Apple still has work to do on privacy

There’s no doubt that Apple’s self-polished reputation for privacy and security has taken a bit of a battering recently.

On the security front, Google researchers just disclosed a major flaw in the iPhone, finding a number of malicious websites that could hack into a victim’s device by exploiting a set of previously undisclosed software bugs. When visited, the sites infected iPhones with an implant designed to harvest personal data — such as location, contacts and messages.

As flaws go, it looks like a very bad one. And when security fails so spectacularly, all those shiny privacy promises naturally go straight out the window.

And while that particular cold-sweat-inducing iPhone security snafu has now been patched, it does raise questions about what else might be lurking out there. More broadly, it also tests the generally held assumption that iPhones are superior to Android devices when it comes to security.

Are we really so sure that thesis holds?

But imagine for a second you could unlink security considerations and purely focus on privacy. Wouldn’t Apple have a robust claim there?

On the surface, the notion of Apple having a stronger claim to privacy versus Google — an adtech giant that makes its money by pervasively profiling internet users, whereas Apple sells premium hardware and services (including essentially now ‘privacy as a service’) — seems a safe (or, well, safer) assumption. Or at least, until iOS security fails spectacularly and leaks users’ privacy anyway. Then of course affected iOS users can just kiss their privacy goodbye. That’s why this is a thought experiment.

But even directly on privacy, Apple is running into problems, too.

To wit: Siri, its nearly decade-old voice assistant technology, now sits under a penetrating spotlight — having been revealed to contain a not-so-private ‘mechanical turk’ layer of actual humans paid to listen to the stuff people tell it. (Or indeed the personal stuff Siri accidentally records.)


Android users now have an easy way to check the security of their passwords


Google is adding its password checkup feature to Android, making the mobile OS the latest company offering to give users an easy way to check if the passcodes they’re using have been compromised.

Password Checkup works by checking credentials entered into apps against a list of billions of credentials compromised in the innumerable website breaches that have occurred in recent years. In the event there’s a match, users receive an alert, along with a prompt that can take them to Google’s password manager page, which offers a way to review the security of all saved credentials.


Google introduced Password Checkup in early 2019, in the form of a Chrome extension. In October of that year, the feature made its way into the Google Password Manager, a dashboard that examines Web passwords saved within Chrome that are synchronized using a Google account. Two months later, the company added it to Chrome.

Google’s Password Manager makes it easy for users to directly visit sites using bad passwords by clicking the “Change Password” button displayed next to each compromised or weak password. The password manager is accessible from any browser, but it works only when users sync credentials using their Google account password, rather than an optional standalone password.

The new password checkup was available as of Tuesday on Android 9 and above for users of autofill with Android, a feature that automatically adds passwords, addresses, payment details, and other information commonly entered into Web and app forms.

The Android autofill framework uses advanced encryption to ensure that passwords and other information are available only to authorized users. Google has access to user credentials only when users 1) have already saved a credential to their Google account and 2) were offered to save a new credential by the Android OS and chose to save it to their account.

When a user interacts with a password by either filling it into a form or saving it for the first time, Google uses the same encryption that powers the Privacy Checkup in Chrome to check if the credential is part of a list of known compromised passwords. The Web application interface sends only passwords that are cryptographically hashed using the Argon2 function to create a search key that’s encrypted with Elliptic Curve cryptography.

In a post published Tuesday, Google said that the implementation ensures that:

  • Only an encrypted hash of the credential leaves the device (the first two bytes of the hash are sent unencrypted to partition the database)
  • The server returns a list of encrypted hashes of known breached credentials that share the same prefix
  • The actual determination of whether the credential has been breached happens locally on the user’s device
  • The server (Google) does not have access to the unencrypted hash of the user’s password and the client (User) does not have access to the list of unencrypted hashes of potentially breached credentials

Google has written more about how the implementation works here.
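
The four properties listed above can be seen in a small sketch of a blinded prefix lookup. This is an added example, not Google's code: PBKDF2 stands in for Argon2, modular exponentiation in a toy group stands in for the elliptic-curve encryption, and all names (`BreachServer`, `is_breached`, the sample credentials) are hypothetical.

```python
import hashlib, math, secrets

# Toy group: integers mod a Mersenne prime. Stand-in for the elliptic curve;
# not secure parameters, chosen only so the sketch runs on the standard library.
P = 2**521 - 1

def slow_hash(user, password):
    # PBKDF2 stands in for Argon2 here; the salt is a constructed demo value.
    return hashlib.pbkdf2_hmac("sha256", f"{user}:{password}".encode(),
                               b"constructed-demo-salt", 10_000)

def to_group(h):
    return int.from_bytes(hashlib.sha512(h).digest(), "big") % P or 1

def keygen():
    # Exponent must be invertible mod P-1 so the blinding can be removed.
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def blind(x, key):
    return pow(x, key, P)

def unblind(x, key):
    return pow(x, pow(key, -1, P - 1), P)

class BreachServer:
    def __init__(self, breached):
        self.key = keygen()
        self.buckets = {}  # 2-byte hash prefix -> hashes blinded with server key
        for user, password in breached:
            h = slow_hash(user, password)
            self.buckets.setdefault(h[:2], set()).add(blind(to_group(h), self.key))

    def lookup(self, prefix, blinded):
        # Sees only the prefix and a client-blinded value, never the hash.
        return blind(blinded, self.key), self.buckets.get(prefix, set())

def is_breached(server, user, password):
    h = slow_hash(user, password)
    key = keygen()  # fresh client key per lookup
    double, bucket = server.lookup(h[:2], blind(to_group(h), key))
    # Removing the client key leaves the hash under the server key only,
    # which is compared locally against the returned bucket.
    return unblind(double, key) in bucket
```

The two-byte prefix is the only unblinded value the server receives, so it learns which of 65,536 buckets the credential falls in and nothing more specific.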

On most Android devices, autofill can be enabled by:

  1. Opening Settings
  2. Tapping System > Languages & input > Advanced
  3. Tapping Autofill service
  4. Tapping Google to make sure the setting is enabled

Separately, Google on Tuesday reminded users of two other security features added to Android autofill last September. The first is a password generator that will automatically choose a strong and unique password and save it to users’ Google accounts. The generator can be accessed by long-pressing the password field and selecting Autofill in the pop-up menu.

Users can also configure the Android autofill to require biometric authentication before it will add credentials or payment information to an app or Web field. Biometric authentication can be enabled inside of the Autofill with Google settings.


Report: Fry’s Electronics going out of business, shutting down all stores

Image caption: Fry’s Electronics in Fremont, CA.

Fry’s Electronics, the decades-old superstore chain with locations in nine American states, appears to have gone defunct. Bay Area TV station KRON-4 was the first press outlet to confirm the news late Tuesday, saying that Fry’s will shut down all 30 of its American locations. The retailer will reportedly make an announcement at some time on Wednesday via the Fry’s website.

Rumors began flying on Tuesday in the form of anecdotes from alleged Fry’s employees, who all reported that they’d been summarily fired earlier in the day with zero notice. One anonymous report posted at The Layoff alleged that every remaining Fry’s store in the US was “permanently closing tomorrow,” and that sentiment was echoed hours later at a Fry’s-related Reddit community. The Reddit post included the allegation that one store’s staffers were tasked with shipping any remaining merchandise back to suppliers during their final day at work.

Sacramento freelance journalist Matthew Keys followed these posts by citing an unnamed source—someone who had worked at Fry’s up until “this week”—who claimed that the electronics chain would make a formal announcement “this week” about closing all of its stores and liquidating any remaining assets. As the wave of rumors exploded, the official Fry’s website began serving 404 failures—yet some of its subsite content, particularly years-old press releases, remained active through Frys.com subdomains. As Tuesday wore on, the Fry’s retail site flickered into and out of normal service, even letting customers buy products after KRON-4’s report went live.

Spindles of savings

For years, Fry’s Electronics was the United States’ largest physical retailer dedicated to just about every computing and electronic device you could think of, particularly individual computer components. As the chain expanded to more stores throughout the US, particularly in taking over multiple defunct Incredible Universe locations, Fry’s rode the build-your-own boom of personal computing. If you built your own PC in the past two decades and lived within driving distance of a Fry’s, that store was likely where you began looking for motherboards, optical disc drives, RAM of all speeds and slots, and spindles of no less than 200 CD-Rs.

Additionally, the retailer was known for being the exclusive retailer partner for some odd merchandise, particularly the ill-fated Pono Player from famed musician Neil Young.

Through the ’00s, cashflow across the privately held Fry’s chain was apparently solid enough to survive a devastating internal meltdown: theft of over $65 million from the company’s coffers by its then-vice president.

But big-box retailers have long struggled in an Internet-shopping era, and the California-centric Fry’s hadn’t looked particularly strong as the pandemic wore down what appetite remained for in-person shopping. Shortly before the pandemic gripped the world, the chain shut down its Anaheim, CA location, which was followed by the November closure of its Campbell, CA store.

By 2020, the chain had already established a transition to consignment-style selling, which meant not paying manufacturers up-front for merchandise before putting it on store shelves. That practice has worked for some chains with a decades-long head start on the practice, particularly Wal-Mart. But in the case of Fry’s, this transition was met by electronics manufacturers who, in the Internet-rich era of 2019, had far less incentive to put their wares unpaid onto store shelves. (This will also reduce the defunct company’s potential to liquidate, as the consignment-based merchandise must simply be returned to original manufacturers—which may have been the final duty for remaining employees this week.)

Hence, Fry’s locations began earning a notorious reputation for barren store shelves. Now, apparently, their floors will be barren, as well. The company has yet to formally acknowledge layoffs or store closures at any of its social media channels—going so far as to delete its Facebook account and “lock” its Twitter profile—and as of press time, its website has yet to offer announcements about the company’s future.


Musk: Starlink will hit 300Mbps and expand to “most of Earth” this year

Image caption: A stack of 60 Starlink satellites launched in 2019.

Starlink broadband speeds will double to 300Mbps “later this year,” SpaceX CEO Elon Musk wrote on Twitter yesterday. SpaceX has been telling users to expect speeds of 50Mbps to 150Mbps since the beta began a few months ago.

Musk also wrote that “latency will drop to ~20ms later this year.” This is no surprise, as SpaceX promised latency of 20ms to 40ms during the beta and had said months ago that “we expect to achieve 16ms to 19ms by summer 2021.”

It sounds like the speed and latency improvements will roll out around the same time as when Starlink switches from beta to more widespread availability. Two weeks ago, Starlink opened preorders for service expected to be available in the second half of 2021, albeit with limited availability in each region.

Global coverage, but low density

Musk wrote in another tweet yesterday that Starlink will be available to “most of Earth” by the end of 2021 and the whole planet by next year. But even then, the number of slots available to users would be limited in each geographic region.

Musk wrote that “densifying coverage” is the next step after Starlink is technically available across the planet. “Important to note that cellular will always have the advantage in dense urban areas. Satellites are best for low to medium population density areas,” he wrote.

That’s consistent with Musk’s statement last year that Starlink will have limited availability in big cities like Los Angeles “because the bandwidth per cell is simply not high enough” and that “Starlink will serve the hardest-to-serve customers that telcos otherwise have trouble doing with landlines or even with… cell towers.” In the US, Internet users who must currently rely on DSL or traditional geostationary satellite service would benefit the most from Starlink’s low-Earth-orbit satellites.

SpaceX was tentatively awarded $885.51 million in Federal Communications Commission funding over 10 years to bring Starlink to 642,925 homes and businesses in 35 states. Rival ISPs have been trying to block the funding, claiming that SpaceX won’t be able to deliver the 100Mbps download and 20Mbps upload speeds required by the FCC program.

SpaceX told the FCC that it has over 10,000 users in the US and abroad so far and is already delivering the required speeds and “performance of 95 percent of network round-trip latency measurements at or below 31 milliseconds.” In another FCC filing, SpaceX said that Starlink will eventually hit 10Gbps download speeds.

Starlink recently became available in the UK.
