The Blinding Light of the IT Privacy and Security Weekly update for the week ending December 13th, 2022


In perhaps our brightest update yet, we leap from the uninvited into bright, radiant light.


We travel from a somewhat naughty confederation to a blazing anonymous number migration.

We receive creative illumination for making deepfakes the “right way” from a group we didn’t even realize was in the film production business.

We’ve got Microsoft aglow in a buying spree and then illuminate you with so many glaring phone tales that you could be forgiven for lighting up your next call to your mother on a tin can and a piece of string.

Finally, we couldn’t resist one more update on that blinding crash down on the sunny shores of the Bahamas.

We have a dazzling update for you this week, so grab those Ray-Bans, and let’s beam!

EU: The EU hosted a 24-hour party in its $400,000 metaverse to appeal to young people, but pretty much no one showed up

The European Union hosted a 24-hour party in its $407,000 metaverse, but only a handful of people turned up, according to journalist Vince Chadwick, one of the attendees.

The other attendees then gave up – leaving the singular journalist as the only person at the gala, less than an hour after its advertised start.

Last week’s event was billed as a “beach party” offering “music and fun” to launch the EU’s “Global Gateway” strategy.

When the costly virtual-reality world was first shown in October, EU staff were already raising concerns.

“Depressing and embarrassing” and “digital garbage” were among the department’s first responses to the underwhelming €387,000 venue.

The EU told the news site that its metaverse aimed to increase awareness among 18-35-year-olds “primarily on TikTok and Instagram” who aren’t politically engaged.

But as it moved from promotional video to virtual reality, it seems the message didn’t reach too many people.

So what’s the upshot for you? We missed it too.
Wonder how they announced it.

CH: Swiss Data Protection Commissioner Orders Government To Publicly Release Surveillance Tech Export Licenses

"In an enormous breakthrough for those seeking transparency and accountability to the shadowy surveillance industry, the Swiss Government has been forced to publish the list of export licenses for surveillance technologies and other equipment, including details of their cost and destination.

The decision by the Federal Information and Data Protection Commissioner comes on the heels of consistent pressure from Privacy International, Swiss journalists, and several Members of Parliament on policymakers, government officials, and companies in Switzerland over the past year and a half.

The commissioner’s decision was the result of a FOI challenge filed against the State Secretariat for Economic Affairs (SECO) for its refusal to reveal information regarding the destination of the pending exports for surveillance technologies."

The beneficiary of this release by SECO is, of course, everyone who’s interested in government accountability and transparency, especially when it involves an area of government work that tends to be shrouded in often impenetrable secrecy.

The most direct beneficiary – Swiss news agency Tagblatt – has plenty to say about the release of this information, including how much SECO simply did not want to reveal the countries Swiss surveillance tech providers sell to.

The Seco does not act entirely voluntarily: Our newspaper only received the list after it requested access to the administration in 2013 based on the principle of transparency.

At the end of 2014, the federal data protection officer recommended granting access, although Seco wanted to refuse this.

[The Data Protection Commissioner] picks [Seco’s] arguments to pieces. It didn’t even provide a minimal justification.

But that’s not all: Seco was unable to prove why the announcement of the recipients was affecting Switzerland’s foreign policy relations.

The technology these countries acquired from Swiss tech purveyors is IMSI catchers – cell tower spoofers capable of forcing all phones in the area to connect to them so investigators can locate sought devices or (if enabled) intercept communications.

Twenty-one export licenses were issued in 2014, and the recipients include a long list of human rights abusers.

The approved list for full licenses doesn’t exactly suggest a whole lot of discretion from Swiss IMSI manufacturers.

Nor does it say much about SECO, which allowed these sales (and demonstrations) to happen.

The list of denied license applications (which includes Russia, Yemen, and Turkmenistan) suggests some restraint by SECO. But the fact that Swiss spy tech makers requested the licenses shows they are just as willing to sell to terrible governments as other surveillance tech purveyors who’ve made international headlines repeatedly.

