App Tracking? Sure, Why Not?
May 4, 2022
Big tech companies, including Google, Facebook, and Apple, are supposed to cut back on the amount of data they collect from users via apps. Despite the lip service to users, apps are still collecting data and it appears these companies will not stop anytime soon. Daiji World explains how much data apps are still gathering in: “Apps Still tracking Users’ Data On Apple App Store.”
A University of Oxford research team investigated 1759 Apple iOS apps in the United Kingdom App Store. The team monitored these apps before and after Apple implemented new tracking policies that supposedly make it harder to track users. Unfortunately, these apps are still tracking users and still fingerprinting them. The team found hard evidence of user tracking:
“The researchers found real-world evidence of apps computing a mutual fingerprinting-derived identifier through the use of “server-side code” — a violation of Apple’s new policies and highlighting the limits of Apple’s enforcement power as a privately-owned data protection regulator. ‘Indeed, Apple itself engages in some forms of user tracking and exempts invasive data practices like first-party tracking and credit scoring from its new privacy rules,’ claimed Konrad Kollnig, Department of Computer Science, University of Oxford.”
Apple’s Privacy Nutrition Labels are also inaccurate and are in direct conflict with Apple’s marketing claims. It is a disappointment that Apple is purposely misleading its users. Enforcing user privacy laws is sporadic, and tech companies barely follow what they set for themselves. Apple has its own OS, so they have a closed technology domain that they control:
“‘Apple’s privacy efforts are hampered by its closed-source philosophy on iOS and the opacity around its enforcement of its App Store review policies. These decisions by Apple remain an important driver behind limited transparency around iOS privacy,’ [the research team] emphasised.”
Does this come as a surprise for anyone? Nope.
Apple can do whatever it wants because it is a prime technology company and it develops everything in-house. The only way to enforce privacy laws is transparency, but Apple will not become crystal clear because that would mean the company loses profits.
Whitney Grace, May 4, 2022
Apple and Stalking? The Privacy Outfit?
May 3, 2022
Here is a tale of unintended, though not unanticipated, consequences. Engadget tells us “Police Reports Suggest a Larger Pattern of AirTag Stalking.” A few isolated cases of bad actors using Apple AirTags to facilitate stalking or car theft have come to light since the device was released in April 2021. To learn how widespread the problem is, Motherboard requested any records mentioning the technology from dozens of police departments around the country. Writer K. Holt summarizes:
“Motherboard received 150 reports from eight police departments and found that, in 50 cases, women called the cops because they received notifications suggesting that someone was tracking them with an AirTag or they heard the device chiming. (An AirTag will chime after it has been separated from its owner for between eight and 24 hours.) Half of those women suspected the tags were planted in their car by a man they knew, such as a current or former romantic partner or their boss. The vast majority of the reports were filed by women. There was just one case in which a man made a report after suspecting that an ex was using an AirTag (which costs just $29) to stalk him. Around half of the reports mentioned AirTags in the contexts of thefts or robberies. Just one instance of AirTag-related stalking would be bad enough. Fifty reports in eight jurisdictions in eight months is a not insignificant number and there are likely other cases elsewhere that haven’t been disclosed.”
Apple was aware the product had the potential to be abused, which is why the alerts cited by victims were built into it from the start. The company has since made some tweaks to make it more obvious if its product has been slipped into one’s belongings, like chiming sooner or making those notification messages clearer. At first the notifications only worked on iOS devices, leaving Android users in the dark. An Android app has since been released, but those users must be aware of the problem, and remember to manually scan for potential AirTag-alongs, for it to be of any use. Google is reportedly working on OS-level detection, which would be some consolation.
And the bad actors? Probably beavering away.
Cynthia Murrell, May 3, 2022
Infrared Tags Hide Information Like Magic: Will Bad Actors Respond?
April 26, 2022
A trope in fantasy stories is an object enchanted with information that will only reveal it to the “chosen hero” or under specific circumstances. A famous example of this trope is from Tolkien’s The Hobbit, when Elrond reads Thrór’s Map at Rivendell. Humans have found ways to hide information for centuries using chemistry, physics, and physical/pictorial illusions.
These hiding tricks are described as magical, but it is really human ingenuity that casts the true spell. Wonderful Engineering explains a new way to render information invisible: “These New Infrared Tags Can Embed ‘Invisible’ Info Within 3D-Printed Objects.”
