TSMC has stopped taking new chip orders from Huawei, days after announcing plans to open a US factory, in order to comply with new US export controls.
TSMC made headlines last week when it announced it was building a factory in Arizona. Construction is slated to begin in 2021, with production starting in 2024. The move is aimed at increasing US-based semiconductor manufacturing and reducing dependence on overseas fabs.
Meanwhile, the US has ramped up its campaign against Huawei, a company it accuses of helping Beijing spy on governments around the world. The latest step was a May 15 announcement by the Commerce Department that it was amending the Entity List and the Foreign Direct Product Rule to bar Huawei from buying semiconductors made with US technology, even when the chips are produced by foreign foundries.
In view of the announcement, a source told Nikkei Asian Review that “TSMC has stopped taking new orders from Huawei after the new rule change was announced to fully comply with the latest export control regulation. But those already in production and those orders which TSMC took before the new ban are not impacted and could continue to proceed if those chips could be shipped before mid-September.”
Huawei was already beginning to feel the pressure from the US bans before this development and had warned of fallout if this measure was taken. The next few months should be interesting.
TikTok is in hot water yet again, with consumer groups accusing the social media company of violating child privacy.
The Center for Digital Democracy and the Campaign for a Commercial Free Childhood are leading a coalition of some 20 children’s and consumer groups that have filed a complaint with the Federal Trade Commission (FTC), accusing TikTok of violating a previous agreement with the FTC.
In 2019 TikTok was fined $5.7 million for violating child privacy. As The New York Times reports, TikTok agreed to a number of changes designed to better protect the privacy of children.
According to the NYT, “as part of the settlement, the video-sharing app agreed to obtain a parent’s permission before collecting their child’s personal information. It also agreed to delete personal information, including videos, of any children identified as younger than 13 and to remove videos and other personal details of users whose ages were unknown.”
In spite of the agreement, it appears that TikTok has not followed through on its promise. This is just the latest issue the social media app has dealt with, as it has faced ongoing scrutiny over security and privacy concerns, with the Pentagon and some government agencies banning the app from employees’ devices.
If the FTC finds that TikTok has reneged on its agreement, the company’s problems will only go from bad to worse.
Austrian privacy advocate Max Schrems has levied a complaint against Google, accusing the search giant of tracking users and passing the info to advertisers.
Google has been mired in privacy and antitrust cases in the EU, generally considered the most privacy- and consumer-focused jurisdiction in the world. EU regulators hit Google with fines totalling billions of euros in 2017, 2018 and 2019.
Now Bloomberg is reporting that Schrems' campaign group Noyb has accused Google of using a unique identifier, the Android Advertising ID, to track Android users without valid opt-in consent.
“Google does not collect valid ‘opt-in’ consent before generating the tracking ID, but seems to generate these IDs without user consent,” according to the group.
“Android does not allow deleting the tracking ID. It only allows users to generate a new tracking ID to replace the existing tracking ID. This neither deletes the data that was collected before, nor stops tracking going forward.”
If the claim has merit, the GDPR allows fines of up to “4% of a company’s global annual sales.” If Google is found to be in breach, the result could be one of its biggest fines yet.
A researcher has disclosed seven security vulnerabilities in Thunderbolt that affect Windows and Linux machines and, to a lesser extent, macOS.
In late April it was reported that one of Microsoft’s reasons for not including Thunderbolt on its Surface devices was security. Specifically, Microsoft was concerned that, because Thunderbolt gives attached peripherals direct memory access (DMA), an attacker could use a memory stick or other peripheral to read the device’s memory directly.
It seems Microsoft’s concerns may not have been so far-fetched after all. Björn Ruytenberg, a researcher at Eindhoven University of Technology, has published a report detailing seven Thunderbolt vulnerabilities that could let an attacker with physical access read all data on a computer regardless of the password or disk encryption in use, provided the machine is powered on or asleep so that the encryption keys are still resident in memory. In a video demonstrating the attack, Ruytenberg gains access in roughly five minutes.
All seven vulnerabilities affect Windows and Linux, while only two affect macOS. Even then, macOS is only partially affected, as Apple’s computers use two security measures not used by Windows or Linux; the vulnerabilities defeat the first measure but not the second. A Mac running Windows or Linux under Boot Camp, however, becomes “trivially affected.”
In a follow-up blog post, Ruytenberg says Intel was notified in mid-February but does not intend to take further action, pointing to mitigations it has already shipped. In a post on the company’s site, Intel’s Jerry Bryant explained those mitigations:
“In 2019, major operating systems implemented Kernel Direct Memory Access (DMA) protection to mitigate against attacks such as these. This includes Windows (Windows 10 1803 RS4 and later), Linux (kernel 5.x and later), and MacOS (MacOS 10.12.4 and later). The researchers did not demonstrate successful DMA attacks against systems with these mitigations enabled. Please check with your system manufacturer to determine if your system has these mitigations incorporated. For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers.”
While a vulnerability of this kind is disconcerting, it’s important to keep it in perspective. Exploiting it requires physical access to the machine. As we wrote in the article on Microsoft’s decision not to include Thunderbolt, “a long-standing rule of computer security is that once physical access has been achieved, all bets are off.” That rule still holds true.
If Intel’s response is accurate, modern computers with current OS updates and Kernel DMA Protection enabled are largely safe. The caveat is that the protection depends on firmware support, so it is worth verifying that it is actually active on a given machine rather than assuming it from the OS version. Beyond that, common-sense measures such as controlling physical access to computers and not plugging in unknown Thunderbolt devices should go a long way toward protecting all users.
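A practical way to act on Intel’s advice on Linux is to read the kernel’s own view of the Thunderbolt controller from sysfs. The script below is an added example, not code from this article, from Ruytenberg’s research or from Intel. It reads the documented attributes `security` and `iommu_dma_protection` under `/sys/bus/thunderbolt/devices/domain*` (the latter is present on kernel 5.0 and later) and checks whether any IOMMU groups exist. The function name `assess_dma_protection` and the `build_demo_sysfs` helper, which fabricates a sysfs tree from constructed data so the logic can be exercised on a machine without Thunderbolt, are this example’s own. It counts only IOMMU-backed protection as a pass, because the Thunderbolt “user” and “secure” security levels are exactly what the reported attacks defeat.

```python
"""Report whether the kernel is enforcing IOMMU-based DMA protection on Thunderbolt.

Added example. Reads these sysfs attributes (Linux 5.0+):
  bus/thunderbolt/devices/domain<N>/security             none|user|secure|dponly|usbonly
  bus/thunderbolt/devices/domain<N>/iommu_dma_protection 1 when the IOMMU protects the domain
  kernel/iommu_groups/*                                  present when an IOMMU is active
"""
import glob
import os
import tempfile


def read_attr(path):
    """Return a sysfs attribute's trimmed contents, or None if it is absent."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def assess_dma_protection(sysfs="/sys"):
    """Inspect every Thunderbolt domain and return a report whose 'verdict' is
    'no-thunderbolt', 'protected' or 'exposed'."""
    domains = sorted(glob.glob(os.path.join(sysfs, "bus/thunderbolt/devices/domain*")))
    report = {
        "iommu_active": bool(glob.glob(os.path.join(sysfs, "kernel/iommu_groups/*"))),
        "domains": [],
    }
    if not domains:
        report["verdict"] = "no-thunderbolt"
        return report
    for d in domains:
        report["domains"].append({
            "name": os.path.basename(d),
            "security": read_attr(os.path.join(d, "security")),
            # Missing attribute (pre-5.0 kernel) reads as None and therefore as unprotected.
            "iommu_dma_protection": read_attr(os.path.join(d, "iommu_dma_protection")) == "1",
        })
    # Only IOMMU enforcement counts: the 'user'/'secure' levels are what the
    # published attacks bypass, so a domain without iommu_dma_protection is exposed.
    protected = all(dom["iommu_dma_protection"] for dom in report["domains"])
    report["verdict"] = "protected" if protected else "exposed"
    return report


def build_demo_sysfs(security="user", iommu_protected=False, iommu_active=False):
    """Fabricate a minimal sysfs tree (constructed test data, not a real machine)
    so the check can be exercised anywhere. security=None means no controller."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    if security is not None:
        dom = os.path.join(root, "bus/thunderbolt/devices/domain0")
        os.makedirs(dom)
        with open(os.path.join(dom, "security"), "w") as f:
            f.write(security + "\n")
        with open(os.path.join(dom, "iommu_dma_protection"), "w") as f:
            f.write("1\n" if iommu_protected else "0\n")
    if iommu_active:
        os.makedirs(os.path.join(root, "kernel/iommu_groups/0/devices"))
    return root


if __name__ == "__main__":
    # Real check on this host, then the constructed scenarios for comparison.
    print("this host:", assess_dma_protection())
    print("demo, security level only:", assess_dma_protection(build_demo_sysfs("user"))["verdict"])
    print("demo, IOMMU enforced:", assess_dma_protection(build_demo_sysfs("secure", True, True))["verdict"])
```

No root privileges are needed; the attributes are world-readable. On Windows the equivalent check is the “Kernel DMA Protection” line in System Information (msinfo32), which reports Off when the firmware does not support it even on a fully patched Windows 10.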
Clearview AI has promised it will end all contracts with private companies in the face of public backlash and lawsuits.
Clearview made news as a facial recognition firm that had scraped billions of images from the web and social media, and then made them available for facial recognition searches. The company has repeatedly tried to portray itself as a responsible steward of the technology it has developed and is making available, initially claiming its service was only for law enforcement and government agencies.
In short order, however, it has become apparent Clearview cannot be trusted. Reports surfaced that the company was selling its services internationally, including to oppressive regimes. One of the more disturbing revelations was that the company was monitoring the searches performed by law enforcement and using that information to try to discourage police from talking with journalists.
Throughout it all, the company maintained that it only made its software available to law enforcement and select security personnel. That wasn’t true: reports showed the company had provided its software to many private companies and individuals, including some who used it for their own personal benefit.
According to BuzzFeed, in an effort to deal with the lawsuit it is facing in Illinois, the company is now promising it will cancel its contracts with private organizations.
“Clearview is cancelling the accounts of every customer who was not either associated with law enforcement or some other federal, state, or local government department, office, or agency,” the company said in a filing BuzzFeed has seen. “Clearview is also cancelling all accounts belonging to any entity based in Illinois.”
There’s only one problem with this promise: It comes from a company that has already proven itself to be dishonest, unscrupulous and completely untrustworthy. Here’s to hoping the judge sees right through this latest ploy.
Zoom has acquired Keybase, the popular secure messaging and file-sharing provider, in its ongoing effort to improve its security.
In the midst of the global pandemic, Zoom has gone from 10 million to over 200 million daily meeting participants, becoming the go-to platform for communication of all kinds. Remote workers, government agencies, online students, families, friends and more have all turned to the platform to stay connected.
Unfortunately for the company, it has made a number of security missteps, losing some public confidence along the way. In response, Zoom announced a 90-day moratorium on new features while it focused on beefing up security. This acquisition, the company’s first in its nine-year history, is a major step in that direction.
“There are end-to-end encrypted communications platforms. There are communications platforms with easily deployable security. There are enterprise-scale communications platforms. We believe that no current platform offers all of these. This is what Zoom plans to build, giving our users security, ease of use, and scale, all at once,” said Eric S. Yuan, CEO of Zoom. “The first step is getting the right team together. Keybase brings deep encryption and security expertise to Zoom, and we’re thrilled to welcome Max and his team. Bringing on a cohesive group of security engineers like this significantly advances our 90-day plan to enhance our security efforts.”
“Keybase is thrilled to join Team Zoom!” said Max Krohn, Keybase.io co-founder and developer. “Our team is passionate about security and privacy, and it is an honor to be able to bring our encryption expertise to a platform used by hundreds of millions of participants a day.”
It will be exciting to see just how Zoom integrates Keybase’s features to deliver on its security goals.
The US is reviewing its military and intelligence assets in the UK and may pull them out following the UK’s decision to allow Huawei equipment in its 5G network.
The US has banned Huawei and campaigned to pressure its allies to do the same, especially its partners in the Five Eyes intelligence alliance. Made up of the UK, Australia, New Zealand, Canada and the US, the Five Eyes work closely together on the international scene and share intelligence. The UK in particular has a very close relationship with the US, one that has been strained by the UK’s decision to include Huawei in its 5G network.
According to The Telegraph, the UK’s decision may soon result in action on the part of the US. The Telegraph says that half a dozen sources have confirmed that a review is underway to determine what military and intelligence assets in the UK may need to be pulled out.
“This was not a bluff. You cannot mitigate the danger Boris Johnson is exposing the UK to by letting Huawei into the network,” said one of the sources.
“This review is not a punishment. This is the White House saying ‘okay, if they’re going to go down this path and put themselves at risk then how do we protect ourselves.’”
The coming weeks and months will no doubt be pivotal for the US-UK relationship. It’s also possible that such a review could put more pressure on Johnson to reverse the decision, something many in the British government already want to do.
A group of senators will introduce legislation to help protect consumer privacy as companies focus on using data to help combat COVID-19.
Governments and companies around the world have turned to big data in an effort to map the spread of the coronavirus and get ahead of it. One of the most publicized efforts is the exposure-notification API being developed jointly by Apple and Google. The API, and the apps built on it, will have phones exchange rotating anonymous Bluetooth identifiers so that each phone keeps a local record of the devices it has been near. If a person tests positive, their recent keys are published and every other phone checks locally whether it was in contact with that person over the previous 14 days; owners whose phones find a match are told they have been exposed and should quarantine.
Needless to say, many people have expressed concern over the privacy implications and, according to polling, roughly half of Americans have no intention of installing a contact tracing app.
To help ease concerns, and protect the privacy of Americans, Senators Roger Wicker, John Thune, Jerry Moran and Marsha Blackburn have announced their intention to introduce a data privacy bill. The goal is to provide much-needed transparency and give consumers a measure of control over how their data will be used, as well as hold businesses accountable for how they use it.
“While the severity of the COVID-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important,” said Thune. “This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens.”
Here’s to hoping the legislation will help prevent abuses of consumer data.
Mozilla has announced it is working on Firefox Private Relay, an email alias service designed to protect user privacy.
As more websites and services require an email address to sign up, users are often inundated with mailing lists and spam. Worse, many companies play fast and loose with security, jeopardizing people’s privacy by failing to protect personal information such as email addresses. Some people maintain multiple addresses, reserving one or more for purchases, sign-ups and mailing lists.
Mozilla, a longtime leader in internet privacy, wants to make that process easier with Private Relay, a Firefox add-on that creates an email alias with a single click. The add-on fills the alias into online forms and forwards any email sent to it to the person’s real address. If an alias starts receiving unwanted email, it can be disabled or deleted. One caveat is inherent to any forwarding service: mail to an alias passes through Mozilla’s relay, so the relay operator has to be trusted with it.
This is a welcome feature that will make web browsing and email a little more private and secure.
Reddit has pulled its newly announced “Start Chatting” feature amid an uproar from moderators.
Start Chatting was designed to help make it easier for people to connect with other individuals to talk about common interests. According to the official launch post, Reddit “wanted to give you a heads up about a new feature that we are launching this week called ‘Start Chatting.’ This past month, as people around the world have been at home under various shelter-in-place restrictions, redditors have been using chat at phenomenal new levels. Whether it’s about topics related to COVID-19, local news, or just their favorite games and hobbies, people all around the world are looking for others to talk to. Since Reddit is in a unique position to help in this situation, we’ve created a new tool that makes it easier to find other people who want to talk about the same things you do.”
While the goal may have been admirable, it was not well received by the community. At the time of writing, the announcement had received some 1,400 comments, many of them negative and many of them highlighting some of the very difficult issues the new feature would create. For example, one of the moderators for r/abuse pointed out that people only felt safe discussing their past abuse in that community because moderators were able to aggressively protect them from trolls, perverts and abusive individuals—protection that would not be available if members could engage in moderator-free chat.
It seems the complaints have been heard, as Reddit has fully rolled back the feature. According to the update post, Reddit says they “will not roll the feature out within your community again without having a way for you to opt out, and will provide you with ample notice and regular updates going forward.”
Start Chatting has real potential to be a game-changer for Reddit, but it’s obvious some considerations were overlooked in the initial implementation. Here’s to hoping they get it right the second time around.
A new report has found that attackers have been getting sophisticated Android spyware onto the Google Play Store for years.
Kaspersky Lab was first alerted to the activity in July 2019 and began investigating. What it found was a family of malware that, rather than displaying ads or stealing the victim’s money, planted a backdoor on infected devices through which the operators could deliver custom payloads.
The malicious apps used a variety of techniques to slip past Google’s review process, including what essentially amounts to a bait-and-switch. They would often install while requesting few or no permissions, only to acquire the necessary permissions later. In other cases, a benign version would be published first and the backdoor added in a later update. Once a phone was running a malicious version, the operators had a foothold that gave them access to a wealth of information.
“Functionality of all samples are similar – the main purpose of spyware was to gather sensitive information,” write Alexey Firsh and Lev Pikman. “While the basic functionality was not very broad, and included geolocation, call logs, contact access and SMS access, the application could also gather a list of installed applications, as well as device information, such as model and OS version. Furthermore, the threat actor was able to download and execute various malicious payloads, thus, adapting the payload that would be suitable to the specific device environment, such as Android version and installed apps. This way the actor is able to avoid overloading the application with unnecessary features and at the same time gather information needed.”
This is a particularly disturbing discovery and, hopefully, Google will be quick about resolving their vetting process issues to ensure this kind of malware does not continue appearing on the Google Play Store.
Microsoft has given an unlikely reason for Surface devices lacking Thunderbolt ports and removable RAM: security.
According to WalkingCat on Twitter, a Surface engineering webinar says that security is the main reason for both features being missing from Surface tablets and laptops.
The engineer says that removable RAM poses a risk because an attacker could freeze the modules with liquid nitrogen (which slows the decay of DRAM contents after power is removed), pull them from the machine and read everything that was in memory with a separate reader. Similarly, because Thunderbolt is “a direct memory access port,” Microsoft leaves it out over concerns that someone could plug a memory stick into the port and read the device’s memory directly, bypassing the OS and its security controls.
The Verge was able to verify the authenticity of the leaked presentation, as well as the fact that the person narrating it is a 10+ year Microsoft veteran. Even so, as The Verge points out, it’s still surprising to hear Microsoft blaming security as the reason for not including Thunderbolt, especially since virtually every other major manufacturer deems it safe enough to include in their business-oriented machines.
A long-standing rule of computer security is that once physical access has been achieved, all bets are off. Most computer security focuses on keeping bad actors from gaining remote access. In contrast, once a device physically falls into a bad actor’s hands, aside from full-disk encryption there’s virtually nothing to prevent them from eventually gaining access to what’s on the disk. It is worth noting that both attacks the engineer describes target a machine that is powered on or sleeping with its encryption keys still in memory, which is precisely the case full-disk encryption alone does not cover. Even so, Microsoft’s reason seems like a pointless, and possibly self-serving, justification.
In a surprise move, Zoom has chosen Oracle for its latest cloud infrastructure expansion as the company experiences unprecedented growth.
As COVID-19 has forced people to social distance, work from home, engage in remote learning and socialize digitally, Zoom has been one of the most popular platforms people have turned to. In short order, the platform went from 10 million to over 300 million daily meeting participants, putting a strain on the company’s infrastructure.
The company already uses AWS and Microsoft for cloud infrastructure but, in an effort to keep up with demand, Zoom has struck a deal with Oracle for its latest expansion. The choice is particularly surprising given Oracle’s current place in the market, far behind AWS, Microsoft and Google. One of the motivating factors was Oracle’s security, an area where Zoom has been working to improve.
“We recently experienced the most significant growth our business has ever seen, requiring massive increases in our service capacity. We explored multiple platforms, and Oracle Cloud Infrastructure was instrumental in helping us quickly scale our capacity and meet the needs of our new users,” said Zoom CEO Eric S. Yuan. “We chose Oracle Cloud Infrastructure because of its industry-leading security, outstanding performance, and unmatched level of support.”
“Video communications has become an essential part of our professional and personal lives, and Zoom has led this industry’s innovation,” said Oracle CEO Safra Catz. “We are proud to work with Zoom, as both their cloud infrastructure provider and as a customer, while they grow and continue to connect businesses, people and governments around the world.”
The deal is a huge win for Oracle as it endeavors to expand its market share, and will likely lead to other companies looking to it as a viable option.
Note: Clarification added to show Zoom continues to use AWS and Microsoft.
Sophos has issued a hotfix for its XG Firewall to patch a zero-day SQL injection vulnerability (CVE-2020-12271) that was being actively exploited.
According to Sophos, the firm was first made aware of the issue on April 22 by a customer who noticed “a suspicious field value visible in the management interface.” After investigating, Sophos determined the value was not a bug but evidence of an attack against both physical and virtual XG Firewall units.
“The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices,” reads the security bulletin. “It was designed to exfiltrate XG Firewall-resident data. Customers with impacted firewalls should remediate to avoid the possibility that any data was compromised. The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access. Passwords associated with external authentication systems such as Active Directory (AD) or LDAP were not compromised.”
The hotfix also displays a message in the XG management interface telling customers whether their unit was compromised. Customers whose units were not compromised need take no further action. Customers whose units were compromised are advised to reset device administrator accounts, reboot the devices and reset the passwords of all local user accounts. Because the attackers obtained password hashes, which can be cracked offline at leisure, any XG password that was reused elsewhere should be changed there as well.
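To make concrete what a pre-auth SQL injection of the kind Sophos describes looks like, here is an added example in Python over an in-memory SQLite table of constructed local accounts. It is not Sophos’s code and not the actual XG Firewall bug. The vulnerable lookup splices the caller-supplied username into the query, so a UNION payload returns every account’s password hash through a field that was only meant to show display names; the hardened version passes the value as a bound parameter. The function names, the table layout and the hash strings are assumptions made for the example.

```python
"""Pre-auth SQL injection: vulnerable lookup beside its parameterized fix.

Added example with a constructed schema; not the real XG Firewall code.
"""
import sqlite3


def make_demo_db():
    """Constructed table mimicking a device's local accounts with hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT, pw_hash TEXT);
        INSERT INTO users VALUES ('admin',   'Device Admin',  '$6$constructed$hash1');
        INSERT INTO users VALUES ('vpnuser', 'Remote Access', '$6$constructed$hash2');
    """)
    return conn


def display_names_vulnerable(conn, username):
    """Unauthenticated lookup that splices untrusted input straight into SQL."""
    sql = f"SELECT display_name FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def display_names_hardened(conn, username):
    """Same query with the value bound as a parameter: the input can only ever be data."""
    sql = "SELECT display_name FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Closes the string literal, appends a UNION that selects every hash, and
# comments out the dangling quote. The attacker needs no credentials to send it.
EXFIL_PAYLOAD = "x' UNION SELECT username || ':' || pw_hash FROM users --"


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable:", sorted(display_names_vulnerable(db, EXFIL_PAYLOAD)))
    print("hardened:  ", display_names_hardened(db, EXFIL_PAYLOAD))
```

The hardened query still returns nothing useful to an attacker because the whole payload is compared as a literal username. Note that the hashes leaking is not harmless just because they are hashes: an attacker can run a cracker against them offline, which is why Sophos tells compromised customers to reset local passwords rather than merely apply the hotfix.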
The Federal Communications Commission (FCC) has thrown down the gauntlet, going after telecom companies that have strong ties to Beijing.
The U.S. has engaged in some very public battles with Chinese firms, including Huawei and ZTE, citing issues of national security. In its latest move, the FCC has “issued Show Cause Orders to four telecom companies with ties to the communist regime in China.” A Show Cause Order gives the companies 30 days to make the case as to why their authority to operate within the U.S. should not be revoked. The companies in question are ComNet, China Telecom Americas, China Unicom Americas and Pacific Networks.
“Over the past few weeks, Americans have learned that they no longer need to page through dusty foreign policy magazines to understand the consequences that flow from communist China’s brutal crackdown on freedom and free speech,” writes Commissioner Brendan Carr. “The communist party’s silencing of critics and its disappearance of hero doctors and citizen journalists exacerbated the global spread of Covid-19. Americans are now experiencing the consequences of those oppressive actions in their own lives—whether in the loss of their jobs or their kids not being able to attend school due to Covid-19.
“Since communist China is willing to disappear its own people to advance the regime’s geopolitical agenda, it is appropriate for the FCC to closely scrutinize telecom carriers with ties to that regime. This is a prudent step to ensure the security of America’s telecom networks. In the Show Cause orders issued today, we give carriers 30 days to explain why the FCC should not initiate proceedings to revoke their authority. They now have the opportunity to provide evidence showing that they are not subject to the exploitation, influence, and control of the Chinese government such that we should not look to revoke their authority to operate in the U.S. I look forward to reviewing the record that develops and reaching a final decision on those key issues.”
It’s unknown what impact the FCC’s actions will have on trade relations with China, although Beijing has vowed retaliation in the past when action has been threatened against one of its companies.
Mozilla has announced it is raising its top Firefox bug bounty to $10,000.
Bug bounties are a popular way of encouraging developers and “white hats,” the term for ethical hackers that find and report vulnerabilities, to work with companies and test their products and services. Most major companies pay significant bounties for bugs that are reported to them. In many cases, white hats are able to make a full-time income off the bounties they collect.
According to Mozilla’s blog post, the company has made use of bug bounties since 2004, paying out some $965,750 between 2017 and 2019. While the average payout was $2,775, the most common amount was $4,000.
The company is making a number of changes to make the bounty program more accessible, while also splitting bounties among duplicate reports that are filed within 72 hours of the first report. This is being done in an effort to reward individuals who may have come in second or third by mere hours. In addition, the company is raising its payouts.
“Besides rewarding duplicate submissions, we’re clarifying our payout criteria and raising the payouts for higher impact bugs,” writes Mozilla’s Tom Ritter. “Now, sandbox escapes and related bugs will be eligible for a baseline $8,000, with a high quality report up to $10,000. Additionally, proxy bypass bugs are eligible for a baseline of $3,000, with a high quality report up to $5,000.”
Mozilla’s announcement will likely be a big motivation for white hats to continue finding and reporting bugs in Firefox.
Apple has said a recently discovered iOS Mail vulnerability poses no immediate threat and a fix is coming soon.
As previously covered, security firm ZecOps discovered flaws in iOS Mail affecting both iPhones and iPads. The attack involves sending a specially crafted, seemingly blank email that crashes the Mail app, creating an opportunity for an attacker to steal data from the device. ZecOps believes the vulnerability was exploited as far back as 2018 and was working with a client it believed had been targeted through it in late 2019.
In spite of that, Apple reached out to Bloomberg reporter Mark Gurman to issue a statement, which Gurman tweeted:
Apple responds to ZecOps report on Mail app vulnerabilities, says it doesn’t pose immediate risk and software update coming.
“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”
Apple’s response is good news, although it still leaves a number of questions, not the least of which is what did ZecOps find in the way of vulnerabilities being exploited over the last two years?
Did you know that over 380 billion emails are sent in a single day, 85% of them spam? Many of those emails are phishing attempts; in 2018 more than 80% of people received phishing emails. Phishing attacks are on the rise, more than doubling between 2013 and 2018. What do we stand to lose, and what can we do in the face of the ever-growing threat of phishing?
The fact that 8 in 10 people experienced a phishing attack just two years ago is reason enough to be on guard. Two out of three have received phishing emails, and one in three people have been compromised: a computer infected with a virus or malware, an account taken over, or a social media or email account hacked. Over 90% of social media attacks were phishing related.
Individuals aren’t the only targets: more than half of businesses have experienced phishing attacks. A successful attack can be costly, with businesses losing nearly $2 million per incident through decreased productivity, data loss and reputational damage. It isn’t merely a bad review, either: 1 out of every 3 customers will stop using a business after a security breach.
Many feel that stopping a phishing attack is getting beyond their control. Since 2016, 72% of employees say protecting themselves from email attacks has become increasingly difficult. Why is it so hard to tell legitimate from fake? Attackers enlist psychology, exploiting emotions to get people to act. What tricks do they have up their sleeves?
Mostly, attackers try to elicit fear to trip people up, e.g. urgent bills, important new information, or notices of violation. All of these create a sense of urgency and prey on the fear of not having all the pertinent information. Attackers also send realistic-looking messages impersonating reputable institutions, duping people into sending payments. Some attacks go undetected entirely, like formjacking, where a website’s form is compromised to silently collect private user information.
People don’t seem to know what to look for, and current procedures aren’t effective. Many employees forward suspicious emails to the IT department, yet of all the emails forwarded to IT, only 15% are malicious. These are the results from employees trained once a year, which doesn’t look like it’s enough.
After annual training, 35% of employees still don’t know what phishing means. That is a serious gap which, left unchecked, leads to successful attacks: 1 in 10 employees clicked a link in a phishing email. This is why you need people, not just technology, to protect against cyber threats.
Over half of information security professionals believe continued training has reduced susceptibility to phishing attacks, with almost 100% recommending training people to identify them. People can do better with the right training, feedback on effectiveness, and the tools to apply what they have learned. It is no secret that people learn better through practice and reinforcement, so get to it!
Researchers have discovered a flaw in the iOS version of Mail that may have left countless iPads and iPhones vulnerable to data theft.
According to Reuters, the flaw was found by San Francisco-based ZecOps, a company specializing in mobile security forensics. The investigation was prompted by a sophisticated attack against one of ZecOps’ clients in late 2019.
ZecOps CEO, Zuk Avraham, “said he found evidence that a malicious program was taking advantage of the vulnerability in Apple’s iOS mobile operating system as far back as January 2018.” What makes the vulnerability particularly unsettling is that it requires little to no action on the part of the victim.
The hack works through a seemingly blank email that forces a crash and reset, Reuters reports, opening “the door for hackers to steal other data on the device, such as photos and contact details.” Not even recent versions of iOS protect a user, leaving the victim vulnerable to having their data remotely stolen from their device.
Apple did confirm to Reuters that a vulnerability does exist in Mail, and an upcoming software update would include a fix. While the fix is certainly good news, it’s worrisome that such a severe bug went undiscovered for so long while, at the same time, apparently being exploited by bad actors.
In a letter to Apple CEO Tim Cook and Google CEO Sundar Pichai, Senator Josh Hawley wants both CEOs to take personal responsibility for customer privacy.
Apple and Google recently announced that they are working together on coronavirus tracking apps that will use a common API and eliminate the incompatibilities that often plague iOS and Android interaction. The apps will use Bluetooth and operate on a decentralized model to ensure user privacy.
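As an added example of what “decentralized” means in practice (this is a simplified model written for this page, not Apple’s or Google’s code): each phone keeps a daily key that never leaves the device unless its owner is diagnosed, broadcasts a different rolling identifier every 10-minute interval, and stores the identifiers it hears. A diagnosed user uploads only their daily keys; every other phone downloads those keys and re-derives the identifiers locally to see whether it was nearby. The `Phone` class, the `derive_rpi` construction (HMAC-SHA256 in place of the real design’s HKDF and AES) and the three-phone scenario are assumptions for illustration.

```python
import hashlib
import hmac
import os

# 10-minute intervals per day, as in the Apple/Google design. The rest of the
# cryptography here is a simplification: HMAC-SHA256 in place of HKDF + AES.
INTERVALS_PER_DAY = 144


def derive_rpi(daily_key: bytes, interval: int) -> bytes:
    """Rolling proximity identifier broadcast during one interval."""
    msg = b"EN-RPI" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.daily_keys = {}   # day -> 16-byte key; leaves the phone only on diagnosis
        self.observed = set()  # (rpi, day, interval) heard over Bluetooth

    def key_for_day(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = os.urandom(16)
        return self.daily_keys[day]

    def broadcast(self, day: int, interval: int) -> bytes:
        return derive_rpi(self.key_for_day(day), interval)

    def hear(self, rpi: bytes, day: int, interval: int) -> None:
        self.observed.add((rpi, day, interval))

    def diagnosis_keys(self) -> list:
        """What a positive-tested user uploads: daily keys only, no contact list."""
        return sorted(self.daily_keys.items())

    def check_exposure(self, published_keys: list) -> list:
        """Re-derive every identifier for each published key and match on-device."""
        matches = []
        for day, key in published_keys:
            for interval in range(INTERVALS_PER_DAY):
                if (derive_rpi(key, interval), day, interval) in self.observed:
                    matches.append((day, interval))
        return matches


def simulate() -> dict:
    """Constructed scenario: Bob meets Alice on day 3, interval 5; Carol meets nobody."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    bob.hear(alice.broadcast(day=3, interval=5), day=3, interval=5)
    # Alice tests positive and uploads her keys; the server relays them to everyone.
    server_keys = alice.diagnosis_keys()
    # Without the key, no two of Alice's broadcasts look related to a listener.
    day_rpis = {alice.broadcast(3, i) for i in range(INTERVALS_PER_DAY)}
    return {
        "bob": bob.check_exposure(server_keys),
        "carol": carol.check_exposure(server_keys),
        "distinct_rpis": len(day_rpis),
    }


if __name__ == "__main__":
    print(simulate())
```

The server in this model never learns who met whom; it only holds the daily keys of diagnosed users, and the matching runs on each handset. The trade-off worth knowing: once a day’s key is published, anyone who recorded that user’s broadcasts can link all of that day’s identifiers to one anonymous device, which is the kind of property that becomes a re-identification risk if it is ever combined with other datasets such as location logs.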
Despite assurances by both companies that every effort is being made to protect privacy, Senator Hawley is not convinced. In particular, Hawley is concerned the anonymized data could be paired with other datasets to identify individuals and is calling on Cook and Pichai to put their money where their mouth is, so to speak.
“Americans are right to be skeptical of this project,” writes Hawley. “Even if this project were to prove helpful for the current crisis, how can Americans be sure that you will not change the interface after the pandemic subsides? Once downloaded onto millions of phones, the interface easily could be edited to eliminate previous privacy protections. And any privacy protection that is baked into the interface will do little good if the apps that are developed to access the interface also choose to collect other information, like real-time geolocation data. When it comes to sticking to promises, Google’s record is not exactly reassuring. Last year a Google representative had to admit, under oath, that Google still tracks location history even when a person turns location history off. As the Associated Press put it, ‘Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to.’”
Interestingly, Hawley only mentions Google’s issues with privacy, as Apple has a well-earned reputation as one of the strongest privacy advocates in the tech industry. Tim Cook has stated that Apple believes privacy is a fundamental human right, and the company’s actions support that claim. Even so, Hawley wants the executives of both companies to be personally liable for customer privacy as it relates to any proposed coronavirus tracking app.
“A project this unprecedented requires an unprecedented assurance on your part,” Hawley continues. “Too often, Americans have been burned by companies who calculated that the profits they could gain by reversing privacy pledges would outweigh any later financial penalty levied against the company. The last thing Americans want is to adopt, amid a global emergency, a tracking program that then becomes a permanent feature in our lives.
“If you seek to assure the public, make your stake in this project personal. Make a commitment that you and other executives will be personally liable if you stop protecting privacy, such as by granting advertising companies access to the interface once the pandemic is over. The public statements you make now can be enforced under federal and state consumer protection laws. Do not hide behind a corporate shield like so many privacy offenders have before. Stake your personal finances on the security of this project.”
The senator clearly voices concerns that millions of individuals have expressed in the wake of Apple and Google’s announcement. Hopefully, Senator Hawley’s letter will help ensure both companies do everything possible to protect user privacy.
In its ongoing efforts to beef up security, Zoom is preparing to allow hosts to report participants who misbehave.
Zoom has become a critical tool for individuals and organizations alike during the coronavirus pandemic. The company has, however, come under criticism for lax security and privacy, prompting many companies and organizations to ban the app. As a result, Zoom committed to a 90-day moratorium on new features while its engineering teams focused on security and privacy improvements.
One of the biggest issues the company has been trying to address is Zoom-bombing, where an uninvited participant gains access to a meeting and commandeers it. Zoom-bombers have subjected legitimate participants to lewd drawings, racial slurs and more.
According to notes on Zoom’s site, the company is releasing an update on April 26 that will allow hosts to report those participants who misbehave.
Setting to allow host to report participants to Zoom
Account owners and admins can now enable a setting to allow the host to report participants to Zoom. This feature will generate a report which will be sent to the Zoom Trust and Safety team to evaluate any misuse of the platform and block a user if necessary. This setting is available at the account, group, and user level and can be locked at the group or account level. This setting requires the Zoom client version which will be released on April 26, 2020.
This is another welcome improvement to Zoom and should help improve the experience for all involved.