FIDO Alliance Publishes Draft Working Specifications for Passkeys, invites feedback

The FIDO Alliance has published a working draft of a new set of specifications for secure credential exchange that, when standardized and implemented by credential providers, will enable users to securely move passkeys and all other credentials across providers. The specifications are the result of commitment and collaboration amongst members of the FIDO Alliance’s Credential Provider Special Interest Group, including representatives from: 1Password, Apple, Bitwarden, Dashlane, Enpass, Google, Microsoft, NordPass, Okta, Samsung and SK Telecom.

[…]

FIDO Alliance’s draft specifications – Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) – define a standard format for transferring credentials in a credential manager, including passwords, passkeys and more, to another provider in a manner that ensures transfers are not made in the clear and are secure by default.

Once standardized, these specifications will be open and available for credential providers to implement so their users can have a secure and easy experience when and if they choose to change providers.

The working draft specifications are open to community review and feedback; they are not yet intended for implementation as the specifications may change. Those interested can read the working drafts here, and provide feedback on the Alliance’s GitHub repo. Drafts are expected to be updated and published for public review often until the specifications are approved for implementation.

[…]

Source: FIDO Alliance Publishes New Specifications to Promote User Choice and Enhanced UX for Passkeys – FIDO Alliance

So for all you authentication managers out there, it looks like a new standard will emerge soon. BTW it is very noticeable that LastPass is missing from the parties in the FIDO Alliance.

Windows 11 24H2 disk space hoarding a ‘reporting error’ – don’t know which is worse though

[…] Many Windows 11 24H2 users, this writer included, saw a chunk of disk space occupied by “Windows Update Cleanup” after running the Disk Cleanup tool. Efforts to reclaim the space proved fruitless.

The cause, according to Microsoft, is not necessarily due to a change in how the company has implemented updates in Windows 11 24H2. Instead, it appears to be a bug in reporting disk space.

Microsoft added the problem to the list of known issues with the Windows 11 24H2 release on October 14, 2024, with the following explanation: “This is a reporting error. When ‘Windows Update Cleanup’ is selected and Disk Cleanup is run for the first time, some or all files in that category (for example, 15 GB) are cleaned up correctly and the related disk space is freed as expected.

“However, after this initial run, the tool may inaccurately report an amount of space still available for cleanup (for example, 88 GB) in the ‘Windows Update Cleanup’ category. This inaccurate amount of disk space is reported even though the space was already freed in the initial run.”

According to Microsoft, the tool inaccurately reports how much disk space could be freed. Microsoft said it is “working on a resolution and will provide more information when it is available.”

How this “reporting error” came to be in the production build is unclear, particularly since complaints about it have been rumbling for a while now in Microsoft’s Feedback Hub. Microsoft eventually responded to our query, but only to say it would “look into this and circle back,” with a link to the Release Health Dashboard.

[…]

Source: Windows 11 24H2 disk space hoarding a ‘reporting error’ • The Register

So where is it worse to have the error?!

AI-Powered Social Media Manipulation App Impact facilitates zealots flooding posts with AI texts to look real

Impact, an app that describes itself as “AI-powered infrastructure for shaping and managing narratives in the modern world,” is testing a way to organize and activate supporters on social media in order to promote certain political messages. The app aims to summon groups of supporters who will flood social media with AI-written talking points designed to game social media algorithms.

In video demos and an overview document provided to people interested in using a prototype of the app that have been viewed by 404 Media, Impact shows how it can send push notifications to groups of supporters directing them at a specific social media post and provide them with AI-generated text they can copy and paste in order to flood the replies with counter arguments.

[…]

The app also shows another way AI-generated content could continue to flood the internet and distort reality in the same way it has distorted Google search results, books sold on Amazon, and ghost kitchen menus.

[…]

One demo video viewed by 404 Media shows one of the people who created the app, Sean Thielen, logged in as “Stop Anti-Semitism,” a fake organization with a Star of David icon (no affiliation to the real organization with the same name), filling out a “New Action Request” form. Thielen decides which users to send the action to and what they want them to do, like “reply to this Tweet with a message of support and encouragement” or “Reply to this post calling out the author for sharing misinformation.” The user can also provide a link to direct supporters to, and provide talking points, like “This post is dishonest and does not reflect actual figures and realities,” “The President’s record on the economy speaks for itself,” and “Inflation has decreased [sic] by XX% in the past six months.” The form also includes an “Additional context” box where the user can type additional detail to help the AI target the right supporters, like “Independent young voters on Twitter.” In this case, the demo shows how Impact could direct a group of supporters to a factual tweet about the International Court of Justice opinion critical of Israel’s occupation of the Palestinian territories and flood the replies with AI-generated responses criticizing the court and Hamas and supporting Israel.

[…]

Becca Lewis, a postdoctoral scholar at the Stanford Department of Communication, said that when discussing bot farms and computational propaganda, researchers often use the term “authenticity” to delineate between a post shared by an average human user, and a post shared by a bot or a post shared by someone who is paid to do so. Impact, she said, appears to use “authentic” to refer to posts that seem like they came from real people or accurately reflect what they think even if they didn’t write the post.

“But when you conflate those two usages, it becomes dubious, because it’s suggesting that these are posts coming from real humans, when, in fact, it’s maybe getting posted by a real human, but it’s not written by a real human,” Lewis told me. “It’s written and generated by an AI system. The lines start to get really blurry, and that’s where I think ethical questions do come to the foreground. I think that it would be wise for anyone looking to work with them to maybe ask for expanded definitions around what they mean by ‘authentic’ here.”

[…]

The “Impact platform” has two sides. There’s an app for “supporters (participants),” and a separate app for “coordinators/campaigners/stakeholders/broadcasters (initiatives),” according to the overview document.

Supporters download the app and provide “onboarding data” which “is used by Impact’s AI to (1) Target and (2) Personalize the action requests” that are sent to them. Supporters connect to initiatives by entering a provided code, and these action requests are sent as push notifications, the document explains.

“Initiatives,” on the other hand, “have access to an advanced, AI-assisted dashboard for managing supporters and actions.”

[…]

“I think astroturfing is a great way of phrasing it, and brigading as well,” Lewis said. “It also shows it’s going to continue to siphon off who has the ability to use these types of tools by who is able to pay for them. The people with the ability to actually generate this seemingly organic content are ironically the people with the most money. So I can see the discourse shifting towards the people with the money to shift it in a specific direction.”

Source: AI-Powered Social Media Manipulation App Promises to ‘Shape Reality’

This is basically a tool which can really only be used for evil.

Developers Now Required to Share Phone Number and Address on EU App Store to Meet ‘Trader’ Requirement

Apple today reminded developers that the EU trader requirement in the European Union is now being enforced. Developers who distribute apps in the EU will now need to share information that includes address, phone number, and email address on the EU App Store.

Submitting updates for apps on the App Store in the European Union now requires trader information that’s added via App Store Connect, with those details shared on each developer’s App Store page. App updates can no longer be submitted without trader information, and starting on February 17, 2025, apps that do not have a trader status set will be removed from the App Store in the EU until trader status is provided and verified.

The Digital Services Act (DSA) in the European Union requires Apple to verify and display trader contact information for all “traders” who are distributing apps on the App Store in the European Union. Developers who make money from the App Store through either an upfront purchase price or through in-app purchases are considered traders, regardless of size.

[…]

Source: Developers Now Required to Share Phone Number and Address on EU App Store to Meet ‘Trader’ Requirement – MacRumors

If You Ever Rented From Redbox, Your Private Info Is Up for Grabs

If you’ve ever opted to rent a movie through a Redbox kiosk, your private info is out there waiting for any tinkerer to get their hands on it. One programmer who reverse-engineered a kiosk’s hard drive proved the Redbox machines can cough up transaction histories featuring customers’ names, emails, and rentals going back nearly a decade. It may even have part of your credit card number stored on-device.

[…]

A California-based programmer named Foone Turing managed to grab an unencrypted file from the internal hard drive containing a file that showed the emails, home addresses, and the rental history for either a fraction or the whole of those who previously used the kiosk.

[…]

Turing told Lowpass that the Redbox stored some financial information on those drives, including the first six and last four digits of each credit card used and “some lower-level transaction details.” The devices did apparently connect to a secure payment system through Redbox’s servers, but the systems stored financial information on a log in a different folder than the rental records. She told us that it’s likely the system only stored the last month of transaction logs.

[…]

Source: If You Ever Rented From Redbox, Your Private Info Is Up for Grabs

Which is a great illustration of why there need to be some regulations about what happens to personal data when a company is sold or goes bust.

All U.S. Smartphones Must Be Compatible With Hearing Aids, FCC Says


I’m a loud proponent for accessibility in tech, though, sadly, I don’t get to celebrate it often. This week, the U.S. Federal Communications Commission delivered a rare win by mandating that all mobile phones be hearing aid compatible.

The new mandate, announced Thursday, also discouraged phone manufacturers from incorporating proprietary Bluetooth standards on their products as that could potentially complicate the process of connecting to hearing aids. Instead, it established a new Bluetooth pairing requirement that should facilitate a simpler and more universal connectivity between smartphones and hearing aids.

The FCC also required smartphone manufacturers to ensure their devices are meeting the volume control benchmarks, so users can crank up their smartphones’ volume without having their content suffer from distortion. Turning the volume up on a device often reveals its weakness and takes away crispness and detail, so I’m happy there’s finally a check for this measure; this specific requirement will also benefit people without hearing loss.

[…]

According to an FCC fact sheet, the transition period to adapt to the new mandate is 24 months for smartphone manufacturers, 30 months for nationwide service providers, and 42 months for non-nationwide providers. It adds that it will ensure non-compatible devices are no longer sold when the transition period ends.

[…]

Source: All U.S. Smartphones Must Be Compatible With Hearing Aids, FCC Says

Microsoft said it lost weeks of security logs for its customers’ cloud products

Microsoft has notified customers that it’s missing more than two weeks of security logs for some of its cloud products, leaving network defenders without critical data for detecting possible intrusions.

According to a notification sent to affected customers, Microsoft said that “a bug in one of Microsoft’s internal monitoring agents resulted in a malfunction in some of the agents when uploading log data to our internal logging platform” between September 2 and September 19.

The notification said that the logging outage was not caused by a security incident, and “only affected the collection of log events.”

Business Insider first reported the loss of log data earlier in October. Details of the notification have not been widely reported. As noted by security researcher Kevin Beaumont, the notifications that Microsoft sent to affected companies are likely accessible only to a handful of users with tenant admin rights.

[…]

The affected products include Microsoft Entra, Sentinel, Defender for Cloud, and Purview, according to the Business Insider report.

[…]

The logging outage comes a year after Microsoft came under fire from federal investigators for withholding security logs from certain U.S. federal government departments that host their emails on the company’s hardened, government-only cloud; investigators said having access to those logs could have identified a series of China-backed intrusions far sooner.

The China-backed intruders, referred to as Storm-0558, broke into Microsoft’s network and stole a digital skeleton key that allowed the hackers unfettered access to U.S. government emails stored in Microsoft’s cloud.

[…]

Following the China-backed hacks, Microsoft said it would start providing logs to its lower-paid cloud accounts from September 2023.

Source: Microsoft said it lost weeks of security logs for its customers’ cloud products | TechCrunch

Cloud problems scale so very very well. Everyone has a problem if your cloud provider has one.
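The practical lesson of the Microsoft story for defenders is that a log source going quiet is itself a detection: if the provider stops delivering events, the SIEM should raise an alert rather than silently show an empty timeline. The script below is an added example written for this post, not code from Microsoft, TechCrunch or any SIEM vendor. It assumes you can pull a list of per-source "last event received" timestamps from your logging platform (the `SAMPLE_INGESTION` dictionary is constructed sample data in which one source goes silent for a window shaped like the September 2 to 19 outage described above) and flags every silence longer than a configurable threshold, including a still-open trailing gap measured against the current time.

```python
from datetime import datetime, timedelta

# Constructed sample data: ingestion heartbeat timestamps (ISO 8601, UTC) per log
# source. In a real pipeline these would come from the SIEM's per-source
# "last event received" metric; the names and times here are made up.
SAMPLE_INGESTION = {
    "entra-signin": [
        "2024-09-01T00:00:00", "2024-09-01T12:00:00", "2024-09-02T00:00:00",
        # nothing arrives between Sept 2 and Sept 19 (the shape of the outage above)
        "2024-09-19T12:00:00", "2024-09-20T00:00:00",
    ],
    "defender-alerts": [
        "2024-09-01T00:00:00", "2024-09-01T12:00:00", "2024-09-02T00:00:00",
        "2024-09-02T12:00:00", "2024-09-03T00:00:00",
    ],
}


def parse(ts):
    """Parse an ISO 8601 timestamp string into a naive UTC datetime."""
    return datetime.fromisoformat(ts)


def find_gaps(ingestion, max_silence=timedelta(hours=24), now=None):
    """Return a list of (source, gap_start, gap_end, duration) tuples, one for
    every silence between consecutive events longer than max_silence.

    If `now` is given, a source whose last event is older than max_silence is
    also reported as a trailing (still open) gap ending at `now`.
    """
    gaps = []
    for source, stamps in ingestion.items():
        times = sorted(parse(s) for s in stamps)
        # Closed gaps: consecutive events further apart than the threshold.
        for earlier, later in zip(times, times[1:]):
            if later - earlier > max_silence:
                gaps.append((source, earlier, later, later - earlier))
        # Open gap: the source has been silent since its last event.
        if now is not None and times and now - times[-1] > max_silence:
            gaps.append((source, times[-1], now, now - times[-1]))
    return gaps


def describe(gaps):
    """Render gap tuples as one human-readable alert line each."""
    return [
        f"ALERT {source}: no events from {start.isoformat()} to {end.isoformat()} ({dur})"
        for source, start, end, dur in gaps
    ]


if __name__ == "__main__":
    # Evaluate the sample as if it were 2024-09-20 12:00 UTC (constructed "now").
    for line in describe(find_gaps(SAMPLE_INGESTION, now=parse("2024-09-20T12:00:00"))):
        print(line)
```

The threshold should be set per source from its normal cadence: a sign-in log that normally delivers thousands of events an hour deserves a much shorter `max_silence` than a weekly compliance export, and the trailing-gap check is the one that would have fired on day one of a multi-week outage rather than after it ended.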