Ph.D. candidate Mustafa Doga Dogan heads a MIT team working on “Infrared Tags.” Essentially these Infrared Tags will contain all the same information as a barcode, but instead of being unattractive or coming off an item they are hidden. The Infrared Tags are invisible to human eyesight, but are visible with an infrared camera. The Infrared Tags can be printed within any object and can be manufactured in two ways:
“MIT team has developed the tags, that seem like regular barcodes, using an infrared-transmitting filament interspersed with air gaps. Such filament appears opaque in visible light but looks translucent in Infrared Light. It was printed inside the walls of the 3D object. One approach involves carving a pattern of tiny air gaps out of a layer of plastic, covered with a smooth protective layer. These gaps represent ones and zeroes, so they can be read like binary code by an IR Camera. There is another approach as well. It involves the utilization of a second plastic. Such plastic is opaque to IR light to create more traditional QR codes. These are covered with an outer layer of the main plastic.”
The Infrared Tags are actually built into the item. It makes an object more appealing, because a barcode is not printed on it. The tags are also more durable as they cannot be removed through physical means.
If mobile devices are built with infrared cameras, then these tags would return design to pre-barcode days. Barcodes contain an extraordinary amount of information, especially for entertainment mediums, retail, and organization systems. What would it mean if they were rendered invisible? The proper magical device may inspire bad actors. The digital sword of Damocles is swinging.
Whitney Grace, April 26, 2022
Dark Patterns and Possible Digital Roach Motels
April 22, 2022
Online subscriptions are a convenient way to receive goods and services, from streaming media to household staples. They are easy to sign up for and, as long as there are adequate funds in one’s account, easy to continue enjoying month after month without lifting a finger. Ending a subscription, on the other hand, can be a calculated nightmare. CNet examines how and why “Canceling Online Subscriptions is Confusing, Difficult, and Absurd… by Design.”
Reporter Attila Tomaschek begins with the saga of cancelling his family’s meal-kit subscription, an ordeal that, he writes, involved a confusing maze of “surveys, guilt trips, oversized green buttons prompting me to stay on board and tiny gray cancellation confirmation links that I had to scroll seemingly endlessly to find.” Such tactics rely on customer retention through exasperation, and they are part of a devious set of techniques called dark patterns. The term refers to steering or tricking users into taking certain actions, like divulging personal data or agreeing to charges one never intended to incur. Or abandoning the quest to cancel a subscription, a sub-pattern known as the roach motel. Tomaschek notes:
“And it’s not just the small-time players that are resorting to these tactics. Have you ever tried canceling your Amazon Prime account? Good luck figuring out how to do it — and actually getting through the process without wanting to tear all your hair out. Want to cancel your New York Times subscription? Make sure you have 8 minutes to spare as you wait for a live chat representative to do it for you. This type of dark pattern is sometimes referred to as a roach motel — a design that makes it easy to sign up for a service but outrageously difficult to cancel that service. The cancellation funnel is typically a multi-step process that includes intentionally confusing language and ambiguous navigation buttons. Companies may also sprinkle in cancellation buttons that say things like ‘I don’t care about losing premium features,’ or ‘I don’t like saving money,’ for good measure — preying on the fear of missing out to keep their customers. Then, once the customer has finally navigated the cancellation funnel, they’ll often have to call a phone number or send an email or contact a support agent via chat to finalize the process, adding yet another step to an already lengthy process.”
Not all online subscription providers stoop to this level. Some make the cancellation process easy and transparent, relying on customer satisfaction for customer retention. Imagine that! The hugely successful streaming service Netflix and popular online collaboration platform Basecamp are two examples. For those that do treat would-be former users like roaches, a scant few have faced legal consequences. Examples include the children’s learning platform ABCmouse and weight loss app Noom. Those cases are not the norm, though, as legislation has yet to catch up to the very concept of dark patterns. Until it does, Tomaschek suggests readers examine a company’s cancellation procedure before subscribing to any online service. If it is clear as mud, one would be wise not to set foot in that potential labyrinth.
Cynthia Murrell, April 22, 2022
Is This a Wake Up Call for Cyber Crime Experts?
April 20, 2022
Do you want to be an in-demand cyber expert? You can. You can learn what you need by watching, downloading, or paying for online courses. Then go for the real money: consulting, training, and explaining to law enforcement, intelligence, and security professionals. Easy, right?
Just be selective about your customers.
“U.S. Hacker Sentenced to Five Years Following Crypto Lessons in North Korea” reports an actual factual situation involving “expert knowledge.” The write up states:
… crypto currency expert and hacker Virgil Griffith was sentenced to five years in prison this Tuesday for aiding North Korea in avoiding U.S. sanctions. The sentence comes in wake of his participation in a crypto currency-focused conference held in North Korea’s capital city, Pyongyang in April 2019, which the U.S. citizen attended even after being denied a travel permit for the purpose. Griffith pled guilty to conspiracy last year, which accelerated his sentencing.
