Doordash is the latest of the “services you probably use, or at least have an account with” companies to suffer a large data breach. And while your passwords likely haven’t been compromised, it’s possible that your physical address is floating around in the Internet somewhere, among other identifying information.
As Doordash wrote yesterday, an unknown individual accessed data they shouldn’t have on May 4. The compromised information includes:
“Profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties.”
Approximately 4.9 million Doordash customers were affected by the breach, but only those who joined the site prior to April 5, 2018. If you signed up for Doordash after that, you’re in the clear.
However, the leaked information doesn’t stop with names, email addresses, and phone numbers. For a subset of those affected, the attacker was also able to access the last four digits of their stored credit card numbers, their bank account numbers, or their driver’s license numbers.
Doordash is currently reaching out to those whose data might have been compromised; if you haven’t received an email yet, you might be in the clear, but it’s also taking the company a bit of time to send these, so it’s OK to be slightly anxious.
As Doordash notes:
“The information accessed is not sufficient to make fraudulent charges on payment cards or fraudulent withdrawals from bank accounts. Regardless, it is a security best practice to always be vigilant and regularly check your payment card and bank accounts for unusual activity. If you see something suspicious, you should promptly report it to your financial institution.”
Nevertheless, the company still recommends you change your Doordash password, at minimum, out of an abundance of caution. I’d second that recommendation, but that’s probably all you have to freak out about right now. Keep a watchful eye on your bank accounts or credit card information, but it’s highly unlikely they will be affected by this breach.
As for your driver’s license number, that’s a bit more frustrating. If Doordash notifies you that your number was leaked as a result of this breach, you might want to take a stronger measure, like a credit freeze, as Experian suggests, or make a note to request a copy of your driving record from the DMV anywhere from six months to a year from now, just to make sure nobody has been using your number to get out of a traffic violation.
(Similarly, it might be worth contacting your DMV and letting them know your number was stolen as part of a data breach; they might be able to make a note about that, or at least offer additional advice on what you could do, if anything.)
Alternate Internet: This week, we look at the ways the internet could have been, and could be, different.
The quantum internet is coming sooner than you think—even sooner than quantum computing itself. When things change over, you might not even notice. But when they do, new rules will protect your data against attacks from computers that don’t even exist yet.
Despite the fancy name, the “quantum internet” won’t be some futuristic new way to navigate online. It won’t produce any mind-blowing new content, at least not for decades. The quantum internet will look more or less the same as the internet you’re using now, but scientists and cryptographers hope it could provide protection against not only theoretical threats but also those we haven’t dreamed up yet.
“The main contribution of a quantum internet is to allow encrypted communication in a perfectly secure fashion that can’t be broken in principle, even if in the future we develop a more fundamental theory of physics,” Ciarán Lee, a researcher at University College London, explained to Gizmodo. In short, the quantum internet would hopefully protect us from planned new computers, along with every theoretical computer for the foreseeable future.
So what’s the quantum internet? It’s what happens when you apply the weird rules of quantum mechanics to the way computers communicate with one another.
Quantum mechanics says that the smallest things, like subatomic particles, are restricted to a list of distinct values for certain properties (their energy, for example). When you’re not looking at them, they might enter a superposition of states, meaning taking on several values simultaneously—both the lowest and the second-lowest energy states, for example. But once they are measured, they assume only one of the values. The value you see is determined based on some innate probability. But you can also entangle these particles’ states, meaning when you repeat the measurements many times, they seem more related than you’d expect from two independent things following the usual rules of probability.
Researchers are working toward incorporating these weird rules into computing and networking. Computers that rely on quantum processors, based on quantum bits that can take on a superposition of states or entangle, might quickly create accurate simulations of molecules, enhance artificial intelligence, and solve other problems faster than regular computers can. No company has yet experimentally demonstrated that quantum computers can beat classical computers at anything, though they’re trying and may do so soon. A quantum computer worth worrying about is likely decades away.
Some of the potential problems that researchers think a quantum computer would excel at solving form the very basis of present-day encryption. And that is concerning.
“If quantum computers are on the horizon, then we need to prepare the internet to be secure against quantum computers,” Lily Chen, project leader at the National Institute of Standards and Technology (NIST)’s Cryptographic Technology Group, told Gizmodo.
Today, internet communications are secured by public-key algorithms such as Diffie–Hellman key exchange and RSA (Rivest–Shamir–Adleman). In RSA, the sender scrambles a message with the recipient’s public key, a number that does not need to be kept secret; unscrambling it requires the recipient’s private key, known only to them. The two keys are mathematically related, but recovering the private key from the public one means factoring a very large number, which no known classical algorithm can do in a reasonable time. Diffie–Hellman does not encrypt messages directly; it lets two parties agree on a shared secret key over an open channel, and it rests on the similarly hard discrete-logarithm problem.
Today’s encryption schemes would not be secure against quantum attacks, thanks to a quantum algorithm called Shor’s algorithm, which can factor large numbers and compute discrete logarithms efficiently. No quantum computer exists that’s big enough to run Shor’s algorithm against present-day key sizes, and there probably won’t be one for decades. But the fact that it could exist, in theory, means that it’s time for cryptographers to devise a new way to encrypt data so that we’re prepared. The first step toward a quantum internet will barely be visible to you; maybe, instead of secure web pages beginning with https, they’ll begin with httpq. But on the back end, a new algorithm not believed to be breakable by quantum computers will protect online communications.
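To make the threat concrete, here is an added example (not code from the article or from any of the researchers quoted) that breaks a toy RSA key the way Shor’s algorithm does. Shor’s only quantum step is finding the period r of a^x mod N; everything around it is ordinary arithmetic. The example replaces that step with a classical brute-force search, which works for a 16-bit modulus and is hopeless for a real 2048-bit one. The primes, exponent and message are chosen for illustration only.

```python
"""Toy RSA recovered with the order-finding step of Shor's algorithm.

Added example, not from the article. Only the period-finding step of
Shor's algorithm is quantum; here it is replaced by a classical brute-force
search, which is fine for a 16-bit modulus and hopeless for a real 2048-bit
one. A large enough quantum computer finds the period in polynomial time,
and the discrete-logarithm variant of the same algorithm breaks
Diffie-Hellman and elliptic-curve signatures the same way.
"""
from math import gcd


def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA with two small primes (illustration only, never use)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    d = pow(e, -1, phi)          # private exponent (Python 3.8+)
    return (n, e), d


def multiplicative_order(a, n):
    """Smallest r > 0 with a^r = 1 (mod n): the step Shor does with a QFT.

    Brute force, so it costs O(r) modular multiplications; r can be as large
    as n, which is why this is only viable for toy sizes.
    """
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n, bases=range(2, 1000)):
    """Classical post-processing of Shor's algorithm around the order oracle."""
    for a in bases:
        g = gcd(a, n)
        if g != 1:                      # lucky guess: a shares a factor with n
            return tuple(sorted((g, n // g)))
        r = multiplicative_order(a, n)
        if r % 2:                       # need an even period
            continue
        y = pow(a, r // 2, n)
        if y == n - 1:                  # trivial square root of 1, try again
            continue
        # y^2 = 1 mod n with y != +-1, so gcd(y - 1, n) is a proper factor
        p = gcd(y - 1, n)
        if 1 < p < n:
            return tuple(sorted((p, n // p)))
    raise ValueError("no suitable base found")


def recover_private_key(n, e):
    """Given only the public key, rebuild d exactly as the key owner did."""
    p, q = shor_factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, d = toy_rsa_keypair(251, 241)   # constructed toy primes
    n, e = public
    m = 12345
    c = pow(m, e, n)                         # anyone can encrypt with (n, e)
    d_cracked = recover_private_key(n, e)
    print(f"n={n} recovered d={d_cracked} matches={d_cracked == d}")
    print(f"decrypted: {pow(c, d_cracked, n)}")
```

Swap the brute-force `multiplicative_order` for a quantum order-finding routine and the rest of the attack is unchanged; that is exactly why key size alone cannot save RSA or Diffie–Hellman, and why NIST is looking for algorithms built on different problems.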
These changes, called post-quantum cryptography, are coming soon. NIST received its first submissions of candidate post-quantum algorithms in late 2017. A month later, NIST scientists selected 69 “complete and proper” candidates, and then announced 26 second-round candidates in January of this year. Round 3 (the final selection process) is scheduled for 2020 to 2021, and the new post-quantum standards are expected to be available before 2024.
You’ll notice that this isn’t especially “quantum”; NIST is just looking for a classical algorithm that a quantum computer can’t crack. If this seems disappointing, just know that post-quantum cryptography could be the most important and relevant change that quantum computing will bring to your life. Even bitcoin’s digital signatures, which rely on elliptic-curve cryptography, face threats from quantum attacks. The change will be good for cybersecurity overall.
“On the one side, it’s like, gosh, we’re doing all of this work just to reestablish the status quo,” Michele Mosca, faculty and university research chair at the University of Waterloo’s Institute for Quantum Computing, told Gizmodo. “Well, yeah, that’s life. We better do it or else. But there really is a positive aspect and it could be a blessing in disguise. What cryptographers are doing is rebuilding some of the foundational pieces [of cybersecurity]. This process of retooling our very fundamental cryptography across all of our digital platforms is good for our cyber health.”
Post-quantum cryptography is only the first step. Researchers have already put together a roadmap detailing what the addition of quantum technology to computer networks will actually entail. The Micius quantum satellite has already allowed researchers to pass encrypted messages by sending entangled photons between two locations, and upon confirming the entanglement, generating a quantum key for researchers to decode encrypted messages. One day, quantum repeaters might send entangled particles of light, called photons, to the computers on a network in order to set up a quantum link. This might allow users to access something akin to quantum-secured private Slack channels, where every entangled computer in the network can pass secret messages, with an icon based on entanglement measurements on the screen showing users that no one is eavesdropping into the network. Lee is working on a way to test such a network without having to trust its manufacturer or the manufacturer of the repeaters.
Ultimately, researchers hope a quantum internet will mean more than just a secure network. Anne Broadbent is a university research chair in quantum information processing at the University of Ottawa; Broadbent’s most recent research demonstrates a way for a server to certify that it really deleted a file using quantum mechanics.
Broadbent explained to Gizmodo that once quantum processors are more mature, the quantum internet would allow a way to access their power via a secure quantum link over the cloud. This is important because, as far as anyone can tell, quantum processors must be stored in conditions that make them impractical for home use (such as temperatures near absolute zero).
Quantum links to quantum processors could allow the public to reap the hypothetical benefits in the far future. There’s lots of speculation as to what those benefits might be, including some very cool things like quantum algorithms that would make searching for information online faster or maybe advances in gaming thanks to quantum computers’ potential improvements to AI. Maybe it will lead to a quantum blockchain where it’s impossible (as defined by the laws of physics) to doubt the authenticity of something thanks to the quantum no-cloning theorem, which says it is physically impossible to create a copy of an unknown quantum state. None of these are a given, and maybe they’ll never happen, but they definitely won’t happen without a quantum internet.
Quantum computers today don’t have any killer apps, yet, and probably won’t pose a threat to your computer experience for decades. But the internet will slowly incorporate quantum-inspired security protocols, then maybe actual quantum links. And then maybe one day, you’ll be running programs incorporating quantum algorithms. You might not realize once it’s already happening.
Last week, online sneaker-trading platform StockX asked its users to reset their passwords due to “recently completed system updates on the StockX platform.” In actuality, the company suffered a large data breach back in May, and only finally came clean about it when pressed by reporters who had access to some of the leaked data.
In other words, StockX lied. And while it disclosed details on the breach in the end, there’s still no explanation for why it took StockX so long to figure out what happened, nor why the company felt the need to muddy the situation with its suspicious password-reset email last week.
While most companies are fairly responsible about security disclosures, there’s no question that plenty would prefer if information about massive security breaches affecting them never hit the public eye. And even when companies have to disclose the details of a breach, they can get cagey—as we saw with Capital One’s recent problems.
It’s not your job to play detective or journalist for all the companies whose services you love and use, but there are a few things you should keep in the back of your mind so you can stay safer about data breaches—especially if a company isn’t forthcoming about them.
Get skeptical about random password-reset requests
This one’s a no-brainer, but it’s still worth mentioning. If a website or service asks you to reset your password out of the blue, something is wrong. Ideally, it has detected that your email or username is part of another company’s breach and is helping you secure your account in advance, in case you used the same password for both services. You should still get suspicious, however, and check the news (or Twitter) to see if anyone is reporting a data breach at the company itself. Treat the email itself with the same suspicion: a fake reset notice is a classic phishing lure, so go to the site by typing its address rather than clicking the link in the message.
Make sure you’re using “Have I Been Pwned”
In the off chance that a company isn’t being forthcoming about a data breach, it never hurts to have someone else watching your back. Sign up for notifications from Have I Been Pwned, which will let you know if, or when, your email address is involved in a hack.
If you’re a 1Password user, you can also take advantage of the password manager’s built-in tool that checks to see if your credentials were involved in any breaches. It’s called Watchtower, and it’s a great way to stay on top of every weekly (daily?) breach that hits.
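Tools like Have I Been Pwned and Watchtower can check a password without ever receiving it. The added example below (my own illustration, not HIBP’s or 1Password’s code) shows the k-anonymity scheme the Pwned Passwords API uses: hash the password with SHA-1, send only the first five hex characters of the hash, and compare the returned list of suffixes locally. The network call is replaced by a constructed response so it runs offline; the suffix list and breach counts in it are made up, apart from the suffix for the word “password”.

```python
"""How the Have I Been Pwned "Pwned Passwords" range check works.

Added example, not the article's or HIBP's own code. The real API is
GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>;
the response lists hash suffixes and breach counts, so the full hash
(let alone the password) never leaves your machine. The fetcher is injected
so this runs offline against a constructed response; swap in the live
fetcher at the bottom to query the real service.
"""
import hashlib
from typing import Callable

# Constructed stand-in for the API response for prefix 5BAA6, which is the
# prefix of SHA-1("password"). Suffixes other than that one, and all counts,
# are invented for this example; real responses have hundreds of lines.
FAKE_RANGE_RESPONSES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FDA:1\r\n"
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP GET; empty body for unknown prefixes."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = not found).

    Only the first five characters of the uppercase hex SHA-1 are sent;
    the suffix comparison happens locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count.strip())
    return 0


def real_fetch_range(prefix: str) -> str:
    """Live fetcher for the real service (not used in the offline demo)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in the corpus'}")
```

The privacy property worth noticing is that the server only ever learns a 5-character prefix shared by roughly a thousand different hashes, so even a hostile or compromised API cannot tell which password you checked.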
Perform your own threat analysis
At Lifehacker, I get to read about a lot of breaches. Some we cover; some we don’t. Typically, if a hack only affects information that isn’t all that interesting, like your email address and your shoe size, it’s not really worth talking about compared to breaches that involve more critical data like account numbers, your plaintext password, or your Social Security number.
Whenever a company tells you about a breach that affects your information, don’t just take their word for it. Pretend that every bit of data you sent to that company’s service has also been compromised and act accordingly—whether that means paying closer attention to spending on your associated credit cards (or setting up some kind of notification or alert), changing passwords on other sites, or putting a freeze on your credit reports. You never know when a seemingly innocent hack could spiral into something worse.
I realize this might sound a bit like “the sky is falling,” but being more proactive about your data security isn’t a bad thing. You can always take a measured response. For example, you probably don’t need to order replacement credit cards every time a website is compromised that you’ve previously purchased an item from, but you might want to make a reminder to check your credit card statement a little more closely for the next month or so.
Don’t be afraid to walk away
When a company isn’t truthful with you about issues that can have a big impact on your personal privacy and data security, you don’t have to keep using their services. Go find another company that’s willing to go the extra mile to keep your data safe—or, at the bare minimum, give you honest information about any incidents that hit. I’ll take a mea culpa over a lie any day.
A spreadsheet containing the contact information and personal addresses of over 2,000 games journalists, editors, and other content creators was recently found to have been published and publicly accessible on the website of the E3 Expo.
The Entertainment Software Association, the organization that runs E3, has since removed the link to the file, as well as the file itself, but the information has continued to be disseminated online in various gaming forums. While many of the individuals listed in the documents provided their work addresses and phone numbers when they registered for E3, many others, especially freelance content creators, seem to have used their home addresses and personal cell phones, which have now been publicized. This leak makes it possible for bad actors to misuse this information to harass journalists. Two people who say their private information appeared in the leak have informed Kotaku that they have already received crank phone calls since the list was publicized.
The existence of this document was first publicized in a YouTube video that journalist Sophia Narwitz posted to her personal channel on Friday night. (Narwitz has not yet responded to Kotaku’s request for more details about the discovery of this document.) In her video, Narwitz described how the file could be accessed: “On the public E3 website was a web page that carried a link simply titled ‘Registered Media List.’ Upon clicking the link, a spreadsheet was downloaded that included the names, addresses, phone numbers, and publications of over 2,000 members of the press who attended E3 this past year.”
Again, the E3 website has since been updated to remove this link, but cached versions of the site do indeed show that a link titled “Registered Media List” used to appear on a “Helpful Links” page. For some time yesterday, even after this page was removed, clicking on the link in the easily-accessible Google cached version of the page would download the spreadsheet from the E3 website’s servers.
“Before even considering making this story public, I contacted the ESA via phone within 30 minutes of having this information,” Narwitz continued in her video. “Worried that might not be enough, I also shot off an email not too long after. On top of that, I reached out to a number of journalists to make them aware of this.”
One reporter who asked to remain anonymous told Kotaku that he had been one of the people Narwitz contacted before publishing her YouTube video. That reporter says that Narwitz told him she had first learned of the document’s existence because someone had emailed her anonymously to say that they had discovered it and downloaded the information. After receiving this email, Narwitz purportedly then confirmed the file’s existence herself. The reporter who says Narwitz contacted him told Kotaku that he had cautioned Narwitz against publicizing any information about this spreadsheet until after it had been removed by the ESA. That reporter then contacted an ESA representative himself. After that, the direct link to the file was removed from the website. Unfortunately, the file itself was still accessible to anyone who knew the link or could find the Google cached version of the page.
After the page containing the link to the file was removed, Narwitz published her YouTube video about the leaks, seemingly believing that the file was no longer accessible. Soon after that, users noted on social media that although the link to the file had been removed, the spreadsheet file itself was still accessible. The anonymous reporter told Kotaku that he then contacted the ESA a second time and, at that point, the ESA deleted the file from its website. However, Narwitz’s video had already unwittingly publicized the existence and continued availability of the file, the contents of which continue to be shared online.
The ESA provided Kotaku with a statement about the leak. “ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public,” it wrote. “Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.”
The ESA representative declined to respond to Kotaku’s other questions about why the file was not properly password-protected, how long the file had been available to the public, and whether this was the way that journalists’ personal data had been treated by the organization in past years.
The Federal Trade Commission (FTC) and U.S. Justice Department (DOJ) have been taking Facebook to task regarding its recent privacy blunders, including the company’s failure to comply with a 2012 FTC ruling over how Facebook handles its users’ data.
While the DOJ lawsuit is still being litigated, Facebook recently agreed to an FTC order that requires the company to pay $5 billion in fines and submit to a 20-year oversight program—including annual reviews of its privacy and data collection practices.
The finer points of the FTC’s ruling mostly affect Facebook’s business structure and won’t have an immediate impact on the user experience (if any at all). However, there are several changes to how Facebook collects and disseminates data that will affect users—some of which build upon existing changes Facebook recently made, likely in anticipation of what was coming down the pike.
Here’s a quick rundown of the privacy changes that you should know about, and how they affect you and your Facebook data.
New rules for sharing data with third-party apps and advertisers
The FTC ruling sets stricter standards for how Facebook deals with third-party apps and advertisers. Facebook is now required to remove third-party entities that don’t comply with Facebook’s policies or cannot reasonably justify their requests for specific data from Facebook’s users.
This means that these apps and advertisers no longer have carte-blanche access to user data and must explain exactly how and why that data will be used, but the exact standards for “justifying” requests are not defined. That lack of definition could lead to a lot of grey areas regarding these rules, but Facebook users have several tools for seeing how their data is brokered, and controlling access to it. Most importantly, this ruling doesn’t place limits on how Facebook can learn more about you; rather, it’s attempting to curb what Facebook sells to advertisers.
Better transparency for facial-recognition technology
Facebook now has to clearly alert users that it uses facial-recognition technology, be more forthcoming about how and why it’s used, and alert users if it updates its technology or functionality beyond what users were originally asked to agree to. The company also has to get express consent from users in order to opt them into facial recognition features in the first place—something it notoriously overlooked in the past.
Paradoxically, it was both shocking and unsurprising when reports exposed how poorly Facebook had been protecting password data, including storing some passwords in plain text. Thankfully, under the FTC order all password data must now be encrypted (in practice that means storing only a salted, deliberately slow hash of each password, which cannot be reversed at all) and the company is required to regularly scan its servers for plain-text passwords. Similarly, Facebook won’t be able to ask new users for the passwords to their email accounts at other services, either.
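Both this section and the Doordash notice above hinge on the difference between a stored “hashed, salted” password and a plain-text one. The added example below (my own illustration; not Facebook’s, Doordash’s or the FTC’s code) shows what a salted-hash record looks like, why two users with the same password get different records, and a simple scanner of the kind the FTC order demands: it flags password fields in logs or exports whose value is not in the hashed-record format. The record layout, field names and log lines are all constructed for the example.

```python
"""Salted password hashing and a scan for plain-text passwords in logs.

Added example; not Facebook's, Doordash's or the FTC's code. Each user gets
a random salt, the password goes through a deliberately slow KDF (PBKDF2
from the standard library), and identical passwords yield different
records. The scanner catches the failure the FTC order targets: password
fields whose value is not a hashed record. Record format and log lines are
constructed for this example.
"""
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

ITERATIONS = 600_000           # PBKDF2-HMAC-SHA256 cost; tune to ~100 ms


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# A value is "safe" only if it is a complete hashed record.
RECORD_RE = re.compile(r"^pbkdf2_sha256\$\d+\$[0-9a-f]{32}\$[0-9a-f]{64}$")
# key=value and "key":"value" shapes for the usual password field names.
FIELD_RE = re.compile(r'(?i)\b(password|passwd|pwd)\b"?\s*[=:]\s*"?([^\s"&,;]+)')


def find_plaintext_passwords(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, field, value) for password fields that are not hashed."""
    hits = []
    for i, line in enumerate(lines, 1):
        for field, value in FIELD_RE.findall(line):
            if not RECORD_RE.match(value):
                hits.append((i, field, value))
    return hits


# Constructed log lines in the shape of an app log / DB export.
SAMPLE_LOG = [
    "INFO  login ok user=alice",
    "DEBUG auth request user=bob password=hunter2 ip=10.0.0.5",
    "INFO  user_create user=carol password=" + hash_password("s3cret", bytes(16)),
    'WARN  reset form submitted {"user":"dave","password":"Winter2019!"}',
]


if __name__ == "__main__":
    a, b = hash_password("same-password"), hash_password("same-password")
    print("records differ despite equal passwords:", a != b)
    print("verify:", verify_password("same-password", a))
    for line_no, field, value in find_plaintext_passwords(SAMPLE_LOG):
        print(f"line {line_no}: plain-text {field} value {value!r}")
```

The scanner is deliberately strict: anything that is not a full record is reported, so a truncated hash or a reversible “encrypted” value shows up too. In a real deployment the regex would be run over log pipelines and database exports on a schedule, and the hash function would be bcrypt, scrypt or Argon2 if those are available.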
Restricted collection of phone numbers
In the past, Facebook had ways of finding (and then distributing) your phone number, even if you didn’t supply such data in your profile. With this new FTC ruling, Facebook is now barred from “using” phone numbers it obtained through security features, such as two-step verification.
What’s unclear, however, is what exactly “using” means. Collecting them? Selling them? It’s hard to say, and that’s frustrating since Facebook has a habit of “accidentally” collecting phone numbers. Thankfully, there are ways to delete such information from your profile and keep Facebook from snooping around your device’s contact information.
We won’t know the full effect users will see from these changes until they’re implemented and acted upon, but it’s hard to put much faith in these changes as long as the platform subsists on collecting and selling your data. We’ll have to wait and see how it all shakes out (including the still-in-progress DOJ lawsuit), but in the meantime, it may be wise to consider whether Facebook is worth keeping—or if you should delete it for good.
While this should be common sense for anyone who has ever had to create a password, and there are plenty of tools you can use to generate, store, and recall great passwords, there’s one little caveat to this process that you might not have thought about much. How often should you change your password?
You’ve probably experienced this at work more than anything else—some annoying notification or email letting you know that it’s time (once again) to change your password. This can be a cumbersome process, especially if you have to go and update your password across multiple apps and devices.
As it turns out, this entire process is pretty unnecessary. As long as you have a strong password to begin with, its age doesn’t make it any weaker. In a blog post detailing why Microsoft dropped password-expiration policies from its baseline security settings for Windows 10 and Windows Server 2019, Microsoft “Windows nerd” and security expert Aaron Margosis wrote:
“Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.
If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.
Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.”
I’m an avid 1Password user—love it—and I appreciate how the app goes to great lengths to let you know when passwords you’re using might be unsafe or otherwise compromised. What it doesn’t do, in line with Microsoft’s suggestions, is give you any grief because the password you’re using is x days old (or x years old).
That said, there is one valuable reason for changing your passwords—whether that’s a forced process or one you decide to do yourself. If you’re the kind of person who doesn’t check to see if the passwords you use have been compromised, coming up with new passwords on a regular basis is at least a good catch-all for dealing with weaker ones that might be out in the open.
To that, I offer an alternative suggestion: Instead of changing your passwords according to an arbitrary schedule, you should upgrade your passwords. If you’re a perfect password creator, you probably don’t need this step. But if you’re normal, like me, and you sometimes use weaker passwords for new services you’re trying out because you don’t want to be bothered pulling up your password manager and summoning a 22-character monstrosity, you should schedule time to check and upgrade your lamer passwords to more secure ones.
It’s super-easy to do this if you’re using a password manager, because you can then just scan down your list of saved passwords and start updating anything that’s out of the ordinary: “cat12345,” as opposed to a random string of 20-plus mixed letters, digits, and symbols. Though, you should also already have a pretty good idea whether you’re using weak passwords for your favorite apps and services, which is even more likely if you aren’t using a password manager at all.
This will be a tedious process if you have a ton of weak passwords, but you can always think strategically. Start with the accounts you use most frequently and work your way down from there. (Again, a password-management app will make this process easy, and a great one will be able to tell you when it sees that you’re using a weaker password for a service.)
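The “upgrade, don’t rotate” audit described above can be scripted. The example below is added here and is not 1Password’s Watchtower or any other vendor’s code: given entries exported from a vault (constructed for the example), it flags reuse across sites, passwords on a small built-in common-password list, and passwords whose estimated strength is low, then orders the findings by how often each account is used so the most valuable fixes come first. The strength estimate from length and character classes is a crude proxy, which is all a triage list needs.

```python
"""Audit a vault export for weak and reused passwords, prioritised by use.

Added example, not 1Password's Watchtower or any other vendor's code.
Entries are dicts with site, password and uses (logins per month).
"""
import math
from collections import defaultdict
from typing import Dict, List

# Tiny stand-in for a real common-password list (constructed).
COMMON = {"password", "123456", "qwerty", "letmein", "cat12345", "welcome1"}


def estimate_bits(pw: str) -> float:
    """Rough entropy: length x log2(size of the character pool actually used)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def audit(entries: List[Dict], min_bits: float = 60) -> List[Dict]:
    """Return findings sorted so the most-used weak accounts come first."""
    sites_by_pw = defaultdict(list)
    for e in entries:
        sites_by_pw[e["password"]].append(e["site"])

    findings = []
    for e in entries:
        pw, reasons = e["password"], []
        if pw.lower() in COMMON:
            reasons.append("common password")
        others = [s for s in sites_by_pw[pw] if s != e["site"]]
        if others:
            reasons.append("reused on " + ", ".join(others))
        bits = estimate_bits(pw)
        if bits < min_bits:
            reasons.append(f"only ~{bits:.0f} bits")
        if reasons:
            findings.append({"site": e["site"], "uses": e["uses"], "reasons": reasons})
    findings.sort(key=lambda f: (-f["uses"], f["site"]))
    return findings


# Constructed vault export; the strong password is a made-up random string.
SAMPLE_VAULT = [
    {"site": "email",      "password": "kQ7#mVp2!zLr9@Wb", "uses": 60},
    {"site": "bank",       "password": "cat12345",         "uses": 20},
    {"site": "shopping",   "password": "Summer19",         "uses": 8},
    {"site": "forum",      "password": "Summer19",         "uses": 2},
    {"site": "newsletter", "password": "welcome1",         "uses": 1},
]


if __name__ == "__main__":
    for f in audit(SAMPLE_VAULT):
        print(f"{f['site']:<11} ({f['uses']:>2}/month): " + "; ".join(f["reasons"]))
```

Reuse is listed before strength on purpose: a strong password shared between a forum and your bank is one forum breach away from being a bank credential, which is the scenario the Doordash and StockX stories above actually create.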
And, of course, even the greatest password benefits from a boost: Use multi-factor authentication wherever possible, and your accounts will be that much more secure. Then print this article (or Microsoft’s blog post) and take it over to your IT team when you’re forced to change your password for the eighth time this year.
Apple has been facing increased criticism of its privacy practices lately, and rightfully so. During CES 2019 in January, the company tried trolling visitors to the annual conference (which it famously does not attend) with a brazenly false piece of advertising: a massive outdoor ad declaring “What happens on your iPhone stays on your iPhone.” Nothing could be further from the truth.
Last week, the Washington Post published the results of one experiment that showed thousands of trackers siphoning data off the iPhone of technology columnist Geoffrey Fowler. “In a single week, I encountered over 5,400 trackers, mostly in apps, not including the incessant Yelp traffic,” he wrote. (Yelp alone was reaching out to grab Fowler’s IP address every five minutes.)
Apple’s big privacy claim was a lie, there’s no other way to put it—even if it did look catchy on the side of a Las Vegas hotel.
This year’s Worldwide Developers Conference (WWDC) saw a few privacy-focused announcements, but none that would address all of the tracking issues discovered through Fowler’s experiment. Still, some options, such as the new location-sharing controls in iOS 13, are a good place for the 43-year-old company to start. Others, such as Apple’s new login system, are exciting and will undoubtedly help consumers shield themselves from data vampires like Facebook.
Here’s every privacy and/or security-related feature, big and small, announced by Apple today:
The first time we heard the word “privacy” on stage Monday it was a reference to the Noise app debuted for Apple Watch. The purpose of the app is to warn users when they’re in environments where sound levels are high enough to negatively impact hearing. “The watch can send a notification if the decibel level reaches 90 decibels, which can begin to impact hearing after four hours per week of exposure at this level, according to the World Health Organization,” Apple says.
Of course, in order for Noise to accomplish this, it needs to have its ears on. This type of always-listening technology scares a lot of people. Alexa users, for instance, freaked out when it was disclosed that actual human employees were listening to recordings taken from Echo devices.
Apple’s VP of health, Dr. Sumbul Desai, issued this promise: “It only periodically samples and does not record or save any audio.” According to Apple, none of the audio or sounds in the environment are saved by the app or sent to Apple; only decibel levels are sampled. That’s good news for users who work in loud environments and want to know if they’re potentially suffering long-term damage, but at the same time value their privacy.
Apple’s policies toward health data didn’t change on Monday, but the company announced a slew of new tracking features for the Health app, including the Noise app and the ability for women to log important information related to their menstrual cycles, called Cycle Tracking. These new features offered the company a good opportunity to emphasize its policies designed to protect what Apple’s senior vice president of software engineering, Craig Federighi, referred to as the most private of all types of personal information.
“Health is using machine learning on your iPhone to determine which highlights might be most interesting to you,” he said. “All of this health data is securely stored on your iPhone or encrypted in iCloud, and since there’s nothing more private than your health information, you control your data. You can decide if you want to share particular health data with select apps, if you’d like to share anything at all.”
Apple’s new login service is easily the biggest security and privacy announcement today. Social login options such as “Login with Facebook” are very popular because they bypass the need for users to create new identities on every single website they visit. In most cases, it’s a one-click profile creation system. But these are also very popular with companies like Facebook because they use this feature to track you and sell your information to marketers.
Apple’s promise is to not track users on “Sign in with Apple” and it will even create a buffer between consumers and the services they use. For instance, Apple will let you share your email account with a service if you want, but it can also generate a unique email address for you, which then forwards pertinent messages to your inbox.
As Gizmodo’s Patrick Howell O’Neill writes: “It’s a smart jab against spam: Not only will you be able to turn off spammy email more easily, but you’ll also be able to see who exactly is sharing and selling your email widely when that random address starts to get spam from companies buying up data.”
As someone who’s had to track down a stolen iPhone before, I’m a big proponent of Find My iPhone. Apple announced an upgrade to this system that, at first blush, sounds a little nuts: the ability to locate an iPhone or MacBook, even when it has no network connection of its own, using other people’s devices.
According to Apple, this feature will work by forcing the device to occasionally transmit a “secure” Bluetooth signal. Other Apple products will sense the device and transmit its location.
“Let’s say you misplaced your MacBook. Even when it’s offline and sleeping it sends out a secure Bluetooth beacon that can be detected by other people’s Apple devices nearby. They can relay your MacBook’s location to the network and ultimately back to you so you can find it,” Federighi said.
“It uses just tiny bits of data that piggyback on existing network traffic so there’s no need to worry about your battery life, data usage, or your privacy,” he added, emphasizing the entire protocol is end-to-end encrypted and anonymous.
We’ve never seen a feature like this anywhere before, so it’ll be interesting to see how it works in the wild and whether it withstands attempts by independent researchers to exploit it.
Apple is rolling out a simple, no-brainer update to the controls that users have over location data sharing. Finally, there’s a one-time location option.
“For the first time, you can share your location to an app just once and then require it to ask you again next time it wants it. If you do choose to grant an app the ability to continually monitor your location in the background, we’ll give you reports so you’ll know what they’re up to,” said Federighi.
He also noted that many apps try to bypass location-sharing restrictions by scanning for nearby Bluetooth and WiFi signals, which can reveal a user’s location without ever asking for location permission. “We’re shutting the door on that abuse as well,” he said.
Lastly, Apple updated its App Store policies on Monday, officially banning the use of embedded trackers in Kids Category apps. We knew this was coming last week, but now it’s official, and here’s the language: “Apps in the Kids Category may not include third-party advertising or analytics.”
Apple also advises developers to “pay particular attention to privacy laws around the world relating to the collection of data from children online.”
Parents should keep in mind that this policy only covers apps distributed in the Kids Category; any other app installed on a kid’s phone can still carry third-party advertising and analytics SDKs. If you don’t want your kids to be tracked, you’ll have to remain vigilant about which apps they download.
Those of you who are still running Windows 7 or earlier need to install critical patches that fix a recently-discovered security bug on older versions of Windows.
Earlier in May, Microsoft disclosed a serious security vulnerability, dubbed “BlueKeep” and tracked as CVE-2019-0708, in Remote Desktop Services on Windows 7, Windows Server 2008 R2 and Windows Server 2008. Microsoft also took the unusual step of shipping fixes for the long out-of-support Windows XP and Windows Server 2003; Windows 8 and Windows 10 are not affected. The bug lives in the Remote Desktop Protocol (RDP) and can be triggered before any authentication takes place, so an attacker who can reach TCP port 3389 on an unpatched machine could potentially gain full remote control of it without a password. That is what makes BlueKeep “wormable”: a worm is not the exploit itself but self-propagating malware that uses an exploit like this one to copy itself from machine to machine with no user interaction, the way WannaCry did in 2017. Working exploit demonstrations have begun to appear online; you can see an example in the video below.
Microsoft released patches for all affected versions of Windows on May 14. The problem is that only a fraction of vulnerable machines have installed them. According to Wired, a recent Internet-wide scan found at least 922,225 Windows systems still exposing a vulnerable RDP service, and the actual number is likely higher, since a scan like that only counts machines reachable directly from the Internet. If yours is among the hundreds of thousands that have not been updated, do so now. Where patching has to wait (a whole fleet of business machines, for instance), at least apply the mitigations Microsoft recommends alongside the fix: require Network Level Authentication (NLA) for Remote Desktop, which forces a client to authenticate before the vulnerable code path is reachable, and block TCP port 3389 at the perimeter firewall or disable Remote Desktop entirely on machines that don’t need it. Treat NLA as a stopgap rather than a fix: a system relying on NLA alone is still exploitable by anyone who holds valid credentials for it.
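For the Windows 7 and Server 2008 R2 machines this item is about, here is an added PowerShell audit script, written for this page rather than taken from Microsoft, that checks the three things that matter on a single host: whether the May 2019 fix is installed, whether Remote Desktop is enabled, and whether Network Level Authentication is required. The KB identifiers it looks for (KB4499175, the security-only update, and KB4499164, the monthly rollup, for Windows 7 SP1 / Server 2008 R2 SP1) are an assumption on my part; confirm them against Microsoft’s advisory for CVE-2019-0708 and substitute the IDs for your own OS build before trusting the result. The script only inspects the local machine; it does not probe anything over the network.

```powershell
# Added example (not Microsoft's tooling): audit one Windows 7 / Server 2008 R2
# host for BlueKeep (CVE-2019-0708) exposure. Run from an elevated PowerShell
# prompt. Written for PowerShell 2.0, which is what Windows 7 ships with.

# ASSUMPTION: May 2019 fixes for Windows 7 SP1 / Server 2008 R2 SP1.
# Verify against Microsoft's CVE-2019-0708 advisory and adjust per OS build.
$FixKBs = @('KB4499175', 'KB4499164')

$os = Get-WmiObject Win32_OperatingSystem
"OS: $($os.Caption) (build $($os.BuildNumber))"

# 1. Is one of the fixing updates installed?
$installed = Get-HotFix | Where-Object { $FixKBs -contains $_.HotFixID }
if ($installed) {
    $ids = $installed | Select-Object -ExpandProperty HotFixID
    "PATCHED: found " + ($ids -join ', ')
} else {
    "NOT PATCHED: none of " + ($FixKBs -join ', ') + " is installed"
}

# 2. Is Remote Desktop enabled at all?
#    fDenyTSConnections: 1 = connections denied (RDP off), 0 = allowed.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
"RDP enabled: $($rdpDenied -eq 0)"

# 3. Is Network Level Authentication required?
#    UserAuthentication: 1 = client must authenticate before a session is
#    created, which keeps the pre-auth BlueKeep code path out of reach of
#    unauthenticated attackers. Still exploitable by anyone with valid creds.
$rdpTcp = "$ts\WinStations\RDP-Tcp"
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
"NLA required: $($nla -eq 1)"

# 4. Is anything actually listening on TCP 3389? If so and the host is
#    reachable from untrusted networks, block the port at the perimeter.
$listening = netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING'
"Listening on TCP 3389: $([bool]$listening)"

# Summary verdict.
if (-not $installed -and $rdpDenied -eq 0) {
    if ($nla -eq 1) {
        "VERDICT: unpatched but NLA on; patch ASAP, NLA is only a stopgap."
    } else {
        "VERDICT: EXPOSED. Patch now, or at minimum require NLA / block 3389."
    }
} elseif ($installed) {
    "VERDICT: fix installed."
} else {
    "VERDICT: RDP disabled; install the patch anyway before RDP is ever enabled."
}

# Remediation, uncomment to apply after reviewing:
# Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1   # require NLA
# Set-ItemProperty -Path $ts     -Name fDenyTSConnections -Value 1   # disable RDP
```

The script deliberately reports rather than changes anything; the two commented-out `Set-ItemProperty` lines at the end are the host-side mitigations and should only be run once you have confirmed nobody depends on password-less RDP clients (older clients without CredSSP cannot connect once NLA is required). Installing the patch is still the only real fix.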
Fun fact: Snippets of your Alexa conversations may be heard and read by thousands of Amazon employees. According to recent reports, Amazon has an international team of employees who work to help Alexa better understand your many commands and develop new ways for the AI to interact with users. This requires them to listen to snippets of what your Echo speakers and other Alexa devices are recording. Sounds eerily familiar to us.
Not only are real people listening to you talk to (and around) Alexa, but the conversations they listen in on are being transcribed and annotated by Amazon’s employees. These transcriptions are then used to “teach” the Alexa AI to recognize more commands.
If you’re sketched out by this, we understand. Especially since what you say is only kind-of, sort-of associated with your account, as Bloomberg describes:
“A screenshot reviewed by Bloomberg shows that the recordings sent to the Alexa reviewers don’t provide a user’s full name and address but are associated with an account number, as well as the user’s first name and the device’s serial number.”
While you’ll never be able to stop Amazon employees from listening in on whatever you say to your Alexa, you can at least turn off any features that make this easier. For example:
Open the Alexa mobile app
Tap the Menu button in the upper-left of the screen
Go to Alexa Account > Alexa Privacy > Manage how your data improves Alexa
Turn off “Help develop new features” and “Use messages to improve transcriptions” for all profiles on your account
Bloomberg notes that Amazon’s team might still analyze your Alexa recordings “by hand,” but this at least opts you out of some facet of Amazon’s voice study. The only real solution at this point is to ditch your Amazon devices altogether, but adjusting these privacy settings should hopefully help keep unnecessary third parties out of your business a little bit.
A 24-year-old man from England has pleaded guilty to charges of hacking into both Microsoft’s and Nintendo’s servers, causing an estimated $3-4 million in damages.
As The Verge reports, Zammis Clark—a former security researcher at Malwarebytes—went before a court in London this week accused of accessing servers at both companies, stealing user information, accessing files related to unreleased products and illegally sharing login details.
He was arrested in June 2017 for his actions against Microsoft, which included hacking into servers that contained “confidential copies of pre-release versions of Windows”.
Yet after this arrest his online access went unrestricted, and in early 2018 Clark used a VPN to get access to Nintendo’s servers, including those used for “highly confidential game development”, and which held “development code for unreleased games”.
Despite his repeat offences, and the severity of them, Clark won’t be facing prison, at least in the near term. Because he is autistic and has “face blindness”, the judge deemed that prison would pose a risk to Clark’s safety, and, taking into account his parents’ efforts to care for and rehabilitate him, decided to issue a suspended 15-month sentence.