
Security Bits — 21 February 2021

Feedback & Followups

  • In the previous instalment we joined in the mockery of a Chinese railroad company that relied on Flash for their operations. Listener Tom Merit got in touch with a follow-up article which casts some doubt on the details of the Apple Daily report we linked to — it seems the problem did not stop them dispatching trains, and the fix was not a pirated version of Flash, but an older version without the self-deactivating code. They do still deserve quite a bit of mockery regardless IMO — arstechnica.com/…
  • In the previous instalment we mentioned that, prompted by Apple’s infamous FaceTime bug, a security researcher had found similar bugs in other apps and got them responsibly fixed. We’ve since learned that the same research has also revealed how Apple responded in the long term: they completely re-architected FaceTime to harden it dramatically with a new kind of extra-secure sandboxing arrangement they’ve codenamed BlastDoor (Editorial by Bart: I’m really impressed with what Apple have done, very clever!) — www.zdnet.com/… & tidbits.com/…
  • 🎦 Apple have released the video of Tim Cook’s speech to the CPDP21 EU data protection conference mentioned in the previous instalment — youtu.be/…
  • The fallout from Apple’s upcoming App Tracking Transparency feature continues:
    • A study by the Harvard Business Review has found that the numbers Facebook used in their recent anti-anti-tracking ads were false — www.imore.com/…
    • Snapchat also warns investors that requiring informed consent could cost it money — www.imore.com/…
    • Twitter seems more optimistic, warning its investors of only a ‘modest impact’ — www.imore.com/…
  • WhatsApp have launched a second attempt to roll out their controversial updated privacy policy — www.imore.com/…
  • New reporting suggests it wasn’t just the Russians making use of the SolarWinds vulnerability; Chinese government hackers may have done so too — www.msn.com/… (via listener Lynda)
  • 🦠 COVID App News (not done one of these in a while!)
    • Apple have released updated app store rules requiring ‘Health pass’ apps (apps for tracking things like vaccination status and recent test results) to be submitted to the store in conjunction with an approved health authority — www.imore.com/…
    • 🇬🇧 Data from the UK’s storied COVID-19 app shows how effective these apps can be when implemented properly — analysis of the notifications sent by the app shows it instructed 1.7m people that they should isolate, preventing an estimated 600k infections — www.imore.com/…
    • 🇺🇸 Utah re-launches its COVID-19 Exposure Notification System, this time based on the Apple/Google API — www.macobserver.com/…

Deep Dive — Bloomberg Follows up on its Sensationalistic “The Big Hack” Story from 2018 (Opinion)

This entire segment is opinion, but here’s the link to the piece if you’d like to read it yourself: The Long Hack: How China Exploited a U.S. Tech Supplier — www.bloomberg.com/…

What made the original story such big news is the report that there were spying chips inserted into an entire line of popular products used in data centres around the world by massive cloud providers like Amazon and Apple. The authors hadn’t been able to find any actual chips, so they illustrated their piece with an artist’s impression of what one might look like, and the entire US security apparatus and the companies involved all issued strenuous denials of the story.

Back in 2018 when the authors were criticised for publishing such a big allegation without any actual evidence, they replied confidently that now the story was out it would just be a matter of time until the evidence flowed in as these chips started to be found all over the place. That never happened, and still hasn’t!

This new article never admits the old one was wrong. It never retracts the unfounded chip allegations, but it also doesn’t provide any new evidence to support the original claim. Instead, in a bait-and-switch manoeuvre, the article describes highly targeted malicious firmware attacks by nation-states against each other’s interests. That’s neither surprising nor news, and it wouldn’t have been in 2018 either.

We know governments and their operatives are using highly targeted supply-chain attacks, and have known that for years. It’s nice to see an example of this described in detail, but it does not justify the original publication of the utterly unsupported and hyperbolic original piece back in 2018, nor does it justify Bloomberg’s continuing refusal to retract that sensationalistic nonsense.

I’m in complete agreement with John Gruber’s scathing criticism. This quote sums up my opinion nicely:

“It’s a 4,000-word exercise in journalistic sophistry. It creates the illusion of something being there, but there is nothing there. The only good purpose this report could serve is as source material for a class on critical thinking.”

❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

Excellent Explainers

Interesting Insights

Palate Cleansers

  • XKCD use Star Wars to explain mRNA vaccines: xkcd.com/…
  • NASA reminds us just how cool space engineering is, and just how good they are at it — they’ve done it again, using another sky crane to land an even bigger rover on Mars, this time in really hazardous terrain, using AI to allow the craft to pick its own landing site!
    • A really cool photo of the rover dangling from the sky crane over the martian surface — apod.nasa.gov/…
    • 🎦 A great video explaining how the sky crane plays its part in the seven minutes of terror between the top of the Martian atmosphere and a safe gentle touchdown on the red planet — apod.nasa.gov/…
    • [Photo: Steve, Allison, with Michael Johnston of JPL with Perseverance]
    • [Photo: Perseverance at JPL]
  • Northrop Grumman named a spaceship after Katherine Johnson, the black NASA mathematician whose handwritten calculations helped launch the first Americans into space (and who was highlighted in the movie Hidden Figures) — www.npr.org/…

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
(flag emoji) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