The original article provides additional information. I just want to focus on the risks of not keeping information confidential and out of certain channels. The issues related to incidents associated with FinFisher, Hacking Team, NSO Group, and other companies have not had much impact on specialized software and services never intended for a nation state at odds with the US or not created for commercial use.
The cyber crime training sector is booming. But certain information can blow up in one’s face. One can recover after five years of rest I suppose. But where was the fabric of clear decision making? In a Pyongyang relaxation spa? Perhaps with McKinsey & Company in Paris, a fave destination for some North Koreans?
Stephen E Arnold, April 20, 2022
TikTok: A Murky, Poorly Lit Space
April 15, 2022
TikTok, according to its champions, is in the words of Ernie (Endurance) Hemingway:
You do not understand. This is a clean and pleasant café. It is well lighted. (Quote from “A Clean, Well-Lighted Place”)
No, I understand. If the information in “TikTok under US Government Investigation on Child Sexual Abuse Material” is on the money, and the Department of Justice and the US Department of Homeland Security are indeed looking into the matter, TikTok may not be a “clean and pleasant café.”
The paywalled story says that TikTok is a digital watering hole for bad actors who have an unusually keen interest in young people. The write up points out that TikTok is sort of trying to deal with its content stream. However, there is the matter of a connection with China and that country’s interest in metadata. Then there is the money, which just keeps flowing and growing. (Facebook and Google are now breathing TikTok’s diesel exhaust. Those sleek EV-loving companies are forced to stop and recharge as the TikTok tractor trailer barrels down the information highway.)
For those Sillycon Valley types who see TikTok as benign, check out some of TikTok’s offers to young people. Give wlw a whirl. Oh, and the three letters work like a champ on YouTube. Alternatively ask some young people. Yeah, that’s a super idea, isn’t it. Now about unclean, poorly illuminated digital spaces.
Stephen E Arnold, April 15, 2022
Google Hits Microsoft in the Nose: Alleges Security Issues
April 15, 2022
The Google wants to be the new Microsoft. Google wanted to be the big dog in social media. How did that turn out? Google wanted to diversify its revenue streams so that online advertising was not the main money gusher. How did that work out? Now there is a new dust up, and it will be more fun than watching the antics of coaches of Final Four teams. Go, Coach K!
The real news outfit NBC published “Attacking Rival, Google Says Microsoft’s Hold on Government Security Is a Problem.” The article presents as actual factual information:
Jeanette Manfra, director of risk and compliance for Google’s cloud services and a former top U.S. cybersecurity official, said Thursday that the government’s reliance on Microsoft — one of Google’s top business rivals — is an ongoing security threat. Manfra also said in a blog post published Thursday that a survey commissioned by Google found that a majority of federal employees believe that the government’s reliance on Microsoft products is a cybersecurity vulnerability.
There you go. A monoculture is vulnerable to parasites and other predations. So what’s the fix? Replace the existing monoculture with another one.
That’s a Googley point of view from Google’s cloud services unit.
And there are data to back up this assertion, at least data that NBC finds actual factual; for instance:
Last year, researchers discovered 21 “zero-days” — an industry term for a critical vulnerability that a company doesn’t have a ready solution for — actively in use against Microsoft products, compared to 16 against Google and 12 against Apple.
I don’t want to be a person who dismisses the value of my Google mouse pad, but I would offer:
- How are the anti ad fraud mechanisms working?
- What’s the issue with YouTube creators’ allegations of algorithmic oddity?
- What’s the issue with malware in approved Google Play apps?
- Are the incidents reported by Firewall Times resolved?
Microsoft has been reasonably successful in selling to the US government. How would the US military operate without PowerPoint slide decks?
From my point of view, Google’s aggressive security questions could be directed at Google itself. Does Google do the know thyself thing? Not when it comes to money is my answer. My view is that none of the Big Tech outfits are significantly different from one another.
Stephen E Arnold, April 15, 2022
Amazon: Is the Company Losing Control of Essentials?
April 11, 2022
Here’s a test question: Which is the computer product in the image below?
[a] (image) | [b] (image)
If you picked [a], you qualify for work at TopCharm, an Amazon service located in lovely Brooklyn at 3912 New Utrecht Avenue, zip 11219. Item [b] is the Ryzen CPU I ordered, paid for, and expected to arrive. TopCharm delivered: panties, not the CPU. Is it easy to confuse a Ryzen 5900X with these really big, lacy, red “unmentionables”? One of my team asked me, “Do you want me to connect the red lace CPU to the ASUS motherboard?”
