Governments, Apple, Google spying on users through push notifications – they all go through Apple and Google servers (unencrypted?)!

In a letter to the Department of Justice, Senator Ron Wyden said foreign officials were demanding the data from Alphabet’s (GOOGL.O) Google and Apple (AAPL.O). Although details were sparse, the letter lays out yet another path by which governments can track smartphones.

Apps of all kinds rely on push notifications to alert smartphone users to incoming messages, breaking news, and other updates. These are the audible “dings” or visual indicators users get when they receive an email or their sports team wins a game. What users often do not realize is that almost all such notifications travel over Google and Apple’s servers.

That gives the two companies unique insight into the traffic flowing from those apps to their users, and in turn puts them “in a unique position to facilitate government surveillance of how users are using particular apps,” Wyden said. He asked the Department of Justice to “repeal or modify any policies” that hindered public discussions of push notification spying.

In a statement, Apple said that Wyden’s letter gave them the opening they needed to share more details with the public about how governments monitored push notifications.

“In this case, the federal government prohibited us from sharing any information,” the company said in a statement. “Now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

Google said that it shared Wyden’s “commitment to keeping users informed about these requests.”

The Department of Justice did not return messages seeking comment on the push notification surveillance or whether it had prevented Apple or Google from talking about it.

Wyden’s letter cited a “tip” as the source of the information about the surveillance. His staff did not elaborate on the tip, but a source familiar with the matter confirmed that both foreign and U.S. government agencies have been asking Apple and Google for metadata related to push notifications to, for example, help tie anonymous users of messaging apps to specific Apple or Google accounts.

The source declined to identify the foreign governments involved in making the requests but described them as democracies allied to the United States.

The source said they did not know how long such information had been gathered in that way.

Most users give push notifications little thought, but they have occasionally attracted attention from technologists because of the difficulty of deploying them without sending data to Google or Apple.

Earlier this year French developer David Libeau said users and developers were often unaware of how their apps emitted data to the U.S. tech giants via push notifications, calling them “a privacy nightmare.”

Source: Governments spying on Apple, Google users through push notifications – US senator | Reuters

Global Climate Tipping points: threats and opportunities accelerate and are going very quickly now. Action is needed.

The world has reached a pivotal moment as threats from Earth system tipping points – and progress towards positive tipping points – accelerate, a new report shows

Story highlights

  • Rapid changes to nature and societies already happening, and more coming
  • The report makes six key recommendations to change course fast
  • A cascade of positive tipping points would save millions of lives

Humanity is currently on a disastrous trajectory, according to the Global Tipping Points report, the most comprehensive assessment of tipping points ever conducted.

The report makes six key recommendations to change course fast, including coordinated action to trigger positive tipping points.

Behind the report is an international team of more than 200 scientists, coordinated by the University of Exeter, in partnership with Bezos Earth Fund. Centre researchers David Armstrong McKay, Steven Lade, Laura Pereira, and Johan Rockström have all contributed to the report.

A tipping point occurs when a small change sparks an often rapid and irreversible transformation, and the effects can be positive or negative.

Based on an assessment of 26 negative Earth system tipping points, the report concludes “business as usual” is no longer possible – with rapid changes to nature and societies already happening, and more coming.

With global warming now on course to breach 1.5°C, at least five Earth system tipping points are likely to be triggered – including the collapse of major ice sheets and widespread mortality of warm-water coral reefs.

As Earth system tipping points multiply, there is a risk of catastrophic, global-scale loss of capacity to grow staple crops. Without urgent action to halt the climate and ecological crisis, societies will be overwhelmed as the natural world comes apart.

Impacts of physical tipping points could trigger social tipping such as financial destabilization, disruption of social cohesion, and violent conflict that would further amplify impacts on people.

Centre researcher Steven Lade

Positive tipping points

But there are ways forward. Emergency global action – accelerated by leaders meeting now at COP28 – can harness positive tipping points and steer us towards a thriving, sustainable future.

The report authors lay out a blueprint for doing this, and say bold, coordinated policies could trigger positive tipping points across multiple sectors including energy, transport, and food.

A cascade of positive tipping points would save millions of lives, billions of people from hardship, trillions of dollars in climate-related damage, and begin restoring the natural world upon which we all depend.

Read “The Global Tipping Points Report” »

Six key recommendations on global tipping points

  • Phase out fossil fuels and land-use emissions now, stopping them well before 2050.
  • Strengthen adaptation and “loss and damage” governance, recognising inequality between and within nations.
  • Include tipping points in the Global Stocktake (the world’s climate “inventory”) and Nationally Determined Contributions (each country’s efforts to tackle climate change)
  • Coordinate policy efforts to trigger positive tipping points.
  • Convene an urgent global summit on tipping points.
  • Deepen knowledge of tipping points. The research team supports calls for an IPCC Special Report on tipping points.

Source: New report: Tipping point threats and opportunities accelerate – Stockholm Resilience Centre

This report was released at COP28 and is being taken extremely seriously by scientists and news people alike – as it should be. Stuff really does need to happen and it’s positive that there are possibly points that we can use to tip the balance in our favour.

NB the official site is down with a 503 error currently, but the OECD has a copy of the report online.

AI Alliance Launches as an International Community of Leading Technology Developers, Researchers, and Adopters Collaborating Together to Advance Open, Safe, Responsible AI

IBM and Meta Launch the AI Alliance in collaboration with over 50 Founding Members and Collaborators globally including AMD, Anyscale, CERN, Cerebras, Cleveland Clinic, Cornell University, Dartmouth, Dell Technologies, EPFL, ETH, Hugging Face, Imperial College London, Intel, INSAIT, Linux Foundation, MLCommons, MOC Alliance operated by Boston University and Harvard University, NASA, NSF, Oracle, Partnership on AI, Red Hat, Roadzen, ServiceNow, Sony Group, Stability AI, University of California Berkeley, University of Illinois, University of Notre Dame, The University of Tokyo, Yale University and others

[…]

While there are many individual companies, start-ups, researchers, governments, and others who are committed to open science and open technologies and want to participate in the new wave of AI innovation, more collaboration and information sharing will help the community innovate faster and more inclusively, and identify specific risks and mitigate those risks before putting a product into the world.

[..]

We are:

  • The creators of the tooling driving AI benchmarking, trust and validation metrics and best practices, and application creation such as MLPerf, Hugging Face, LangChain, LlamaIndex, and open-source AI toolkits for explainability, privacy, adversarial robustness, and fairness evaluation.
  • The universities and science agencies that educate and support generation after generation of AI scientists and engineers and push the frontiers of AI research through open science.
  • The builders of the hardware and infrastructure that supports AI training and applications – from the needed GPUs to custom AI accelerators and cloud platforms;
  • The champions of frameworks that drive platform software including PyTorch, Transformers, Diffusers, Kubernetes, Ray, Hugging Face Text generation inference and Parameter Efficient Fine Tuning.
  • The creators of some of today’s most used open models including Llama2, Stable Diffusion, StarCoder, Bloom, and many others.

[…]

To learn more about the Alliance, visit here: https://thealliance.ai

[…]

Source: AI Alliance Launches as an International Community of Leading Technology Developers, Researchers, and Adopters Collaborating Together to Advance Open, Safe, Responsible AI

We will see – I don’t see any project pages on this quite yet. But this looks like a reasonable idea.

Richard Branson’s wallet too small to support Space travel

Sir Richard Branson is leaving his space tourism company, Virgin Galactic, to stand or fall on its own two feet after declaring that his business empire will not be tipping any more cash into the project.

Branson told the Financial Times: “We don’t have the deepest pockets after COVID, and Virgin Galactic has got $1 billion, or nearly. It should, I believe, have sufficient funds to do its job on its own.”

Virgin Galactic was founded in 2004. Despite setbacks including the crash of VSS Enterprise, the space tourism biz finally managed a suborbital jaunt to the edge of space in 2018. It performed the feat again a few months later in 2019 before flying Branson and pals in a crewed flight in 2021.

Branson’s flight proved controversial, and attracted the ire of the Federal Aviation Authority (FAA) for venturing outside of its allocated airspace. Other issues have kept Virgin Galactic’s suborbital tourism ambitions on the ground until 2023.

Things appeared to be looking up this year as the luxury operator began commercial business again after a successful suborbital test flight and approached a near-monthly cadence. But with tickets starting at $450,000 and a maximum of four paying passengers per flight, turning a profit using the VSS Unity spaceplane and VMS Eve carrier aircraft combination is wishful thinking.

To that end, Virgin Galactic is looking to its upcoming Delta class of spaceplane, which can carry up to six passengers. It also expects eight flights – and revenues of between $21.6 million and $28.8 million per ship – per month from the forthcoming class, according to its third quarter 2023 earnings update [PDF].

However, Virgin Galactic will still be burning cash to get there. Revenue guidance for Q4 2023 stood at $3 million, while its cash flow was expected to be between $125 and 135 million. Virgin Galactic will also be switching to a quarterly cadence before pausing flights of VSS Unity in mid-2024 to focus on building the Delta ships.

Why the need to pause? As well as calling a halt to unprofitable flights, this is likely due, at least in part, to staff cuts announced by boss Michael Colglazier. All told, approximately 185 employees – around 18 percent of the workforce – are to leave the building as the biz seeks to cut costs and focus on what is most likely to make money: the Delta class spaceplanes.

Those employees will not be alone. While Branson told the FT he was “still loving” the Virgin Galactic project, that love does not appear to extend to the entrepreneur’s wallet.

His other rocket startup, Virgin Orbit, perished earlier this year.

Source: Branson’s wallet snaps shut for Virgin Galactic • The Register

Alternative browsers about to die? Firefox may soon be delisted in the US govt support matrix :'(

A somewhat obscure guideline for developers of U.S. government websites may be about to accelerate the long, sad decline of Mozilla’s Firefox browser. There already are plenty of large entities, both public and private, whose websites lack proper support for Firefox; and that will get only worse in the near future, because the ’fox’s auburn paws are perilously close to the lip of the proverbial slippery slope.

The U.S. Web Design System (USWDS) provides a comprehensive set of standards which guide those who build the U.S. government’s many websites. Its documentation for developers borrows a “2% rule” from its British counterpart:

. . . we officially support any browser above 2% usage as observed by analytics.usa.gov.

At this writing, that analytics page shows the following browser traffic for the previous ninety days:

Browser             Share
Chrome              49%
Safari              34.8%
Edge                8.4%
Firefox             2.2%
Safari (in-app)     1.9%
Samsung Internet    1.6%
Android Webview     1%
Other               1%

I am personally unaware of any serious reason to believe that Firefox’s numbers will improve soon. Indeed, for the web as a whole, they’ve been declining consistently for years, as this chart shows:

[Chart: Chrome vs. Firefox vs. Safari browser share for January, 2009, through November, 2023. Image: StatCounter.]

Firefox peaked at 31.82% in November, 2009 — and then began its long slide in almost direct proportion to the rise of Chrome. The latter shot from 1.37% use in January, 2009, to its own peak of 66.34% in September, 2020, since falling back to a “measly” 62.85% in the very latest data.

While these numbers reflect worldwide trends, the U.S.-specific picture isn’t really better. In fact, because the iPhone is so popular in the U.S. — which is obvious from what you see on that aforementioned government analytics page — Safari pulls large numbers that also hurt Firefox.

[…]

Firefox is quickly losing “web space,” thanks to a perfect storm that’s been kicked up by the dominance of Chrome, the popularity of mobile devices that run Safari by default, and many corporate and government IT shops’ insistence that their users rely on only Microsoft’s Chromium-based Edge browser while toiling away each day.

With such a continuing free-fall, Firefox is inevitably nearing the point where USWDS will remove it, like Internet Explorer before it, from the list of supported browsers.

[…]

Source: Firefox on the brink? The Big Three may effectively be down to a Big Two, and right quick.

Competition is important, especially in the world of browsers, which are our window into far and away most of the internet. Allowing one browser to rule them all leads to some very strange and nasty stuff. Not only do they no longer follow (W3C) standards (which IE and Chrome didn’t and don’t), but they start taking extreme liberties with your privacy (a “privacy sandbox” that allows any site to query all your habits!), pick on certain websites and even edit what you see, send your passwords and other personal data to third party sites, share your motion data, refuse to delete private data on you, etc etc etc

Firefox is a very good browser with some awesome addons – and not beholden to the Google or Microsoft or Apple overlords. And it’s the only private one offering you a real choice outside of the Chromium reach.

Microsoft confirms Smart App issue renaming printers to HP, installing HP apps and drivers for no reason

No, it isn’t your imagination. Windows really is installing the HP Smart App and renaming printers without user interaction.

Microsoft has updated its Windows release health dashboard to admit a problem exists. The title of the issue says it all: “Printer names and icons might be changed and HP Smart app automatically installs.”

The problem appears widespread – as well as Windows 11, versions of Windows 10 going right back to the Windows 10 Enterprise 2015 LTSB have been hit by the issue, which appears to affect Windows devices with access to the Microsoft Store. Windows Server, including Windows Server 2012, is also affected.

As a reminder, symptoms of an affected Windows 10 or 11 device include the unexpected and unasked-for installation of the HP Smart App, even if no HP hardware is connected.

However, things can get progressively weirder, and Microsoft has reported that existing printers can end up being renamed HP printers, regardless of manufacturer. We’ve reported on how much HP would like to take control of its ecosystem, but this seems extreme even for the inveterate ink pusher.

According to Microsoft, when renaming occurs, most printers are dubbed the “HP LaserJet M101-M106,” and the printer icons might also be changed. Double-clicking the printer displays the error “No tasks are available for this page.”

So, what is happening? Microsoft said it was still investigating the issue and coordinating with its partners on a solution. It all seems to stem from the mystery automatic installation of the HP Smart App. Windows devices that don’t have access to the Microsoft Store should not be affected, according to the Windows giant.

The Register is awaiting a response from Microsoft on the issue and will update should the company respond.
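A quick triage check for the symptoms described above, added here as an example and not code from Microsoft, HP or The Register. It assumes the HP Smart app's Store package name contains "HPPrinterControl" (an assumption; adjust the pattern to whatever your software inventory shows) and relies only on the built-in Get-Printer and Get-AppxPackage cmdlets.

```powershell
# Added triage script: look for the two symptoms Microsoft lists for this issue.
# Assumption: the HP Smart Store package name contains "HPPrinterControl"; adjust if needed.

# 1. Printers that now carry the name affected devices are renamed to.
#    A non-HP driver or port behind an "HP LaserJet" name is the tell-tale sign.
$renamed = Get-Printer | Where-Object { $_.Name -like 'HP LaserJet M101-M106*' }

foreach ($p in $renamed) {
    [PSCustomObject]@{
        PrinterName = $p.Name
        DriverName  = $p.DriverName
        PortName    = $p.PortName
        # Flag printers whose driver is not an HP driver: almost certainly a renamed non-HP device.
        Suspicious  = ($p.DriverName -notlike 'HP*')
    }
}

if (-not $renamed) { "No printers named 'HP LaserJet M101-M106' found." }

# 2. Was the HP Smart app installed for any user profile without anyone asking for it?
$hpSmart = Get-AppxPackage -AllUsers | Where-Object { $_.Name -like '*HPPrinterControl*' }

if ($hpSmart) {
    foreach ($pkg in $hpSmart) {
        $users = @($pkg.PackageUserInformation).Count
        "HP Smart package present: $($pkg.PackageFullName) (installed for $users user profile(s))"
    }
} else {
    "HP Smart package not present."
}
```

Run it elevated so that -AllUsers can enumerate every profile; a hit on either check on a machine with no HP hardware matches the symptoms Microsoft describes.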

Source: Microsoft confirms Smart App issue renaming printers to HP • The Register

SpyLoan apps don’t give you loans but blackmail you, steal your money, downloaded 12m times on Android – Apple won’t tell you how often they get duped

Since the beginning of 2023, ESET researchers have observed an alarming growth of deceptive Android loan apps, which present themselves as legitimate personal loan services, promising quick and easy access to funds.

Despite their attractive appearance, these services are in fact designed to defraud users by offering them high-interest-rate loans endorsed with deceitful descriptions, all while collecting their victims’ personal and financial information to blackmail them, and in the end gain their funds. ESET products therefore recognize these apps using the detection name SpyLoan, which directly refers to their spyware functionality combined with loan claims.

Key points of the blogpost:

  • Apps analyzed by ESET researchers request various sensitive information from their users and exfiltrate it to the attackers’ servers.
  • This data is then used to harass and blackmail users of these apps and, according to user reviews, even if a loan was not provided.
  • ESET telemetry shows a discernible growth in these apps across unofficial third-party app stores, Google Play, and websites since the beginning of 2023.
  • Malicious loan apps focus on potential borrowers based in Southeast Asia, Africa, and Latin America.
  • All of these services operate only via mobile apps, since the attackers can’t access all sensitive user data that is stored on the victim’s smartphone through browsers.

[…]

All of the SpyLoan apps that are described in this blogpost and mentioned in the IoCs section are marketed through social media and SMS messages, and available to download from dedicated scam websites and third-party app stores. All of these apps were also available on Google Play. As a Google App Defense Alliance partner, ESET identified 18 SpyLoan apps and reported them to Google, who subsequently removed 17 of these apps from their platform. Before their removal, these apps had a total of more than 12 million downloads from Google Play. The last app identified by ESET is still available on Google Play – however, since its developers changed its permissions and functionality, we no longer detect it as a SpyLoan app.

[…]

According to ESET telemetry, the enforcers of these apps operate mainly in Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria, and Singapore (see map in Figure 2). All these countries have various laws that govern private loans – not only their rates but also their communication transparency; however, we don’t know how successfully they are enforced. We believe that any detections outside of these countries are related to smartphones that have, for various reasons, access to a phone number registered in one of these countries.

At the time of writing, we haven’t seen an active campaign targeting European countries, the USA, or Canada.

[…]

ESET Research has traced the origins of the SpyLoan scheme back to 2020. At that time, such apps presented only isolated cases that didn’t catch the attention of researchers; however, the presence of malicious loan apps kept growing and ultimately, we started to spot them on Google Play, the Apple App Store, and on dedicated scam websites.

[…]

Security company Lookout identified 251 Android apps on Google Play and 35 iOS apps on the Apple App Store that exhibited predatory behavior. According to Lookout, they had been in contact with Google and Apple regarding the identified apps and in November 2022 published a blogpost about these apps.

[…]

Once a user installs a SpyLoan app, they are prompted to accept the terms of service and grant extensive permissions to access sensitive data stored on the device. Subsequently, the app requests user registration, typically accomplished through SMS one-time password verification to validate the victim’s phone number.

These registration forms automatically select the country code based on the country code from the victim’s phone number, ensuring that only individuals with phone numbers registered in the targeted country can create an account,

[…]

After successful phone number verification, users gain access to the loan application feature within the app. To complete the loan application process, users are compelled to provide extensive personal information, including address details, contact information, proof of income, banking account information, and even to upload photos of the front and back sides of their identification cards, and a selfie.

[…]

On May 31st, 2023, additional policies started to apply to loan apps on Google Play, stating that such apps are prohibited from asking for permission to access sensitive data such as images, videos, contacts, phone numbers, location, and external storage data. It appears this updated policy didn’t have an immediate effect on existing apps, as most of the ones we reported were still available on the platform (including their broad permissions) after the policy started to apply.

[…]

After such an app is installed and personal data is collected, the app’s enforcers start to harass and blackmail their victims into making payments, even if – according to the reviews – the user didn’t apply for a loan or applied but the loan wasn’t approved.

[…]

Besides the data harvesting and blackmailing, these services present a form of modern-day digital usury, which refers to the charging of excessive interest rates on loans, taking advantage of vulnerable individuals with urgent financial needs, or borrowers who have limited access to mainstream financial institutions. One user gave a negative review (shown in Figure 14) to a SpyLoan app not because it was harassing him, but because it had already been four days since he applied for a loan, but nothing had happened and he needed money for medication.

[…]


Source: Beware of predatory fin(tech): Loan sharks use Android apps to reach new depths