Security Bits Logo no alpha channel

Security Bits — 13 November 2022

Feedback & Followups

Deep Dive 1 — 🧯That Apple App Store Tracking Story

A rather sensationalistic story is doing the rounds which accuses Apple of nefariously tracking users in the App Store against their own rules. But, this story just doesn’t stack up. It conflates a bunch of things and strikes me as clickbait rather than news.

The basis for the story is code found in an old version of the App store from a few years ago that does normal app analytics. This mundane fact is presented as being a scandal of some sort, but there is just no there there that I can see.

When any developer wants to figure out how well or poorly their user interface is working they enable analytics. This helps them figure out what is working, and what’s not. It may be used for A/B testing where some users get one version of the interface, and some another, to find pain points, or to verify that a change has had the expected effect. This is information about how users are using an app captured by that app and sent to the developers of that app. There are no third parties involved here.

Apple know what you do in Apple’s apps, Google know what you are doing in Google’s apps, Meta know what you are doing in their apps, and so on and so forth. Nothing in Apple’s privacy push is about stopping the app you are using knowing what you do in that app, because that would make no sense at all!

So what is App Tracking Transparency about again? It simply requires third parties as for permission before tracking a user’s activity across apps and across the web.

Nothing in this report says Apple is performing any kind of cross-app tracking, nor that they are sharing it with a third party, so it literally has nothing whatsoever to do with App Tracking Transparency.

The other clanger is that this behaviour pre-dates the launch of App Tracking Transparency, and the researchers don’t know if more recent versions of the app store behave in the same way!

Links

Deep Dive 2 — Twitter is now the Wild West, Tread with Care!

I’m not going to waste your time or mine by cataloging the list of rash and ill-advised decisions and U-turns Elon Musk has made since our previous instalment. Others have done a better job than I could (see links below), and it would probably be out of date a few minutes after I finished typing anyway!

The key points are:

  1. Many if not most of the key staff who keep Twitter both running and safe are gone.
  2. The changes are coming so quickly that not even Twitter’s employees can possibly keep on top of things.
  3. Badges have effectively lost all meaning since their official appearance and meaning is changing almost daily.

IMO, you simply cannot trust anything on Twitter anymore. You have no way to know what accounts are fake or real, so anything and everything of importance must be assumed to be a lie. By all means continue to have fun with friends, but don’t rely on Twitter for information or anything of any importance what so ever!

Links

Deep Dive 3 — Considering Mastodon?

If Twitter has gone to heck in a handcart, where can we go? Today, the obvious choice seems to be Mastodon, but while it is a microblogging platform where people share short messages and can follow each other, it has a fundamentally different architecture, and it’s important to understand the difference.

I’ve heard a lot of people tie themselves in knots explaining how Mastodon works as if it’s somehow an exotic or new model, but it really isn’t, it’s a model that’s so old and well-established we ignore it as much as we ignore the air that’s always around us.

Mastodon is a protocol that allows users to publish short posts, and subscribe to the posts made by others. To use the protocol you need an account on a server, then, you can share with and subscribe to anyone on any other Mastodon server.

Email is a protocol that allows users to send messages to each other. To use email you need an account on a server, then, you can exchange messages with anyone else with an account on another email server.

To get an email account, you need to pick a provider and sign up. To get a Mastodon account you need to pick a server and sign up. Your email address is your username at your server, your Mastodon account is your username at your server.

Now, the important part — you must trust your email provider to treat your data with respect and care because your data is on their server! Similarly, you must trust your Mastodon server provider.

When you think about how other single-provider social media services work, the fact that you must trust your provider is not what’s changed — Twitter know what you do on their servers, Meta know what you do on their Facebook, Instagram, and WhatsApp servers, etc. What’s different is not that you must trust, but that you get to choose who to trust! Moving to Mastodon does not require more or less trust, but it gives you the freedom to choose who to give that same trust.

Like there is no central email authority, there is no central Mastodon authority — each server enforces its own rules. This means those who think radically free speech is utopian and those who think it’s dystopian can find servers that align with their views.

A potential downside to the decentralised model is the lack of an authority to provide any kind of official verification. But, the same model provides an interesting new avenue for verification — trusted servers. Like email addresses impart trust based on their domain, so can Mastodon servers. If someone has an @whitehouse.gov email address you know they work for the Whitehouse, if someone has an @intel.com address you know they’re with Intel, etc. Organisation can do the same with Mastodon! The EU is leading the way here, with an official Mastodon server at social.network.europa.eu — only actual EU officials can get accounts there, so all accounts on that server are, by definition, verified! (Source)

So, if you decide you want to give Mastodon a try, I strongly recommend you take the time to carefully choose your server so it aligns with your priorities. As an example, my criteria were:

  1. The server must be community-owned or run by a registered charitable foundation; it must not be a commercial entity out to make money from my data
  2. The server must have what I consider to be sane rules
  3. The server must be in the EU so they are covered by the GDPR and other EU protections
  4. The server must have a good data privacy policy
  5. The server must be reliable

While it is valuable to take the time to choose wisely, it’s not the end of the world if you get it wrong, the Mastodon protocol provides a mechanism for migrating accounts between servers, so you can take your content with you should you choose to move to a new server later!

Anyway, my advice is simply to think about your own requirements before you start looking for a server. If you don’t know what you want, how can you know when you’ve found it?

Further reading

❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

1 thought on “Security Bits — 13 November 2022

  1. Rally Barnard - November 15, 2022

    Just read the Tips section about protecting newly connected TB and USB-C devices on my Mac Studio running Ventura 13.0.
    Guess what — under Security there is NO OPTION to follow the instructions for specifying how to treat newly connected devices. Only FileVault and Lockdown are listed. What version of the OS is the AppleInsider using?

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top