Feedback & Followups
- Glenn Fleishman outlines some ways in which Google’s Find My Device network is actually a little more privacy-preserving than Apple’s Find My network (and one nasty sting in the tail that makes it a lot worse: to use the network at all, you must tell Google your home address) — tidbits.com/…
- Attackers continue to target developers:
- Bogus job interviews that trick developers into installing malicious libraries as part of a ‘coding test’ are becoming ever more common; this week it’s npm packages, but other package repositories have been abused the same way in recent months — thehackernews.com/…
- Attackers have found a novel way to get GitHub to host malicious files for them under URLs that carry the name of a genuinely reputable repo: start a comment in the victim repo, attach the malicious file, copy the URL from the preview, then abandon the comment without ever submitting it. The uploaded file is not cleaned up, and its URL has the victim’s repo as its base, so it looks like it came from the project — www.bleepingcomputer.com/…
- The popular open source GitHub alternative GitLab has the same problem — www.bleepingcomputer.com/…
- Microsoft is joining Google in making changes to fight the volume of spam out there: Microsoft will limit Exchange Online bulk emails to fight spam — www.bleepingcomputer.com/…
- 🇺🇸 The US government is continuing to crack down on grey-hat spyware companies like the NSO group: US imposes visa bans on 13 spyware makers and their families — www.bleepingcomputer.com/…
- 🇺🇸 The US Federal Trade Commission (FTC) is continuing to punish privacy invaders: FTC Fines Mental Health Startup Cerebral $7 Million for Major Privacy Violations — thehackernews.com/…
- Related: The FTC is starting to send the 117,044 American Ring Video Doorbell customers whose private videos were illegally accessed by Amazon staff or contractors their share of the $5.6M settlement they reached with Amazon — www.bleepingcomputer.com/…
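The GitHub comment-attachment trick in the list above is worth turning into a check: a URL beginning with github.com/<owner>/<repo>/ is not proof that the repo’s maintainers put the file there. The Python below is an added example written for these notes, not code from any of the linked articles or from GitHub; the path layouts it keys on are assumptions about GitHub’s public URL scheme at the time of writing, and every sample URL, owner and file name is constructed.

```python
from urllib.parse import urlparse

# Assumed GitHub URL layouts (an assumption for this example, based on
# GitHub's public URL scheme; verify against current documentation):
#   github.com/<owner>/<repo>/blob|raw|tree/<ref>/<path>    checked-in content
#   github.com/<owner>/<repo>/releases/download/<tag>/<f>   maintainer-uploaded release asset
#   github.com/<owner>/<repo>/files/<id>/<filename>         comment attachment (the abused layout)
#   github.com/user-attachments/...                         comment attachment (newer layout)
#   raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>   checked-in content, raw view
#   other *.githubusercontent.com hosts                     uploaded images/attachments

REPO_CONTENT = "repository-content"
RELEASE_ASSET = "release-asset"
COMMENT_ATTACHMENT = "comment-attachment"
UNKNOWN = "unknown"


def classify_github_url(url):
    """Return (category, 'owner/repo' or None) for a GitHub-hosted URL."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    parts = [s for s in p.path.split("/") if s]

    if host == "github.com":
        # Attachments under /user-attachments/ carry no repo name at all.
        if parts[:1] == ["user-attachments"]:
            return COMMENT_ATTACHMENT, None
        if len(parts) >= 4:
            owner, repo, kind = parts[0], parts[1], parts[2]
            slug = f"{owner}/{repo}"
            if kind in ("blob", "raw", "tree"):
                return REPO_CONTENT, slug
            if kind == "releases" and len(parts) >= 5 and parts[3] == "download":
                return RELEASE_ASSET, slug
            # /files/<id>/<name> is a comment attachment: it lives under the
            # repo's name but never appears in the repo's tree or history.
            if kind == "files":
                return COMMENT_ATTACHMENT, slug
        return UNKNOWN, None

    if host == "raw.githubusercontent.com":
        if len(parts) >= 4:
            return REPO_CONTENT, f"{parts[0]}/{parts[1]}"
        return UNKNOWN, None

    if host.endswith(".githubusercontent.com"):
        return COMMENT_ATTACHMENT, None

    return UNKNOWN, None


def is_maintainer_controlled(url):
    """True only for content the named repo's maintainers actually control."""
    category, _ = classify_github_url(url)
    return category in (REPO_CONTENT, RELEASE_ASSET)


# Constructed sample URLs: the owner, repo, ids and file names are made up.
SAMPLE_URLS = [
    "https://github.com/example-org/example-tool/blob/main/install.sh",
    "https://github.com/example-org/example-tool/releases/download/v1.2.0/tool.zip",
    "https://github.com/example-org/example-tool/files/12345678/update.zip",
    "https://github.com/user-attachments/files/87654321/patch.zip",
    "https://raw.githubusercontent.com/example-org/example-tool/main/setup.py",
    "https://user-images.githubusercontent.com/1/abc.png",
    "https://example.com/not-github",
]


def audit(urls=SAMPLE_URLS):
    """Return (url, category, maintainer_controlled) for each URL."""
    return [(u, classify_github_url(u)[0], is_maintainer_controlled(u)) for u in urls]


if __name__ == "__main__":
    for url, category, trusted in audit():
        flag = "OK  " if trusted else "WARN"
        print(f"{flag} {category:18} {url}")
```

The point of the split is that a blob, raw or release URL at least corresponds to something visible in the repo’s tree, history or releases page, where a maintainer could notice and remove it, whereas an attachment URL corresponds to nothing the maintainers can see. Treat a “WARN” result as “this file was uploaded by some GitHub user, not necessarily by this project”, and remember the classification is only as good as the assumed path layouts.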
Deep Dive — An Interesting Insight from the Kaiser Permanente ‘Data Breach’
It was big news this week when the large US not-for-profit healthcare organisation Kaiser Permanente reported what it described as a data breach affecting 13.4 million patients — www.bleepingcomputer.com/….
Firstly, as data breaches go, this is very mild: their website carried the same tracking cookies just about every major news site has, and because they are a healthcare provider and a non-profit, they treat what is business as usual on the internet as a data breach!
If you used the Kaiser Permanente website, then you were tracked by Google, Meta, etc., and they know you are a user of Kaiser Permanente’s services. I don’t live in the US, but if I did, this would make me more likely to choose them over a for-profit provider because:
- The use of the trackers was flagged, and remediated by entirely internal processes
- They chose to be very open about this very minor loss of privacy when they could easily have done the absolute bare minimum required by law and moved on.
So, this story is not in these show notes because of what it says about Kaiser Permanente, it’s here because of what it says about what we, as a global community, now consider normal. Just about every major news site on the internet is invading our privacy more than this data breach. Even supposed stalwarts of liberal democracy and so-called ‘woke extremists’ like the New York Times are breaching our data worse than this each and every day!
I don’t know how this toxic business model ends, but I sure hope it does!
❗ Action Alerts
Worthy Warnings
- Canadian civil rights research group Citizen Lab have released a report detailing how Chinese-language keyboard apps for iOS and Android used by close to a billion people send users’ keystrokes to cloud servers with encryption so weak that a network eavesdropper can read them — citizenlab.ca/…
- Another reminder of why you can’t keep using out-of-support network-connected devices, and, why you need to keep your devices patched: Multiple botnets exploiting one-year-old TP-Link flaw to hack routers — www.bleepingcomputer.com/…
- LastPass are warning that there’s a sophisticated phishing campaign underway targeting people known to hold a lot of cryptocurrency by posing as LastPass staff — www.bleepingcomputer.com/…
- Another reminder of why password re-use is bad, and MFA/2FA is important: Roku leaks 576,000 accounts—its second data breach of 2024 — www.intego.com/… (Another credential stuffing attack, i.e. passwords leaked elsewhere being replayed against Roku accounts)
Notable News
- 🇺🇸 Cops can force suspect to unlock phone with thumbprint, US court rules — arstechnica.com/… (The ruling turned on a thumbprint not being ‘testimonial’: unlike a passcode, producing it requires no thought)
- Editorial by Bart: I agree with John Gruber that the best response to this is not to stop using Touch ID, but to internalise the squeeze & hold gesture that disables biometrics on iPhones until the passcode is entered — daringfireball.net/…
- 🇺🇸 🇨🇳 Turbulent times for TikTok in the US — A bill requiring their Chinese owners, ByteDance, to sell the company within 9 months (or one year if the President grants an optional 3-month extension), or be removed from the US app stores:
- Biden signs TikTok bill into law as Chinese firm threatens legal action — appleinsider.com/…
- ByteDance would rather shut down US TikTok than sell it — appleinsider.com/…
- Some ex-TikTok employees say the social media service worked closely with its China-based parent despite claims of independence — fortune.com/…
- A related story: Apple Forced to Pull WhatsApp and Threads from China App Store — www.macobserver.com/…
- About ByteDance | Know a Little More by Tom Merritt
- Mixed news from Google:
- Meta have announced that Passkey support is on its way to WhatsApp on iOS — www.macobserver.com/…
- 🇺🇸 FCC votes to restore net neutrality protections in the United States — appleinsider.com/…
- 🇺🇸 Colorado has expanded its existing privacy law protecting biometrics to also include brain wave data — arstechnica.com/…
Top Tips
- The untimely death of fellow Mac podcaster and wonderful human being Charles Edge is a timely reminder that we all need to prepare our digital legacies for the sake of our loved ones when we’re gone: Preparing for the Unthinkable: A Brief Guide to Digital Legacy Planning — tidbits.com/…
Palate Cleansers
- From Allison via Steve Mattan on our Slack:
- Douglas Adams and JavaScript – Nate Dickson — poginate.github.io/… (Note from Bart: if you get this, you get bonus PBS geek points 🤓😉)
- From Bart:
- A long read, but utterly worth it: The invisible seafaring industry that keeps the internet afloat — www.theverge.com/…
- 🎦 A fascinating video from Bertrand Serlet (former Apple VP of Engineering of “Redmond, start your photocopiers” fame): WHY AI Works — www.youtube.com/…
- 🎧 One of my pet peeves is people who twist one of the few success stories showing that we actually can all get together and mitigate a foreseeable problem, the Y2K bug, into an argument for doing the opposite and not ‘overreacting’. Don’t take my word for it; let the Malicious Life podcast walk you through the story: Malicious Life: The Y2K Bug, Part 1 — overcast.fm/… & Malicious Life: The Y2K Bug, Part 2 — overcast.fm/…
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |