no evidence that these hyperlinks collected by Hover Zoom and SpeakIt! were published by, or even shared with, Nacho Analytics.)

The security and privacy consequences of such data collection are alarming, because hyperlinks inside visited pages often divulge highly sensitive data, especially when the pages are viewable only inside a private network.

“This means if you are an IT Admin with Hover Zoom [installed on your browser], and you visit your firewall page, the extension will collect not just the URL to the firewall page, but it will also collect the links and resources that exist within the page content as well,” Jadali said. “A single page visit can result in the collection of the entire site map of the firewall system.”

AdClarity said that it did collect the data. The company "signed a deal with an aggregator and wasn’t exposed to the actual extensions that our plugin was deployed into," a spokesperson wrote. "It’s actually the first time we see the extension names."

The company claims that the data was collected as part of a trial to survey online ads "displayed to real users" in order to enhance the accuracy of ad delivery and targeting. AdClarity insists that it employs "a very strict privacy and compliance program which every partner must sign and officially commit for" and that it has no interest in personal data on individuals. The trial project, the company says, "failed to work and we have cancelled our contract with this provider early on in the process, before you even approached us, and no longer work with them."





Think there will be four more parts.
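Two things in the article above make a leaked browsing history dangerous: URLs that stand in for a password with a hard-to-guess token, and internal hostnames whose page titles describe unreleased work. As an added example (not from the article and not Jadali's own tooling), here is a Python audit that runs over history-like records of URL plus page title and flags the entries that would expose access or internal context if an extension uploaded them. The records, hostnames and tokens are all constructed; the entropy threshold, token length and internal-suffix list are assumptions to tune for your own environment.

```python
"""Flag browsing-history entries that would leak access or internal context.

Added example, not from the DataSpii report: a URL is flagged when a path
segment or query value looks like a capability token (long, token
characters only, high per-character entropy) or when the host uses an
internal naming suffix. Thresholds and suffixes are assumptions.
"""
import math
import re
from urllib.parse import parse_qsl, urlsplit

INTERNAL_SUFFIXES = (".internal", ".corp", ".local", ".lan")  # assumption
MIN_TOKEN_LEN = 16        # shorter strings are rarely capability tokens
MIN_ENTROPY_BITS = 3.5    # per-character Shannon entropy threshold
TOKEN_CHARS = re.compile(r"^[A-Za-z0-9_\-]+$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_token(s):
    """True for a long run of token characters with high entropy."""
    return (len(s) >= MIN_TOKEN_LEN
            and TOKEN_CHARS.match(s) is not None
            and shannon_entropy(s) >= MIN_ENTROPY_BITS)


def classify(url):
    """Return the reasons a URL would be sensitive in a leaked history."""
    parts = urlsplit(url)
    reasons = []
    host = (parts.hostname or "").lower()
    if host.endswith(INTERNAL_SUFFIXES):
        reasons.append("internal-host")
    # One flag per URL for the path; the first token segment is enough.
    if any(looks_like_token(seg) for seg in parts.path.split("/")):
        reasons.append("token-in-path")
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if looks_like_token(val):
            reasons.append(f"token-in-query:{key}")
    return reasons


def audit_history(records):
    """records: iterable of (url, title). Returns [(url, title, reasons)]
    for the entries that would expose something if uploaded."""
    flagged = []
    for url, title in records:
        reasons = classify(url)
        if reasons:
            flagged.append((url, title, reasons))
    return flagged


# --- constructed history records (hosts, tokens and titles are made up) --
SAMPLE_HISTORY = [
    ("https://news.example.com/2020/02/story", "Story | Example News"),
    ("https://share.example-drive.com/s/9fKq2ZxLp7vTr4WcM1bDn8Hs",
     "Tax return 2019.pdf"),
    ("https://cam.example-nest.com/clip?view=1&t=aG7kPq2Zx9LmWc4Rt1Yv6Bn",
     "Front door clip"),
    ("https://jira.example-corp.internal/browse/ENG-1234",
     "ENG-1234 pump motor stall fault"),
    ("https://shop.example.com/cart?item=42&qty=1", "Cart"),
]

if __name__ == "__main__":
    for url, title, reasons in audit_history(SAMPLE_HISTORY):
        print(f"{', '.join(reasons):24} {title!r} <- {url}")
```

The entropy test is a heuristic: long hyphenated slugs can cross the threshold and short tokens can fall under it, so treat the output as a list of pages to review. The durable fix for the first category is on the server side, namely not using an unlisted URL as the only protection for sensitive content.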
 
The data spy


The term DataSpii was coined by Sam Jadali, the researcher who discovered—or more accurately re-discovered—the browser extension privacy issue. Jadali intended for the DataSpii name to capture the unseen collection of both internal corporate data and personally identifiable information (PII).

As the founder of Internet hosting service Host Duplex, Jadali first looked into Nacho Analytics late last year after it published a series of links that listed one of his client domains. Jadali said he was concerned because those URLs led to private forum conversations—and only the senders and recipients of the links would have known of the URLs or would have the credentials needed to access the discussion. So how had they ended up on Nacho Analytics?





An ad for Nacho Analytics.



Jadali suspected that the links were collected by one or more extensions installed on the browsers of people viewing the specialized URLs. He forensically tested more than 200 different extensions, including one called "Hover Zoom"—and found several that uploaded a user's browsing behavior to developer-designated servers. But none of the extensions sent the specific links that would later be published by Nacho Analytics.

Still curious how Nacho Analytics was obtaining these URLs from his client’s domain, Jadali tracked down three people who had initial access to the published links. He correlated time stamps posted by Nacho Analytics with the time stamps in his own server logs, which were monitoring the client’s domain. That’s when Jadali got the first indication he was on to something; two of his three users told him they had viewed the leaked forum pages with a browser that used Hover Zoom.

Web searches such as this one have reported the extension’s earlier history of data collection. Suspicious that Hover Zoom might be doing the same thing again, Jadali set out to more rigorously test the extension.

He set up a fresh installation of Windows and Chrome, then used the Burp Suite security tool and the FoxyProxy Chrome extension to observe how Hover Zoom behaved. This time, though, he found no initial sign of data collection, so he remained patient. Then, he said, after more than three weeks of lying dormant, the extension uploaded its first batch of visited URLs. Within a couple of hours, he said, the visited links, which referenced domains controlled by Jadali, were published on Nacho Analytics. Soon after, each URL was visited by a third party that often went on to download the page contents.

Jadali eventually tested browser extensions for Firefox and also set up test machines running both macOS and the Ubuntu operating system. In the end, he said, the extensions that he found to have collected browsing histories that later appeared on Nacho Analytics include:


  • Fairshare Unlock, a Chrome extension for accessing premium content for free. (A Firefox version of the extension, available here, collects the same browsing data.)

  • SpeakIt!, a text-to-speech extension for Chrome.

  • Hover Zoom, a Chrome extension for enlarging images.

  • PanelMeasurement, a Chrome extension for finding market research surveys

  • Super Zoom, another image extension for both Chrome and Firefox. Google and Mozilla removed Super Zoom from their add-ons stores in February or March, after Jadali reported its data collection behavior. Even after that removal, the extension continued to collect browsing behavior on the researcher’s lab computer weeks later.

  • SaveFrom.net Helper, a Firefox extension that promises to make Internet downloading easier. Jadali observed the data collection only in an extension version downloaded from the developer. He did not observe the behavior in the version that was previously available from Mozilla’s add-ons store.

  • Branded Surveys, which offers chances to receive cash and other prizes in return for completing online surveys.

  • Panel Community Surveys, another app that offers rewards for answering online surveys.



While Jadali can’t be certain how Nacho Analytics obtained URLs for pages that can only be accessed by people authorized by companies like Apple, Tesla, Blue Origin, or Symantec, the most likely explanation is that one or more of them had a browser with an affected extension. Jadali has confirmed with four affected companies that employees did, in fact, have one or more of the extensions installed. Palo Alto Networks also confirmed that browsers inside its network used an affected extension. All five companies have since removed the extensions. Google, citing violations to its terms of service, has also removed the six extensions it hosted in its Chrome Web Store.

A small sample of affected companies were contacted, including Apple, Symantec, FireEye, Palo Alto Networks, Trend Micro, Tesla, and Blue Origin. Symantec, Trend Micro, and Palo Alto Networks were the only ones who provided a comment.

Symantec's statement read: "We want to thank the researcher for alerting us to this issue and sharing his findings. We have taken immediate steps to remediate this issue." Trend Micro officials said: "Trend Micro appreciates being made aware of this and has remedied the issue." A Palo Alto Networks representative wrote: "On the day we were notified of the issue, Palo Alto Networks deleted the browser extensions and blocked the outbound traffic associated with the add-on extensions to prevent any further potential impact."

Investigating DataSpii over the past six months has eclipsed Jadali’s full-time job and much of his personal life.

Jadali said the new vocation has so far cost him nearly $30,000 in personal expenses, since the research is not tied to his responsibilities at Host Duplex. Jadali estimates that about 60% of the cost has been in fees from Nacho Analytics. The rest has been for travel and for various consultants.

“It became my number one priority,” he said. “Almost as if it was out of my control.”


Reading the fine print

Principals with both Nacho Analytics and the browser extensions say that any data collection is strictly "opt in." They also insist that links are anonymized and scrubbed of sensitive data before being published. However, there were numerous cases where names, locations, and other sensitive data appeared directly in URLs, in page titles, or by clicking on the links.

The privacy policies for the browser extensions do give fair warning that some sort of data collection will occur. The Fairshare Unlock policy, for example, says that the extension “collects your digital behavior data and shares it with 3rd parties to enable better survey targeting and other market research activities.” (This and other policies mentioned in this article were recently taken down.)

The collected information expressly includes “URLs visited, data from URLs loaded and pages viewed, search queries entered, social connections, profile properties, contact details, usage data, and other behavioral, software, and hardware information.” At the same time, the policy promises that Fairshare will take steps to anonymize the data.

“For our primary use-case of research, PII scrubbers attempt to remove all personally identifiable information before analysis and archiving,” the Fairshare Unlock policy states. “Individual users are regularly re-assigned randomly generated identifiers which, when combined with PII scrubbing, provides anonymity.”

Privacy policies for SpeakIt!, PanelMeasurement, Hover Zoom, Panel Community Surveys, and Branded Surveys contain language that’s largely identical to that cited above. Savefrom.net’s policy also makes clear it will collect the “URL of the particular Web page you visited.” (The policy for Super Zoom is no longer available.) Below are images that some of the extensions display when being installed:

Apps such as Edison Mail are gathering data under the guise of providing personalized features, but then turn around and sell this information to advertisers and big business.

Two years after it was revealed that Google allows third-party companies to read the emails in users' Gmail accounts, more apps have been found to be doing the same when used with any email account.

The best-known of these is Edison Mail, which is an email client for both Mac and iOS. It has time-saving features such as providing one-click buttons for the people users most often email. Similarly to how iOS provides suggested next-word responses, Edison Mail prompts users with complete and appropriate canned responses.

Edison Mail's developers have been clear that this is achieved by parsing users' emails to build these lists, and offer relevant automatic responses. However, it has not said that it then uses that data for its own profit.

According to research, the Edison Mail company sells products to finance, travel and e-commerce customers that are derived by scraping users' emails.

Edison's website explicitly states that data is collected from users, and it extensively details all the uses that users agree to by signing up to the service. At no point, however, does it say that it will sell this data.

It does refer repeatedly to service providers that it calls "partners."

"These service providers are authorized to use your information only as necessary to provide their services to us," it says.

A document obtained from the JP Morgan financial services company says that data is bought from Edison for the purpose of helping companies make investment decisions.

The document reportedly refers explicitly to Edison Mail as the source of data.

"[The data features] consumer purchase metric including brand loyalty, wallet share, purchase preferences etc," it says.



Edison has not responded to questions. However, after publication of that research, Edison has released an updated blog about its working practices.

"To keep our Edison Mail app free, and to protect your privacy by rejecting an advertising-based business model," it says, "our company Edison Software, measures e-commerce through a technology that automatically recognizes commercial emails and extracts anonymous purchase information from them. Our technology is designed to ignore personal and work email, which does not help us measure market trends."

"We do not participate in any ad targeting of our users and do not allow others to do ad targeting of our users," it continues.

The research also reveals that email add-on services including Slice and Cleanfox sell data products to corporate clients based on users' emails. Cleanfox's parent company is Foxintelligence.

"From a higher perspective, we believe crowd-sourced transaction data has a transformational power both for consumers and for companies and that a marketplace where value can be created for both sides without making any compromise on privacy is possible," Florian Cleyet-Merle, Foxintelligence Chief Operating Officer said.

Too bad that Apples email service is so pitiful people have to resort to others just to be able to mail someone else regularly.

First, I am not an Apple Fangirl



That post is about an email client, not an email service.

The post is about apps which invade user's privacy, mining their personal info and data then selling it.


I know many people that are pleased with Apple service and some that don't care for it.

People don't, as you said, have to use any other besides Apple's, they decide what service to use, or not use. Or any at all for that matter.



What facts do you have Knoturnal to support your bold statement?

May I ask which smartphone and service you use?

Or do you dislike Apple products and services that much?

And why did you feel compelled to share your opinion with the thread?

It seems all the major players have crummy email programs though so it’s par for the course.
I wouldn’t be so upset as you seem as you said you weren’t a Apple fan girl.

I agree, the email clients that service providers offer leave much to be desired.

I'm not an Apple Fan Girl. Some products and services IMO are exorbitantly overpriced (e.g. Xserve), there isn't interest for some products (i.e. Power Mac G4 Cube and iPod Hi-Fi), Mac Pro 2nd gen (Cylinder) is a bad product highlighting Apple's move disallowing users to expand or customize themselves, and Apple even denied existence of malware on Macs for a long time.


However I do use Apple products since their Operating Systems, unlike the two other majors, don't spy and record my activities then phone home with that data. And if I can't trust the base, then I've no privacy or security using a device or apps.

Messed up the last paragraph in the previous post, re-posting here, along with more.


Privacy policies for SpeakIt!, PanelMeasurement, Hover Zoom, Panel Community Surveys, and Branded Surveys contain language that’s largely identical to that cited above. Savefrom.net’s policy also makes clear it will collect the “URL of the particular Web page you visited.” (The policy for Super Zoom is no longer available.) Below are images that some of the extensions display when being installed:



Image: Fairshare Unlock permissions.

Image: Hover Zoom permissions.

Image: Speak It! permissions.

Image: PanelMeasurement permissions.



Nacho Analytics, for its part, has this to say in a YouTube promotion, which starts out asking "Is this legal?"

Yes, it’s 100 percent legal and completely complies with google’s terms of service. We aren’t actually hacking google or anyone’s google analytics account, though it might seem that way. Instead we are gathering data from millions of opt in users, individuals from around the world that agreed to share their browsing data anonymously. Nacho analytics scrubs this data so all personal information is deleted and so it’s GDPR compliant. This type of data gathering is far from a new innovation. On the contrary, it’s kind of how the Internet runs.

(GDPR is a reference to the strict General Data Protection Regulation that went into effect in the European Union 26 months ago. The video was removed from YouTube.)

Jadali's research found that Fairshare Unlock, PanelMeasurement, SpeakIt!, Hover Zoom, Branded Surveys, and Panel Community Surveys did redact some information on end users' computers before sending it to the developer-designated servers. But he said that an examination of data packets sent to the servers and links published on Nacho Analytics makes it clear that not all types of sensitive information were removed. Redaction seemed to happen only when Web developers use certain query string parameters in their URLs.



Image: URL parameter redaction.

When a URL designated a surname with the parameter "lastname," extensions replaced the name with asterisks. This redaction failed when URLs used less standard parameter names such as "passengerLastname."

As the image above shows, strings that used "lastname=x" seemed to successfully cause last names to be replaced with asterisks. Strings that used "passengerLastName=y," however, were not removed. None of Jadali's research shows that Super Zoom or SaveFrom.net Helper performed any redactions at all.

What's more, some links published by Nacho Analytics contain what appear to be the personal information of real people. Examples of such personal information included passenger names in links from airline Southwest.com, pick-up and drop-off locations of people using the Uber.com website (but not the phone app) to hail rides, and email addresses from Apple's password reset service. While Jadali redacted sensitive information from the following screenshots, none of it was removed from the links published by Nacho Analytics.



Image: personal information in a published Apple password-reset link.

Image: personal information in a published Uber link.

Image: personal information in a published Southwest link.




What's more, even when the URLs published by Nacho Analytics removed names, social security numbers, or other sensitive information, clicking on the links often led to pages that revealed the same redacted information.
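The parameter-name redaction described in this post, reproduced as an added example (this is not code from the original post, from DDMR, or from Nacho Analytics; the scrubber logic, the token list and the sample URLs are constructed for illustration): a scrubber keyed on the exact name `lastname` masks that parameter but leaves `passengerLastName` untouched, while a rule that normalises the parameter name and also inspects the value catches both spellings and a bare e-mail address.

```python
"""
Added example (not code from the original post, DDMR, or Nacho Analytics):
a query-string PII scrubber that reproduces the failure mode described above.
scrub_exact() masks a value only when the parameter name matches a fixed list
verbatim, so "lastname" is redacted but "passengerLastName" is not.
scrub_broad() normalises the parameter name, looks for sensitive tokens inside
it, and also inspects the value itself. All sample URLs are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MASK = "****"

# Naive rule: parameter names to redact, compared exactly and case-sensitively.
EXACT_KEYS = {"lastname", "firstname", "email", "ssn"}

# Broad rule: tokens searched for inside the normalised parameter name, so that
# "passengerLastName", "passenger_last_name" and "LASTNAME" all collapse to a
# string containing "lastname".
SENSITIVE_TOKENS = ("lastname", "firstname", "surname", "email", "ssn", "passport", "phone")

# Broad rule, second layer: values that look sensitive regardless of the key name.
VALUE_PATTERNS = (
    re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),   # e-mail address
    re.compile(r"^\d{3}-\d{2}-\d{4}$"),          # US Social Security number layout
)


def _scrub(url, should_mask):
    """Rebuild url with every query value for which should_mask(key, value) holds replaced by MASK."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, MASK if should_mask(k, v) else v) for k, v in pairs]
    # safe="*" keeps the mask readable instead of percent-encoding it.
    query = urlencode(masked, safe="*")
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def scrub_exact(url):
    """Redact only when the parameter name is on EXACT_KEYS verbatim (the failing behaviour)."""
    return _scrub(url, lambda key, value: key in EXACT_KEYS)


def _normalise(key):
    """Lower-case the key and drop separators so naming conventions stop mattering."""
    return re.sub(r"[^a-z0-9]", "", key.lower())


def scrub_broad(url):
    """Redact when the normalised key contains a sensitive token or the value looks sensitive."""
    def should_mask(key, value):
        key_hit = any(tok in _normalise(key) for tok in SENSITIVE_TOKENS)
        value_hit = any(p.match(value) for p in VALUE_PATTERNS)
        return key_hit or value_hit
    return _scrub(url, should_mask)


if __name__ == "__main__":
    # Constructed sample URLs; no real passenger data.
    for sample in (
        "https://example.test/checkin?lastname=Smith&flight=123",
        "https://example.test/checkin?passengerLastName=Smith&flight=123",
        "https://example.test/reset?token=abc&contact=user%40example.test",
    ):
        print("exact:", scrub_exact(sample))
        print("broad:", scrub_broad(sample))
```

The broad rule trades false positives (a key such as `issn` would be masked too) for coverage, which is the right trade when the output is going to be published. It still does nothing about the second failure the post describes: a scrubbed link that, when followed, serves the same personal information as page content. Scrubbing URLs cannot fix that; only the site's own access controls can.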
Apple has been granted a temporary restraining order against a man it says has been stalking Tim Cook

Apple has filed a temporary restraining order against a man it says is harassing CEO Tim Cook and other members of Apple's executive team.

The court filings, which were first spotted by OneZero's Dave Gershgorn, allege that a man named Rakesh Sharma has made threats against Apple and Cook, including leaving disturbing voicemails, posting sexual photos on Twitter and tagging Cook, and showing up on the CEO's property in Palo Alto, twice. One time, Sharma attempted to deliver flowers and champagne to Cook, according to testimony by William Burns, Apple's global security specialist, which was included in the court filing.

The petition, which was filed in Santa Clara County Superior Court, asks for orders of protection for Burns, as well as other members of Apple's executive security team. The court granted the petition in part, but only to protect Cook — Sharma has been ordered to stay away from Cook's residence and Apple Park, but the court rejected the motion to ban Sharma from visiting any other Apple retail locations or homes of other Apple executives.

The temporary restraining order will expire on March 3, when a hearing is scheduled.

Neither Apple's lawyer nor a spokesperson for the company immediately responded to Business Insider's request for comment on the restraining order.

Don't know if it will happen this evening, this weekend, next week, or even at all, but preparing in case.






Morituri te salutamus esse


Meet the DataSpii players

DDMR

Google’s Chrome Web Store lists the developer of PanelMeasurement as DDMR.com with a mailing address in Walnut, California. The store doesn’t identify the developer of Fairshare Unlock, Hover Zoom, SpeakIt!, or Super Zoom, but the privacy policy for Fairshare Unlock also lists DDMR.com and the same Walnut, California, mailing address in a Contact Us section. The policies for Hover Zoom, SpeakIt!, and Panel Community Surveys also contain language and organization almost identical to those for the PanelMeasurement and Fairshare Unlock extensions.

Another link to DDMR: domains that received browsing data from all eight of the extensions resolved to the same two IP addresses—54.160.162.145 and 52.54.192.223. This page from SSL Labs, a research project by security firm Qualys, shows that 54.160.162.145 is tied to a security certificate belonging to DDMR domain ddmr.com (viewers first must click the "click here to expand" for certificate #2).

This LinkedIn profile lists Christian Rodriguez as the founder and CEO of DDMR. A 2015 article—reporting an earlier round of data collection by Chrome extensions—identifies Rodriguez as working in business development for Fairshare Labs. Fairshare Labs’ contact page lists the same Walnut, California, mailing address.

Rodriguez told me that Fairshare Labs is an abandoned project and that Fairshare Unlock is no longer actively developed (although he said it does continue to receive security and GDPR compliance updates). He pointed to the bottom of this page, which he said provides "very clear, pre-installation disclosure to users."

Rodriguez described DDMR as a "passive metering technology company" that provides market research companies with "passive metering browser extensions that they distribute to their research panelists." He went on to write in an email:



Our customers are responsible for recruiting end-users into their panels and directing them to our landing pages.

It is our responsibility to (1) ensure that we provide end-users with clear disclosure of what data is collected and how it is used, and (2) receive appropriate consent. Once consent is given, we collect the behavioral data, scrub it for sensitive information like phone numbers, social security numbers, credit card numbers, and email addresses, and then make it available to market researchers to use in their research.

If it is brought to our attention that sensitive information is leaking, we immediately take action to improve our filters and eliminate that data from our dataset.

Responsible use of behavioral data allows market researchers and the companies they serve to build better products and experiences for consumers, but it is necessary to recognize the value of this data in the context of its potentially sensitive nature.



He declined to say if Nacho Analytics was a customer, business partner, or had any other relationship with DDMR.


Nacho Analytics

Nacho Analytics, meanwhile, promises to let people “see anyone’s analytics account” and to provide “Real-Time Web Analytics For Any Website.” The company charges $49 per month, per domain, to monitor any of the top 5,000 most widely trafficked websites, although certain domains—including those for Google, YouTube, Facebook, and others—aren’t available for monitoring. For sites below this premium threshold, it costs $49 per month to monitor one domain, $99 per month for up to five domains, and $149 per month for up to 10 domains.

Once someone signs up, Nacho Analytics uses a Google-provided programming interface to deliver data to a Google Analytics account designated by the user. With several of the extensions identified by Jadali installed, visits to sites with long pseudorandom strings in their URLs were followed by Nacho Analytics populating those unique URLs into the designated Google Analytics page.

The previously mentioned video promoting Nacho Analytics on YouTube says that the service is “100-percent legal and completely complies with Google’s terms of service.” The video also asserts that the Nacho Analytics service is "GDPR compliant."

In an interview, Nacho Analytics founder and CEO Mike Roberts reiterated that the service is fully GDPR compliant and that the millions of people whose data is collected have expressly agreed to this arrangement.

“You absolutely do” click an agree button, Roberts said of all users whose data is published. What's more, he said, "we spend quite a bit of time processing every URL that we see to remove all the personally identifiable information." It was confirmed that in many cases, the URLs published by Nacho Analytics have had names, Social Security numbers, and other personal information removed. However, numerous instances of names and other personal information remaining in published URLs were also found.

Roberts said that he was unaware Nacho Analytics published links to webpages hosting tax returns, Nest Videos, car buyer information, and an extensive amount of other personally identifiable information. Nacho Analytics already excludes domains for Google, Facebook, YouTube, and many other services out of privacy concerns, he said, and may exclude others.

"Your report is personally disturbing to me–and [publishing sensitive data] is definitely not the purpose of Nacho Analytics," he said. "We work hard to remove personally identifiable information from URLs and page titles, and exclude sites with serious security issues. When we learn of a new issue, we have a system to remove it immediately. We’ve stopped all new sign-ups for Nacho until we can get more information on this issue. If you give me a list of the sites that have these issues, we’ll immediately disable those sites and work on a permanent solution."

He also pushed back on the idea that Nacho Analytics had ever been used by customers to harvest sensitive information. Jadali, he claimed, was the only one who had done so. (He also claimed that Jadali had violated Nacho Analytics' terms of service in doing the research.)

"Jadali looked at hundreds of websites, only a tiny fraction of which any legitimate Nacho Analytics customer ever viewed," he said. "In fact, none of the sites with the issues you’ve made me aware of have been viewed by any legitimate Nacho Analytics customer."

But Roberts defended the basic practice of publishing links that, when clicked, lead to private data—so long as that data isn't viewable in the URL itself as published by Nacho Analytics.

He put it this way:



Those pages are available. It’s just that you didn’t know how to discover them. This is just something that you’re now able to see that you weren’t able to see before. But we’re not creating a loophole. There’s no backdoor or anything. We’re just showing links that you didn’t know about before and maybe weren’t indexed, but they do exist...

That link by obfuscation thing, I don’t like it. I wish it didn’t exist because I definitely don’t want to be enabling anybody to do anything bad, only good. I’m trying to create good things in the world. And there’s the opportunity there for some people to do some damage.



Roberts said he was also unaware that Nacho Analytics was publishing links and page titles from the non-public, internal networks of companies. But, while he questioned the analytics value of this data, he didn't necessarily think publishing it was a bad thing.

"I don’t think I personally see much value in it," he said. "But just because a company may want to keep it private, I’m not sure that’s where the best value is."

He said he had never heard of any of the extensions that Jadali had identified as collecting data that later ended up on Nacho Analytics, but he declined to identify any software that collects end-user browsing data, nor would he name any companies that Nacho Analytics works with to obtain this data. (In a later email, he clarified that the data "comes from third-party data brokers. We certainly didn’t invent the method of data collection.")

"Using Nacho to look at private information or to try to hack into websites is an explicit violation of our terms of use," Roberts added. "[Nacho is] a marketing product that puts small businesses and entrepreneurs on a level playing field with large corporations that have and will continue to have access to this type of data."

"Honestly, I think you have the wrong villain here."

On July 8, five days after Google remotely disabled the extensions Jadali had reported, Roberts said on Twitter that Nacho Analytics "had an upstream data outage." A day later, Roberts said Nacho Analytics' "data partner has ended operations." Shortly after that, the Nacho Analytics front page said the service was "halting all access to any potentially sensitive data."



Next is the last part: The Law and web browser organizations get involved

DataSpii and the law

Despite the data collection disclosures and the fact that the companies make efforts to scrub personal information from the results, it’s clear that DataSpii published highly sensitive data. What remains unanswered is whether any of the individual parties involved breached any legal or contractual obligations. One issue clouding such questions is the murky relationship between the browser extension makers and Nacho Analytics.

“We know the end is not good,” said Eric Goldman, a Santa Clara University law professor specializing in Internet issues. “Now how did we get there, and who do we blame? We might never get a clear answer to any of that because we don’t even know exactly who did what to whom.” He continued:

There are a lot of disclosures in the Fairshare privacy policy that say: ‘We’re going to do some things that on reflection you probably shouldn’t agree to.’ But do they say enough to describe the exact chain of data flows? I don’t think we’ll ever be able to answer without having proof of those data flows.

Another complication: even if an extension user fully consented to having her browsing history collected and shared, does that consent extend to third parties whose sensitive information is viewed by the consenting user and subsequently published? Ultimately, Goldman said, lawyers would need to have much more information before they could say if anyone did anything wrong in the eyes of the law.

He added:

Even if you can get the users’ consent to gather all the URLs that they visit, is that still an ethical choice? Because it will sweep up personal information, and it will pick up information from third parties who never consented, and there’s nothing that can be done to avoid either of those two outcomes.

Whitney Merrill, a privacy and security attorney who previously worked at the Federal Trade Commission, largely echoed Goldman's assessment.

"It’s hard to say any one actor is the main contributor to what seems like a very unethical practice," she said. The issue arises, instead, from a whole ecosystem of companies.

Falling down the rabbit hole

The number of browsers shown to use each extension has varied over the past six months, in part because browser makers took action after learning about DataSpii.

In February, after Jadali reported the Super Zoom data collection to Mozilla and Google, both organizations removed the extension from their add-ons offerings. Jadali’s version of Firefox even displayed a notification that Super Zoom was being “disabled due to security or stability issues.”

As for the two more recently discovered Firefox extensions collecting data—Savefrom.net and Fairshare Unlock—they were available only on developer websites. At the time this post went live, both were still available on those third-party sites. As mentioned earlier, Jadali found no evidence that a version of Savefrom.net that was (but is no longer) available from Mozilla collected data.

Beginning on July 3—about 24 hours after Jadali reported the data collection to Google—Fairshare Unlock, SpeakIt!, Hover Zoom, PanelMeasurement, Branded Surveys, and Panel Community Surveys were no longer available in the Chrome Web Store. Installations of all six of those extensions were also remotely disabled on Jadali's lab computers, a move that, after more than six months, finally curtailed the data collection.



Image: A notice that appeared on Jadali's lab computer on July 3.



While the notices say the extensions violate the Chrome Web Store policy, they make no mention of data collection nor of the publishing of data by Nacho Analytics. The toggle button in the bottom-right of the notice allows users to "force enable" the extension. Doing so causes browsing data to be collected just as it was before.

“We want Chrome extensions to be safe and privacy-preserving, and detecting policy violations is essential to that effort," company officials said in a statement. "Recently, we announced technical changes to how extensions work that will mitigate or prevent this behavior, and new policies that improve user privacy."

In response to follow-up questions, a Google representative didn't explain why these technical changes failed to detect or prevent the data collection they were designed to stop. The representative was also asked twice if company officials planned to notify Chrome users that their browsing data was collected and published by extensions that Google hosted, and said that Google had nothing else to add.

But removing an extension from an online marketplace doesn't necessarily stop the problems. Even after the removals of Super Zoom in February or March, Jadali said, code already installed by the Chrome and Firefox versions of the extension continued to collect visited URL information.

Eventually, the data collection performed by the Firefox version of Super Zoom stopped, at least on the computers Jadali was testing. But the Chrome version of Super Zoom continued to collect the data, months after Google removed it from the Chrome Web Store. The collection only stopped in early July, around the same time that Google remotely disabled the other extensions Jadali reported. As noted earlier, Google also disabled the other extensions, but it continues to give users the option to re-enable them.

Jadali gives Mozilla credit for eventually preventing the data collection and for providing this explanation, even if it is vague and requires infected users to actively find it. In the end, he said, he would prefer that Mozilla and Google be more explicit about the data collection—and make remote disabling a standard practice for extensions that are caught collecting sensitive information.

“They need to remotely deactivate this from people’s computers and let people know why,” he said of both companies. “Removal [from the store] is completely insufficient in this case.”

Readers who want to ensure they're not running any of the data-collecting extensions in Chrome should navigate to Extensions by typing chrome://extensions into their browser's address bar. (Depending on the version of Chrome, extensions can also be found in either the Tools or Window menus, or by clicking on the three dots in the upper right-hand of the browser and choosing More Tools.) Readers will then find a page like the one below that displays all installed extensions.



Image: Chrome's Extensions page.

Firefox extensions, meanwhile, can be accessed by selecting "Add-ons" from the Tools menu. This will bring up a screen that looks like:



Image: Firefox's Add-ons page.

In light of the research showing the collection of browsing data, it is recommended that users strongly consider permanently removing the following extensions:

  • Fairshare Unlock

  • SpeakIt!

  • Hover Zoom

  • PanelMeasurement

  • Super Zoom

  • SaveFrom.net Helper

  • Branded Surveys

  • Panel Community Surveys



Unwanted extensions can be removed by clicking the remove button. It's not a bad idea to remove any other extensions that users don't recognize or use often. Given the problematic history of browser extensions, it makes sense to be extra cautious about installing any of them.

Two of the eight extensions identified by Jadali—Hover Zoom and SpeakIt!, with 800,000 and 1.4 million users respectively—have been reported collecting user data before. Hover Zoom (which sometimes is spelled HoverZoom) first prompted privacy concerns no later than 2013, when users observed it engaging in a wide range of unsafe behaviors, including injecting code into visited pages and sending browsing habits to developer-designated servers.

In 2015, security researchers at Sweden-based Detectify reported that both Hover Zoom and SpeakIt!—along with 10 other Chrome extensions—harvested sensitive user data, including complete browsing histories, authentication cookies used to access user accounts, and Oauth credentials. As was the case with DataSpii, the Detectify researchers said, the tracked browsing histories were being openly sold on an analytics service, although the report didn’t identify it. Google, Detectify reported, responded by removing or disabling Hover Zoom and seven other reported extensions.

In 2017, researchers identified 212 Chrome extensions with 8 million users that tracked browsing behavior. One of them was SpeakIt!. Google didn't explain why it allowed Hover Zoom and SpeakIt! into the Chrome Web Store following these previous reports.


A systemic problem

DataSpii results from the way that many different individual Internet components work together. The extensions that collect browsing data in a way that's invisible to the naked eye are one key player. So too is Nacho Analytics, which published millions and millions of page links and titles, sometimes in a way that revealed personal information and internal business data.

But other participants are the individual websites—and the people using them—that were swept up by DataSpii. In many cases, webpages stored tax returns, videos, and other sensitive information that could be accessed without a password or other form of authentication. The privacy of these "links by obfuscation," as Nacho Analytics' Roberts calls them, completely breaks down when the URLs are collected and published.

There's also the issue of personal data being embedded into URLs. In February, the security firm Wandera documented a variety of airline e-ticketing systems that needlessly exposed passengers' sensitive data, including first and last names, email addresses, and passport numbers. DataSpii reveals not only how widespread this practice is; it also shows the real-world dangers posed by it.

DataSpii may also provide lessons for developers and users of project management tools and other software that's used by businesses. One possibility is to redesign apps to prevent sensitive information from leaking out of page titles.

The biggest lesson of all, though, is this: under the current system, individuals and businesses must spend much more time and resources scrutinizing the powerful browser extensions they want to install. DataSpii makes clear that up to now, browser extensions haven't been a big enough part of the security threat modeling process that individuals and organizations must perform to develop and maintain an effective security hygiene.

The current system for vetting browser extensions doesn't necessarily protect your data. In the current environment, the most prudent approach is to install extensions sparingly, if at all.

"Every time you allow a browser extension to be installed, you're opening up the door to unknown outcomes," said Goldman, the Santa Clara law professor. "It's unfortunate that the ecosystem has got this inherent lack of trust that discourages all of us from taking advantage of the value that comes from browser extensions. Why can’t we trust the browser makers to ensure that the extensions aren’t bringing along unwanted payloads? We need them to do that work because they’re the best deputies to protect users. And unfortunately we can’t."



Finally the end
.
 
ISPs cite First Amendment as reason why they can sell customer data

.
ISPs sue Maine, claim Web-privacy law violates their free-speech rights
Law says ISPs need opt-in consent before using or sharing Web-browsing history.

Internet service providers are fighting attempts to require that customers opt in before their location and other sensitive data are sold to third parties, claiming that such laws violate the free speech rights of the companies involved.



The broadband industry is suing Maine to stop a Web-browsing privacy law similar to the one killed by Congress and President Donald Trump in 2017. Industry groups claim the state law violates First Amendment protections on free speech and the Supremacy Clause of the US Constitution.

The Maine law was signed by Democratic Gov. Janet Mills in June 2019 and is scheduled to take effect on July 1, 2020. It requires ISPs to get customers' opt-in consent before using or sharing sensitive data. As Mills' announcement in June said, the state law "prohibits a provider of broadband Internet access service from using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access. The legislation also prohibits a provider from refusing to serve a customer, charging a customer a penalty or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale or access of their personal information."

Customer data protected by this law includes Web-browsing history, application-usage history, precise geolocation data, the content of customers' communications, IP addresses, device identifiers, financial and health information, and personal details used for billing.

Home Internet providers and wireless carriers don't want to seek customer permission before using Web-browsing histories and similar data for advertising or other purposes. On Friday, the four major lobby groups representing the cable, telco, and wireless industries sued the state in US District Court for the District of Maine, seeking an injunction that would prevent enforcement of the law.


ISPs claim law violates speech rights

The state law "imposes unprecedented and unduly burdensome restrictions on ISPs', and only ISPs', protected speech," while imposing no requirements on other companies that deliver services over the Internet, the groups wrote in their lawsuit. The plaintiffs are America's Communications Association, CTIA, NCTA, and USTelecom. They wrote:

Maine cannot discriminate against a subset of companies that collect and use consumer data by attempting to regulate just that subset and not others, especially given the absence of any legislative findings or other evidentiary support that would justify targeting ISPs alone. Maine's decision to impose unique burdens on ISPs' speech—while ignoring the online and offline businesses that have and use the very same information and for the same and similar purposes as ISPs—represents discrimination between similarly situated speakers that is impermissible under the First Amendment.

The law allegedly violates the First Amendment because it "limits ISPs from advertising or marketing non-communications-related services to their customers; and prohibits ISPs from offering price discounts, rewards in loyalty programs, or other cost-saving benefits in exchange for a customer's consent to use their personal information," the lawsuit claims.

"The Statute thus excessively burdens ISPs' beneficial, pro-consumer speech about a wide variety of subjects, with no offsetting privacy-protection benefits," the complaint continues. "At the same time, it imposes no restrictions at all on the use, disclosure, or sale of customer personal information, whether sensitive or not, by the many other entities in the Internet ecosystem or traditional brick-and-mortar retailers, thereby causing the Statute to diverge further from its stated purpose."

The trade groups also say Maine's law violates the US Constitution's Supremacy Clause, which gives federal law priority over state laws that conflict with US law. The Maine law "violates the Supremacy Clause because it allows consumers to dictate (by opting out or declining to opt in) when ISPs can use or disclose information that they must rely on to comply with federal law, rendering 'compliance with both' state and the foregoing federal laws 'impossible,'" the trade groups claimed.


Ongoing battle against state laws

The lawsuit is part of a larger battle between ISPs and states that are trying to impose regulations stronger than those enforced by the federal government. One factor potentially working against the ISPs is that the Federal Communications Commission's attempt to preempt all current and future state net neutrality laws was blocked by a federal appeals court ruling in October 2019.

The FCC claimed it could preempt state net neutrality laws because state-imposed rules would subvert the federal policy of non-regulation. Similarly, the new lawsuit against Maine claims the state privacy law conflicts with the Congressional decision to eliminate the Obama-era FCC's broadband rules, and it cites the Trump-era FCC's view that ISPs' privacy practices shouldn't be regulated any differently than those of other online businesses.

But while the FCC was allowed to eliminate its own net neutrality rules, judges said the commission "lacked the legal authority to categorically abolish all 50 States' statutorily conferred authority to regulate intrastate communications." When it defends its privacy law against the industry lawsuit, Maine would likely argue that it has authority to regulate broadband-industry practices that the federal government has chosen not to regulate.



The sale of data has become a hot topic for privacy advocates in recent years, as the practice of tech companies harvesting user data and then selling it to other firms has come under fire. Recent examples of the practice include Wacom's drivers harvesting data that is passed on to Google, and the active collection of data by the Avast antivirus suite for sale to marketing firms.

Apple's stance on consumer privacy is that it should not have access to the data where possible, including obfuscating the data to make it unidentifiable and only acquiring the minimum amount of data required to perform a task. Encrypting data is also a key element of Apple's stance, one that has led to its involvement in a long-running debate over its use and government demands for the implementation of backdoors.
.
 
FTC to issue $1.7M in refunds to victims of tech support scams

.
Nearly 58,000 people will be receiving refunds after being tricked into believing their computers were infected with viruses and malware, by scammers claiming to be from Apple and Microsoft.



The FTC, along with Connecticut and Pennsylvania, allege that a scam that operated under the title "Click4Support" used search engine ads and popups to trick users into believing their computers had been compromised. The website would then direct customers to call and purchase tech support services that the customer did not need, as is typical for tech support scams in general.

This specific scam seemed to be particularly effective. According to FTC records, Click4Support scammed more than $17 million out of customers by pretending to represent major tech companies, such as Apple and Microsoft, tricking users into paying for effectively useless support services they did not require.

The FTC will be providing nearly 58,000 refunds, each averaging about 30 dollars, to those who were taken advantage of by the scammers. Most refunds will be paid via PayPal, though some recipients may receive checks. Anyone who receives a check from the FTC is advised to deposit or cash it within 60 days.

According to the dedicated refunds page, 147 checks will be sent, while the vast majority of refunds will be PayPal payments. There is a 30-day limit for people who receive the PayPal payment to accept it, while checks need to be cashed within 60 days.

Furthermore, the FTC warns potential refund recipients about other scams that masquerade as FTC refund offers, and notes that the FTC never requires anyone to pay money or provide account information to cash a refund check. Questions about refunds can be directed to the refund administrator, Rust Consulting.

The FTC, Connecticut, and Pennsylvania announced settlements with Click4Support and the companies and individuals involved with the scam in May 2017, banning them from marketing tech support services and fining the companies involved. The entire affair was part of Operation Tech Trap, an international crackdown on tech support scams.
.
 
FCC to reportedly fine US wireless carriers at least $200M for selling customer locat

.
The U.S. Federal Communications Commission is expected to propose hefty fines on AT&T, Verizon, Sprint and T-Mobile following an investigation into allegations that the U.S. cellphone carriers collected and sold real-time consumer location data.



Citing sources briefed on the matter, Reuters on Thursday reports the FCC plans to announce at least $200 million in proposed fines by Friday. The companies, which are in hot water for sharing customer location data, will have a chance to challenge the fines prior to finalization.

The expected announcement arrives nearly a month after FCC Chairman Ajit Pai revealed "one or more" U.S. carriers might face fines over illegal data practices. An investigation by the FCC's Enforcement Bureau found certain wireless carriers "apparently violated" federal law and could face fines for profiting from the collection and sale of user location data.

Reports in 2018 sparked furor over alleged illicit practices that saw telecoms like AT&T, Verizon, Sprint and T-Mobile sell off customer data to a wide range of buyers, including law enforcement agencies, bounty hunters, tracking services and alleged stalkers.

Following public outcry and multiple class action lawsuits, the named carriers promised to end their controversial data sharing programs, with Verizon being the first to take action in November 2018. AT&T, T-Mobile and Sprint followed suit in 2019. With a few minor exceptions, all major carriers stopped selling data to third-party aggregators last May.

Each of the four carriers attempted to distance themselves from any wrongdoing associated with the so-called location based services (LBS) programs, with some claiming their respective operation was in place to benefit customers.
.
 
Newly discovered Mac malware uses “fileless” technique to remain stealthy

.
UNDER THE RADAR —

In-memory infection makes it harder for end-point protection to detect it.


Hackers believed to be working for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.

In-memory execution, also known as fileless infection, never writes anything to a computer hard drive. Instead, it loads malicious code directly into memory and executes it from there. The technique is an effective way to evade antivirus protection because there’s no file to be analyzed or flagged as suspicious.

In-memory infections were once the sole province of state-sponsored attackers. By 2017, more advanced financially motivated hackers had adopted the technique. It has become increasingly common since then.

The malware isn’t entirely fileless. The first stage poses as a cryptocurrency app with the file name UnionCryptoTrader.dmg. When it first came to light, only two out of 57 antivirus products detected it as suspicious. According to VirusTotal, detection had only modestly improved, with 17 of 57 products flagging it.
(Sandy note - it is now at 31 of 57)

Once executed, the file uses a post-installation binary that, according to a detailed analysis by Patrick Wardle, a Mac security expert at enterprise Mac software provider Jamf, can do the following:



  • move a hidden plist (.vip.unioncrypto.plist) from the application’s Resources directory into /Library/LaunchDaemons

  • set it to be owned by root

  • create a /Library/UnionCrypto directory

  • move a hidden binary (.unioncryptoupdater) from the application’s Resources directory into /Library/UnionCrypto/

  • set it to be executable

  • execute this binary (/Library/UnionCrypto/unioncryptoupdater)



The result is a malicious binary named unioncryptoupdater that runs as root and has "persistence," meaning it survives reboots to ensure it runs constantly.

Wardle said that the installation of a launch daemon whose plist and binary are stored hidden in an application’s resource directory is a technique that matches Lazarus, the name many researchers and intelligence officers use for a North Korean hacking group. Another piece of Mac malware, dubbed AppleJeus, did the same thing.

Another trait that’s consistent with North Korean involvement is the interest in cryptocurrencies. As the US Department of Treasury reported in September, industry groups have unearthed evidence that North Korean hackers have siphoned hundreds of millions of dollars' worth of cryptocurrencies from exchanges in an attempt to fund the country's nuclear weapons development programs.


Begin in-memory infection

It is around this point in the infection chain that the fileless execution starts. The infected Mac begins contacting a server at hxxps://unioncrypto[.]vip/update to check for a second-stage payload. If one is available, the malware downloads and decrypts it and then uses macOS programming interfaces to create what’s known as an object file image. The image allows the malicious payload to run in memory without ever touching the hard drive of the infected Mac.

"As the layout of an in-memory process image is different from its on-disk image, one cannot simply copy a file into memory and directly execute it," Wardle wrote. "Instead, one must invoke APIs such as NSCreateObjectFileImageFromMemory and NSLinkModule (which take care of preparing the in-memory mapping and linking)."

Wardle was unable to obtain a copy of the second-stage payload, so it’s not clear what it does. Given the theme of cryptocurrency in the file and domain names—and North Korean hackers’ preoccupation with stealing digital coin—it’s a decent bet the follow-on infection is used to access wallets or similar assets.

When Wardle analyzed the malware earlier this week, the control server at hxxps://unioncrypto[.]vip/ was still online, but it was responding with a 0, which signaled to infected computers that no additional payload was available. By Friday, the domain was no longer responding to pings.

While fileless infections are a further indication that Lazarus is growing increasingly more adept at developing stealthy malware, AppleJeus.c, as Wardle has dubbed the recently discovered malware, is still easy for alert users to detect. That’s because it’s not signed by an Apple-trusted developer, a shortcoming that causes macOS to display the warning below.

warning.png

As is typical when applications are installed, macOS also requires users to enter their Mac password. This isn’t automatically a tip-off that something suspicious is happening, but it does prevent the first stage from being installed through drive-bys or other surreptitious methods.

It’s unlikely anyone outside of a cryptocurrency exchange would be targeted by this malware. Those who want to check can look for the existence of (1) /Library/LaunchDaemons/vip.unioncrypto.plist and (2) the running process or binary /Library/UnionCrypto/unioncryptoupdater.
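The checks in the paragraph above, written out as an added example (not code from Wardle's analysis or from Ars Technica): it tests for the two indicators the article names and, more generally, audits a launchd directory for daemons that point at hidden or oddly placed executables, the pattern the installer steps above describe. The trusted-prefix list, the fixture plists and the ps sample are constructed assumptions, so the audit runs against a temporary directory on any system and against /Library/LaunchDaemons on a Mac.

```python
"""Audit a LaunchDaemons directory for the persistence pattern described above.
Added example, not code from Wardle's write-up or Ars Technica: the KNOWN_* values
come from the article; the trusted prefixes, fixture plists and ps sample are
constructed assumptions."""
import os
import plistlib
import subprocess
import tempfile
from typing import Dict, List, Optional

# Indicators named in the article: the launch daemon plist and the dropped binary.
KNOWN_PLIST_NAME = "vip.unioncrypto.plist"
KNOWN_BINARY = "/Library/UnionCrypto/unioncryptoupdater"
# Where daemons normally live (assumption); a binary under a freshly created
# /Library/<Name>/ directory, as in the article, falls outside these prefixes.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/opt/")
# Constructed sample of `ps -axo command` output, not captured from a real host.
SAMPLE_PS_OUTPUT = "COMMAND\n/sbin/launchd\n/usr/sbin/syslogd\n" + KNOWN_BINARY + "\n"

def program_path(plist: Dict) -> Optional[str]:
    """Return the executable a launchd plist starts (Program or ProgramArguments[0])."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None

def audit_plist(plist_path: str, plist: Dict) -> List[str]:
    """Return the reasons one daemon plist resembles the installer behaviour above."""
    reasons = []
    name = os.path.basename(plist_path)
    if name.startswith("."):
        reasons.append("hidden plist filename")
    if name == KNOWN_PLIST_NAME:
        reasons.append("plist name matches known indicator")
    prog = program_path(plist)
    if prog is None:
        return reasons + ["no Program or ProgramArguments"]
    if os.path.basename(prog).startswith("."):
        reasons.append("hidden executable name")
    if prog == KNOWN_BINARY:
        reasons.append("executable path matches known indicator")
    if not prog.startswith(TRUSTED_PREFIXES):
        reasons.append("executable outside trusted locations: " + prog)
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: starts at boot, restarted if killed")
    return reasons

def audit_directory(daemons_dir: str) -> Dict[str, List[str]]:
    """Audit every .plist in daemons_dir, dotfiles included; returns {path: reasons}."""
    findings: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(daemons_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(daemons_dir, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a plist launchd cannot parse is worth reporting too
            findings[path] = ["unparseable plist: " + str(exc)]
            continue
        reasons = audit_plist(path, plist)
        if reasons:
            findings[path] = reasons
    return findings

def running_matches(ps_output: str, binary: str = KNOWN_BINARY) -> List[str]:
    """Return lines of `ps -axo command` output whose executable is `binary`."""
    return [ln.strip() for ln in ps_output.splitlines()
            if ln.strip().split(" ", 1)[0] == binary]

def build_fixture() -> str:
    """Write three constructed plists to a temp dir and return its path: one
    mimicking the article's daemon, one hidden daemon, one benign daemon."""
    d = tempfile.mkdtemp(prefix="launchdaemons-")
    samples = {
        KNOWN_PLIST_NAME: {"Label": "vip.unioncrypto", "ProgramArguments": [KNOWN_BINARY],
                           "RunAtLoad": True, "KeepAlive": True},
        ".com.example.hidden.plist": {"Label": "com.example.hidden",
                                      "ProgramArguments": ["/Library/Example/.updater"]},
        "com.example.benign.plist": {"Label": "com.example.benign", "RunAtLoad": True,
                                     "Program": "/usr/libexec/example-agent"},
    }
    for fname, content in samples.items():
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(content, fh)
    return d

if __name__ == "__main__":  # on a real Mac audit the live directory, else the fixture
    live = os.path.isdir("/Library/LaunchDaemons")
    for path, reasons in audit_directory("/Library/LaunchDaemons" if live else build_fixture()).items():
        print(path, "->", "; ".join(reasons))
    ps = subprocess.run(["ps", "-axo", "command"], capture_output=True, text=True).stdout if live else SAMPLE_PS_OUTPUT
    print("known binary on disk:", os.path.exists(KNOWN_BINARY), "running:", running_matches(ps))
```

A hit on the two known paths is the article's specific indicator; the other reasons are heuristics and need a human look, since third-party installers legitimately create daemons under /Library too.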
.
 
Firefox turns encrypted DNS on by default to thwart snooping ISPs

.
Security upgrade —

US-based Firefox users get encrypted DNS lookups today or within a few weeks.


Firefox will start switching browser users to Cloudflare's encrypted-DNS service today and roll out the change across the United States in the coming weeks.

"Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users," Firefox maker Mozilla said in an announcement scheduled to go live at this link Tuesday morning. "The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox's US-based users."

DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making, potentially making it more difficult for Internet service providers or other third parties to monitor what websites you visit. Mozilla's embrace of DNS over HTTPS is fueled in part by concerns about ISPs monitoring customers' Web usage. Mobile broadband providers were caught selling their customers' real-time location data to third parties, and Internet providers can use browsing history to deliver targeted ads.

Wireless and wired Internet providers are suing the state of Maine to stop a Web-browsing privacy law that would require ISPs to get customers' opt-in consent before using or sharing browsing history and other sensitive data. The telecom companies already convinced Congress and President Trump to eliminate a similar federal law in 2017.


ISPs protested encrypted-DNS plans

Mozilla has not been deterred by a broadband-industry lobbying campaign against encrypted DNS. The ISPs' lobbying targeted Google's plan for the Chrome browser, even though Firefox is deploying DNS over HTTPS more aggressively.

With Web users already being tracked heavily by companies like Google and Facebook, Mozilla has said it is embracing DNS over HTTPS because "we don't want to see that business model duplicated in the middle of the network" and "it's just a mistake to use DNS for those purposes."

"Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the Internet to make the shift to more secure alternatives," Mozilla said in its announcement today. "We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, [and] helps prevent data collection by third parties on the network that ties your computer to websites you visit."

While Firefox's encrypted DNS uses Cloudflare by default, users can change that to NextDNS in the Firefox settings or manually enter the address of another encrypted-DNS service. Firefox users can also disable the new default setting if they don't want to use any of the encrypted-DNS options.

Mozilla has said it is open to adding more encrypted-DNS providers as long as they meet a list of requirements for privacy and transparency and don't block or filter domains by default "unless specifically required by law in the jurisdiction in which the resolver operates."

Mozilla isn't turning encrypted DNS on automatically outside the United States. But users outside the US and US-based users who haven't gotten the new default setting yet can enable DNS over HTTPS in the Firefox settings. To do that, go to Firefox "Preferences," then "General," scroll all the way down to "Network Settings," click "Settings," then click "Enable DNS over HTTPS." After clicking that box, you can choose Cloudflare, choose NextDNS, or enter a custom server. There's a list of encrypted-DNS servers at this Github page.

Encrypted DNS will not be turned on by default in certain cases, such as when Firefox detects that enterprise policies have been set on the device or when it detects the presence of parental controls. Those and other questions about how DNS over HTTPS works in Firefox are answered in this FAQ.

Google's plan for encrypted DNS in Chrome—which is still in the experimental phase and hasn't been deployed to everyone—is a little different from Mozilla's. Instead of automatically switching users to a DNS provider chosen by Google, Chrome sticks with whichever DNS provider the user has selected. If the user-selected DNS provider offers encrypted lookups and is in this list of providers, Chrome automatically upgrades the user to that DNS provider's encrypted service. If the user-selected DNS provider isn't in the list, Chrome makes no changes.
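How a DNS over HTTPS lookup is packaged, as an added example (not Mozilla's or Firefox's code): it builds the wire-format DNS query, wraps it in the two forms RFC 8484 allows (a base64url GET parameter or an application/dns-message POST body) so it travels inside the TLS connection to the resolver rather than as plaintext UDP, and parses a constructed response. The resolver URL is a placeholder and the response bytes are constructed here, not captured from a real resolver.

```python
"""DNS over HTTPS (RFC 8484) message handling; added example, not Mozilla code.
The resolver URL is a placeholder and the response below is constructed, so the
block runs offline. Sending the request needs only an HTTPS client."""
import base64
import struct
from typing import Dict, List, Tuple

RESOLVER_URL = "https://doh.example/dns-query"  # placeholder, not a real resolver
TYPE_A = 1

def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Wire-format query with RD set. ID is 0, as RFC 8484 recommends for GET so
    identical queries produce identical (cacheable) URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(query: bytes, resolver: str = RESOLVER_URL) -> str:
    """GET form: the query rides in a base64url parameter with padding stripped."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return resolver + "?dns=" + encoded

def doh_post(query: bytes) -> Tuple[Dict[str, str], bytes]:
    """POST form: headers and body to send to the resolver URL."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, query

def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following compression pointers; returns (name, next)."""
    labels: List[str] = []
    jumped = False
    next_offset = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                next_offset = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        next_offset = offset
    return ".".join(labels), next_offset

def parse_answers(msg: bytes) -> List[Tuple[str, int, int, str]]:
    """Return (name, type, ttl, rdata) per answer; A records become dotted quads."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):                         # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        text = ".".join(map(str, rdata)) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers

def sample_response(name: str = "example.com") -> bytes:
    """Constructed response: one A record pointing at the documentation address
    192.0.2.1, with the answer name compressed to a pointer at the question."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer
```

On the wire an observer between the browser and the resolver sees a TLS session to the resolver's hostname and nothing of the names being looked up, which is the property the article describes.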
.
 
Google faces state lawsuit alleging misuse of schoolkids’ private data

.
classroom conundrum —

Collecting and using kids' data from educational tools is a no-go, state AG says.


Students use Google Suite apps on computers in a classroom in Groton, Mass. on May 11, 2016.

Adults who use Google products and services tend to know, at least on some background level, that the cost for access to "free" tools is paid in data. Google also provides low- and no-cost hardware and software tools to students and educators in school districts nationwide, and one state now says that children are also paying that privacy price, in violation of the law.

New Mexico Attorney General Hector Balderas filed a lawsuit (PDF) alleging Google's collection and use of data from schoolchildren in his state is in violation of the Children's Online Privacy Protection Act and New Mexico's Unfair Practices Act.

COPPA, one of the few US federal laws protecting data privacy, imposes certain restrictions on the collection and use of personal data associated with children under age 13. Under the law, websites, apps, and digital platforms that collect data from young users are required to post a privacy policy and have parents consent to it, to give parents the option to opt out of having their children's information shared with third parties, to let parents review their children's data, and to follow sound data storage and retention policies. The suit accuses Google of deliberately deceiving school districts and parents with regards to its data policies. A platform explicitly designed for use in elementary and middle schools, by schoolchildren, is by definition going to be associated with children under age 13.

"To drive adoption in more schools—and to alleviate legitimate concerns about its history of privacy abuses—Google has been making public statements and promises that are designed to convince parents, teachers, and school officials that Google takes student privacy seriously and that it only collects education-related data from students using its platform," the suit says, adding that Google also made public promises not to mine student data for commercial purposes.

Those promises, the suit alleges, were not kept. Instead, it says, "Google has used Google Education to spy on New Mexico children and their families" by collecting personal information for advertising purposes.

The types of data collected from and about children, according to the suit, include sensitive information such as geolocation, browsing history, search histories, viewing histories, contact lists, saved passwords, voice recordings, and "other behavioral information."

"Tracking student data without parental consent is not only illegal, it is dangerous, and my office will hold any company accountable who compromises the safety of New Mexican children," Balderas said in a statement announcing the suit.

Google said the state's claims are "factually wrong," adding that it allows schools to control access and requires the schools to seek parental consent. "We do not use personal information from users in primary and secondary schools to target ads," a company spokesperson said.






You all know how much of an idiot I am, and wish someone could explain this to me. I know schools buy the low cost Google products merely to save money, and it's either they (educators) don't know Google is collecting data (find that hard to believe), which is scary as they're educating children, or they simply don't care, which I think is the case.

Google's reply reminds me of Facebook using semantics each time they're caught in scandals.
"We do not use personal information from users in primary and secondary schools to target ads," - correct, Google sells the data to analytics firms, who resell it to other firms, who then target ads.
.

You are no idiot m'dear, but a sharp cookie. There I said it again. :)

And you are right, re the legalese double-speak of Google/Facebook, etc. on these matters!

As far as the schools go...it could be that the data collection 'permission' is buried in the 'terms of use' or 'software agreement' which are (I think) like Rubik's cubes, designed to obfuscate. Not an excuse of course, as they are responsible for young people's minds.
 
Apple paying up to $500 million to settle iPhone battery slowdown lawsuits

.
The myriad class action suits over Apple's battery-related OS update, which could cause a device with a depleted battery to perform tasks more slowly, may be coming to an end.


Apple's iPhone 7 lineup

Apple has agreed to pay up to $500 million to settle litigation accusing it of quietly slowing down older iPhones as it launched new models, to induce owners to buy replacement phones or batteries.

The preliminary proposed class-action settlement was disclosed on Friday night and requires approval by U.S. District Judge Edward Davila in San Jose, California.

It calls for Apple to pay consumers $25 per iPhone, which may be adjusted up or down depending on how many iPhones are eligible, with a minimum total payout of $310 million.

Apple denied wrongdoing and settled the nationwide case to avoid the burdens and costs of litigation, court papers show.

The Cupertino, California-based company did not immediately respond on Monday to requests for comment.

Friday's settlement covers U.S. owners of the iPhone 6, 6 Plus, 6s, 6s Plus, 7, 7 Plus or SE that ran the iOS 10.2.1 or later operating system. It also covers U.S. owners of the iPhone 7 and 7 Plus that ran iOS 11.2 or later before Dec. 21, 2017.

Consumers contended that their phones’ performance suffered after they installed Apple software updates. They said this misled them into believing their phones were near the end of their lifecycles, requiring replacements or new batteries.

Apple attributed the problems mainly to temperature changes, high usage and other issues, and said its engineers worked quickly and successfully to address them. Analysts sometimes refer to the slowing of iPhones as “throttling.”

Lawyers for the consumers described the settlement as “fair, reasonable, and adequate.”

They called payments of $25 per iPhone “considerable by any degree,” saying their damages expert considered $46 per iPhone the maximum possible.

The lawyers plan to seek up to $93 million, equal to 30% of $310 million, in legal fees, plus up to $1.5 million for expenses.

Following an initial outcry over slow iPhones, Apple apologized and lowered the price for replacement batteries to $29 from $79.
.
 