Lit Apple Mac, iPhone, iPad User Group

“Expert” hackers used 11 0-days to infect Windows, iOS, and Android users

MASTER HACKERS —

The breadth and abundance of exploits for unknown vulnerabilities sets group apart.


A team of advanced hackers exploited no fewer than 11 zero-day vulnerabilities in a nine-month campaign that used compromised websites to infect fully patched devices running Windows, iOS, and Android, a Google researcher said.

Using novel exploitation and obfuscation techniques, a mastery of a wide range of vulnerability types, and a complex delivery infrastructure, the group exploited four zero-days in February 2020. The hackers’ ability to chain together multiple exploits that compromised fully patched Windows and Android devices led members of Google’s Project Zero and Threat Analysis Group to call the group “highly sophisticated.”

Not over yet

On Thursday, Project Zero researcher Maddie Stone said that, in the eight months that followed the February attacks, the same group exploited seven more previously unknown vulnerabilities, which this time also resided in iOS. As was the case in February, the hackers delivered the exploits through watering-hole attacks, which compromise websites frequented by targets of interest and add code that installs malware on visitors’ devices.

In all the attacks, the watering-hole sites redirected visitors to a sprawling infrastructure that served different exploits depending on the device and browser each visitor was using. Whereas the two servers used in February exploited only Windows and Android devices, the later attacks also exploited devices running iOS. A diagram of the device flow accompanied the post.

The ability to pierce advanced defenses built into well-fortified OSes and apps that were fully patched—for example, Chrome running on Windows 10 and Safari running on iOS—was one testament to the group’s skill. Another testament was the group’s abundance of zero-days. After Google patched a code-execution vulnerability the attackers had been exploiting in the Chrome renderer in February, the hackers quickly added a new code-execution exploit for the Chrome V8 engine.

In a blog post published Thursday, Stone wrote:

The vulnerabilities cover a fairly broad spectrum of issues—from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero. The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out.

In all, Google researchers gathered:

  • One full chain targeting fully patched Windows 10 using Google Chrome
  • Two partial chains targeting two different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser, and
  • RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13

The seven zero-days were:

  • CVE-2020-15999 - Chrome Freetype heap buffer overflow
  • CVE-2020-17087 - Windows heap buffer overflow in cng.sys
  • CVE-2020-16009 - Chrome type confusion in TurboFan map deprecation
  • CVE-2020-16010 - Chrome for Android heap buffer overflow
  • CVE-2020-27930 - Safari arbitrary stack read/write via Type 1 fonts
  • CVE-2020-27950 - iOS XNU kernel memory disclosure in mach message trailers
  • CVE-2020-27932 - iOS kernel type confusion with turnstiles

Piercing defenses

A complex chain of exploits is required to break through the layers of defenses built into modern OSes and apps. Typically, a series of exploits is needed to execute code on a targeted device, have that code break out of the browser’s security sandbox, and then elevate privileges so the code can access sensitive parts of the OS.

Thursday’s post offered no details on the group responsible for the attacks. It would be especially interesting to know if the hackers are part of a group that’s already known to researchers or if it’s a previously unseen team. Also useful would be information about the people who were targeted.

The importance of keeping apps and OSes up to date and avoiding suspicious websites still stands. Unfortunately, neither of those things would have helped the victims hacked by this unknown group.
 
Angry MacBook owners get class action status for butterfly keyboard suit

The suit says Apple knew its thinner keyboard was rotten



A judge has certified a class action suit against Apple for its fragile butterfly keyboard design. The suit covers anyone who purchased an Apple MacBook with a butterfly keyboard in seven states: California, New York, Florida, Illinois, New Jersey, Washington, and Michigan. That includes people who bought a MacBook model dating between 2015 and 2017, a MacBook Pro model between 2016 and 2019, or a MacBook Air between 2018 and 2019.

Judge Edward Davila certified the case with seven subclasses on March 8th in California, but the order remained sealed until late last week. It raises the stakes for a suit that was first filed in 2018, three years after Apple added the controversial butterfly switches to its laptops.

The butterfly keyboard was slimmer than Apple’s previous design, which used industry-standard scissor switches. But many disgruntled MacBook users found that Apple’s revamped keyboard failed when even tiny particles of dust accumulated around the switches. That resulted in keys that felt “sticky,” failed to register keypresses, or registered multiple presses with a single hit. Apple tweaked its butterfly keyboard multiple times, but after continued complaints, it abandoned the switches in 2020.

This suit claims Apple knew for years that its butterfly switches were defective — and that its incremental changes weren’t fixing the core problem. It cites internal communications inside Apple, including an executive who wrote that “no matter how much lipstick you try to put on this pig [referring to the butterfly keyboard] . . . it’s still ugly.”

The plaintiffs accuse Apple of violating several laws across the seven states mentioned above, including California’s Unfair Competition Law, the Florida Deceptive and Unfair Trade Practices Act, and the Michigan Consumer Protection Act. They aren’t asking for a nationwide certification at this time, but the law firm behind the suit has invited any US buyer of an affected MacBook to complete a survey.

Apple argued against class action certification, saying one consolidated suit shouldn’t cover multiple tweaks to the butterfly keyboard. But the plaintiffs successfully argued that all butterfly keyboards may have the same fundamental problems due to their shallow design and narrow gaps between keys. “None of the design differences that Apple points to changed the tight spaces between the keys, nor the low-travel aspect of the design,” the order reads. Apple will have to argue later that these basic features didn’t actually make the design unreliable — and that it didn’t spend years knowingly making defective keyboards.
 
The FCC no longer trusts ISPs: It wants you to describe your broadband service

You can now tell the FCC just how broken the internet is for you

The FCC is turning to average citizens to learn the state of internet service in the US



It’s not at all controversial to say that internet service sucks in the United States. As part of its plan to update coverage maps in the US, the Federal Communications Commission (FCC), in a break from tradition, is finally asking average Americans to report which internet services are actually available where they live.

In the past, the FCC has made these coverage maps with self-reported data from the ISPs themselves, an inherently compromising decision because internet service providers will naturally want to paint the rosiest picture possible. Since the FCC uses these maps as evidence for proposed regulation, it can seriously hinder the FCC’s ability to make sure there’s actual competition in the market and that the internet is being responsibly distributed. For instance, a map might show that you have 11 broadband providers when you actually only have one or two real options.


Take note. We're going straight to consumers. https://t.co/bZzsFo46ap

— Jessica Rosenworcel (@JRosenworcel) March 22, 2021


Now, the FCC will finally go to the people actually using the internet to learn what’s up, though you may need to communicate clearly to be heard. The form the FCC is using for your responses is decidedly rudimentary; it looks like a general complaint form, and doesn’t ask any specific questions about broadband at all (the only reference is in the header). But the FCC says it’s a stopgap on the path to a more detailed and specific reporting tool. For now, perhaps you can take a look at the FCC’s current crappy maps at your address, and tell the FCC whether you actually have the kinds of choices that the ISPs claim you have.

Hopefully, once the Broadband Data Task Force finishes collecting these new data points, we’ll have more accurate maps that show the worrying reality of American internet, and be able to do something about it.
 
It’s not just you, sharing shortcuts via iCloud is completely broken right now

If you’re facing problems when sharing automations via the Shortcuts app, or when trying to access shortcuts shared with you, you’re not alone. A bizarre issue has surfaced that causes the Shortcuts app to throw an error message when trying to open a shared shortcut.

This problem has been noted by a variety of prominent shortcuts users and creators, including Federico Viticci of MacStories and Matthew Cassinelli. For example, in the case of Viticci, the entire MacStories Shortcuts Archive is broken because of this issue.

iCloud shortcut sharing is designed to make it easy for creators to share shortcuts with readers and followers. You can create an iCloud sharing link in the Shortcuts app, and share that link with other users so they can add it to their Shortcuts library.

Unfortunately, this is the process that is completely broken for some reason. When a user goes to add a shortcut that has been shared via iCloud, they’re presented with an error message that reads: “Shortcut Not Found. The shortcut link may be invalid, or it may have been deleted.”

Shortcuts that have already been saved to the Shortcuts app are still functioning, with this problem affecting adding new automations to your Shortcuts app. This problem has also been widely reported on Reddit by Shortcuts users there as well.

Additionally, if you create a new link in the Shortcuts app today, it works properly, but existing links that are already available on the web are what’s completely broken.

YouTuber Chris Lawley is optimistic this is something Apple can fix:

Putting back on my enterprise IT hat for a hot minute. It looks like the Shortcuts gallery is also broken. So I’m guessing this was a bug. So they should be able to restore the database from a backup. Here’s hoping this is a bug and they can fix it!

It’s unclear exactly what’s happening here, but the issue is clearly on Apple’s side because it’s affecting iCloud shortcut links of all types, made by all different creators. Ideally, this is something that Apple can quickly fix on the backend, but the company has not yet commented.

 
Apple says it is working to fix Shortcuts bug that broke sharing links

Yesterday, a bunch of people noticed that iCloud sharing links to their shortcuts were no longer working, instead reporting a ‘Shortcut Not Found’ error message. For people who have built up online archives of hundreds of shortcuts, this was pretty concerning.

Apple was not immediately responsive to the community and the issue persisted through all of yesterday with no official comment on the matter, leaving a few people to worry that the links would be broken indefinitely.

Late last night however, Apple gave a statement to Federico Viticci at MacStories to confirm they are working on a fix.

“We are aware of an issue where previously shared shortcuts are currently unavailable. Newly shared shortcuts are available, and we are working to restore previously shared shortcuts as quickly as possible.”

The statement does not offer a timeframe as to when shared shortcuts will once again be ‘available’ but at least it allays concerns that the old Shortcuts links would never work again. In the meantime, users can create a fresh new iCloud Sharing Link if they want, which does work.

Last week, the Shortcuts Gallery went down for a day or so and it seems that when that was restored, it coincided with the breakage of Shortcuts sharing links. Although Apple will never be drawn on the specifics, it does suggest that the company changed something on the backend recently and this has caused some unintended consequences.
 
Apple Fixes iCloud Links for Sharing Shortcuts

There was a major issue with Shortcuts earlier this week that caused all Shortcut links shared through iCloud to stop working properly. Apple has now fixed the problem, and links to Shortcuts on the web should be largely functional again.

The Shortcut issue affected links to shared shortcuts that were created prior to the last couple of weeks. When attempting to download a Shortcut from one of these links, there was an error about the shortcut link being invalid.

This impacted many websites that share various Shortcuts, such as MacStories, which houses a repository of useful shortcuts created by Federico Viticci. Last night, Apple told Viticci it was working on a fix to restore the broken shortcuts.

We are aware of an issue where previously shared shortcuts are currently unavailable. Newly shared shortcuts are available, and we are working to restore previously shared shortcuts as quickly as possible.

As of this morning, Viticci said that many of the MacStories shortcuts are once again functional, and we can confirm that most of the Shortcut links we tested from MacStories, RoutineHub, and Reddit are working.

 
Apple releases iOS 14.4.2 and iOS 12.5.2 to fix critical security vulnerability

Apple today released iOS 14.4.2 for iPhone and iPad, and watchOS 7.3.3 for Apple Watch. The updates include an important security fix for WebKit, which Apple says may have been actively exploited.

The company also released a patch update to iOS 12, version 12.5.2, so that iPhone 6, iPhone 5s, third-generation iPad mini, first-generation iPad Air and the sixth-generation iPod touch users can also benefit from the security fixes.

Apple said that a bug in WebKit could allow a malicious website to perform arbitrary cross-site scripting. The company said it is aware of a report that this bug was being exploited in the wild.

This bug-fix update comes amidst ongoing developer beta seeds of the next major release, iOS 14.5, which we expect to be released to the public in April.

iOS 14.5 includes a handful of feature enhancements, most notably the ability to unlock your iPhone using your Apple Watch while wearing a face mask, circumventing a common grievance with Face ID. It will also introduce App Tracking Transparency, a new permissions dialog that apps must show before they share user-identifying information with third parties.

You can update to the latest version of iOS 14 now by going to Settings -> General -> Software Update on your devices.
 
Feature Request: The 2021 iPad Pro will need iPadOS 15 to unleash its full potential

Apple has yet to announce the 2021 iPad Pro upgrade, but things are looking good for the company’s new tablet, which could be unveiled as early as April. With a processor that will likely be compared to the M1 Macs, the iPad Pro is a powerful tool for professionals, but it still needs more Mac apps and software upgrades.

As the rumors suggest, the 2021 iPad Pro will have some notable new features: the 12.9-inch model is set to use mini-LED display technology, and both models will switch the USB-C port to a Thunderbolt one and use the A14X processor. As 9to5Mac reported this week, the A14X is likely to be based on Apple’s M1 processor.

If you mix all of these features with the Apple Pencil and Magic Keyboard, Apple’s “What’s a computer?” ad makes much more sense.

But even if the fifth-generation iPad Pro introduces all of these new features, users have been complaining for a while that Apple doesn’t take advantage of the bigger screen and massively powerful processor.

At WWDC19, the company introduced iPadOS 13, breaking the iPad operating system out from iOS for the first time. This included multiple new features:

  • Multiple windows opened in split view
  • External disk drive support
  • A brand new Files app which included column view
  • “Desktop-class” browsing
  • New keyboard shortcuts
  • Mouse and trackpad support (added in iPadOS 13.5)


Last year, iPadOS 14 brought even more features, including a new three-column design for apps. But what users are really asking for, Apple didn’t add.


iPadOS 15: time to unleash iPad Pro’s true power

Let’s start with something basic like the App Library introduced on iOS 14. It would look great on the giant iPad Pro screen, but Apple didn’t include this feature in iPadOS 14. The same happened with customizable widgets on the Home screen. This feature is available on the iPhone, but not on the iPad.

Next: Adobe and Microsoft are helping Apple push the iPad Pro’s limits, but even with a full Photoshop app available for the iPad, many features are still missing. So if you’re a professional who relies on the Photoshop app on your Mac, you may not be able to use all the features you need, even if your iPad is more powerful than your Mac.

Then there’s Apple. None of Apple’s pro applications, such as Final Cut Pro or Logic Pro, are available on the iPad. Xcode is also missing from the tablet, which means developers can’t take advantage of the device’s size and power for coding work.

It’s time for Apple to push even further and give users more powerful apps. I’m all-in on trying to use iPad as my main computer, but I have to use so many tweaks that it’s easier to go with the Mac. The M1-powered MacBook Air is also the same price as the entry-level 12.9-inch iPad Pro nowadays.

Not to mention, you’ll also need the Magic Keyboard and Apple Pencil to get the “full” iPad Pro experience.

Apple could take an approach closer to what Samsung does: including more accessories with the tablet’s full price, or it could give users a discount when buying the Magic Keyboard and/or the Apple Pencil alongside a new iPad Pro.


Wrap up

As the iPad Pro approaches its fifth generation, there’s so much work left to be done by Apple. And as the rumors suggest, the next wave of MacBook and iMac updates with Apple Silicon is going to have a redesign with even more powerful processors.

The iPad Pro is in a tricky position right now. The Apple Silicon Macs are encroaching in areas like performance and battery life, and the iPad Air features a similar design but at a lower price. iPadOS 15 needs to bring new features and apps to truly take advantage of the upcoming A14X-powered iPad Pro’s potential.
 
Mac OS X: An act of desperation that formed the foundation for the modern Mac

Wanted to post this Wednesday, but there's a lot going on now, and I'm planning out until the beginning of August.



And it also brought back Steve Jobs.

To understand the desperation Apple felt in the mid-to-late 1990s, look no further than to one particular t-shirt. On the front was a 3-D rendered numeral eight. On the back, the words “Hands-On Experience” and Mac OS 8 logo.

At Apple’s Worldwide Developer Conference in June 1996, many of us got to experience the future of the Mac for the first time. We got the t-shirt for test driving Apple’s transformational new operating system, one that replaced the woefully out-of-date classic Mac OS with something that could compete with Microsoft. The operating system was nicknamed Copland, and it never shipped. The “Hands-On Experience” shirts and an accompanying book, “Mac OS 8 Revealed,” were as good as it was ever going to get.

With its back against the wall and its internal software development failing, Apple was left with only desperation moves. Fortunately, it made a good one, resulting in Mac OS X 10.0, which shipped 20 years ago this week.


Classic Mac OS had to die

Classic Mac OS—the Mac operating system before OS X—was built on a shaky foundation. As revolutionary as the original Mac was, it was also an early-1980s project that didn’t offer all sorts of features that would become commonplace by the late 1990s.

That operating system had been originally designed to fit in a small memory footprint and run one app at a time. Its multitasking system was problematic; clicking on an item in the menu bar and holding down the mouse button would effectively stop the entire computer from working. Its memory management system was primitive. Apple needed to make something new, a faster and more stable system that could keep up with Microsoft, which was coming at Apple with the user-interface improvements of Windows 95 and the modern-OS underpinnings of Windows NT.

That’s where the t-shirt came in. Copland was intended to be Mac OS 8, and it was supposed to ship in the middle of 1996. It was going to offer pre-emptive multitasking, protected memory, a redesigned user interface with multiple themes, intelligent search, broad support for OpenDoc (if you don’t know, don’t ask), and much more. The ship date slipped to the middle of 1997, and some of Copland’s more ambitious features were pushed off even further to a theoretical OS 9 code-named Gershwin. And then, a few months after Apple handed out those t-shirts, it killed the entire project.

What instead shipped as Mac OS 8 in the summer of 1997 was a version of the classic Mac OS, dressed up in the clothes of Copland. The advanced search technology, redesigned filesystem, revamped multitasking, and memory protection were nowhere to be found. While it offered some improvements over System 7, Mac OS 8 did nothing to solve Apple’s larger operating-system problem.


Shopping for a future

In a spectacularly humbling moment for Apple, the company began searching for a company from which it could buy or license an operating system or, at the least, use as the foundation of a new version of Mac OS. The company’s management, led by CEO Gil Amelio and CTO Ellen Hancock, clearly had come to the conclusion that Apple itself was incapable of building the next-generation Mac OS.

Though there were a lot of wild ideas thrown around (building Mac OS atop Microsoft’s Windows NT kernel and rebuilding the platform using Java were two of them), the two most obvious targets were small companies with operating systems that had the modern features Apple wanted most. Both were, perhaps unsurprisingly, being run by former Apple executives.

In one corner was Be, Inc., run by Jean-Louis Gassée. Be was developing a new, modern graphical interface from scratch, and it ran on the same PowerPC chips Apple used at the time. You could even reboot from Mac OS into BeOS on certain Power Mac models. BeOS was gorgeous, fast, and offered advanced search capabilities that were far ahead of their time. Its biggest liability was that it was unfinished, so if Apple were to buy it, there would be a huge amount of development ahead.

The NeXT deal not only gave Apple a modern Mac operating system, it brought Steve Jobs back to Apple.



In the other corner was NeXT, founded by Steve Jobs. Although perhaps a bit less cutting-edge than BeOS, NextStep was a more complete package, and it also had the Steve Jobs factor. Amelio and Hancock were apparently convinced, and brokered a $400 million deal to buy NeXT and bring Jobs back to Apple in an advisory role.

You know what eventually happened to Jobs. He was an “advisor” who became a board member who became the interim CEO who ultimately transformed Apple into one of the world’s biggest and most regarded companies by the time of his death in 2011.

What you might not know is that NextStep, that operating system that came over in the deal, was essentially the core of Mac OS X. The software decisions made at NeXT in the 1990s reverberate to this day, in code that runs not just on the Mac, but on all of Apple’s devices—iPhone, iPad, Apple Watch, and Apple TV.


The long road to OS X

Apple bought NeXT in December of 1996. Mac OS X 10.0 shipped in March of 2001. As powerful and sophisticated as NextStep was, it took the new Apple software organization—led by NeXT’s Avie Tevanian—more than four years from acquisition to a “completed” version of Mac OS X. (And stopping the clock 20 years ago this week is probably unfair. I’d mark the end of the Mac OS X transition as April 2002, when Steve Jobs held a funeral for Mac OS 9 because OS X was finally good enough.)

What took so long? The NeXT interface needed to be revamped to resemble Mac OS in order to get Mac users on board with the new operating system. This was an area where Mac OS really won the day. With each successive preview release, NeXT’s influence faded away. Perhaps its greatest interface legacy on macOS today is the Dock, which never existed before OS X.

NeXT’s greatest legacy is on every Mac today: the Dock.


There were also several false starts, including Rhapsody and Mac OS X Server, weird hybrids of NextStep and Mac OS that didn’t get it right. Apple realized that it couldn’t just ship NeXT’s app-development environment, the Yellow Box (the ancestor of present-day Apple’s Cocoa), and expect the developers of all Mac apps to completely rewrite their software for a new platform.

Instead, Apple had to create a layer cake of an operating system, with Yellow Box (which allowed NextStep developers such as The Omni Group to become fledgling Mac developers) living alongside Blue Box, a modernized version of the existing Mac OS application environment. By creating Carbon, a set of modernized Mac-style interfaces, Mac developers could modify their existing apps to run on Mac OS X, rather than needing to rewrite them.

And of course, there was Classic, a virtualized version of the original Mac OS that would be capable of running unmodified apps. Using Classic was a supremely weird experience, but it did provide a bridge for people who couldn’t give up their old software.

This is one big reason why Mac OS X took as long as it did to make it out into the world. It needed to update the NeXT app approach (which survives to this day across Apple’s platforms) while building multiple layers of compatibility to give Mac software a place to run. And until Microsoft and Adobe publicly committed to building OS X native versions of their apps, it was an open question if Apple could pull it off.


More than Steve Jobs

It’s often said that Steve Jobs was the most valuable asset in the Apple-NeXT deal. And it’s impossible to argue that, given what happened to Apple in the several years after the deal.

But it’s also an unfair point to make. Apple’s entire operating-system strategy for the last 20 years has used NextStep as a foundation. Every iPhone app developer who uses classes such as NSObject, NSString, and NSArray is staring it right in the face: the NS prefix comes from NextStep.

So when we celebrate the 20th anniversary of Mac OS X, it’s important to realize what we’re celebrating. We’re celebrating a software release that was the culmination of Steve Jobs’s return to Apple. We’re celebrating the operating system we still use, two decades later. But we’re also celebrating the foundation of iOS, iPadOS, tvOS, and watchOS.

In that way, this isn’t just the 20th anniversary of Mac OS X 10.0. It’s the 20th anniversary of modern Apple, and the end of the dark days when Apple couldn’t fix its own operating system. (Been there, saw that, got the t-shirt.)
 
If you can't convert a file into a PDF, maybe you shouldn't be writing tech laws

Editorial
If you can't convert a file into a PDF, maybe you shouldn't be writing laws about technology

Not everyone can be trusted with the almighty power of a sudo command in the Terminal. Yet, politicians who know nothing about the inner workings of computers, software, or the internet at large have declared themselves super users, proposing dangerously misinformed policies and laws that could have disastrous effects.

In Washington's latest extended facepalm session, lawmakers have taken issue with Section 230 of the Communications Decency Act of 1996, which shields tech companies from lawsuits over the content users post on their sites. In a congressional hearing held last week, politicians on both sides of the aisle made it abundantly clear they have no idea what they are talking about.

During questioning, Rep. Gus Bilirakis of Florida asked Facebook Chief Executive Mark Zuckerberg if he had concerns about content posted on YouTube. In case you've been living under a rock, you already know that YouTube is a video hosting platform owned by Google, not Facebook.

"Congressman, are you asking me about YouTube?" Zuckerberg asked, with Bilirakis responding yes, he wanted to talk about YouTube. Perhaps Congress should have Elon Musk, the CEO of electric carmaker Tesla, give his thoughts on the safety of Huffy electric bicycles. Close enough, right?

Make no mistake — this is not an endorsement of Facebook, YouTube or Twitter, all of which are cesspools of misinformation and hate speech that have served to further sow division in the U.S. and around the world. When asked whether they felt their platforms contributed to the attack on the U.S. Capitol on Jan. 6, only Twitter CEO Jack Dorsey admitted his platform played a part, while Zuckerberg and Google CEO Sundar Pichai deflected any blame or accountability.

However, unless politicians ask the right questions and hold these online platforms accountable in appropriate and effective ways, true and effective reform will never happen. And it's hard to ask the right questions when you don't even know what it means to click those like and subscribe buttons on YouTube, let alone who owns YouTube.

It wasn't always this way. From 1972 to 1995, the U.S. Office of Technology Assessment served the United States Congress with objective analysis of complex issues related to technology and science.

And that's the way it should be. Politicians are not expected to cut together their own TikTok dance videos, nor should they be elected because of no-filter Instagram pics of their plated lunch. They have interns to handle that for them.

The OTA was ultimately dismantled because of — you guessed it — politics. Republicans in Congress viewed the office as wasteful and counter to their own interests.

Now, nearly three decades later, being baffled by technology is a bipartisan issue. Neither party has shown that it understands complex technology issues well enough to legislate on their own, without some sort of guidance from experts.

The irony of it all is that Congress is indeed on the correct path here — online platforms should be held accountable for misinformation and dangerous speech from users, particularly when their technology disseminates, promotes, and amplifies such content.





The algorithms of Facebook, YouTube and Twitter are designed to increase engagement, encouraging users to spend more time on their pages, thus earning the companies more money. But studies have repeatedly shown that misinformation is among the most engaging content shared on social media. The platforms serve up extremism because visitors consume it, fueling a dangerous cycle that spreads dangerous and outright false claims from groups like QAnon, anti-vaxxers, and white supremacists.

Asking Facebook, Google and Twitter to self-regulate on these issues would be like trusting an alcoholic to captain a booze cruise. And Section 230 is a 26-word law that is older than all three of the companies who have been called to testify before Congress.

Our politicians should absolutely be examining the full complexity of these issues — but they should also be doing their homework first instead of aimlessly flailing away and posturing for the camera. Instead, the CEOs of Facebook, Google and Twitter were asked last week whether they had seen "The Social Dilemma" documentary on Netflix, and whether they have been vaccinated against Covid-19. Real pressing questions.

At one point, Arizona Representative Tom O'Halleran lobbed out a question for a "Mr. Zuckerman." If they ever find Mr. Zuckerman, perhaps they'll ask him if he's seen the 1998 film "You've Got Mail." Seems relevant enough to a law written in 1996, being critiqued by people who probably only have the ability to read their AOL email addresses.
 
Research shows Google collects 20x more data from Android than Apple collects from iOS

BIG DATA COLLECTORS —

Android sends 20x more data to Google than iOS sends to Apple, study says

Google contests the estimate, saying it's based on flawed methodology.






Whether you have an iPhone or an Android device, it’s continuously sending data including your location, phone number, and local network details to Apple or Google. Now, a researcher has provided a side-by-side comparison that suggests that, while both iOS and Android collect handset data around the clock—even when devices are idle, just out of the box, or after users have opted out—the Google mobile OS collects about 20 times as much data as its Apple competitor.

Both iOS and Android, researcher Douglas Leith from Trinity College in Ireland said, transmit telemetry data to their motherships even when a user hasn’t logged in or has explicitly configured privacy settings to opt out of such collection. Both OSes also send data to Apple and Google when a user does simple things such as inserting a SIM card or browsing the handset settings screen. Even when idle, each device connects to its back-end server on average every 4.5 minutes.


Apps and more

It wasn’t just the OSes that sent data to Apple or Google. Preinstalled apps or services also made network connections, even when they hadn’t been opened or used. Whereas iOS automatically sent Apple data from Siri, Safari, and iCloud, Android collected data from Chrome, YouTube, Google Docs, Safetyhub, Google Messenger, the device clock, and the Google search bar.

The table below shows a summary of handset data sent to Apple or Google when the user isn’t logged in:


[Table image: summary of handset data sent to Apple or Google when the user is not logged in]



Where Android stands out, Leith said, is in the amount of data it collects. At startup, an Android device sends Google about 1MB of data, compared with iOS sending Apple around 42KB. When idle, Android sends roughly 1MB of data to Google every 12 hours, compared with iOS sending Apple about 52KB over the same period. In the US alone, Android collectively gathers about 1.3TB of data every 12 hours. During the same period, iOS collects about 5.8GB.


Google disagrees

Google has contested the findings, saying that they’re based on faulty methods for measuring the data that’s collected by each OS. The company also contended that data collection is a core function of any Internet-connected device.

In a statement, a spokesperson wrote:

We identified flaws in the researcher's methodology for measuring data volume and disagree with the paper’s claims that an Android device shares 20 times more data than an iPhone. According to our research, these findings are off by an order of magnitude, and we shared our methodology concerns with the researcher before publication.

This research largely outlines how smartphones work. Modern cars regularly send basic data about vehicle components, their safety status and service schedules to car manufacturers, and mobile phones work in very similar ways. This report details those communications, which help ensure that iOS or Android software is up to date, services are working as intended, and that the phone is secure and running efficiently.

On background (meaning Ars isn’t permitted to name or quote the spokesperson), the representative said that it’s inaccurate to say that a user can opt out of all telemetry data collection by the Google OS. The Android Usage and Diagnostics checkbox doesn’t cover telemetry data that Google considers essential for the device to operate normally. Telemetry information collected by the Device Configuration service, for instance, is required for updating and patching the OS.

The spokesperson also challenged the methods the researcher used to measure the amount of data collected by iOS. The experimental setup they used didn’t capture certain types of data, such as UDP/QUIC traffic, which is commonly transmitted by smartphones.

An Apple spokesperson also spoke on condition of background. The spokesperson said that Apple provides transparency and control for personal information it collects, that the report gets things wrong, that Apple offers privacy protections that prevent Apple from tracking user locations, and that Apple informs users about the collection of location-related data.

Round-the-clock collection

Leith performed his measurements using a Google Pixel 2 running Android 10 and an iPhone 8 running iOS 13.6.1. The iPhone was jailbroken using the checkm8 exploit. The Pixel had Google Play services enabled.

In all, the study, available here, measured the amount of data the devices collected:


  • on first startup following a factory reset

  • when a SIM was inserted or removed

  • when a handset was idle

  • when the settings screen was viewed

  • when location was enabled or disabled

  • when the user logged in to the preinstalled app store


Leith said the data collection by both OSes is concerning because it’s readily linked to a user’s name, email address, payment card data, and possibly to other devices the user has. What’s more, the constant connections to back-end servers necessarily reveal the IP address of the device and, by extension, the general geographic location of the user.

“Currently there are few, if any, realistic options for preventing this data sharing,” Leith wrote.
 
Editorial - Return of the Mac: How Apple Silicon will herald a new era at WWDC 2021




The stage is set for the next year to be the most impressive in the history of Apple's storied line of Macintosh computers, all starting with a grand virtual celebration of the future of the Mac at the company's annual Worldwide Developers Conference.

In hindsight, WWDC 2020's bombshell announcement that Apple is migrating the Mac away from Intel processors to its own custom silicon was really just a teaser to whet the appetite of developers and consumers alike. In the fall, Apple launched a trio of M1-based Macs, all sporting legacy designs in what was a clear effort to communicate: "Just you wait."

We've waited, and now WWDC 2021 is official, to be held June 7 through June 11. While there are rumors of an Apple special event before then, in April, it's likely that the company will showcase new iPads, AirPods, and perhaps its rumored "AirTags." There's even an outside chance of a new Apple TV, but new Mac hardware — and accompanying software enhancements — are a more logical fit for WWDC.

Not only will we likely get new Macs at WWDC, but there's also a good chance that Apple will begin to flex its chipmaking muscles with higher-end models intended for true "pro" users — particularly developers, who are keen to get their coding fingers on the next generations of macOS, iOS and iPadOS.

If the power-sipping, benchmark-setting M1 was a shot across the bow of Intel, AMD and the legacy PC industry, what comes next could be a full frontal assault: a lineup of products ranging from your desktop to your wrist, all on a shared architecture that will make it easier than ever for developers to create applications, and harder than ever for consumers to ignore the Mac as a viable alternative to the vast but creaky PC landscape.

It's a platform play. Just as the iPod was a Trojan horse to get customers interested in the Mac ecosystem, the iPhone has taken it to the next level. Now, with all of your apps and data synced across devices large and small, thanks to the same beating heart at the center of all of its devices, Apple will be in a position to truly own the user experience to a degree that no technology company has ever been able to achieve.


Hardware? Software? Both





Apple has always been known for world-class design married with world-class hardware. But there was a catch: Apple's design prowess was limited by its hardware partners.

There are some suppliers that Apple will continue to rely on for various parts, like memory and wireless connectivity, but over the years the company has taken more control over the components in its devices, in places where CEO Tim Cook and his team feel like Apple can do it better in-house.

The switch to Apple Silicon is the biggest game-changer yet for the Mac. By swapping out the brains of its computers, Apple no longer has to design around the limitations of Intel's legacy x86 architecture.

The problems with Intel's chips were numerous, including heat dissipation and power consumption. Those considerations all affect design, leading to bigger and bulkier machines that require larger batteries and the ability to run at safe operating temperatures.


Of course, by designing its own chips, Apple has not magically defied the laws of physics. But by producing its own low-power, high-performance processors, the company now has greater flexibility to push the design of the Mac in new ways, in new form factors, with all-new looks, without sacrificing any of the horsepower.

WWDC has historically been a software-focused show, and that will likely be no different this year, with the next generation of macOS — expected to be known as macOS 12 — officially unveiled.

But Apple Silicon and the new design possibilities it presents for the Mac mean that Apple will be able to push both its hardware and software in new directions, in tandem, in ways that were not previously possible. More than ever before, WWDC 2021 will reveal the Mac and the Apple ecosystem as a true union of both hardware and software.


The GPU X-factor





It's expected that Apple's high-end machines will sport new Apple Silicon models beefier than the M1 chip that debuted last year in the MacBook Air, Mac mini and MacBook Pro. Whether called an "M1X," "M2" or something else, these processors will need to enable greater capabilities for developers and other professional-grade users, including expanded external monitor support, more port connectivity, and faster processing capabilities.

While faster chips are an inevitability, and we already have a hint of what Apple is truly capable of with the M1, there is still a glaring hole in the Apple Silicon strategy: graphics.

Currently, Apple relies on AMD for discrete graphics processing on its most powerful machines, including the iMac, Mac Pro, and 15-inch MacBook Pro. There is nothing preventing Apple from continuing to use AMD graphics technology for these machines in tandem with Apple Silicon. But will Apple want to continue to rely on an external partner for its GPUs?

With the M1 chip, we have seen a glimpse of Apple's System-on-a-Chip capabilities with onboard graphics. We still don't know how (or if) the company plans to deal with discrete graphics, however.

We may not get an answer on discrete graphics at WWDC 2021, or even in 2021 at all. But at the very least we will likely get a look at what is capable on a more powerful SoC GPU, whether it's the "M1X" or "M2."


Don't forget about iPhone and iPad, too





Apple's products complement each other not only from a user experience perspective, but also from a research and development perspective. Time and time again, we've seen advancements in some platforms and devices come to other products in the Apple lineup.

Touch ID was pioneered on the iPhone before expanding to the iPad and Mac. Apple Watch Force Touch (RIP) paved the way for 3D Touch on the iPhone (RIP) and Apple's Mac trackpad (still alive!). And Apple's custom silicon, dating back to the A4 processor on the first-generation iPad, was part of a long-term strategy to migrate the Mac to its ARM CPUs.

While we almost certainly won't get new iPhone hardware at WWDC 2021, we will get our first glimpse at iOS 15, as well as iPadOS 15. And with the iPhone, iPad, and Mac all running the same chip architecture, the lines between their respective software platforms will be further blurred.

Apple has said repeatedly it has no intention of converging these platforms, so don't expect one OS to rule them all. But it's likely that there will be increased feature parity across the Mac, iPhone and iPad with this year's software updates.


Just the beginning





New designs. New form factors. New capabilities. New colors. It's all on the table for the Mac, which is why this year's WWDC is already full of so much excitement and potential.

Last year's M1 Macs were something of a stopgap, buying Apple more time before it could really showcase the next generation of Mac hardware. And that hardware will be much, much more than just the Apple Silicon powering it.

Apple won't reveal all of its cards at WWDC 2021. The Mac transition to Apple Silicon is a two-year process, and we're only one year into it.

But it's fair to say that WWDC 2021 should give us a clearer view of how Apple envisions the future of the Mac platform. Our first glimpse at the next generation of personal computing kicks off on June 7.
 
Apple was founded 45 years ago, on April 1, 1976




The Apple of 1976 would be unrecognizable compared to today's gigantic corporation, and yet key early decisions by Steve Jobs, Steve Wozniak, and more, are still having their effect today.

Tim Cook marked the 45th anniversary of Apple with a tweet looking back to his friend and colleague, co-founder Steve Jobs.

As Apple celebrates 45 years today, I'm reminded of Steve's words from many years ago: "It's been an amazing journey so far, yet we have barely begun." Thanks to every member of our Apple family for all you've done to enrich lives. Here's to the next 45 years & beyond!
— Tim Cook (@tim_cook) April 1, 2021

Now in his tenth year as CEO, Tim Cook first joined Apple in 1998. The company was 22 years old then, and heading into a resurgence with the return of Jobs. It had already had most of its growing pains, but was yet to be the powerhouse company it would become.


Apple's three-act story

Today Apple is in the third act of its story. Back in the 1970s, it had its exciting first act, then it went through turmoil in the 1990s for its second, before ultimately becoming the textbook American success story. You can start a multinational, multi-billion dollar company in a garage.

It's not as if starting a company was the obvious move, however. In the mid 1970s, Steve Wozniak had designs for what became known as the Apple I computer, and his friend Steve Jobs had designs on selling them. Woz would've given them away to anyone interested; Jobs would not. Even so, Jobs did not set out to make a company.

Instead, both of the Steves first tried very hard to sell their ideas to the existing firms they either worked for then or had worked for. Woz was an engineer at Hewlett-Packard at the time, and he managed to get senior engineers to examine his design with a view to HP buying them.

Not only did they agree that it was workable, they also recognized that it could be made cheaply — yet still they passed on it. Woz's ideas didn't fit with what they thought a Hewlett-Packard computer should be.

Atari felt the same. Jobs attempted to get his old employer Atari interested in what would become the Apple II, but he too was rejected. Except that Atari's Al Alcorn put Jobs in touch with venture capitalists, and the road to forming a company was begun.

When they did formally found Apple, it was with another Atari engineer, Ron Wayne. He would famously design the original, immensely ornate Apple logo, and then he would even more famously leave the company before it took off. It's just that he left even faster than you might imagine.

The three men officially formed Apple on April 1, 1976, and Ron Wayne resigned 12 days later. He'd been offered ten percent of Apple, but chose instead to be bought out by Steve Jobs for $800.

That would later be increased when the far more experienced businessman Mike Markkula came on board in 1977 as an investor. Under Markkula, the Apple corporation officially bought out all three of the original partners, for a total of $5,308.96. For legal reasons, Wayne got a third of that despite having already left.




It was eight years before Apple brought out the Mac.


It's impossible not to now see his leaving as a mistake, given Apple's overwhelming success. But at the time, he was paid reasonably and he was leaving a firm that had far from a certain future. Amongst the countless times he's been asked about his departure, Ron Wayne said in 2013 that he had no regrets at all.

"I count myself extremely fortunate to have been at a turning point in history," he said, "and the establishment of Apple was indeed a turning point in history, although at the time of course, nobody ever knows this."


Apple's first success

After he left but before Markkula turned it into a grownup company, Apple did have its first success — and it was one that will seem familiar if you follow how the company works today. Apple made 50 Apple II computers without having any money whatsoever, and it sold them all one day before having to pay its suppliers.

Today Apple has a supremely well-managed approach to its supply chain, but even in 1976 it was literally learning the benefits of finance. It was the first time Steve Jobs had ever heard of what was called 30 days net, meaning you had that long to pay your suppliers. He learned it then because he had to.

Jobs had pitched the Apple II to Paul Terrell, who was running the then successful Byte Shop. While Jobs wanted to sell the motherboards and kits to have hobbyists make up their own computers, Terrell wanted completed devices and he got them.

If Apple learned then about finance and supply chains, it learned about business in 1977 when ex-Intel Markkula came on board. As well as reorganizing the business, though, he did something else that is still part of Apple more than four decades later. He set down the company's philosophy.

It's probably part of Business 101 at Harvard that corporations need philosophies, and mission statements, and if you've ever worked for a corporation, you're likely to have a healthily skeptical attitude to them. Yet in Apple's case, the philosophy Markkula wrote was remarkably clear, and the company has stuck to it remarkably consistently.




This was Apple in 1977 - and it's still Apple today.


Steve Jobs would later explain to his biographer Walter Isaacson, that Markkula's point was that making money shouldn't be the goal. You obviously need to, and you even more obviously want to, but if money is the first thought, the company will struggle. Whereas if you make "something you believe in" and you also concentrate on "making a company that will last," the money will follow.

Markkula's "The Apple Marketing Philosophy" is so clearly an Apple idea because it is extremely and consciously simple. The one-page document, written on January 3, 1977, has only two short directives, about understanding customer needs and about focusing on a few specific products instead of spreading itself too thinly.

Then it concludes with a paragraph about conveying Apple to its customers.

People DO judge a book by its cover. We may have the best product, the highest quality, the most useful software, etc.; if we present them in a slipshod manner, they will be perceived as slipshod; if we present them in a creative, professional manner, we will impute the desired qualities.

To this day, Apple is known for how well it presents its products, how carefully designed the packaging is. Today, that is still part of what makes Apple, Apple.

And it was there, written into the company, right from its very beginnings.
 
App Store rejecting apps using third-party SDKs that collect user data without consent

Apple Rejecting Apps With Fingerprinting Enabled As iOS 14 Privacy Enforcement Starts





Apple is rejecting updates to apps that conflict with its new privacy policies in iOS 14, signaling that it is now getting serious about privacy enforcement. And, likely, that iOS 14.5 is close to being released, since that’s the version of iOS 14 in which Apple will require apps that want to track users to display the App Tracking Transparency prompt and get user permission.

“Our app just got rejected by Apple’s app reviewer, blaming the MMP SDK for building a fingerprint ID,” says Aude Boscher, a growth marketing product manager at Heetch, a French transportation startup, in an industry Slack channel. “I saw other people complaining ... so it might soon come up for you as well!”

Apps that have been rejected so far include:


  • Radish Fiction

  • Heetch

  • At least one app from InnoGames

  • And potentially up to 50,000 additional apps (see below for details)


“Your app uses algorithmically converted device and usage data to create a unique identifier in order to track the user,” says the message that Apple is using to inform app developers that their update has been rejected. “The device information collected by your app may include some of the following: NSLocaleAlternateQuotationBeginDelimiterKey, NSTimeZone, NSLocaleGroupingSeparator, NSLocaleDecimalSeparator ...”




Screenshot of the rejection message Apple is sending to some app developers.


According to mobile marketing analyst Eric Seufert, a software development kit from Adjust, a mobile measurement company, is causing the problem. If so, it could impact thousands of apps.


Eric Seufert (@eric_seufert), 12:17 PM · Apr 1, 2021:

Per a number of developers, Apple has begun rejecting app updates that include the Adjust SDK related to its collection of data used for device fingerprinting.


Adjust says that it is trusted by “over 50,000 apps” on its website, and according to AppFigures, 18% of the apps on the App Store and 11% of the apps on Google Play that use attribution providers use Adjust. (Full disclosure, I do some consulting for Singular, another mobile measurement partner.)

Device fingerprinting, sometimes called probabilistic attribution, uses a large amount of data about a device to identify it. A measurement company might, for instance, collect data on software version, time since last system update, time since last restart, location, time zone, and more: even things like battery status, charging level, and amount of disk space.

Put it all together and you have something fairly unique — estimates on degree of uniqueness vary — that you can use to track who clicked an ad, who installed an app, and potentially more. You could also use this data to potentially build a device graph which includes insights and history on every device your software interacts with.
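The identifier in Apple's rejection notice is nothing more than a hash over a bundle of device attributes. The Python below is an added example, not code from the article, from Apple or from Adjust: it builds such a fingerprint over a constructed population of 64 devices (every attribute name, value and count here is an assumption) and measures how close to unique the identifier is, first with the volatile hardware fields the article says Adjust removed (CPU type, memory, battery, charging state, disk space) and then with only the locale and time-zone values Apple's notice names.

```python
"""Device-fingerprint construction and a uniqueness check (added example)."""
import hashlib
import math
from collections import Counter

# Attribute sets are assumptions. FULL_KEYS mirrors the kinds of fields the
# article lists; REDUCED_KEYS keeps only the locale/time-zone values named
# in Apple's rejection notice.
FULL_KEYS = ("os_version", "cpu_type", "memory_mb", "battery_pct", "charging",
             "free_disk_mb", "time_zone", "locale_decimal_sep",
             "locale_grouping_sep", "locale_quote_begin")
REDUCED_KEYS = ("time_zone", "locale_decimal_sep", "locale_grouping_sep",
                "locale_quote_begin")


def fingerprint(attrs, keys):
    """Hex identifier derived from the selected attributes.

    Attributes are serialised in a fixed key order so the same device always
    yields the same identifier; SHA-256 only compacts the bundle. A missing
    key is encoded explicitly, because absence is itself a distinguishing
    signal.
    """
    parts = [f"{key}={attrs.get(key, '<absent>')}" for key in keys]
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()


def uniqueness(population, keys):
    """Return (fraction of devices whose fingerprint nobody else shares,
    Shannon entropy in bits of the fingerprint distribution)."""
    counts = Counter(fingerprint(dev, keys) for dev in population)
    n = len(population)
    unique = sum(1 for c in counts.values() if c == 1) / n
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return unique, entropy


def sample_population(n=64):
    """Constructed population of n devices; no real device data."""
    zones = ("Europe/Paris", "America/New_York", "Asia/Tokyo", "Europe/Berlin")
    locales = ((".", ",", "\u201c"), (",", ".", "\u201e"), (".", ",", "\u300c"))
    devices = []
    for i in range(n):
        dec, grp, quote = locales[i % 3]
        devices.append({
            "os_version": f"14.{i % 5}",
            "cpu_type": "arm64e" if i % 2 else "arm64",
            "memory_mb": 2048 * (1 + i % 3),
            "battery_pct": (i * 7) % 101,      # volatile: changes within the hour
            "charging": i % 4 == 0,             # volatile
            "free_disk_mb": 1000 + 37 * i,      # volatile, and nearly unique
            "time_zone": zones[i % 4],
            "locale_decimal_sep": dec,
            "locale_grouping_sep": grp,
            "locale_quote_begin": quote,
        })
    return devices


def compare(population=None):
    """Uniqueness and entropy for both attribute sets, as a dict."""
    population = population or sample_population()
    return {name: uniqueness(population, keys)
            for name, keys in (("full", FULL_KEYS), ("reduced", REDUCED_KEYS))}


if __name__ == "__main__":
    for name, (unique, bits) in compare().items():
        print(f"{name:8s} unique={unique:.2f} entropy={bits:.2f} bits")
```

Over this constructed population the full attribute set singles out every device (6 bits of entropy for 64 devices), while the reduced set collapses them into 12 buckets and no device is unique. The caveat a practitioner should keep in mind is that uniqueness is not stability: battery level and free disk space change within the hour, so a fingerprint built on them only matches the same device for a short window, which is exactly why probabilistic attribution compares the click-time and install-time fingerprints within minutes rather than days.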

All of that is explicitly forbidden by Apple in iOS 14, where if you want to track people and devices you need to explicitly ask for and get permission — not unlike GDPR in some ways. Before iOS 14, Apple’s IDFA (Identifier for Advertisers) was freely available without consent, and became the basis for measuring marketing and — frankly — tracking both devices and people.

The change could reduce ad networks’ revenue by billions.

Adjust has updated its SDK, which is open source and publicly available on GitHub, in the last 14 hours. The update takes out code which accesses data like CPU type, how much memory a phone has, its charging status and battery level, and more. In all, the recent update involves 36 changed files with 44 additions and 622 deletions, according to GitHub.

Theoretically, therefore, updating to the new Adjust SDK will render app updates possible for all Adjust customers.

I have reached out to both Apple and Adjust for comment.

It’s important to note that while currently customers of one mobile measurement platform are at risk of having their app updates rejected, that doesn’t mean all the others are safe. Apple is clearly taking its policies seriously and will likely have checked or be checking all measurement and analytics providers’ SDKs to ensure they are complying with Apple’s policies.

While all the change associated with iOS 14 is disruptive to the industry, there is a big upside, says Rozain: a party that this benefits.

“Good for the user!”
 
533 million Facebook users' phone numbers and personal data have been leaked online




A user in a low-level hacking forum has published the phone numbers and personal data of hundreds of millions of Facebook users for free online.

The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.

Insider reviewed a sample of the leaked data and verified several records by matching known Facebook users' phone numbers with the IDs listed in the data set. We also verified records by testing email addresses from the data set in Facebook's password reset feature, which can be used to partially reveal a user's phone number.

The leaked data could provide valuable information to cybercriminals who use people's personal information to impersonate them or scam them into handing over login credentials, according to Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, who first discovered the leaked data on Saturday.

"A database of that size containing the private information such as phone numbers of a lot of Facebook's users would certainly lead to bad actors taking advantage of the data to perform social engineering attacks [or] hacking attempts," Gal told Insider.

Facebook did not immediately respond to multiple requests for comment.

Gal first discovered the leaked data in January when a user in the same hacking forum advertised an automated bot that could provide phone numbers for hundreds of millions of Facebook users in exchange for a price. Motherboard reported on that bot's existence at the time and verified that the data was legitimate.

Now, the entire dataset has been posted on the hacking forum for free, making it widely available to anyone with rudimentary data skills.





It's not the first time that a huge number of Facebook users' phone numbers have been found exposed online. A vulnerability that was uncovered in 2019 allowed millions of people's phone numbers to be scraped from Facebook's servers in violation of its terms of service. Facebook said that vulnerability was patched in August 2019.

Facebook previously vowed to crack down on mass data-scraping after Cambridge Analytica scraped the data of 80 million users in violation of Facebook's terms of service to target voters with political ads in the 2016 election.

Gal said that, from a security standpoint, there's not much Facebook can do to help users affected by the breach since their data is already out in the open — but he added that Facebook could notify users so they could remain vigilant for possible phishing schemes or fraud using their personal data.

"Individuals signing up to a reputable company like Facebook are trusting them with their data and Facebook [is] supposed to treat the data with utmost respect," Gal said. "Users having their personal information leaked is a huge breach of trust and should be handled accordingly."
 
Following up on the previous post


It’s not the first time Facebook has had its users’ data leaked online. In 2020, Mark Zuckerberg’s company was involved in a controversial situation regarding privacy issues and confirmed that thousands of developers had been able to access data from inactive users, which is unexpected behavior.

Jul. 1st 2020 - Facebook is once again involved in a controversial situation regarding privacy issues. The company has confirmed that thousands of developers have been able to access data from inactive users, which is an unexpected behavior.

Before that, there was the Cambridge Analytica controversy, in which the company not only got access to the data of anyone who gave permission to a third-party ‘personality quiz,’ but Facebook allowed the app some access to the data of their friends also.

The company has not addressed this new data leak yet, but it could be the worst leak Facebook’s ever been involved in.



If you don't know:
What is phishing? Here's what you should know about the virtual scamming technique and how to protect yourself from data theft
  • Phishing is a form of cybercrime wherein you receive an email from a fake sender pretending to be someone else.

  • The goal of phishing emails is usually to get you to give up personal or sensitive information.

  • Phishing is easy to detect if you keep an eye out for bad spelling and grammar, email addresses that don't match the alleged sender, and requests for information you shouldn't provide over email.

  • You should never respond to a phishing email and, instead, delete the message or follow your company's policy for reporting it.
 
How to Find Out If Your Data Was Exposed in a Breach

How to find out if your data was exposed in an online breach — and how to protect yourself





More records are stored online than ever — and it's becoming increasingly common for large swaths of personal data to fall into the hands of cybercriminals.

Over 4 billion records have been stolen or accidentally leaked in the past decade, according to data collected by Privacy Rights Clearinghouse, with more than 7,000 separate breaches in that time, and the frequency of mega-breaches that compromise tens or hundreds of millions of people's data is on the rise.

Most recently, a hacker published the personal data of 533 million Facebook users online for free, it was reported Saturday, including names, phone numbers, email addresses, account IDs, and bios.

Cybercriminals use leaked personal data as a starting point for countless other scams. Stolen records are regularly circulated online by cybercriminals and used for fraud, while hackers can try to break into companies' systems to deploy ransomware or extort them.

Here's how to determine whether your data has been exposed in a breach and how to protect yourself.


Check whether your information was exposed using free online tools

Companies are legally required to notify users when their data is breached, but those disclosures are often made through vague public statements, and individual consumers can be left in the dark. Thankfully, security researchers keep exhaustive records of past data points that you can use to check whether you were affected by a breach.

One such resource is HaveIBeenPwned.com, a database maintained by security analyst Troy Hunt. The site lets anyone enter their email address and cross-references it with more than 10 billion accounts compromised in past breaches to determine whether they've been "pwned," or compromised.

In some cases, passwords are also exposed in data breaches. Hunt's site also provides a password search that lets people know if their password has ever fallen into the hands of hackers.


If you were affected by a breach, take steps to secure your accounts

If you find out your personal information was stolen in a breach, it's time to protect your identity. Doing so depends on the severity of the data stolen — if your social security number or driver's license number were stolen, you'll need to file a report with the appropriate government agency.

But in most cases, data breaches include less sensitive information like emails and usernames. If your email address was exposed, you should change your password to that email account and set up multifactor authentication to secure your email.

If you find out your password itself was exposed, you can no longer count on that password to keep your accounts safe, and should immediately change your passwords on all affected accounts. Setting up multifactor authentication is also a best practice.

Finally, stay alert for any suspicious activity on any of your accounts. If you do detect suspicious activity, change your password and contact that account's administrator.






note -
post if you have questions, want information, have a problem, or need help. Then hopefully someone will step up to do what they can for you.
 
Tim Cook to talk Facebook, 'Tim Apple,' more in interview airing Monday




Apple CEO Tim Cook took part in a remote interview with journalist Kara Swisher this week, with the pair discussing topics ranging from App Store policy to the now infamous "Tim Apple" incident.

Cook's virtual sit-down will air on The New York Times podcast "Sway" next Monday. The show is hosted by Swisher and regularly features high profile players in tech, politics, entertainment and beyond.

According to a tweet from Swisher, the interview covers a number of topics including Apple's decision to yank right wing social app Parler from the App Store in January. The app was pulled on concerns that it was used to help "plan, coordinate, and facilitate" the storming of the U.S. Capitol and remains off Apple's marketplace, as well as Google's Play Store and Amazon's servers. Republican lawmakers are currently scrutinizing the removal.

Cook will also speak about user privacy safeguards coming to iOS, namely a new feature called App Tracking Transparency that requires developers to gain permission before tracking a user's device advertising identifier, or Identifier for Advertiser (IDFA) tag. Many users are expected to opt for more privacy, potentially leaving companies that rely heavily on ad targeting in the lurch.

Facebook is perhaps the most outspoken critic of ATT and has persistently derided the move as an attack on its business. Cook addressed the issue with Swisher:

Swisher asked: "What is your response to Facebook's response — which is quite vehement — calling you essentially an existential crisis to their business?" Cook answered: "All we're doing, Kara, is giving the user the choice whether to be tracked or not. And I think it's hard to argue against that. I've been — I've been shocked that there's been pushback on this to this degree."

When asked what impact ATT might have on Facebook, Cook said, "Yeah, Kara, I'm not focused on Facebook. So I don't know."

Cook was also asked about an American Workforce Policy Advisory Board meeting in 2019, at which then-President Donald Trump called him "Tim Apple" in an apparent gaffe. He had a "good answer," Swisher says.



The full episode of Kara Swisher’s interview will be published on her podcast Sway at 5am ET Monday.
 
How to check if your account was part of Facebook’s 533M record leak




Multiple reports over the weekend confirmed that an attacker published details — including names, user IDs, phone numbers, and emails — of more than 533 million Facebook users on a forum.

Alon Gal, CEO of security firm Hudson Rock, tweeted about the incident back in January, saying that the database came to the fore when a Telegram user made a bot that let users query the database for a fee.




https://twitter.com/UnderTheBreach/status/1349671417625931778


Catalin Cimpanu of The Record also independently reported that the database was available in 106 different country-wise packages. While these files are publicly available, you’ll need to buy forum credits to download them.

While most records had phone numbers attached to them, multiple email IDs were also exposed. You can use haveibeenpwned, a website that loads email IDs that were exposed in various breaches, to check if your ID was affected.

Here’s how you can do it:

  • Head to haveibeenpwned.com on your phone or desktop.

  • Enter your email ID.

  • If your email was compromised, you’ll get a warning to change the password and enable two-factor authentication. You can also scroll down on the page to see all the breaches that may have included your credentials tied to the email address you entered.



Warning message on haveibeenpwned indicating that your email ID has been compromised


The founder of the website is also considering loading the leaked phone numbers in the database. We’ll update the story if that happens.

It’s better to change your password as the first step. You can check here if any of your old passwords have been compromised — so you could avoid reusing them. Plus, you should start using a password manager if you’re not doing it already.






note -
While the information appears to be old, the details in the shared database include phone numbers, Facebook IDs, names, locations, birthdates and email addresses, all of which could be used in social engineering attacks or hacking attempts.


This isn't the first time that hackers have targeted Facebook for its vast trove of user data. In 2018, a security breach allowed hackers to steal data on 29 million users, including details on everything from username and relationship status, to religion, birthdate, and home town.


Facebook told The Record that this data dump originated from its 2019 breach, and the issue was fixed in August that year. Now that data is public, anyone could obtain it for a few bucks and target millions of individuals for spamming or doxxing.
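One way to do the password check the posts above mention without ever sending the password itself, as an added example that is not from the article or from haveibeenpwned's own code: the Pwned Passwords range API receives only the first five hex characters of the password's SHA-1 (k-anonymity) and the client looks for the matching suffix locally. The leaked-password list and counts below are constructed for the example, and the live lookup function assumes the public range endpoint at api.pwnedpasswords.com.

```python
import hashlib
import urllib.request
from typing import Callable, List

# Constructed stand-in for the Pwned Passwords corpus: these strings and
# counts are made up for this example, not real breach data.
SAMPLE_LEAKED_PASSWORDS = {
    "password123": 123456,
    "letmein": 98765,
    "qwerty2021": 4321,
}

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_upper_hex(password: str) -> str:
    """Pwned Passwords is keyed on the uppercase hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def offline_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real service answers with one 'SUFFIX:COUNT' line per leaked hash that
    shares the 5-character prefix. This version builds the same shape from
    SAMPLE_LEAKED_PASSWORDS so the example runs without network access.
    """
    if len(prefix) != 5 or any(c not in HEX_DIGITS for c in prefix):
        raise ValueError("range lookups take exactly 5 uppercase hex characters")
    lines = []
    for pw, count in SAMPLE_LEAKED_PASSWORDS.items():
        digest = sha1_upper_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def live_range_lookup(prefix: str) -> str:
    """Real lookup (assumed public endpoint); not called by the example itself."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true"},  # pads the bucket so response size leaks less
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Return how often `password` appears in the corpus (0 = not found).

    Only the 5-character hash prefix is handed to `range_lookup`; the full
    hash and the password stay on the client, which scans the bucket itself.
    """
    digest = sha1_upper_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        cand_suffix, _, count = line.strip().partition(":")
        if cand_suffix == suffix:
            return int(count or 0)  # padded entries carry a count of 0
    return 0


def reused_passwords(candidates: List[str]) -> List[str]:
    """Which of a user's old passwords should never be reused (found in corpus)."""
    return [pw for pw in candidates if pwned_count(pw) > 0]


if __name__ == "__main__":
    for pw in ["password123", "a-long-unique-passphrase-nobody-leaked"]:
        print(pw, "->", pwned_count(pw))
```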
 
Google finally updated its popular iOS apps’ App Store pages with Privacy Nutrition

Google has finally updated all its popular iOS apps’ App Store pages with Privacy Nutrition Labels





After an almost four-month-long wait, Google has updated the App Store pages of all of its popular apps with Apple’s Privacy Nutrition labels. This news comes as reports suggest Google might be preparing its own privacy nutrition labels for individual app pages on the Play Store.

Today, Google updated the App Store page of its last popular app—Google Photos—to reflect the app’s tracking practices to users who are about to download the app.





Last week, Google updated Google Maps’ App Store page with Privacy Nutrition labels. It’s worth noting that some Google apps including Google Chrome, Google Maps, and Google Photos still haven’t received updates to the apps themselves for about four months.

Popular Google apps on the App Store in the U.S. according to data from SensorTower’s top 100 iOS apps include (in no particular order):


  1. YouTube

  2. Gmail

  3. Google Maps

  4. Google

  5. Google Chrome

  6. Google Duo

  7. Google Photos

  8. Google Drive

  9. YouTube Music


While all the apps listed above now feature Privacy Nutrition Labels on their respective App Store pages, some seemingly popular Google apps including Gboard, Google Pay, and Snapseed, still haven’t been updated to reflect those.


What are App Privacy Nutrition Labels?

App Privacy Nutrition labels are a part of Apple’s latest privacy push announced alongside iOS 14. The privacy labels appear on every app’s App Store page and share the same idea as regular nutrition labels that appear on food—users can learn from the privacy labels the data that the app uses to track you and the data that’s simply linked to your identity.

Based on the App Store Privacy Nutrition labels, users can decide whether they want to download the app or not in the first place.

Developers themselves need to update their App’s page on the App Store with Privacy Nutrition Labels which is verified by Apple.

While these labels were supposed to go live back in September during the official launch of iOS 14, Apple extended their launch until around mid-December to give developers some time to prepare for the privacy changes—which also include App Tracking Transparency prompts—amid backlash from the ad industry.

Additionally, since December, Apple made the Privacy Nutrition Labels a mandatory requirement while submitting new apps and app updates to the App Store.


Google stopped updating its iOS apps in December

Ever since Apple started enforcing App Store Privacy Nutrition Labels as a necessity for submitting app updates and new app submissions, Google stopped updating its iOS apps, which was quite unusual.

Usually, Google would update its apps every week, which made the situation all the more mysterious. Adding to that mystery and confusion, Google offered a statement to TechCrunch back in January this year stating that it would update its apps with nutrition labels in a week. Google never lived up to that promise.

Ever since January, Google has been gradually updating its apps with App Store Privacy Nutrition Labels with YouTube being one of the first popular Google apps on iOS to receive those.

There had been growing speculation as to why Google delayed updating its apps, with the consensus being that Google was fighting the privacy labels, while that wasn’t the case. Google said that it was carefully considering how to best comply with them.


Google still hasn’t updated some of its crucial iOS apps

While all popular Google apps’ App Store pages have been updated to include App Privacy Nutrition Labels, some crucial apps including Google Maps, Google Photos, and Google Chrome haven’t received updates to the apps themselves so far.

Google Maps has been receiving minor over-the-server updates, but the app hasn’t been updated in its entirety on the App Store. It’s unclear as to why Google is delaying these updates, especially now that the nutrition labels are live.

That being said, despite the delay, Google keeps announcing upcoming features arriving in its apps in future updates without offering a definite date for the update. For instance, Google recently announced that its Maps app will gain AR Indoor navigation and eco-friendly route options in a future update.






It's not clear why Google delayed adding App Privacy labels to its apps for so long as it isn't exactly a surprise that the company is collecting quite a bit of data from users. Google Maps, for example, uses coarse location, search history, browsing history, identifiers, and usage data for third-party advertising purposes, with Google Search using much of the same information.
 



Facebook on Tuesday responded to a recently reported data leak that potentially impacted more than 530 million users, saying the information was likely scraped from its servers in a newly disclosed 2019 incident.

Facebook product management director Mike Clark, in what smacks of an attempt to downplay the massive breach, explained the situation in a blog post published to the company's newsroom. Importantly, the post and additional reporting from Wired reveals a previously unreported breach of Facebook's systems.

Clark acknowledges a report regarding a massive leak of data related to some 530 million Facebook users, but emphasizes that the information was scraped and not obtained through a hack. He adds that Facebook is "confident" that it rectified the issue.

"We believe the data in question was scraped from people's Facebook profiles by malicious actors using our contact importer prior to September 2019," Clark writes. "This feature was designed to help people easily find their friends to connect with on our services using their contact lists."

The cache of data, which included profile names, Facebook ID numbers, email addresses, locations, dates of birth, and phone numbers, appeared on a hacking forum over the weekend. Facebook initially pointed to a previously reported breach from 2019, but failed to disclose which instance it was referring to. The social network suffered a number of data-related fiascos in recent years, including the inadvertent release of 540 million records discovered by security firm UpGuard in April 2019.

As reported by Wired, the new store of information was drawn from a vulnerability Facebook found in 2019. The problem, related to the platform's contact importer, was fixed in August 2019.

Facebook claims it disclosed the scraping operation in statements to media outlets, but Wired tracked down the reports and found they were related to an Instagram breach and a separate Facebook platform leak dating back to mid-2018. The company also failed to inform users individually or post a security bulletin on the matter.

Facebook is quickly moving past the issue of public disclosure and is pushing the narrative toward future actions it plans to take in a bid to secure users.

"We're focused on protecting people's data by working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible," Clark says. "While we can't always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work."
 
Scraped data of 500 million LinkedIn users being sold online

Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof






Days after a massive Facebook data leak made the headlines, it seems like we’re in for another one, this time involving LinkedIn.

An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author.





The four leaked files contain information about the LinkedIn users whose data has been allegedly scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more.

While users on the hacker forum can view the leaked samples for about $2 worth of forum credits, the threat actor appears to be auctioning the much larger 500 million user database for at least a 4-digit sum, presumably in bitcoin.





The author of the post claims that the data was scraped from LinkedIn. Our investigation team was able to confirm this by looking at the samples provided on the hacker forum. However, it’s unclear whether the threat actor is selling up-to-date LinkedIn profiles, or if the data has been taken or aggregated from a previous breach suffered by LinkedIn or other companies.


What was leaked?

Based on the samples we saw from the leaked files, they appear to contain a variety of mostly professional information from LinkedIn profiles, including:

  • LinkedIn IDs

  • Full names

  • Email addresses

  • Phone numbers

  • Genders

  • Links to LinkedIn profiles

  • Links to other social media profiles

  • Professional titles and other work-related data

An example of leaked data:




What’s the impact of the leak?

The data from the leaked files can be used by threat actors against LinkedIn users in multiple ways by:

  • Carrying out targeted phishing attacks.

  • Spamming 500 million emails and phone numbers.

  • Brute-forcing the passwords of LinkedIn profiles and email addresses.

The leaked files appear to only contain LinkedIn profile information – we did not find any deeply sensitive data like credit card details or legal documents in the sample posted by the threat actor. With that said, even an email address can be enough for a competent cybercriminal to cause real damage.

Particularly determined attackers can combine information found in the leaked files with other data breaches in order to create detailed profiles of their potential victims. With such information in hand, they can stage much more convincing phishing and social engineering attacks or even commit identity theft against the people whose information has been exposed on the hacker forum.
 
No password required: Mobile carrier exposes data for millions of accounts

DATA UP FOR GRABS —

Q Link Wireless made data available to anyone who knows a customer's phone number.





Q Link Wireless, a provider of low-cost mobile phone and data services to 2 million US-based customers, has been making sensitive account data available to anyone who knows a valid phone number on the carrier’s network, an analysis of the company’s account management app shows.

Dania, Florida-based Q Link Wireless is what’s known as a Mobile Virtual Network Operator, meaning it doesn’t operate its own wireless network but rather buys services in bulk from other carriers and resells them. It provides government-subsidized phones and service to low-income consumers through the FCC’s Lifeline Program. It also offers a range of low-cost service plans through its Hello Mobile brand. In 2019, Q Link Wireless said it had 2 million customers.

The carrier offers an app called My Mobile Account (for both iOS and Android) that customers can use to monitor text and minutes histories, data and minute usage, or to buy additional minutes or data. The app also displays the customer’s:


  • First and last name

  • Home address

  • Phone call history (from/to)

  • Text message history (from/to)

  • Phone carrier account number needed for porting

  • Email address

  • Last four digits of the associated payment card


Screenshots from the iOS version look like this:



(Redacted screenshots: account profile, usage, menu, and account history views of the app)



No password required . . . what?

Since at least December and possibly much earlier, My Mobile Account has been displaying this information for every customer account whenever it is presented with a valid Q Link Wireless phone number. That’s right—no password or anything else required.

When I first saw a Reddit thread discussing the app, I thought for sure there was some kind of mistake. So I installed the app, got permission from another thread reader, and entered his phone number. I was immediately viewing his personal information, as the redacted images above demonstrate.

The person who started the Reddit thread said in an email that he first reported this glaring insecurity to Q Link Wireless sometime last year. Emails he provided show that he notified support twice again this year, first in February and again this month.

Feedback left in reviews for both the iOS and Android offerings also reported this issue, in several cases with a response from a Q Link Wireless representative thanking the person for the feedback.







Downright negligence

The data exposure is serious because phone numbers are so easy to come by. We give them to prospective employers, car mechanics, and other strangers. And of course, phone numbers are easily obtained by private detectives, abusive spouses, stalkers, and other people who have an interest in a particular person. Q Link Wireless making customer data freely available to anyone who knows a customer's phone number is an act of downright negligence.

I began emailing the carrier about the insecurity on Wednesday and followed up with almost a dozen more messages. Q Link Wireless CEO and founder Issa Asad didn’t respond despite my noting that every hour he allowed the data exposure to continue compounded the risk to his customers.

Then late on Thursday, My Mobile Account stopped connecting to customers’ accounts. When presented with the number of a Q Link Wireless customer, the app responds with a message saying, “Phone number doesn’t match any account.” The iOS and Android versions of the app were last updated in February, suggesting that the fix is the result of a change Q Link Wireless made to a server.





While My Mobile Account displayed customers’ personal information, it didn’t provide a means to change that data. The app also didn't display passwords. That means a person couldn’t exploit this leak to perform a SIM swap or lock users out of their accounts, although the exposure might make it easier for a would-be SIM swapper to social engineer a Q Link Wireless employee into porting a number to a new phone.

There are no indications one way or the other that this leakage was actively exploited. Researchers from security firm Intel471 found no discussions in criminal forums about the available data, but there’s no way to know if it was abused on a smaller scale, say by someone a Q Link Wireless customer knows or has interacted with.

As phone users seeking low-cost, no-frills mobile service, Q Link customers are part of a population that may be least able to afford data breach services and other privacy services. The carrier has yet to notify customers of the data exposure. People using the service should consider any data displayed by the app to be available to anyone who has their phone number.
 
Updated iPhone to 14.4.2 and all my text messaging history is gone. If I text someone, the history comes back for that number only. This seems to be a common problem, but the 'answers' are between unhelpful and useless...?
 