(Yes, we’re talking about Israel’s NSO Group. And, to a lesser extent, Italy’s Hacking Team.)

“And it’s not just IMSI catchers,” says Techdirt’s Tim Cushing. “Plenty of human rights violators were on the list of potential customers for internet surveillance tech sold by Swiss companies.

That those violators were unable to access this tech is largely due to the Snowden leaks, which forced a lot of countries to look more closely at their own spying efforts and surveillance contractors.”

“That’s a pretty nasty group of customers to want to sell to. And that the companies appear to have been deterred by a series of leaks suggests they were more motivated by potential backlash from the Snowden revelations, rather than any sense of responsibility or propriety.”

So what’s the upshot for you? In closing, Cushing writes: “You don’t have to sell to the worst governments in the world.

But, like far too many other surveillance tech purveyors, Swiss companies seemed more than willing to sell powerful spy tech to governments they knew with certainty would abuse it.”

Global: You’ve heard of Passkeys, try the demo!

If you’d like to glean a better understanding of what it will be like to use a “Passkey” instead of a password, try this demo. In less than a minute you’ll be one of the few in your office that can say you tried it/them. For more on passkeys, see the following story.

So what’s the upshot for you? You too can be an early adopter…

Global: Passkey Support Rolls Out To Chrome Stable

Following Google’s beta rollout of the feature in October, passkeys are now hitting Chrome stable M108.

Passkeys are built on industry standards and backed by all the big platform vendors – Google, Apple, Microsoft – along with the FIDO Alliance.

Google’s latest blog says: “With the latest version of Chrome, we’re enabling passkeys on Windows 11, macOS, and Android.”

The Google Password Manager on Android is ready to sync all your passkeys to the cloud, and if you can meet all the hardware requirements and find a supporting service, you can now sign in to something with a passkey.

Now that this is up and running on Chrome 108 and a supported OS, you should be able to see the passkey screen under the “autofill” section of the Chrome settings (or try pasting chrome://settings/passkeys into the address bar).

Next up we’ll need more websites and services to support using a passkey instead of a password to sign in.

Google Account support would be a good first step – right now you can use a passkey for two-factor authentication with Google, but you can’t replace your password yet.

So what’s the upshot for you? This might be the remedy to having to rename your dog every 3 months.

US: Apple sued by stalking victims over alleged AirTag tracking

Two women filed a potential class action lawsuit against Apple, alleging the company has ignored critics’ and security experts’ repeated warnings that the company’s AirTag devices are being repeatedly used to stalk and harass people.

Both individuals were targets of past abuse from ex-partners and argued in the filing that Apple’s subsequent safeguard solutions remain wholly inadequate for consumers. “With a price point of just $29, it has become the weapon of choice of stalkers and abusers.”

Apple first debuted AirTags in April 2021.

Within the ensuing eight months, at least 150 police reports from just eight precincts reviewed by Motherboard explicitly mentioned abusers utilizing the tracking devices to stalk and harass women.

In the new lawsuit, plaintiffs allege that one woman’s abuser hid the location devices within her car’s wheel well.

At the same time, the other woman’s abuser placed one in their child’s backpack following a contentious divorce, according to the suit.

Security experts have since cautioned that hundreds more similar situations likely remain unreported or even undetected.

The lawsuit (PDF), published by Ars Technica, cites them as “one of the products that has revolutionized the scope, breadth, and ease of location-based stalking,” arguing that “what separates the AirTag from any competitor product is its unparalleled accuracy, ease of use (it fits seamlessly into Apple’s existing suite of products), and affordability.”

The proposed class action lawsuit seeks unspecified damages for owners of iOS or Android devices which have been tracked with an AirTag or are at risk of being stalked.

Since AirTags’ introduction last year, at least two murders have occurred directly involving using Apple’s surveillance gadget, according to the lawsuit.

So what’s the upshot for you? Critics and the lawsuit argue that a subsequent series of minor updates—such as text alerts when AirTags are detected nearby and the introduction of a 60-decibel location chime—fail to address the vast majority of victims’ issues.

The complaint also notes that Apple’s unspecified, previously promised updates due by the end of the year have yet to materialize.

None of the stopgaps are particularly helpful for Android users, either, who must download a Tracker Detector app and manually search for AirTags nearby.

The lawsuit reminds readers that this is “something a person being unknowingly tracked would be unlikely to do.”

PK: Xnspy Stalkerware Spied on Thousands of iPhones and Android Devices

A little-known phone monitoring app called Xnspy has stolen data from tens of thousands of iPhones and Android devices, the majority of whose owners are unaware that their data has been compromised.

Konext is a small development startup in Lahore, Pakistan, manned by a dozen employees, according to its LinkedIn page.

The startup’s website says the startup specializes in “bespoke software for businesses that seek all-in-one solutions,” and claims to have built dozens of mobile apps and games.

What Konext doesn’t advertise is that it develops and maintains the Xnspy stalkerware.

Xnspy is one of many apps sold under the guise of allowing a parent to monitor their child’s activities, but it is explicitly marketed for spying on a spouse or domestic partner’s devices without their permission.

Its website boasts, “to catch a cheating spouse, you need Xnspy on your side,” and, “Xnspy makes reporting and data extraction simple for you.”

Stalkerware apps, also known as spouseware, are surreptitiously planted by someone with physical access to a person’s phone, bypassing the on-device security protections, and are designed to stay hidden from home screens, which makes them difficult to detect.

Once installed, these apps will silently and continually upload the contents of a person’s phone, including their call records, text messages, photos, browsing history, and precise location data, allowing the person who planted the app near-complete access to their victim’s data.

New findings show many stalkerware apps are riddled with security flaws and are exposing the data stolen from victims’ phones.

Xnspy is no different.

So what’s the upshot for you? If you use Xnspy, do remove it. Remember, while you spied on them, someone else was spying on you.

US: Apple announces more end-to-end encryption.

Last week Apple announced that end-to-end encryption is coming to even more sensitive types of iCloud data, including device backups, messages, photos, and more, meeting the longstanding demand of both users and privacy groups who have rallied for the company to take the significant step forward in user privacy.

iCloud end-to-end encryption, or what Apple calls “Advanced Data Protection,” encrypts users’ data stored in iCloud, meaning only a trusted device can decrypt and read the data.

iCloud data in accounts with Advanced Data Protection can only be read by a trusted device, not Apple, law enforcement, or government entities.

So what’s the upshot for you? The FBI is not happy.

Global: Apple Kills Its Plan To Scan Your Photos for CSAM

In August 2021, Apple announced a plan to scan photos that users stored in iCloud for child sexual abuse material (CSAM).

The tool was meant to be privacy-preserving and allow the company to flag potentially problematic and abusive content without revealing anything else.

But the initiative was controversial, and it soon drew widespread criticism from privacy and security researchers and digital rights groups who were concerned that the surveillance capability itself could be abused to undermine the privacy and security of iCloud users around the world.

At the beginning of September 2021, Apple said it would pause the rollout of the feature to “collect input and make improvements before releasing these critically important child safety features.”

In other words, a launch was still coming.

Now the company says that in response to the feedback and guidance it received, the CSAM-detection tool for iCloud photos is dead.

Instead, it is focusing its anti-CSAM efforts and investments on its “Communication Safety” features, which the company initially announced in August 2021 and launched last December.

Parents and caregivers can opt into the protections through family iCloud accounts.

The features work in Siri, Apple’s Spotlight search, and Safari Search to warn if someone is looking at or searching for child sexual abuse materials and provide resources on the spot to report the content and seek help.

Additionally, the core of the protection is Communication Safety for Messages, which caregivers can set up to provide a warning and resources to children if they receive or attempt to send photos that contain nudity.

