Many apps I use are moving to a subscription model (a.k.a. Software-as-a-Service in the corporate world). As each one makes the move, I take a closer look at why.

Immediate red flags for me are when the developers justify the move with any of these:

  • Implemented a custom proprietary sync mechanism
  • Implemented encryption
  • Costs are rising
  • Push notifications (in most apps, unnecessary chrome)
  • Theming, styling, icons and/or dark mode (again, unnecessary chrome)

The subscription apps I do pay for, and why:

  • Apollo (Reddit reader app): superior to the native app & other options; theming; and to support development
  • CARROT Weather (Weather app) Tier 2: additional data sources; Apple Watch; map layers; and other stuff
  • Fiery Feeds (RSS reader app): for “Smart Views” ; to support development; and I read a lot of feeds
  • Overcast (Podcast app): to remove ads; to support development; and I listen to a lot of podcasts

Apollo trips two of my red flags, yet the developer is extremely responsive; his app is head and shoulders better than the native Reddit app; and he regularly pushes out updates for security fixes, bug fixes, functionality, and chrome.

CARROT Weather also pushes out frequent updates for security fixes, bug fixes, functionality, and chrome, and is likewise better than the other options.

Overcast does too, though more judiciously and with less emphasis on chrome. I like Pocket Casts as well, but less so.

Some apps that I avoid in the subscription model but use in their legacy or alternate license mode:

It turns out that there is a problem downloading from the GNU [ELPA] archive that’s related to TLS. Happily, the answer is simple: just add

(setq gnutls-algorithm-priority "NORMAL:-VERS-TLS1.3")

to your init.el file. […]

If you’re getting weird errors when you download from the GNU repository, try adding the above line to your file. It worked well for me.

(Via Irreal)

I ran into this very issue the other day but didn’t have time to run it down.
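A scoped version of that workaround, added here as an example (it is not from Irreal's post or from the original author): `gnutls-algorithm-priority` is a GnuTLS priority string that applies to every TLS connection Emacs makes (package archives, EWW, Gnus, and so on), not just to GNU ELPA, so refusing TLS 1.3 globally is a downgrade worth gating and pairing with a check. The `my/` names, the 26.3 version threshold, and the hostname used for the check are assumptions, not anything the post states.

```elisp
;; Added example, not code from the original post or from Irreal.
;; Gate the TLS 1.3 downgrade so it is only applied where it is needed,
;; keep certificate verification strict, and provide a way to confirm
;; what actually got negotiated.

(defconst my/elpa-tls13-workaround-until "26.3"
  "First Emacs version assumed not to need the TLS 1.3 downgrade.
This threshold is an assumption: adjust it to the first release that
downloads from GNU ELPA cleanly for you.")

(defun my/elpa-tls13-workaround-needed-p ()
  "Return non-nil when the GNU ELPA TLS 1.3 workaround should be applied.
True only when GnuTLS support is compiled in and this Emacs is older
than `my/elpa-tls13-workaround-until'."
  (and (fboundp 'gnutls-available-p)
       (gnutls-available-p)
       (version< emacs-version my/elpa-tls13-workaround-until)))

(when (my/elpa-tls13-workaround-needed-p)
  ;; Keep the NORMAL suite and only refuse to negotiate TLS 1.3.
  (setq gnutls-algorithm-priority "NORMAL:-VERS-TLS1.3"))

;; Whatever you do about the protocol version, do not "fix" the download
;; error by loosening these; they are what protects package installs.
(setq gnutls-verify-error t)                   ; fail closed on certificate errors
(setq package-check-signature 'allow-unsigned) ; Emacs 26 default: verify archive
                                               ; signatures whenever they are present

(defun my/elpa-tls-check (&optional host)
  "Open a TLS connection to HOST (default elpa.gnu.org) and return the
negotiated protocol string, e.g. \"TLS1.2\".  Evaluate with M-: after
changing the priority string to confirm the downgrade took effect."
  (let* ((host (or host "elpa.gnu.org"))   ; assumed host for the check
         (proc (open-network-stream "elpa-tls-check" nil host 443 :type 'tls))
         (status (gnutls-peer-status proc)))
    (prog1 (plist-get status :protocol)
      (delete-process proc))))
```

Once you are on a release that no longer needs it, drop the `setq` entirely rather than leaving a permanent protocol downgrade in init.el; the check function makes it easy to confirm TLS 1.3 is back.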

Security Monitor by Riccardo Mori:

Now I’ve switched to ‘active distrust’ mode towards Apple. I don’t feel 10.14 Mojave brings anything particularly useful to me, and 10.15 Catalina even less so. Nothing really worth leaving High Sierra and its general stability behind. Everything I’m reading about Catalina, the experiences of those valiant people trying out the beta, and the technical observations of the more expert users and Mac developers, gives me the impression that Catalina is perhaps the first version of Mac OS that is more useful to Apple rather than their users, if you get my drift.

I can’t agree more. My personal machines (a 2011 Mac Mini Server and a 2015 MacBook Pro) are still on High Sierra because Apple is, IMHO, no more reliable than any other vendor. My work 2015 MacBook Air is force-updated by the CIO Office to every macOS release (major, minor, and supplemental), to the point where internal sites are filling up with complaints about forced reboots during client meetings, presentations, customer maintenance, end-of-month and end-of-quarter activities, and other sensitive moments.

Which makes me wonder yet again: why do people forget about availability (one third of the CIA triad) when talking about security?

Finally got my Emacs setup just how I like it:

Now I just need a Mac IIcx to put it in and I’m good to go. Thanks, mly!


(Via jwz)

#jealous

No clue what to do about it, but sure something should be done about it, and picking the wrong thing to do about it: the Trump administration in a nutshell. There’s already been a “sensational case” – the San Bernardino one in 2016 – and the FBI paid an Israeli company about $1m to break into the iPhone in question, to find nothing useful. There was more, and better, data on the terrorists’ Facebook profiles.

(Via The Overspill)

Similar to my earlier post on AG Barr’s complete lack of understanding about how encryption actually works and benefits the entire economy.

Attorney General William Barr Really Wants to Read Your iMessages:

It is almost impressive how people with no clue about how encryption works have, time and time again, ignored the advice of actual experts in it. If [US Attorney General William] Barr were in charge of NASA, he’d demand a faster-than-light Space Shuttle even after being told that it is impossible.

(Via Pixel Envy)

This Ars Technica article is a pretty good summary of Barr’s latest attack on working encryption.

IBM: Breach Costs Impact Firms For Years:

The average global cost of a data breach has risen again, with experts at IBM claiming the financial impact can be felt for years after an incident. […]

The headline figure has risen from $3.86m to $3.92m over the past year, and in total by over 12% over the past five years, IBM claimed. However, in the US it is more than double this figure, at $8.19m.

Smaller companies with fewer than 500 employees suffered losses on average of over $2.5m, a potentially fatal sum. Mega breaches of over one million records cost $42m, while those of 50 million records are estimated to cost companies $388m.

For the first time, IBM measured the financial impact of a data breach over several years. It found that on average 67% of data breach costs were realized within the first year after a breach, but over a fifth (22%) accrued in the second year and another 11% did so more than two years after the initial incident.

Organizations in highly regulated environments like healthcare and financial services were more likely to see higher costs in the second and third years, it claimed.

Malicious breaches accounted for the majority (51%) of cases, up 21% over the past six years, and cost firms more – on average $4.45m per breach. However, accidental breaches accounted for nearly half (49%) of all incidents, with human error ($3.5m) and system glitches ($3.24m) costing slightly less than the global breach average.

For the ninth year in a row, healthcare organizations suffered the highest cost of a breach – nearly $6.5m on average.

IBM claimed that extensively tested incident response plans can minimize the financial impact of a breach, saving on average $1.23m.

Other factors affecting the cost of a breach include how many records were lost, whether the breach came from a third party and whether the victim organization had in place security automation tech and/or used encryption extensively.

(Via Infosecurity)

Highlights from my employer’s annual Cost of a Data Breach study. The live version including the calculator is here. Check it out (registration required).

Emacs! In the New York Times!:

Paul Ford, co-founder and chief executive of Postlight, has a delightful paean to open source in The New York Times Magazine. In the article, Letter of Recommendation: Bug Fixes, Ford talks about the joys of open source and the pleasures of browsing through a program’s history with a version control system like Git. He says he likes to read commits like a newspaper. It tells him what he can do today that he couldn’t do yesterday. One of the main examples he gives of an important open source project is Emacs.

He talks about Emacs going back 40 years and how much one can learn by examining how the code evolved. Over 600 people made almost 140,000 commits to make Emacs what it is today. It is, he says, the Ship of Theseus in code form. Ford remarks, “I read the change logs, and I think: Humans can do things.”

None of this is news to Irreal readers, of course, but it is significant that it’s appearing in a general purpose publication like the New York Times. Most often, what we do appears to be mysterious and arcane to the general public. Ford does a good job of capturing the flavor of some of it.

(Via Irreal)

Sweet! It’s a bit Utopia-ish, but I like the shout out for Emacs (naturally).

From the Mozilla Bugzilla entry:

This patch adds the platform agnostic media selector and changes the way our themes behave as follows: If the default Firefox theme is selected, Firefox will match the system appearance (current default theme in light mode, dark theme in dark mode). Note that about:addons will continue to show “default” as the selected theme, even when it is technically using the dark theme under the hood to match the system’s dark mode. If any Firefox theme other than “default” is selected in about:addons, Firefox will not change themes when the system appearance changes.

This is missing from the release notes. I think this is true for macOS and Windows. I am not sure about other platforms.

Granted, this is not the most egregious lapse CBP and its ecosystem have wrought. But it might be the one that gets traction.

US Customs Contractor Hack Breaches Traveller Images:


US Customs and Border Protection (CBP) has admitted a data breach at a sub-contractor has compromised images of individuals and vehicles entering and leaving the country.

The controversial agency first learned of the “malicious cyber-attack” on May 31.

And we know this was a “malicious cyber-attack” exactly how? 

“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” it said in a statement.

“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract.”

“Security by contract” isn’t a thing. And the data was breached … how?


(Via Infosecurity, and reported in many other places, I’m sure.)

CBP and the Transportation Security Administration (TSA) both fall under the Department of Homeland Security (DHS). Their collective track record on privacy, cybersecurity, and basic physical security leaves much to be desired.

Which leaves me scratching my head about why Delta asks their customers to risk their unchangeable biometric data in a breach for convenience. And, to be clear, the convenience of the boarding gate scanners at some US airports is not for the passengers – it’s for Delta.

I always opt out. Not a U.S. citizen? Or you are but maybe your name (or one like yours) is on a watchlist? I have nothing for you, I’m afraid.

Back to the breach! Thank goodness CBP is now on the case. Per the Atlantic,

CBP claims they’ve already conducted a search, but haven’t found any of the stolen images on the dark web, where hackers sometimes post stolen information for sale. In its statement to The Atlantic, CBP said it’s working with law enforcement to continue the search and survey the full extent of the damage. It hasn’t yet commented on the scope of the breach or offered specifics on the data that was stolen. Perceptics did not immediately respond to a request for comment.

And how do we know which third-party vendor left this data vulnerable? CBP told us, by way of the Washington Post:

CBP would not say which subcontractor was involved. But a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.”

Perceptics representatives did not immediately respond to requests for comment.

CBP spokeswoman Jackie Wren said she was “unable to confirm” if Perceptics was the source of the breach.

This whole thing – from prevention to protection to monitoring to response to recovery – was manageable. Yet another takeaway is that CBP has no Incident Response Plan (IRP) at even the most basic level. How do we know? Otherwise they would not have sent the press a Word document titled with the name of the vendor that is the source of the leak.

It also throws into question the whole idea of a “malicious cyber-attack”. It seems more likely that Perceptics, the alleged source of the leak, failed to safeguard data that, per CBP, their contract barred them from copying and that they nonetheless acquired without CBP’s knowledge.

Hanlon’s Razor says to never attribute to malice that which is adequately explained by stupidity. Maybe the corollary in this case is never attribute to “malicious cyber-attack” that which is adequately explained by opportunism met by trivial, if any, security? I merely speculate … 

Why do I feel a bunch of SSSS-branded boarding passes in my future?