I remain a WhatsApp curmudgeon

My six days in Barcelona for MWC had me using one app far more than usual: WhatsApp. But while I often delight in seeing people route their communications out from under the control of incumbent telecom operators, every time somebody asked me to message or call them in that Meta-owned app, I felt a little more grumpy.

That’s because WhatsApp continues to lack a feature found on any 1970s Trimline phone or on a turn-of-the-century, five-line-display cell phone: You cannot text or call a random set of digits unless you first let this app ingest your entire contacts list.

My phone's screen shows the Android system permissions dialog asking if WhatsApp should have access to my contacts, with MWC attendees in the background.

As WhatsApp says in two of the more shameful dialogs around: “To make a call, allow WhatsApp access to your contacts” and “To help you message friends and family on WhatsApp, allow WhatsApp access to your contacts.”

I got tired years ago of apps making sweeping demands for my data and don’t see any reason for contacts upload to be a prerequisite to pinging somebody I just met and may never run into again, so I keep declining that request.

WhatsApp’s FAQ item about contact upload makes a respectable argument for its stewardship of this data, saying it doesn’t collect non-phone-number contact details and deletes the numbers of non-WhatsApp-using people after saving a cryptographic hash of their digits for future cross-referencing should they join later.

But WhatsApp’s parent firm has racked up quite a list of privacy violations, some of which led to the Federal Trade Commission hitting it with a $5 billion fine in 2019 that still stands as a record penalty.

And that WhatsApp FAQ item doesn’t even try to answer why without contacts permission, the app won’t let you punch in any random phone number to start a chat or call. Or how if you revoke that permission, it will stop showing the names of contacts–a creepy move that in 2019 Fast Company’s Michael Grothaus called “one of the most manipulative things Facebook does with WhatsApp.”

In the U.S., being a WhatsApp contacts-access refusenik isn’t so bad, because most people still use carrier texting services. But in the rest of the world, historically higher carrier prices for messaging have made WhatsApp far more widely used. And at MWC that led to some awkward moments.

Most of the time, I could socially engineer my way out of them by asking my new acquaintance to message me from their copy of WhatsApp, at which point I could reply from my copy. One MWC attendee then pointed me to the option to have WhatsApp show a QR code that other people can scan to add you to their contacts lists.

And after coming home, I learned of the click-to-chat option in which you can type in a wa.me Web address in your phone’s browser that ends with a contact’s number (no dashes or spaces) to have the app open a chat thread with that individual.
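As an added illustration (not WhatsApp’s code and not anything from its FAQ), here is how the two mechanisms described above fit together in Python: normalizing a number to the digits-only form a wa.me link needs, and the kind of hash-based cross-referencing the FAQ describes for non-users’ numbers. The SHA-256 choice, the default country code of "1" and the 555-0123 numbers are assumptions and constructed test data, not details the page gives. The last function makes the caveat a practitioner would raise concrete: a phone number is a tiny keyspace, so an unsalted hash of its digits can be brute-forced back to the number once the country code and area code are known.

```python
"""Phone-number normalization, wa.me click-to-chat links and hash-based
contact matching.  Added example: a generic illustration of the scheme the
FAQ describes (hash the digits, compare hashes), not WhatsApp's code.
"""
import hashlib
import re
from typing import Iterable, Optional

E164_MAX_DIGITS = 15  # ITU-T E.164 upper bound on digits including country code


def normalize_number(raw: str, default_country_code: str = "1") -> str:
    """Return a number as digits only, with country code, e.g. "12025550123".

    wa.me links and contact matching both need one canonical form, so
    punctuation, spaces and a "+" or "00" international prefix are stripped.
    A number with neither prefix is treated as a national number and gets
    default_country_code prepended ("1" is an assumption for a U.S. caller).
    """
    s = raw.strip()
    international = s.startswith("+")
    digits = re.sub(r"\D", "", s)
    if not international and digits.startswith("00"):  # "00" dialing prefix
        digits = digits[2:]
        international = True
    if not digits:
        raise ValueError(f"no digits in {raw!r}")
    if not international:
        digits = default_country_code + digits
    if not (7 <= len(digits) <= E164_MAX_DIGITS):
        raise ValueError(f"implausible length for {raw!r}")
    return digits


def wa_me_link(raw: str, default_country_code: str = "1") -> str:
    """Click-to-chat URL: https://wa.me/<country code><number>, no dashes or spaces."""
    return "https://wa.me/" + normalize_number(raw, default_country_code)


def number_hash(digits: str) -> str:
    """Unsalted SHA-256 over the canonical digits.  The algorithm is an
    assumption; the FAQ the post cites only says "cryptographic hash"."""
    return hashlib.sha256(digits.encode("ascii")).hexdigest()


def match_contacts(contacts: Iterable[str], server_hashes: set) -> dict:
    """Cross-reference an uploaded contact list against stored hashes:
    True where the contact's hash is already known to the server."""
    return {raw: number_hash(normalize_number(raw)) in server_hashes
            for raw in contacts}


def recover_number(target_hash: str, known_prefix: str, suffix_len: int) -> Optional[str]:
    """Brute-force a hash back to a number.  A national numbering plan has at
    most 10**10 values, and a known country code, area code and exchange
    leave only 10**suffix_len candidates, so the hash hides nothing."""
    for n in range(10 ** suffix_len):
        candidate = known_prefix + str(n).zfill(suffix_len)
        if number_hash(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed data: 555-01XX numbers are reserved for fiction.
    print(wa_me_link("+1 (202) 555-0123"))
    stored = {number_hash("12025550123")}
    print(match_contacts(["(202) 555-0123", "+34 612 34 56 78"], stored))
    print(recover_number(number_hash("12025550123"), "1202555", 4))
```

The enumeration step is the point of the example: hashing does keep the raw digits out of a stored table, but anyone holding that table and a numbering plan can rebuild the numbers with a few minutes of hashing, so a stored hash of a non-user’s number is not meaningfully different from the number itself.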

It’s good, I guess, that WhatsApp provides workarounds for its own demand for the data of people who may have zero interest in seeing their numbers get uploaded even briefly. It would be better if WhatsApp would show a little humility and end this gropey, growth-hacking nonsense.

Apple and Google could be a lot clearer about their security patches

Multiple times this week, I’ve updated mobile devices with security patches from Apple and Google. And every time, the user experience has left me feeling that these companies don’t think I need to know anything about the content of those patches.

On my iPad mini 6 and my Google Pixel 5a, and then later on a review iPhone 11 (I don’t know why Apple PR hasn’t started charging me late fees on that loaner), the notice of a security patch came with a description no more specific than “bug fixes and security updates,” the vague phrasing shown on my tablet.

Photo of Google Pixel 5a and Apple iPhone 11 with each phone open to the respective company's page purporting to describe the update. The phones are seen from above, resting on a brown background.

Each update notice also came with a link that should have provided more details but did not. On the iPad and iPhone (plus the Mac mini on which I’m typing this post), Apple sent me to the same “Apple security updates” page I’ve been visiting for years–“a dusty bookshelf of a page indexing patches going back to Jan. 8, 2020,” as I described it at PCMag. My Android phone’s notification, meanwhile, sent me to a “Pixel Community” page that led off with a “Featured Posts” list of the past few months’ worth of updates for Pixel devices.

So on each device, I had to tap further to see just what was getting patched. In Apple’s case, it was a serious vulnerability in its WebKit browser framework: “Processing maliciously crafted web content may lead to arbitrary code execution.” And somebody was already exploiting this to attack users: “Apple is aware of a report that this issue may have been actively exploited.”

That kind of “zero-day” vulnerability deserves a more direct description, so people will know that it’s worth having their devices unusable during the install process (more than 6 minutes on the iPhone 11) to lower the odds of getting hacked.

Google’s February 2023 patch, meanwhile, revealed itself to include patches for accessibility, audio, Bluetooth, and calendar features, plus security fixes that were not specified in any way until after three more taps of links. Even then, the Pixel update bulletin I unearthed listed the vulnerabilities only by “CVE” (Common Vulnerabilities and Exposures) numbers that I then had to Google for more details.

The one issue that the Pixel bulletin labeled a “high” risk turned out to be a memory bug that, per the National Institute of Standards and Technology’s vulnerabilities database, could allow “local information disclosure with no additional execution privileges needed.” I read that as an opportunity for a hostile app to snoop on my data and was then relieved to see that NIST did not describe this “vuln” as already being exploited.

I’m not saying that you should hold off on security fixes until you get a detailed breakdown of their code; your safest course is to trust Apple, Google and Microsoft and install their patches as soon as possible, because the developers there spend more time on this than you possibly can. I am saying that it should be basic software manners for these companies to allow their more curious customers to enlighten themselves about these updates as fast as possible. That means in one click, not two, four, or more.

Whither Twitter

Twitter has occupied an embarrassingly large part of my online existence since the spring of 2008–a span of years that somehow exceeds my active tenure on Usenet. But the past two weeks of Twitter leave me a lot less certain about how much time I will or should spend on that service.

I did not have high expectations in April when Elon Musk–who, never forget, already has two full-time jobs at just Tesla and SpaceX–offered to buy Twitter. He had already revealed a low-resolution understanding of content moderation on social platforms but took the advice of a clique of tech bros and told Twitter’s board that he had the answers: “Twitter has extraordinary potential. I will unlock it.”

Photo of Twitter's site showing the "fail whale" error graphic and a "Twitter is over capacity" message, as seen in a phone's Web browser at CES 2010.

Seeing Musk then spend months and what could be $100 million in legal fees trying to squirm out of his accepted, above-market offer of $54.20 a share did not elevate those expectations.

Just before a court case he probably would have lost, Musk gave in, threw $44 billion ($13 billion borrowed) on the table and took over Twitter on Oct. 28. He quickly sacked a handful of top executives before firing about half of the workforce with careless cruelty. One friend figured he’d gotten canned when he couldn’t log into his work laptop.

Things have skidded downhill since. On Twitter, Musk keeps showing himself an easy mark for far-right conspiracy liars and the phony complaints of online trolls; in its offices, he’s ordered a rushed rollout of an $8/month subscription scheme that grants the blue-circled checkmark of a verified account, on the assumption that credit-card payment processors will catch fraudsters.

The predictable result: a wave of fake but “verified” accounts impersonating the likes of Eli Lilly, Nintendo, George W. Bush, Lockheed Martin, Tesla and Musk himself.

Also predictable: Twitter advertisers reacting to this chaos and their fear of wobbly content moderation (rejected by Musk) by smashing the Esc key on their spending plans until they can figure out what’s going on. Musk has responded by whining that companies pausing ad campaigns amounts to them “trying to destroy free speech in America.”

As for legacy verified accounts like my own, Musk has oscillated from saying that they’d require the same $8/month charge to suggesting they’d continue to saying they will be dropped–while also introducing, yanking and then resurfacing gray-checkmark icons for certain larger organizations over a 36-hour period. Oh, and not paying your $8 a month might mean your tweets land in a bit bucket.

After a Thursday that saw Twitter’s chief information security officer, chief privacy officer, and chief compliance officer resign by early morning, Musk told the remaining employees at an all-hands meeting that “Bankruptcy isn’t out of the question.” Since Twitter now owes more than $1 billion a year in interest on the debt from Musk’s acquisition, that warning seems reasonable.

I am not writing this out of schadenfreude. As much as Twitter can drive me nuts (what is it with the militantly stupid people in my replies?), I’ve found it enormously helpful as a public notebook, a shortcut to subject-matter experts, an on-demand focus group, and an ongoing exercise in short-form prose. As (I think) my Washington Post colleague Frank Ahrens once observed, Twitter lets journalists write the New York City tabloid headlines we couldn’t get away with in our own newsrooms.

A "Keep Calm and Tweet #ONA12" badge from the 2012 Online News Association conference.

If Twitter really does implode, which now seems a much more real possibility even if a roundtrip through Chapter 11 is more likely, I don’t know how I’d replace it.

Many of the people I follow there are advancing evacuation plans on a federated, non-commercial, somewhat confusing social platform–not Usenet, but Mastodon.

I have taken tentative steps to do likewise, in the sense that I created one account on the well-known server Mastodon.Social and then realized I’d created a separate account on the xoxo.zone server in 2018 after hearing Mastodon talked up at a meetup during the XOXO conference in Portland. Now I need to decide which account to keep and which one to migrate, and indecision over that makes it easier to stay on Twitter and watch it burn.

Meanwhile, seeing Musk’s stark, public display of incompetence continues to leave me baffled when I compare that to the Musk venture I know best, SpaceX. If Musk ran SpaceX this impulsively and with this little willingness to learn from others, multiple launch pads at Cape Canaveral would be smoking holes in the ground.

Instead, SpaceX is the leading provider of launch services in the world, sending Falcon 9 rockets to space and landing their first stages for reuse on a better-than-weekly basis. “Transformational” is not too strong a word for what SpaceX has accomplished since it first orbited a prototype Dragon capsule in December of 2010; this part of Musk’s career ought to be Presidential Medal of Freedom material, with bipartisan applause.

(I got to see that reentry-singed Dragon capsule up close in July of 2011 when NASA hosted a Tweetup at the Kennedy Space Center for the final Space Shuttle launch, yet another experience I owe in some way to Twitter.)

I keep hoping that I will see this sort of steely-eyed focus in Musk’s stewardship of Twitter. Instead, he appears to be off to an even worse start than I could have imagined. And I can imagine quite a bit.

Late or never Android updates remain a problem

Here’s yet another unintentional benefit of my shattering my Pixel 5a’s screen last weekend: an opportunity to reacquaint myself with how slowly many Android smartphone manufacturers still ooze out Google’s system updates.

This is not a new problem, as I can see from re-reading a piece I wrote almost 10 years ago that’s aged a little too well. I had thought that architectural changes Google made to Android starting back in 2017 would have put a dent into this problem by removing much of the recoding work from manufacturers. But dusting off the budget-priced Android phones I reviewed for CNN Underscored early this year (most of which I had not yet returned to the companies responsible, because my desk is a mess) revealed the error of that thought.

Photo shows Android phones stacked on a wooden floor, each showing their software-information screen. The Samsung Galaxy A13's screen is most visible, showing it's running Android 12 with the July 1 security patch.

After multiple cycles of checking for updates on these six phones, installing these updates, rebooting these phones, and checking for updates again until every device reported it was current, here’s where they wound up:

  • Moto G Power: Android 11, August 1 security update
  • Nokia X100: Android 11, August 1 security update
  • OnePlus Nord N200 5G: Android 12, September 5 security update
  • Samsung Galaxy A13 5G: Android 12, July 1 security update
  • TCL 20 SE: Android 11, August 1 security update
  • TCL 20 Pro 5G: Android 11, April security update

The current month is October and the current Android version is 13, so the problem should be immediately obvious. And not only did none of these devices have the Android release that I installed on my beloved, now battered Pixel 5a in the middle of August, only one of these devices had Google’s latest security fixes–and only two had the Android release that Google shipped a year ago.
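To make the staleness in that list mechanical, here is an added Python example (not from the original post) that takes the patch levels above as data and scores each device against a reference date. The reference date of October 1, 2022 is an assumption inferred from the post’s mention of Android 13 and “the current month is October”; the TCL 20 Pro’s “April” level is entered as the 01 patch level because the post gives no day. On a real device the two inputs come from `adb shell getprop ro.build.version.release` and `adb shell getprop ro.build.version.security_patch`, and the same check can run over a fleet inventory.

```python
"""Android security-patch staleness check.  Added example, not from the
post: the device table is the post's own list transcribed as data, and
REFERENCE_DATE is an assumption (see the lead-in).

On a device the inputs are read with:
    adb shell getprop ro.build.version.release          # e.g. "12"
    adb shell getprop ro.build.version.security_patch   # e.g. "2022-08-01"
"""
import re
from datetime import date
from typing import List, NamedTuple

REFERENCE_DATE = date(2022, 10, 1)  # assumption: October 2022
CURRENT_RELEASE = 13                # Android 13, as the post states

PATCH_LEVEL_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


class Device(NamedTuple):
    name: str
    release: int          # Android major version
    security_patch: str   # Android's YYYY-MM-DD patch-level string


# The post's table, with "April" for the TCL 20 Pro assumed to be the
# 2022-04-01 level and the year 2022 assumed throughout.
DEVICES = [
    Device("Moto G Power", 11, "2022-08-01"),
    Device("Nokia X100", 11, "2022-08-01"),
    Device("OnePlus Nord N200 5G", 12, "2022-09-05"),
    Device("Samsung Galaxy A13 5G", 12, "2022-07-01"),
    Device("TCL 20 SE", 11, "2022-08-01"),
    Device("TCL 20 Pro 5G", 11, "2022-04-01"),
]


def months_behind(patch_level: str, today: date = REFERENCE_DATE) -> int:
    """Whole months between a patch level and today.

    Each monthly Android Security Bulletin publishes two levels, YYYY-MM-01
    and YYYY-MM-05 (the 05 level includes the 01 fixes plus partner-specific
    ones), so both count as that month and only year and month matter.
    """
    m = PATCH_LEVEL_RE.fullmatch(patch_level.strip())
    if not m:
        raise ValueError(f"not a patch level: {patch_level!r}")
    year, month = int(m.group(1)), int(m.group(2))
    if not 1 <= month <= 12:
        raise ValueError(f"not a patch level: {patch_level!r}")
    return (today.year - year) * 12 + (today.month - month)


def assess(dev: Device, max_months: int = 1, today: date = REFERENCE_DATE) -> dict:
    """Report how far a device lags Google's fixes and OS release.  A lag of
    max_months is tolerated because vendors ship a bulletin's fixes during
    the month after Google publishes it."""
    lag = months_behind(dev.security_patch, today)
    return {
        "name": dev.name,
        "patch_months_behind": lag,
        "patch_current": lag <= max_months,
        "release_versions_behind": CURRENT_RELEASE - dev.release,
    }


def stale_devices(devices=DEVICES, max_months: int = 1,
                  today: date = REFERENCE_DATE) -> List[str]:
    """Names of devices whose patch level is older than the tolerance."""
    return [d.name for d in devices
            if not assess(d, max_months, today)["patch_current"]]


if __name__ == "__main__":
    for d in DEVICES:
        r = assess(d)
        print(f"{r['name']:24} patch {r['patch_months_behind']} month(s) behind, "
              f"{r['release_versions_behind']} Android release(s) behind")
    print("stale:", stale_devices())
```

Run against the post’s numbers, only the OnePlus clears a one-month tolerance, which matches the post’s count of a single device carrying the latest fixes; the threshold is the thing to tune for your own fleet policy.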

The good news, such as it may be, is that a low price doesn’t condemn an Android phone to obsolescence. The A13 sells for $250 and the N200 for $240, but both have aged better, software-wise, than the pricier Android devices in that review. You may want to consider that a factor in favor of OnePlus and Samsung if you’re shopping for a low-cost Android phone–while the lagging performance of those other vendors should rate as a serious strike against them.

Some Time Machine backup-volume trial and error

The Mac-maintenance task that has taken care of itself for most of the last four years brought itself to my attention Wednesday, and I wish it had not. Two days of troubleshooting later, I think I once again have a working backup routine–but I still don’t know what went wrong here.

My first hint that Apple’s Time Machine backup system had shifted out of its usual orbit was an error message Wednesday night reporting that my backup volume had become read-only, making further backup cycles impossible.

The drive in question, a 2-terabyte Seagate portable drive that I’d bought in 2018, seemed too young to be suffering from disk corruption. Especially since other partitions on this hard drive remained readable and writeable.

So I opened Apple’s Disk Utility, selected the Time Machine backup partition, and clicked “First Aid.” Several minutes later, this app returned an inscrutable, no-can-do result:

The volume Time Machine backups could not be repaired. 

File system check exit code is 8.

Well, then.

Disk Utility’s help was of no help, reporting “No Results Found” when I searched for that error message and shorter versions of it. Googling for “check exit code is 8” yielded nothing at Apple’s support site (a fruitless result confirmed by Apple’s own search) but did surface a data-recovery firm’s explainer that this was “one of the most frustrating file system errors to encounter, and it is difficult to know if you are experiencing a logical or physical fault on the hard drive.”

Trying to repair the volume a few more times with Disk Utility–a suggestion in a Stack Exchange thread that seemed worth testing–didn’t yield a better outcome. An attempt to copy the entire Time Machine volume to the partition that I’d created on this Seagate drive last year to usher my data from my old iMac to my current Mac mini stopped early; Shirt Pocket’s SuperDuper app was less informative than usual, saying it “Failed to copy files.”

Then I realized that I was looking right at a short-term answer: wiping that no-longer-needed iMac disk-image partition, then making it my new Time Machine backup volume while leaving the old Time Machine partition alone. After a timeout to unplug the drive and then plug it back in, without which Disk Utility would not reformat the partition, this fix seems to be working. But just in case, I’ve also plugged a 1-terabyte SSD into my Mac mini as a backup to my backup.

It would be great if Apple would provide clearer explanations and more usable fixes to disk errors like this. But considering that Time Machine’s starfield file-restore interface hasn’t changed since it debuted in 2007, I will not stay up late waiting for those updates.

Conference VOD: one half-decent thing we’ve gotten out of the pandemic

LAS VEGAS

The Black Hat security conference that wrapped up here once again left me wishing I could clone myself for a few days. Its info-dense schedule put as many as nine briefings in the same timeslot, requiring me to make some tough choices and hope that I’d picked a presentation that would yield enough news and insights to turn into an article.

(Spoiler alert: I did not always choose wisely.)

In the Before Times, the panels that I had to skip would have been lost to me until the event organizers uploaded video of them to Black Hat’s YouTube channel, often months later. But this year’s conference, run like last year’s as a hybrid in-person/online event, came with both streaming access to panels as they happened and video-on-demand playback 48 hours later for attendees.

This conference, unlike too many I’ve attended, also continues to post the presentations of speakers, so attendees don’t need to take pictures of every statistic-filled slide for posterity.

So I can treat my conference FOMO and see what I missed much sooner than I could have before. That’s one small side benefit of conferences having to make themselves open to remote attendees, a welcome democratization of events that in a better world would have happened without the pressure of a worldwide pandemic. It’s also personally convenient today because I’m already getting asked on Twitter about Black Hat briefings that I did not get to.

I do, however, still need to remember to catch up on these briefings before the 30-day window to watch them expires–the mistake I made last summer, when I had a much less busy schedule.

8/14/2022: I updated this to add a compliment to the Black Hat organizers for posting speakers’ presentations.

Black Hat pitches increasingly resemble CES pitches

When I’m spending a sunny Saturday in front of my computer, the usual reason is that it’s beastly hot outside. But today I have an additional, also seasonally-specific reason: I’m overdue to look over and make some decisions about all of the Black Hat meeting requests that have been piling up in my inbox.

A view of the Las Vegas Strip from the Foundation Room atop the Mandalay Bay hotel--a common event venue for both CES and Black Hat receptions.

Unlike last summer, I actually am going to this information-security conference in Las Vegas. And many more infosec companies seem to have made the same decision, leading to a flood of e-mails from their publicists asking if I’d like to set up a meeting while I’m in Vegas. How many? Over the last month, I’ve received 134 messages mentioning Black Hat, a number that makes me think of the annual deluge of CES PR pitches.

(Sorry, the total is now 135.)

Just like at CES, accepting even half of these invitations would leave me almost no time to do anything else at the conference. But where at CES I need to save time to gawk at gadgets on and off the show floor–and to get from venue to venue at that sprawling event–at Black Hat I want to save time to watch this conference’s briefings.

In the two prior years I’ve gone to Black Hat, I’ve found that the talks there have an exceptionally high signal-to-noise ratio. And since a coherent and entertaining explanation of a vulnerability in a widely used app, service or device is something that’s relatively easy to sell as a story, I also have an economic incentive to hold off on taking any meeting requests until the organizers post the briefings schedule–which this year only happened barely two weeks ago.

In other words, now I’m out of excuses to deal with these pitches. Which I could have done this afternoon had I not waited until this afternoon to write this post…

8/24/2022: Fixed the typo in the headline that nobody seems to have noticed until my wife asked about it today.

Google-induced mail migration malaise

A week ago, I learned that one of my longest-running online freebies would end this summer. The seven days since haven’t been enough time for me to decide how to replace the no-charge Google account that’s hosted my home e-mail since early 2010–but they have allowed me to find a reason to dislike each obvious alternative.

Yes, I should have seen this coming. The Google that launched “Google Apps for Your Domain” as a free service in 2006 was a much scrappier firm that could not assume potential customers’ attention. Even in 2010, when I moved my home e-mail to a Google Apps account under a custom domain and set up (just in case!) a work e-mail address under a different custom domain at another Google Apps account, Google hadn’t risen to become an obvious choice for business collaboration.

The Gmail logo under an "Apps" banner, taken from a 2008 Google presentation.

Google did end signups for this free option in December of 2012, but it let existing Apps customers keep their free accounts. That grandfathered, privileged status continued as Google Apps became G Suite in 2016 and then Google Workspace in 2020.

The Google of 2022, however, is a different entity that’s been unplugging other free services. So I was not too surprised to learn that starting July 1, I’d have to pay to keep these two mail accounts hosted–just annoyed to read about this at the 9to5Google blog instead of in an e-mail from Google to me.

I’m fine with paying Google for my work account–make that, paying more on top of what I’ve been spending for extra storage since 2016. A Google Workspace Business Starter account will cost another $6 a month, which is reasonable considering how many other Google services I have tied to this account and how $72 a year would still rank among my cheaper business expenses.

But my home account is just an e-mail account. I don’t use it with Google’s other “workspace” tools; because I keep a separate, standard Gmail account for shopping, banking and other non-work stuff, my home account barely gets used as an e-mail service. Paying $72 a year makes a lot less sense, much less spending that much on addresses I’ve set up for family members who use them even less.

But the options I’ve evaluated first have their own issues:

iCloud+: Since my wife is already paying for extra storage on Apple’s cloud service, I could set up a custom domain there for free. But by associating my home e-mail address with iCloud, I would revive the problem of iPhone-using friends who think they’re using the Messages app to text me on my phone and instead have Apple’s iMessage system silently divert that to the Messages app on my iPad.

Microsoft 365: I already pay for Microsoft’s cloud storage to back up my Windows laptop, and adding multiple e-mail accounts by upgrading to Microsoft 365 Family would add only $30 to my yearly cost. Except Microsoft, for some inane reason that probably looked sharp on a marketing PowerPoint, limits this option to domains hosted with GoDaddy, and that’s not the registrar I’ve been content with using for this domain. (One thing I don’t like about this registrar: Their own mail hosting only covers 1 gigabyte of storage per address, which is why they don’t make this list.)

Fastmail: This mail-first service isn’t tied to any larger cloud platform, a simplicity of mission that I appreciate. I also like how I could use this with 1Password to generate “masked,” disposable e-mail addresses for individual services. But with pricing for a custom domain starting at $50 a year per user for 30 GB of storage, this, too, feels like overkill for my own little use case.

Meanwhile, Google may have realized the foolishness of treating every user as one type of business customer. Wednesday afternoon, Ars Technica’s Ron Amadeo flagged an addition to Google’s support note inviting input from people who don’t use legacy Google Apps accounts for work.

Will Google offer a cheaper tier for personal use, and how long will we have to wait to find out? The May 1 deadline Google set for ex-Apps users to choose between upgrading to Workspace or moving their mail elsewhere leaves plenty of time for the indecision-making process to grind on at this company. And among perplexed customers like me.