Lit Apple Mac, iPhone, iPad User Group

Zoom iOS update removes 'feature' that sent user data to Facebook

.
Video conferencing service Zoom on Friday issued an update for its iOS app, removing an SDK that sent users' data to Facebook without their express consent.



On Thursday, a report from Motherboard revealed Zoom's iOS app was sharing user analytics data with Facebook without noting the practice in its privacy policy.

Specifically, the app used Facebook's SDK to integrate "Login with Facebook," a feature that provides quick and easy sign-in capabilities. By including the SDK, however, Zoom automatically connected to and shared information with the Facebook Graph API, even if a user did not maintain a Facebook account.

The company also failed to adequately inform users of its data sharing practices.

After the revelation was made public, Zoom on Friday removed Facebook's SDK for "collecting unnecessary device data."

"The data collected by the Facebook SDK did not include any personal user information, but rather included data about users' devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space," Zoom said in a statement to Motherboard.

Zoom is "reconfiguring" the Facebook login feature to allow users to sign on with Facebook through a web browser. Users will need to download an updated version of Zoom's iOS app in order for the changes to take effect.

"We sincerely apologize for this oversight, and remain firmly committed to the protection of our users' data," Zoom said in its statement.






What a crock of crappola! This bunch of fucking liars.

When Zoom signed the agreement with Facebook, Zoom knew full well they were being compensated by Facebook integrating Facebook's SDK that it is sending users' info to Facebook. This is the only reason companies sign agreements with Facebook, Google, Twitter, Snapchat, and all of the other social media websites, loading trackers on their web pages: to share people's data.

The only oversight is that they were finally caught. Same as Facebook was caught, calling it "sharing user data" with Cambridge-Analytica, and they weren't selling it to them and they were caught trying to play semantics.
.
 
US officials, tech companies in talks to use location data to fight COVID-19

.
U.S. officials are currently in active talks with Google, Facebook, and other tech companies about the possibility of leveraging Americans' smartphone location data to help fight the coronavirus, a new report indicates.



Despite Apple's pro-privacy efforts, there still have been various ways for app makers, internet service providers and federal agencies to obtain iPhone location data. Now, tech firms and the U.S. government are hashing out whether that data can be used for public health purposes.

More specifically, the U.S. government is discussing the use of location data to track and map the spread of the outbreak with Google and Facebook, The Washington Post reported on Tuesday. For example, aggregated and anonymized location data could be used to help experts understand the patterns of people's movements and predict potential virus hotspots.

The idea was apparently proposed during a private meeting at the White House on Sunday, in which a task force of tech executives and investors presented a range of ideas about disease mapping and telemedicine.

Still, that idea may not sit well with Americans already cautious of the ways they're being tracked. But the Post's sources stressed that the data isn't going to be used to create a government database.

In the past, tech companies like Facebook have provided similar anonymized data to researchers in the form of statistics.

This week, a coalition of medical professionals, disease experts and tech executives penned an open letter urging technology companies to play their part in fighting COVID-19.

And the COVID-19 pandemic has already fostered unusually close cooperation between tech companies and government entities. Corporations are working together to clamp down on the spread of misinformation and President Trump on Friday touted a Google-developed website that could help guide users through the coronavirus testing process.

Privacy advocates caution that there's a balance between civil liberties and pandemic response. On Monday, The New York Times reported about the Israeli government tapping a secret database of cellphone data, originally intended for counterterrorism, to track people who had contracted COVID-19.
.
 
Smartphone location data used by US government to track coronavirus spread

.
The US government is allegedly attempting to track the coronavirus pandemic by taking advantage of geolocation data generated by online advertising shown on iPhones and other smartphones, intending to learn how the virus is spreading throughout the country.



On Wednesday, it was announced a collection of mobile carriers in Europe will share customer location data with the European Commission to monitor the spread of the coronavirus. On Saturday, a report surfaced suggesting a similar program is being carried out in the United States, but in a slightly different manner.

According to the Wall Street Journal, several government officials have acquired the location data for millions of smartphones and mobile devices across the country. Sources claim the federal government, Centers for Disease Control and Prevention, and state and local governments are receiving reports about the presence and movement of mobile phone users in specific areas of interest.

It is unclear if the effort is linked to a March 17 report about the US government discussing the use of location data sourced from Google and Facebook for similar efforts. In that instance, there was the suggestion of anonymized location data being handed over to map the spread of the outbreak, allowing experts to understand patterns of people's movements and to predict probable hotspots for viral activity.

Rather than being sourced from the carriers directly, as with the European program, the US version acquires its data from mobile advertising trackers. An area that Apple and privacy advocates have fought against, the tracking usually allows a marketer to determine where customers physically go to, which can allow for regionalized targeted advertising campaigns to run, as well as to monitor a campaign's effectiveness.

The data is said to be anonymized, meaning the location data will be able to show where someone travels, but not their identity. Such anonymous and aggregated data is useful in showing general trends, without revealing an individual's specific movements or motives.

It is suggested the project is aiming to collect data for as many as 500 US cities, including which retailers and public places are still being visited by large numbers of people, making them a breeding ground for virus transmission. Some researchers are already discovering areas like Brooklyn's Prospect Park that still draw crowds.

The same data may also be able to help assist in monitoring the economic impact of the pandemic, showing reduced retail visits and vehicle journeys, among other metrics.

The use of advertising-derived location tracking data has led some privacy advocates to suggest the industry was using the coronavirus to try and make the privacy infringement technology more acceptable to regular users.

Privacy researcher Wolfie Christl admits there are some advantages to using aggregated data in this way, "even if the data is being gathered secretly or illegally by companies," but warns there are still risks. "As true anonymization of location data is nearly impossible, strong legal safeguards are mandatory," Christl urges, due to the possibility of combining the data with other information to identify and track specific people.
.
 
Zoom macOS install 'shady,' plus video chats aren't end-to-end encrypted

.
Video conferencing service Zoom reportedly installs itself on Macs by working around Apple's regular security, and also promotes that it has end-to-end encryption, but demonstrably does not.



Increased usage of video conferencing app and service Zoom during the coronavirus outbreak is leading to more security issues being uncovered. As well as previously sending user data to Facebook, which it says it has fixed, it has now been accused of two separate security issues.

In one, it is reportedly working around Apple security to be installed, and in another it is purporting end-to-end encryption that it doesn't have.

Twitter user @c1truz_, technical lead for malware tracker VMRay, reports that Zoom's Mac app installer uses preinstallation scripts and allegedly displays a faked macOS system message.



Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M
— Felix (@c1truz_) March 30, 2020



"This is not strictly malicious, but very shady and definitely leaves a bitter aftertaste," continues @c1truz_, "The application is installed without the user giving his [or her] final consent and a highly misleading prompt is used to gain root privileges."

"[These are the] same tricks that are being used by macOS malware," he concludes.

Zoom has yet to comment regarding the allegation. Apple has not publicly commented either, but this accusation follows previous issues where Apple forced a macOS update on users in order to remedy a Zoom security problem.

Previously, another security workaround within the Zoom app meant that it was possible for websites to turn on users' cameras without permission. Initially, Zoom defended this as being a deliberate way to make video conferencing easier for users. It then backed down, and said it would remove the feature.

Before it did so, however, Apple intervened and used a forced silent update to macOS, the method by which it typically addresses malware.

Separately, The Intercept alleges that Zoom is claiming to have end-to-end encryption for its video conference calls, but does not.

Rather than truly end to end encryption, where the entire video chat can only be seen by the caller and his or her recipients, Zoom is reportedly doing what's called transport encryption. This makes the connection between the users and Zoom's servers encrypted, but doesn't prevent Zoom itself seeing the calls.

"In fact, Zoom is using its own definition of the term," The Intercept says, "one that lets Zoom itself access unencrypted video and audio from meetings."

A Zoom spokesperson confirmed this to The Intercept, responding that "currently, it is not possible to enable E2E encryption for Zoom video meetings."

"When we use the phrase 'End to End' in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point," the Zoom spokesperson continued.
.
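The installer behaviour reported in the post above (a preinstallation script that unpacks the app with a bundled 7zip, copies it to /Applications for admin-group users, and raises its own privilege prompt) can be reviewed statically before a package is run. The following is an added example, not code from the article, Zoom or the researcher; the function names, the grep patterns and the constructed sample package are assumptions.

```shell
#!/bin/sh
# Added example, not Zoom's or the researcher's code. Static review of the
# install scripts in a macOS flat package that has ALREADY been expanded:
#   pkgutil --expand Installer.pkg ./expanded    # unpacks only, runs nothing
# The grep patterns are assumptions modelled on the behaviour quoted in the
# post; a hit is a reason to read the script, not a verdict.

# Print one line per preinstall/postinstall script found under DIR:
#   "FLAG <path>: finding,finding"   or   "ok   <path>"
audit_pkg_scripts() (
    root=${1%/}
    [ -d "$root" ] || { echo "error: not a directory: $1" >&2; exit 2; }

    find "$root" -type f \( -name preinstall -o -name postinstall \) | sort |
    while IFS= read -r script; do
        findings=
        # Unpacks an archive itself instead of leaving it to the payload.
        if grep -Eq '(^|[^[:alnum:]_])(7z[a-z]*|unzip|tar|ditto)([^[:alnum:]_]|$)' "$script"; then
            findings="${findings}unpacks-archive,"
        fi
        # Names /Applications as a destination from inside a script.
        if grep -q '/Applications' "$script"; then
            findings="${findings}touches-/Applications,"
        fi
        # Branches on admin-group membership (install path needing no root).
        if grep -Eq 'id +-G|dseditgroup|dsmemberutil' "$script"; then
            findings="${findings}checks-admin-group,"
        fi
        # Raises its own privilege prompt instead of the Installer's.
        if grep -Eq 'osascript|with administrator privileges' "$script"; then
            findings="${findings}custom-privilege-prompt,"
        fi
        # Other executables shipped beside the script (e.g. an archiver).
        helpers=$(find "$(dirname "$script")" -type f -perm -100 \
            ! -name preinstall ! -name postinstall | wc -l | tr -d ' ')
        if [ "$helpers" -gt 0 ]; then
            findings="${findings}bundled-executables=$helpers,"
        fi

        rel=${script#"$root"/}
        if [ -n "$findings" ]; then
            printf 'FLAG %s: %s\n' "$rel" "${findings%,}"
        else
            printf 'ok   %s\n' "$rel"
        fi
    done
)

# Exit status 0 when at least one script was flagged.
pkg_needs_review() {
    audit_pkg_scripts "$1" | grep -q '^FLAG '
}

# Build a CONSTRUCTED expanded package under DIR for demonstration:
# one script that mirrors the reported pattern, one that does nothing.
make_sample_pkg() {
    mkdir -p "$1/app.pkg/Scripts" "$1/helper.pkg/Scripts"
    cat > "$1/app.pkg/Scripts/preinstall" <<'EOF'
#!/bin/sh
# constructed sample, not the real installer script
if id -Gn "$USER" | grep -qw admin; then
    ./7zz x -o"$TMPDIR/unpacked" ./payload.7z
    cp -R "$TMPDIR/unpacked/Example.app" /Applications/
fi
EOF
    printf '#!/bin/sh\nexit 0\n' > "$1/helper.pkg/Scripts/postinstall"
    : > "$1/app.pkg/Scripts/payload.7z"
    : > "$1/app.pkg/Scripts/7zz"
    chmod +x "$1/app.pkg/Scripts/preinstall" "$1/app.pkg/Scripts/7zz" \
        "$1/helper.pkg/Scripts/postinstall"
}

# Stand-alone use: audit the directory given as $1, else the constructed sample.
if [ "$#" -ge 1 ]; then
    audit_pkg_scripts "$1"
else
    demo=$(mktemp -d) && make_sample_pkg "$demo" && audit_pkg_scripts "$demo"
    rm -rf "$demo"
fi
```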
 
How to listen to Sirius XM free on your Mac or iPhone

.
SiriusXM is offering free access to its premium streaming service until May 15, giving users the ability to tune in to over 300 channels conveniently from their Mac or iPhone. Here's how to take advantage of the offer.







SiriusXM is a premium streaming radio service that features over 300 channels that offer news, information, entertainment, ad-free music, comedy, sports talk, politics, and more.

The company is now launching its "Stream Free" offering, which allows anyone to listen to the premium content for free until May 15, with no credit card or commitment required.

The announcement was made by Howard Stern, who has taken to broadcasting from his home during the COVID-19 pandemic.

"With so many people asked to stay at home, we are making our full streaming lineup of music, entertainment, news, and information easily accessible to everyone," said Jim Meyer, SiriusXM CEO. "In the days ahead, we hope it's a valuable source of information or diversion, a generous mix of fresh live content, and a source of companionship that comes from the hosts on our many shows and channels. And there was no better way to launch the Stream Free content than with Howard this morning."

The service is also launching #StayHome Radio, a feel-good, ad-free music channel on Channel 129. It will feature uplifting music from artists like Lizzo, Coldplay, and Bob Marley. They are also relaunching the Billy Joel Channel, Dave Matthews Band Radio, and a new channel for the "Top 1000."

If you'd like to take advantage of the no-commitment trial, here's how to get started on the Mac as well as iPad and iPhone.


How to listen to free SiriusXM radio on the Mac:





How to listen to free SiriusXM radio on the iPhone or iPad:


  • On your iPhone or iPad, head to SiriusXM.com/streamfree

  • Create an account following the on-screen prompts

  • Set your password by following the directions in SiriusXM's email sent to your account on file

  • Download and launch the SiriusXM App

  • Log in using your credentials



If you create a free account with SiriusXM via your iPhone, you can use that account to browse SiriusXM for free on your Mac as well.
.
 
Apple Card customers can defer their April payments interest-free

.
For as strange as this may sound, had two more posts for today, but two newer posts that are more important. Please be patient, will post the second when I can.



In an effort to ease any coronavirus-related burden on their customers, Apple and Goldman Sachs are allowing Apple Card cardholders the ability to defer their April payments without penalty.







With unemployment surging during the COVID-19 pandemic, many people are being forced to choose which payments to make and which they'll have to miss. Apple, along with their financial partner Goldman Sachs, aims to help offer Apple Card customers some relief.

Apple Card customers are now allowed to defer their April payments without incurring interest, which should give many customers some peace of mind.

In order to opt into the Customer Assistance Program, Apple Card users will need to reach out to a support representative via the Wallet app on their iPhone.

"We understand that the Covid-19 situation poses unique challenges for everyone and some customers may have difficulty making their monthly payments," read Apple's statement to customers. "If you previously enrolled in the Customer Assistance Program in March, you will need to enroll again."

Apple Card customers were allowed to defer payments in March as well. It is likely that Apple and Goldman Sachs will continue to allow deferments throughout the duration of the pandemic.

Launched on August 20, 2019, the Apple Card was designed by Apple and developed by Goldman Sachs. While it's primarily designed to work with Apple Pay, Apple provides each Apple Card customer with a physical, titanium card.






Sandy note -
From what I understand, this is not a scheme same as Bank of America's defer mortgage payments, when after three months would need to pay all suspended payments at once plus the fourth payment.
.
 
Two more macOS Zoom flaws surface, as lawsuit & government probe loom

.
As New York launches a probe and a class action lawsuit is levied against video conferencing app Zoom, a security researcher has discovered two vulnerabilities in its macOS client.




Zoom has become wildly popular in the midst of the COVID-19 pandemic, despite its questionable security and privacy reputation. And now, when more and more users are turning to the app for work meetings or chats with friends, hackers and governments are raising new concerns about the platform.



Security vulnerabilities


Patrick Wardle, a macOS security researcher and former hacker for the National Security Agency, has uncovered two new local security vulnerabilities in the latest version of the Mac Zoom client.

The first flaw relies on the "shady" way that Zoom installs itself on a Mac. By taking advantage of the installation process, which is done without user interaction, a user or piece of malware with low-level privileges can gain root access to a computer — the highest level of privilege.

The second flaw, which is arguably more concerning, allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" camera and microphone permissions, allowing them to hijack them without a user's knowledge.



While local exploits like these typically require physical access to a computer, they're usually much more common and difficult to prevent should the rest of the criteria that are needed be fulfilled.

This isn't Zoom's first security blunder, either. In 2019, a security researcher found a zero-day vulnerability in the app that could have allowed malicious websites to activate and view a Mac webcam without user knowledge.



Privacy concerns


Along with the security flaws, Zoom has also recently caught flak for its privacy practices. Earlier in March, Motherboard found that the Zoom for iOS app was sending off user data to Facebook, even if users didn't have a Facebook account.

While Zoom has since removed that "feature," New York has opened an investigation into the app and a class-action lawsuit has been lodged in California.

The class action, filed in the U.S. District Court for the Northern District of California, alleges that Zoom gave personal user information to third parties without being explicitly clear about the data-sharing practices, CBS News reported. New York Attorney General Letitia James has also launched a probe into Zoom's privacy policies.

In a separate development, Zoom may also be inadvertently leaking user email addresses and photos to complete strangers.

This appears to be happening, because Zoom treats all email addresses with "non-standard providers" (Gmail, Yahoo or Hotmail) as single companies. Users with those non-standard addresses are able to see the full names, profile pictures and statuses of other users with the same email provider. They're also able to start video chats with those users.

On Tuesday, The Intercept also alleged that Zoom was misleading customers by claiming that video calls were end-to-end encrypted. They aren't. Instead, Zoom is using transport encryption, which encrypts the connection but doesn't hide calls from Zoom itself.






Zoom Sued for Allegedly Illegally Disclosing Personal Data
https://www.bloomberg.com/news/articles/2020-03-31/zoom-sued-for-allegedly-illegally-disclosing-personal-data

New York Attorney General Looks Into Zoom’s Privacy Practices
https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html?partner=IFTTT
.
 
Zoom freezing development to fix security & privacy flaws

.
Popular video conferencing app Zoom has come under fire for numerous security flaws in the last few days, and has now issued a public apology plus a plan of action for resolving the issues.



The announcement came in a blog post released to Zoom's website on April 1 and attempts to mitigate some of the bad press the company has received over the last two weeks.

The blog post serves a few purposes. The first is to act as a repository to previously acknowledged issues, citing that the company has been working to fix security issues as they arise. The announcement also explains what the company has been working on, including an extensive section on Zoom's role in elementary and secondary classrooms.

The second purpose of the blog is to outline the company's plan of action for addressing ongoing issues. The Zoom team is giving themselves 90 days to fix existing problems.

In those 90 days, Zoom is enacting a feature freeze —no further development will happen on Zoom products until security issues have been resolved. They plan on bolstering their security features through a variety of means, including white-box penetration tests and expanding current bug-testing procedures.

Zoom will begin meeting with third-party experts, as well as Zoom users, to "understand and ensure the security of all of our new consumer use cases." They plan on preparing a transparency report to handle requests for data, records, and content. The company plans on hosting a weekly webinar to provide security updates to Zoom users.

"We are actively investigating and working to address these issues," a Zoom representative told AppleInsider in an email. "We are in the process of updating our installer to address one issue and will be updating our client to mitigate the microphone and camera issue."

The most recent flurry of complaints started when it was discovered that the company was sending user data to Facebook without their permission. Zoom notified Facebook when the iOS app was opened, what device a user was using, what carrier they're on, and what city and time zone they're connecting from. The data also included a unique advertiser tag, connected to a user's device, that companies use to target advertisements.

Zoom had publicly told news outlets that the information had been anonymized, but understood why users were upset. The company removed the app's ability to send data to Facebook in an update pushed out on March 27.

Shortly after, security experts found that Zoom was able to install itself on Macs by working around Apple's security features. It was concurrently discovered that the company had claimed the service offered end-to-end encryption but did not possess those features.

On April 1, it was discovered that a flaw in Zoom's software allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" camera and microphone permissions, allowing them to hijack them without a user's knowledge.

In 2019, a security researcher found a zero-day vulnerability in the app that could have allowed malicious websites to activate and view a Mac webcam without user knowledge.






What a crock of greedy corporate bastards bullshit!. There's no admitting all they've been caught doing that they are wrong. Or any apologies for anything. It's merely PR crap.


After reading their blog, will comment only on two parts:

blog:
On March 27th, we took action to remove the Facebook SDK in our iOS client and have reconfigured it to prevent it from collecting unnecessary device information from our users.
On March 29th, we updated our privacy policy to be more clear and transparent around what data we collect and how it is used – explicitly clarifying that we do not sell our users’ data, we have never sold user data in the past, and have no intention of selling users’ data going forward.

Sandy:
Then why were they sending users info to Facebook? If not being financially compensated then what were they getting for it? They weren't sending it out of the kindness and generosity.


blog:
Published a blog to clarify the facts around encryption on our platform – acknowledging and apologizing for the confusion.

Sandy:
There was no confusion. They intentionally misled users on encryption so they could collect more data.



Preparing another post from an interview the CEO gave this morning. I've nothing good to say about him, or the company he founded.
.
 
Apple Stores in US to remain closed until early May

.
Apple in a memo to employees on Thursday said it plans to keep all U.S. retail stores closed until early May as the COVID-19 pandemic continues to wreak havoc on the nation.



Addressing employees directly, Apple SVP of Retail and People Deirdre O'Brien said the company is monitoring local conditions at both office and retail facilities on a daily basis and will decide to reopen stores only after "thorough, thoughtful reviews and the latest guidance from local governments and public health experts," reports Bloomberg.

In the interim, employees will continue to adhere to work-from-home protocols, which for retail workers like Geniuses includes remote tech support options. Corporate employees, like those based out of Apple Park, are also working remote to prevent spreading the virus.

Apple is developing flexible work options to ensure parents "have the support and the flexibility to adjust their schedules as needed," the note reads. As noted by O'Brien, many parents have found themselves in a predicament as they balance work with caring for children who are home from school as the crisis plays out. Apple is encouraging all employees to express any potential conflicts with management, the report said.

The Cupertino-based tech giant shuttered all branded retail outlets outside of Greater China on March 14 in a bid to protect customers and team members from the fast-spreading coronavirus. Initial plans were to reopen Apple Stores on March 27.

More recently, O'Brien in a memo last month said a revised timeline would see some Apple Stores open in the first half of April, but that, too, proved overly optimistic for U.S. locations.
.
 
Good work Sandy - keep at it :rose:


Glad you enjoy it. Would think with all that's going on longer than the past three weeks there wouldn't be much to post. Instead even with multiple posts daily, things are stacking up.



Difficult finding PC or smartphone humor or memes that don't insult other devices or OS's.
I think this is funny. FoxTrot comic strip has an iFruit computer.





Remember first kernel panic I experienced, asked "WTF is this shit?"
.
 
Apple patches vulnerability where iPhone & MacBook cameras could be hijacked

.
An ethical "white-hat" hacker exploited Apple's own apps in December to show how a malicious website could gain unrestricted access to a user's camera and microphone without consent using flaws that have since been patched.







Former Amazon Web Services security engineer, Ryan Pickren, discovered seven zero-day vulnerabilities in Apple's Safari that could be used to hijack users' cameras. The vulnerabilities exploited the way Safari parsed Uniform Resource Identifiers, managed web origins, and initialized secure contexts.

The only requirement was that the user's camera would have had to trust a video conferencing site, like Zoom. If that criterion was met, a user could visit a site that utilized the attack chain, and a hacker could gain access to a user's camera —both on iOS and macOS.

Pickren had submitted his research to the Apple Bug Bounty program and was paid $75,000 for his contribution. Apple fixed three of the security flaws —the ones that allowed for camera hijacking —in the January 28 Safari 13.0.5 update. The four remaining flaws were not fixed until the Safari 13.1 release on March 24.

"A bug like this shows why users should never feel totally confident that their camera is secure," Pickren told Forbes, "regardless of operating system or manufacturer."

Pickren had discovered the bug by "finding assumptions in software and violating those assumptions to see what happens." He noted that the camera security model was difficult to crack, as Apple requires nearly every app to be granted explicit permission to the microphone and camera. This makes it far less likely that a malicious third-party app could gain access without a user's express permission.

The exception to the rule, however, is Apple's own apps, such as Safari. Pickren was able to exploit this exception to uncover the bugs. He managed to "hammer the browser with obscure corner cases" until he gained access to the camera.
.
 
Glad you enjoy it. Would think with all that's going on longer than the past three weeks there wouldn't be much to post. Instead even with multiple posts daily, things are stacking up.

Difficult finding PC or smartphone humor or memes that don't insult other devices or OS's.
I think this is funny. FoxTrot comic strip has an iFruit computer.



Remember first kernel panic I experienced, asked "WTF is this shit?"
.

Had to do a 'Search Google for' kernel panic -- the things you learn about in Lit (especially Sandy's thread:))
 
Fortunately in my experience, kernel panics in macOS are rare. Same as application or OS freezes and crashes. Nothing like they were in Classic Mac OS.



 
Apple acquires popular weather app Dark Sky

.
Dark Sky, a popular weather app for iOS, Android, and the web, has been purchased by Apple.





Screen captures from the existing iPhone version of Dark Sky



The announcement was made by Adam Grossman on Dark Sky's blog on Tuesday and reads,



Today we have some important and exciting news to share: Dark Sky has joined Apple.

Our goal has always been to provide the world with the best weather information possible, to help as many people as we can stay dry and safe, and to do so in a way that respects your privacy.

There is no better place to accomplish these goals than at Apple. We're thrilled to have the opportunity to reach far more people, with far more impact, than we ever could alone.



The post then goes on to discuss what will happen to the existing Dark Sky products. The iOS app will continue to be available for purchase in the App Store. The Android app, however, will shut down after July 1, 2020. Android subscribers who are still active will receive a refund.

The website will continue to host weather forecasts, maps, and embeds until July 1, 2020. Afterward, it will remain active for API and iOS App customers only.

The API is no longer accepting new signups, but will continue to function for existing customers until the end of 2021.

The terms of the deal are not yet known. However, this may mean some changes to the Weather app are finally coming in a future release, likely during the iOS 14 cycle this fall.

In January of this year, Apple had obtained edge-based artificial intelligence startup Xnor.ai for $200 million. The move suggested the machine learning tools developed by the company may appear natively on iPhones and iPads in the future, with processing on-device instead of in the cloud.
.
 
.
Zoom CEO Eric Yuan said the company saw a huge spike in users, up to 200 million people per day in March, from about 10 million in December.

He also apologized for some of the security lapses that have been reported this week and outlined what the company is doing to fix those problems.

Shares of Zoom cratered.








Zoom CEO Eric Yuan apologized on Thursday for security lapses that have been reported this week and outlined what the company is doing to fix those problems.

He also said the company saw a huge spike in users, up to 200 million people per day in March, from about 10 million in December.

Zoom closed at $121.93 per share, down 11% on the day. Shares of Zoom were down as much as 16% on Thursday morning.

“We recognize that we have fallen short of the community’s — and our own — privacy and security expectations,” Yuan said. “For that, I am deeply sorry, and I want to share what we are doing about it.”

Zoom has been criticized for “zoombombing” intrusions and for sharing data with Facebook, abusing permissions on Mac, not properly describing how it encrypts data and having a vulnerability that allegedly exposes Windows login credentials to hackers.

Yuan said the product was designed for enterprises that run huge “security reviews” of its app. He said it wasn’t designed “with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying and socializing from home.”

To fix some of these issues, Yuan said Zoom will commit to working on privacy for the next 90 days and will freeze work on all other features. It will include a bug bounty program, which pays people who discover and report security flaws, and a review of the platform with third-party experts. Yuan also said he’ll host a weekly webinar on Wednesdays at 7 a.m. ET to discuss the company’s progress.

Yuan founded Zoom in 2011, and it began trading on the Nasdaq on April 18, 2019, at $36 a share. It reached a 52-week high of $164.90 on March 23. On Thursday, it was trading below $127.





Sandy comments
"“We recognize that we have fallen short of the community’s — and our own — privacy and security expectations,” Yuan said. “For that, I am deeply sorry, " - only because each day you were being caught with another thing.


"Yuan said the product was designed for enterprises that run huge “security reviews” of its app. He said it wasn’t designed “with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying and socializing from home.” " -he's saying designed to spy on and harvest enterprise clients, and not be used by consumers. And has nothing to do with consumers using it "in a matter of weeks". This bullshit smells to high heaven.



Here's an interesting article about Zoom executives selling their stock, coincidentally(?), when the shit was hitting the fan

Zoom Video Stock Has Surged, and Insiders Sold a Slew of It
March 25, 2020 7:00 am ET
https://www.barrons.com/articles/zoom-video-stock-is-surging-insiders-sold-a-slew-of-stock-51585072076

I want to disclose that after Zoom's IPO I looked into buying stock, but decided not to when I learned of their Class B stock voting structure, as I do with any other company that does the same thing. And also Yuan's stock options.
From the Barron's article:
Yuan’s personal account continues to own 25.4 million class B supervoting shares, with options to buy 500,000 supervoting shares for as little as $3.77 each. He also owns 20 million more supervoting shares through trusts that he shares control over. Class B shares carry 10 votes each, while Zoom’s publicly traded shares carry one vote each.


I don't trust him or the company, as he knew the products and services were designed this way intentionally, not with what he's calling bugs or flaws. He's merely attempting to save face and making up poor excuses using language to protect the company.
.
 
NYC schools pull the plug on Zoom following FBI warning

.
There's so much going on I'm wishing the bad news slows down. Would be nice to post an iPad article Monday.
.

You know as soon as I said it what would happen. Three new higher priority things popped up: Zoom (again), Facebook, and Apple's Covid-19 app inquiries.






Despite efforts to ramp up security measures, video conferencing software provider Zoom is finding itself banned from education departments and major corporations like SpaceX.







New York City's Department of Education has banned teachers from using the popular video conferencing tool, Zoom, to teach students remotely during the COVID-19 outbreak. Originally, teachers preferred using the platform as its minimal setup and simple design means both teachers and students have fewer issues using it compared to other conferencing platforms.

However, with the rise in "zoombombing" incidents, educators are beginning to worry for the safety of teachers and students alike.

"Zoombombing" occurs when a bad actor takes control of a Zoom conference call. Many times, the hijacker will remain silent and merely observe the calls. Other times, they use it as a platform to harass viewers, posting shocking images and using hate speech. Incidents were reported to have happened in online classes, corporate gatherings, and even a virtual Alcoholics Anonymous meeting.

The FBI issued multiple public warnings about the Zoombombing. It ultimately made a public statement on their website, about using the software.



#FBI warns of Teleconferencing and Online Classroom Hijacking during #COVID19 pandemic. Find out how to report and protect against teleconference hijacking threats here: https:/*******jmMxyZZqMv pic.twitter.com/Y3h9bVZG30
— FBI Boston (@FBIBoston) March 30, 2020



Schools aren't the only ones banning Zoom, either. On March 28, Elon Musk's SpaceX banned the program, instructing employees to use email, text, or phone calls as alternative methods for communication. Additionally, the Australian Ministry of Defense has also banned any use of the software.

Zoom announced on April 2 that they would be entering a 90-day development freeze as it sought to address privacy concerns. They plan on bolstering their security features through a variety of means, including white-box penetration tests and expanding current bug-testing procedures.

Zoom will begin meeting with third-party experts, as well as Zoom users, to "understand and ensure the security of all of our new consumer use cases." The company plans on preparing a transparency report to handle requests for data, records, and content. The company will also host a weekly webinar to provide security updates to Zoom users.

The most recent flurry of complaints started when it was discovered that the company was sending user data to Facebook without their permission. Zoom notified Facebook when the iOS app was opened, what device a user was using, what carrier they're on, and what city and time zone they're connecting from. The data also included a unique advertiser tag, connected to a user's device, that companies use to target advertisements.

Zoom had publicly told news outlets that the information had been anonymized, but understood why users were upset. The company removed the app's ability to send data to Facebook in an update pushed out on March 27.

Shortly after, security experts found that Zoom was able to install itself on Macs by working around Apple's security features. It was concurrently discovered that the company had claimed the service offered end-to-end encryption but did not possess those features.

On April 1, it was discovered that a flaw in Zoom's software allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" camera and microphone permissions, allowing them to hijack them without a user's knowledge.





Sandy note -

I find this hysterical. Used to hearing federal government agencies talking about North Korea, Russia, China et cetera sponsored hacks and so on, but now they're warning about an American company

.
 
The data is said to be anonymized, meaning the location data will be able to show where someone travels, but not their identity. Such anonymous and aggregated data is useful in showing general trends, without revealing an individual's specific movements or motives.

...

Privacy researcher Wolfie Christl admits there are some advantages to using aggregated data in this way, "even if the data is being gathered secretly or illegally by companies," but warns there are still risks. "As true anonymization of location data is nearly impossible, strong legal safeguards are mandatory," Christl urges, due to the possibility of combining the data with other information to identify and track specific people.

I've seen a little bit about this before.

The data is "anonymous" in the sense that no names are attached. But if you know that a particular phone is usually found at 22 Acacia Avenue between 7 pm and 8 am, then is at Fancy Flowers 9-5 every weekday, it doesn't take Sherlock Holmes to figure out who might own that phone.

People who don't want this kind of data about them available need to look closely at what apps they give permission to access location data. If there's no obvious reason why it needs that data, don't allow it. If it does have a legitimate reason for using it, check the privacy policy.
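
The home/work inference described in the comment above, turned into a check a data custodian could run before releasing "anonymized" location data. This is an added example, not part of the original post; the device ids, cell names, district map and `k_min` threshold are constructed for illustration, and the time windows are the 7 pm to 8 am and weekday 9-5 hours from the comment.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample pings: (pseudonymous device id, local time, location cell).
# No names are attached, which is all "anonymized" means in the comment above.
PINGS = [
    ("dev-a", "2020-04-06T07:15", "acacia-ave-22"),
    ("dev-a", "2020-04-06T10:30", "fancy-flowers"),
    ("dev-a", "2020-04-06T13:00", "corner-cafe"),
    ("dev-a", "2020-04-06T15:45", "fancy-flowers"),
    ("dev-a", "2020-04-06T21:40", "acacia-ave-22"),
    ("dev-b", "2020-04-06T06:50", "acacia-ave-22"),
    ("dev-b", "2020-04-06T11:00", "city-hospital"),
    ("dev-c", "2020-04-06T23:05", "block-14"),
    ("dev-c", "2020-04-07T09:20", "city-hospital"),
    ("dev-d", "2020-04-06T20:30", "block-14"),
    ("dev-d", "2020-04-07T14:10", "city-hospital"),
]

# Constructed generalisation map: street-level cells -> city districts.
DISTRICTS = {
    "acacia-ave-22": "north", "block-14": "north",
    "fancy-flowers": "centre", "city-hospital": "centre", "corner-cafe": "centre",
}


def time_bucket(ts):
    """Return 'home' for 7 pm-8 am, 'work' for weekdays 9-5, else None."""
    t = datetime.fromisoformat(ts)
    if t.hour >= 19 or t.hour < 8:
        return "home"
    if t.weekday() < 5 and 9 <= t.hour < 17:
        return "work"
    return None


def home_work_pairs(pings, coarsen=None):
    """Most frequent night-time and work-hours cell per device.

    Devices lacking either a night or a work-hours ping are left out.
    """
    seen = defaultdict(lambda: {"home": Counter(), "work": Counter()})
    for dev, ts, cell in pings:
        bucket = time_bucket(ts)
        if bucket:
            if coarsen:
                cell = coarsen.get(cell, cell)
            seen[dev][bucket][cell] += 1
    return {
        dev: (c["home"].most_common(1)[0][0], c["work"].most_common(1)[0][0])
        for dev, c in seen.items()
        if c["home"] and c["work"]
    }


def anonymity_set_sizes(pairs):
    """How many devices share each device's (home, work) pair."""
    counts = Counter(pairs.values())
    return {dev: counts[pair] for dev, pair in pairs.items()}


def release_blockers(pings, k_min=2, coarsen=None):
    """Devices whose (home, work) pair is shared by fewer than k_min devices."""
    sizes = anonymity_set_sizes(home_work_pairs(pings, coarsen))
    return sorted(dev for dev, k in sizes.items() if k < k_min)


if __name__ == "__main__":
    print("street-level cells:", release_blockers(PINGS))
    print("district-level cells:", release_blockers(PINGS, coarsen=DISTRICTS))
```

Passing this check covers only the home/work pair; other regular stops in a trace can still single a device out.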
 
Privacy policies are written for lawyers. Speaking with some and they don't understand them. You don't know who is collecting, what's being collected or what's being done with it. Also they're there only to protect the company, nothing for the consumer.
.
 
Facebook tried to buy NSO Group's iOS spyware to monitor iPhone users

.
NSO Group, the team behind the 2019 WhatsApp spyware attack, says Facebook proposed buying "Pegasus" software to better keep tabs on iOS users' activity.





Now this guy is a fucking slime ball



Notoriously controversial NSO Group have released court documents that show Facebook had attempted to purchase a powerful piece of spyware known as Pegasus. Using Pegasus, after a user clicked a seemingly innocuous link received through a message, the target device would be jailbroken, and malware would be loaded to monitor and steal data. The data is exported, giving users — or Facebook in this case — access to sensitive user data.

Data harvested includes all messages and photos, login information, plus data concerning the entire history of the phone's location.

Allegedly, NSO only sells its products to a "sovereign government or government agency." But, according to a declaration from NSO CEO Shalev Hulio, two Facebook representatives approached NSO in October 2017 and asked to purchase the right to use specific capabilities of Pegasus, reports Vice.

Facebook was interested in buying Pegasus as they were concerned that their own data-gathering software seemed less effective on Apple devices. Facebook's software that was going to get the functionality, Onavo Protect, was billed as a piece of VPN software. Onavo was used primarily to gather information about what other apps Facebook users were using on their mobile devices.

"The Facebook representatives stated that Facebook was concerned that its method for gathering user data through Onavo Protect was less effective on Apple devices than on Android devices," the court filing reads. "The Facebook representatives also stated that Facebook wanted to use purported capabilities of Pegasus to monitor users on Apple devices and were willing to pay for the ability to monitor Onavo Protect users."

Facebook had allegedly proposed to pay NSO a monthly fee for each Onavo Protect user. However, NSO maintains that they refused the sale on the grounds that Facebook is a private entity.

Onavo Protect was eventually forced off the App Store in 2019 when Apple found the app in violation of newly implemented privacy policies. Specifically, the software ran afoul of data collection restrictions and parts of the iPhone maker's developer agreement covering customer data usage.

"NSO is trying to distract from the facts Facebook and WhatsApp filed in court nearly six months ago. Their attempt to avoid responsibility includes inaccurate representations about both their spyware and a discussion with people who work at Facebook," a Facebook spokesperson told AppleInsider. "Our lawsuit describes how NSO is responsible for attacking over 100 human rights activists and journalists around the world. NSO CEO Shalev Hulio has admitted his company can attack devices without a user knowing and he can see who has been targeted with Pegasus. We look forward to proving our case against NSO in court and seeking accountability for their actions."

Apple said Onavo Protect used data for purposes not directly related to app functionality or for serving up advertising to users.

Facebook is currently suing NSO for exploiting a VoIP-related vulnerability in WhatsApp that allowed Pegasus to install spyware on both iOS and Android handsets remotely.

In July, NSO made the news circuit for telling its government customers that its Pegasus malware could extract far more data about any given individual. As well as data on the person's smartphone, the claim is that the group can covertly retrieve all of the information that a person has stored on servers owned by Apple, Google, Microsoft, Facebook, and Amazon.






WhatsApp hacked and attackers installed NSO Group spyware on people's phones
05-14-2019, 01:50 PM #175
.
 
This trick helps Mac users know when an Amazon Fresh delivery time slot opens up

.
A student created a computer program that tells you when an Amazon Fresh or Whole Foods delivery slot opens up



With most of the U.S. locked down at home and many people afraid to risk their health with a visit to the grocery store, it’s become almost impossible to find a delivery window for groceries. Services such as Amazon Fresh, Whole Foods delivery, Instacart and others usually let you choose a window for delivery. But with demand so high, the slots are almost impossible to find.

That’s a problem for people who are afraid to go out to grocery stores.

So Adrian Hertel, a computer science minor at Georgetown University, created a simple computer program that automatically notifies you when an Amazon Fresh or Whole Foods delivery slot opens up, letting you place your order. It works on Macs in the Safari web browser. Hertel said he built it because he was worried about his parents, both of whom have immune deficiencies.

“They hadn’t been able to get grocery slots for days,” Hertel said. “I wanted to create a solution so they wouldn’t expose themselves.”

Hertel said the program — a simple set of commands known as a “script” — doesn’t collect any information from users, and everything it does is visible for anyone to read through.

Hertel said he’s received a lot of positive feedback from people he’s helped. “I’ve had lots of stories about people who want to share it with nurses or people with immune deficiencies.”

He said his Github page has had more than 15,600 unique visitors since he launched the script on March 26 and that he can barely keep up with all of the messages he’s received, most of them positive. “It grew way more than I expected,” he said.

“I know there could be people who have a bone to pick about skipping the line,” he said. “But, I was like, I want to practice my skills and collaborate on Github.” Hertel said some folks have helped him fix some bugs and add features since it launched.

Here’s how to set it up.







The program relies on your being ready to pay.

So, you’ll need to open Safari on your Mac and go to Amazon and fill up your Amazon Fresh or Whole Foods cart first. Get everything you need in it. Then move to the final screen, where you’d normally schedule a delivery time. You (probably) won’t see any available. Leave your web browser on this screen and proceed.



Download the script



Run this script from the folder you download.



A script is not an app. It’s code that runs in the background and automatically refreshes the Safari web browser for you.

  • Visit Github where the script was published.

  • Select the green “Clone or download” button.

  • Choose “Download ZIP.”

  • Open the ZIP file once it’s finished (it’ll only take a few seconds).

  • Now leave that folder open, we’ll come back to it in a second.


Change some settings in the Safari web browser on your Mac



Change some settings in Safari first.



Next, you need to change some settings in the Safari web browser for the script to run properly.

  • Open Safari on your Mac.

  • Tap command and comma on your keyboard at the same time, this opens Safari Preferences.

  • Choose “Advanced” on the page that pops up.

  • Go to the bottom and click “Show develop menu in menu bar.”

  • Go back to your Safari window.

  • Click “Develop” on the top of the screen.

  • Choose the option that says “Allow ********** from Apple Events” so that it’s enabled.



Make sure your Mac doesn’t go to sleep



Change your Mac power settings.



Since the script requires your Mac to be awake, make sure it’s plugged in and set not to go to sleep. To do this:

  • Tap the Apple icon on the top left of the screen.

  • Choose “System Preferences.”

  • Select “Energy Saver.”

  • Click “Power Adapter”

  • Make sure the option to turn display off is set to “never.”

  • Do the same under the “Battery” menu if you want to run this script on a battery, but you should leave your computer plugged in.

  • Bonus tip: Turn up your Mac volume. We’re going to set up text message alerts, but if you’re near your Mac you’ll also hear an alert when a time slot becomes available.



Run the script






  • Open the folder of files you downloaded.

  • Open “delivery-window-finder.scpt.”

  • Hit the play button at the top of the screen.

  • Tap “Continue.”

  • Choose whether you’d like the script to keep looking for slots if it finds items in your cart have gone out of stock, or whether you want it to proceed anyway. (If you desperately need toilet paper and don’t want the order if it runs out of stock, choose “B. wait for me to review.” Otherwise, choose “A. Keep looking for slots.”)

  • Click “Done” on the screen that tells you to set up Safari properly, since we did that in the last section.

  • Select “Yes” if you want to enter in a phone number for a text message alert, otherwise just rely on your computer’s speakers to tell you when a slot is available.

  • Choose whether you’re checking out with Whole Foods via Amazon.com or Amazon Fresh.

  • Click “Continue.”


A window will open and will minimize itself. This is the script running. It’ll constantly refresh your checkout page until a time slot opens up.



Wait







Now it’s time to wait. The script doesn’t promise it’ll find anything. Sometimes slots disappear so quickly it won’t even catch them. Here, I was able to get offered a time slot, but when I clicked on it and tried to check out, it vanished.







Hertel said sometimes you’ll get a “phantom alert” that shows a delivery slot open up and vanish almost immediately. He also said he’s sometimes had to wait 72 hours for an opening, but that some folks have found delivery slots within just a few minutes.

There’s also the chance Amazon could block or try to thwart it at some point, but Hertel purposefully designed the app not to flood Amazon’s servers, refreshing the page every 40 seconds instead of more constantly.

“It would be easy for Amazon to block it if they see someone logged in and refreshing constantly for hours on end, they could say it looks fishy. I purposefully made a delay so it wouldn’t be overwhelming and spamming servers.”

So far, Hertel said he’s had luck at 12:03 a.m. in New Jersey, so your luck may depend entirely on where you live.
.
 
U.S. Senate, Google ban Zoom days after its launch of 'security council'

.
Following two weeks of escalating privacy and security concerns about video conferencing platform Zoom, the U.S. Senate and Google have both banned its members and employees from using the software.



Zoom has become a popular platform due to widespread coronavirus work-from-home policies, but it's been beset by multiple security and privacy blunders since its boom in usage.

Because of those concerns, various government entities, private corporations and public organizations have banned its members from using the app — including both Google and at least one chamber of the U.S. Congress.

It was reported that the Senate sergeant-at-arms has warned senators against using the service. On Wednesday, Google also issued a ban on Zoom for employees, according to BuzzFeed News.

Both bans come just a few days after schools in New York City's Department of Education barred teachers from using the app to teach students remotely. The FBI warned Americans last month of a practice called "Zoombombing," which entails hijacking of video conferences by uninvited guests.

Zoom said in a statement that it is now "working around-the-clock to ensure that universities, schools, and other businesses around the world can stay connected and operational during this pandemic."

As part of its attempts to regain user trust, the platform has recently created a new security advisory council headed by former Facebook chief security officer Alex Stamos.

In March, a Motherboard investigation found that Zoom for iOS app was sending data to Facebook analytics without explicitly outlining the practice — and even if a user didn't have an account. Zoom eventually removed that "feature."

The conferencing app has also had trouble with a "shady" malware-like installation process, misleading claims about end-to-end encryption, and several local security vulnerabilities.

In the wake of those discoveries, the video conferencing app has paused development to focus on patching its security and privacy issues.

As a result of Zoom's flaws, a class-action lawsuit has been levied against Zoom in California for its handling of user data. The state of New York has also launched a probe into the company's privacy and security policies.





Let's clarify a few things

These haven't been "multiple security and privacy blunders", the company intentionally designed its products without security and privacy for customers, but instead giving it access to what it wanted.

Google banning Zoom is the pot calling the kettle black. Google, along with Facebook, are by far the biggest intruders and invaders of people's privacy on the web.

"created a new security advisory council headed by former Facebook chief security officer" - yeah, new head of security is from one of the two biggest firms that steal people's info.

Zoom for iOS app was sending data to Facebook analytics — and even if a user didn't have an account. - And don't forget, the CEO said that Zoom wasn't selling that data. Guess they were just giving it away and getting absolutely nothing for all of that data longer than the recent two and a half years.
.
 
Apple Maps COVID-19 update refocuses local searches on hospitals, food deliveries

.
Apple has altered how Apple Maps shows nearby searches during the ongoing coronavirus pandemic, with the app now focusing on providing quicker access to food deliveries, pharmacies, and grocery locations close to the user.





The old list (left), the updated list (right)



Users of Apple Maps are likely to be familiar with how the app provides a list of often-requested services and businesses in its search results, allowing for general searches for commonly needed locations. In a bid to make things easier for people to acquire supplies and medical attention during the coronavirus pandemic, Apple has updated the app to show a different list.

Discovered by iPhone-Ticker.de, tapping the search box will bring up the list of categories to "search nearby." The list typically includes restaurants, fast food, rapid transit, cafes, and supermarkets, among other frequently-needed items, but on Tuesday the list has changed.

Tapping the search box now prioritizes default searches for pharmacies, hospitals, and urgent care near the top of the list. In some cases, the app will also show food delivery services as higher on the list than restaurants.

The change is subtle but highly useful for people who may be affected by official orders to stay at home and not to go outside, as well as to conduct social distancing. In many areas affected by the rules, food deliveries are preferred over restaurants, with the latter likely to be delivery-only or shut down entirely.

The change is slowly rolling out to users around the world. Not everyone is seeing the altered list at this time.
.
 