Ho ho ho.
What does Clustrmaps.com say about this location?
This address has been used for business registration by Express Repair & Towing Inc. The property belongs to Lelah Inc. [Maybe these are Lelah’s underwear? And Express Repair & Towing? Yep, that sounds like a vendor of digital panties, red and see-through at that.]
One of my team suggested I wear the garment for my lecture in April 2021 at the National Cyber Crime Conference. My wife wanted to know if Don (one of my technical team) likes red panties. A neighbor’s college-attending son asked, “Who is the babe who wears that? Can I have her contact info?”
My sense of humor about this matter is officially exhausted.
Several observations about this Amazon transaction:
- Does the phrase “too big to manage” apply in this situation to Amazon’s ecommerce business?
- What type of stocking clerk confuses a high end CPU with cheap red underwear?
- What quality assurance methods are in place to protect a consumer from cheap jokes and embarrassment when this type of misstep occurs?
Has Amazon lost control of the basics of online commerce? If one confuses CPUs with panties, how is Amazon going to ensure that its Government Cloud services for the public sector stay online? Quite a misstep in my opinion. Is this cyber fraud, an example of management lapses, a screwed up inventory system, or a perverse sense of humor?
Stephen E Arnold, April 11, 2022
The Lapsus$ Gang: Teens or a Cyber Army?
March 28, 2022
I read “Who is LAPSUS$, the Big, Bad Cybercrime Gang Hacking Tech’s Biggest Companies?” (https://gizmodo.com/who-is-lapsus-the-gang-hacking-microsoft-samsung-an-1848686059). The write up answers the question this way:
British authorities announced the arrest of seven people said to be connected to the gang. Authorities revealed that the unidentified suspects ranged in age from 16 to 21. The ringleader of the gang is reputed to be a 16-year-old British kid from Oxford.
True? The wheels of justice in the UK must turn.
I have another angle. I processed this news story and thought about the assorted explanations offered from some high profile bad actor behaviors; for example, SolarWinds, Microsoft Exchange, Colonial Pipeline, et al.
Herewith is my imaginary recreation of the Lapsus$ actions, as explained by luminaries from companies I enjoy following:
A Microsoft-type outfit opined, “Lapsus$ is a gang of more than 1,000 programmers who have labored intensively to compromise our highly secure ecosystem. This is the work of a nation state.”
A US government cyber official affiliated with the White House said, “The predatory and dangerous behavior of an unprincipled gang under the direct orders of what might be called the Axis of Evil is undermining the national security of the United States. A failure to follow the 15,000 page checklist for cyber protections will be mandated by a new Executive Order called The Definitive Checklist for Commercial, Governmental, Not-for-Profit, and Any Other Entity Including under Age Operated Fiscal Processes Such As Girl Scout Cookie Sales.”
A founder of a smart cyber security firm said, “These recent breaches would have been prevented had each of the compromised firms licensed our Bayesian anchored cyber security platform. Our smart cyber platform proactively blocks the breach mechanisms developed by world class actors regardless of their geographical location.”
So what’s the present and somewhat amusing reality: Maybe no nation state? Maybe no Axis of Evil? Maybe no massive, organized gang of disaffected technical wizards? Maybe no compromised insiders?
What have we got? A teen whose father appears to be unaware of his progeny’s extracurricular activities?
Content creators: Is it time for a podcast, a Netflix documentary, a 60 minutes segment?
Stephen E Arnold, March 28, 2022
The Promise of Curated Apps
March 17, 2022
It is much easier to describe something than it is to produce a thing that matches the slide deck. I am not sure if the information in “Vicious SharkBot Banking Trojan Discovered in Play Store Antivirus App” is spot on. The tip off for me is the description of malware as “vicious.” The metaphors of sharks, apps, and vicious don’t work, but I get the idea.
The main point of the write up strikes me as:
British IT security researchers discovered an updated SharkBot hiding inside an innocent-looking antivirus app which is still available on the Google Play Store as of Saturday.
The interesting function is that the malware includes a function which performs automatic transfers. The money is in an account until it is not.
How does one obtain the app? The write up alleges that one might visit the Google Play Store and download something called “Antivirus Super Cleaner.”
If the story is accurate, one has to consider this question, “Who is the minder of the Google Play Store?” An intern, a snorkeling bit of smart software, a contractor obtained via Upwork, a full time employee looking for a lateral arabesque to a hot new project, no one, or some other mechanism?
Imagine. No one minding the store. A new approach to curation perhaps?
Stephen E Arnold, March 17, 2022