The goal is to stop child exploitation before it happens or becomes entrenched and reduce the creation of new CSAM.

So what’s the upshot for you? No matter the good intent, this was never a very comforting idea, to have someone indexing your content and looking for matches with illegal material.

It certainly wasn’t going to drive sales for a company pitching privacy.

Global: Telegram is Auctioning Phone Numbers To Let Users Sign Up To the Service Without Any SIM

After putting unique usernames on the auction on the TON blockchain, Telegram is now putting anonymous numbers up for bidding.

These numbers could be used to sign up for Telegram without needing any SIM card.

Just like the username auction, you can buy these virtual numbers on Fragment, which is a site specially created for Telegram-related auctions.

To buy a number, you will have to link your TON wallet (Tonkeeper) to the website.

You can buy a random number for as low as 9 toncoins, which is equivalent to roughly $16.50 at the time of writing.

Some of the premium virtual numbers – such as +888-8-888 – are selling for 31,500 toncoins (~$58,200).

Notably, you can only use this number to sign up for Telegram.

You can’t use it to receive SMS or calls or use it to register for another service.

So what’s the upshot for you? We’d be happier if it was WhatsApp introducing this, but Telegram’s OK too!

CN: China Bans Deepfakes Created Without Permission Or For Evil

China’s Cyberspace Administration has issued guidelines on how to do deepfakes the right way.

[T]he Cyberspace Administration (CAC) has issued regulations that prohibit their creation without the subject’s permission or to depict or utter anything that could be considered as a counter to the national interest.

Anything counter to socialist values falls under that description, as does any form of “Illegal and harmful information” or using AI-generated humans in an attempt to deceive or slander.

But the rules also suggest China expects synthetic humans will be widely used.

For instance, they allow the use of deepfakes in applications such as chatbots.

In such scenarios, deepfakes must be flagged as digital creations.

The regulations also spell out how the creators of deepfakes – who are termed “deep synthesis service providers” – must take care that their AI/ML models and algorithms are accurate and regularly revised, and ensure the security of the data they collect.

The rules also include a requirement for registration of users – including their real names.

Because allowing an unknown person to mess with deepfakes would not do.

The rules are pitched as ensuring that synthesis tech avoids the downsides and delivers benefits to China.

Or, as Beijing puts it (albeit in translation), deepfakes must “Promote the healthy development of internet information services and maintain a good ecology of cyberspace.”

The regulations come into force on January 10, 2023.

So what’s the upshot for you? Sometimes these stories seem… er… well… almost unbelievable.

US: Microsoft Acquires Startup Developing High-Speed Cables for Transmitting Data

Microsoft today announced that it acquired Lumenisity, a U.K.-based startup developing “hollow core fiber (HCF)” technologies primarily for data centers and ISPs.

Microsoft says that the purchase, the terms of which weren’t disclosed, will “expand [its] ability to further optimize its global cloud infrastructure” and “serve Microsoft’s cloud platform and services customers with strict latency and security requirements.”

HCF cables fundamentally combine optical fiber and coaxial cable.

They’ve been around since the '90s, but what Lumenisity brings to the table is a proprietary design with an air-filled center channel surrounded by a ring of glass tubes.

The idea is that light can travel faster through the air than glass; in a trial with Comcast in April, a single strand of Lumenisity HCF was reportedly able to deliver traffic rates ranging from 10 Gbps to 400 Gbps.

“HCF can provide benefits across a broad range of industries including healthcare, financial services, manufacturing, retail, and government,” Girish Bablani, CVP of Microsoft’s Azure Core business, wrote in a blog post.

“For the public sector, HCF could provide enhanced security and intrusion detection for federal and local governments across the globe. In healthcare, because HCF can accommodate the size and volume of large data sets, it could help accelerate medical image retrieval, facilitating providers’ ability to ingest, persist and share medical imaging data in the cloud.

And with the rise of the digital economy, HCF could help international financial institutions seeking fast, secure transactions across a broad geographic region.”

So what’s the upshot for you? Right, and next you’ll be telling us Microsoft has bought a 4% stake in a stock exchange.

UK: Microsoft buys near 4% stake in London Stock Exchange Group as part of 10-year cloud deal

LONDON — U.S. tech giant Microsoft on Monday announced a 10-year partnership with the London Stock Exchange Group and took a nearly 4% stake in the U.K. bourse operator.

The partnership involves next-generation data and analytics, as well as cloud computing products, according to a statement by the LSEG.

It includes a new data infrastructure for the London exchange and analytics and modeling solutions with Microsoft Azure, AI, and Microsoft Teams.

So what’s the upshot for you? Right and next you’ll be telling us Microsoft… oh, never mind.

CA: Samsung. Back Again, Hacked Again.

Contestants hacked the Samsung Galaxy S22 again during the second day of the consumer-focused Pwn2Own 2022 competition in Toronto, Canada.

Security researchers representing the vulnerability research company Interrupt Labs were the ones to demonstrate a successful exploit against Samsung’s flagship device last week.

They executed an improper input validation attack and earned $25,000, 50% of the total cash award, because this was the third time the Galaxy S22 was hacked during the competition.

On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22.

In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.

So what’s the upshot for you? Reassurance, that’s what this provides us.

Global: Samsung’s Android App-Signing Key Has Leaked, is Being Used To Sign Malware

The post is just a list of the keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets.

Esper Senior Technical Editor Mishaal Rahman, as always, has been posting great info about this on Twitter.

As he explains, having an app grab the same UID as the Android system isn’t quite root access, but it’s close and allows an app to break out of whatever limited sandboxing exists for system apps.

These apps can directly communicate with (or, in the case of malware, spy on) other apps across your phone.

So what’s the upshot for you? Imagine a more evil version of Google Play Services, and you get the idea.

BS/US: Out today - this is interesting reading if you are following the FTX story.

You already know that SBF has been arrested, but you also want to have a look at this:

The testimony of the new FTX CEO, John Ray III, is now public, and it includes some shocking revelations about the nature of the cryptocurrency firm.

The court documents show that Alameda Research borrowed FTX customer funds for trading and investment purposes without any limits.

In the court documents, Ray relayed a detailed account of how Alameda Research would utilize FTX customer assets.

Subsequently, the firm utilized them for trading and investment.

The document noted, “The ability of Alameda, the crypto hedge fund within the FTX Group, to borrow funds held at to be utilized for its trading or investments without any effective limits.”

The statement was listed among the inappropriate business practices Ray says he has uncovered.

Ray revealed that access to those funds was not at all protected from management.

The statement noted, “The use of computer infrastructure that gave individuals in senior management access to systems that stored customer assets,” according to the documents.

Furthermore, Ray revealed that “Private keys to access hundreds of millions of dollars in crypto assets” lacked proper security or description.

Ray also notes that assets were commingled, and the platform lacked proper documentation of nearly 500 investments made by the FTX group.

So what’s the upshot for you? Complete stupidity or unbelievable arrogance, or maybe a heady mix of both?

Global: Fusion breakthrough is a milestone for climate, clean energy

Scientists announced Tuesday that they have for the first time produced more energy in a fusion reaction than was used to ignite it—a major breakthrough in the decades-long quest to harness the process that powers the sun.

Known as a net energy gain, the goal has been elusive because fusion happens at such high temperatures and pressures that it is incredibly difficult to control.

Fusion works by pressing hydrogen atoms into each other with such force that they combine into helium, releasing enormous amounts of energy and heat.

Unlike other nuclear reactions, it doesn’t create radioactive waste.

So what’s the upshot for you? We see a bright light in our future!

Quote of the week - “Privacy is the right to the self. Privacy is what gives you the ability to share with the world who you are on your own terms.” - Edward Snowden

That’s it for this week. Stay safe, stay secure, don’t stare at the sun, and see you in se7en.