Support for Apple Passkeys on Older Devices

Apple Passkeys:

At WWDC, Apple just announced Passkeys, their implementation of the FIDO protocols that aim to replace passwords. In Apple’s case, this capability will be available with iOS 16 and macOS Ventura, probably this fall. The other vendors are doubtless planning similar releases in a similar timeline.

Dan Moren from Six Colors has a post that gives a nice explanation of Passkeys and its operation by endusers. If you’re an Apple user with some or all of your passwords stored in the Apple iCloud Keychain, nothing much will change: you’ll authenticate with a fingerprint or face ID and a cryptographic exchange takes place between your device and the remote site to verify you. You can even use one device to log into another. Take a look at Moren’s post for the details.

(Via Irreal)

What I want Apple to do to enhance this is to extend this and other privacy efforts backwards so older Macs and other devices can take advantage.

For example, I have a 2012 Mac Mini that doesn’t support Apple Pay natively. I can use my more modern iOS devices to approve purchases made on that machine. But it doesn’t support Hide My Email or other privacy mechanisms.

Get on this, Apple!

※ In post-Roe world, privacy researcher worries about a ‘scenario where everyone is a sheriff’

In post-Roe world, privacy researcher worries about a ‘scenario where everyone is a sheriff’:

“Your phone is the snitch in your pocket,” cybersecurity researcher Zach Edwards told the Click Here podcast this week. “Every app that you download, the permissions that you give that app, all of the other… companies that are integrated into that app also get those same permissions.”

Edwards’ area of expertise is focusing on data brokers, the companies that bundle up personal information, create anonymous profiles, and then sell it. Among other things, they keep track of the websites you visit, your GPS location, how long you’re staying in one place, and a roster of other bits of your digital dust to create pattern data. Then, anyone with a credit card can buy it.

Shortly after Politico published a Supreme Court draft opinion suggesting the conservative majority was prepared to overturn Roe v. Wade, the landmark decision legalizing abortion, Edwards went into a roster of data broker platforms to see how the information stored there might be weaponized in states that come to outlaw — and possibly criminalize — abortion. 

Some of his findings were published in a report by Joseph Cox at Motherboard, which made clear that just about anyone with the inclination and a credit card could access granular data about abortion clinics from public sites like SafeGraph and Placer.ai  (both companies have since removed Planned Parenthood as a searchable option).

In the latest episode of Click Here, Edwards explained how simple weaponizing data can be and  why people living in rural areas need to be especially careful. 

(By Dina Temple-Raston and Will Jarvis at The Record)

Zach Edwards is not wrong. The ease with which one can acquire bulk surveillance data in the US without ever having to do the surveillance is frightening.

The US needs strong privacy legislation. Tech moguls don’t want it.

I recommend asking those seeking your vote what they will do in office to protect privacy, among other problems with such legislation.

The sky, black with lawyers

jwz on How to fix social media:

What we need is this one simple trick:

A site that scrapes, collates, and de-dups your friends’ posts on every social media site, and then shows you the union of all of those posts as one feed.

This is the only way to break Facebook’s back: to allow your friends’ transition from one social network’s data silo to another to be so gradual and effortless that you don’t even notice it happening.

The thing that makes this difficult, of course, is not the coding, but the fact that if you succeed at it in any meaningful way, the sky will blacken with lawyers, and the data silos’ spending on technical countermeasures will absolutely smother you.

Sadly, people have little agency in all of this. Social Media’s End User License Agreements (EULA) and Terms of Service (TOS) make that clear.

Hurtful language hurts politicians

United States Senator Bill Hagerty on Tuesday joined Senator Tom Cotton (R-AR) and nine other colleagues to introduce the Public Servant Protection Act, which protects public officials and employees and their families from having their home addresses displayed publicly online. Text of the bill may be found here. …

United States Senator Bill Hagerty on Tuesday joined Senator Tom Cotton (R-AR) and nine other colleagues to introduce the Public Servant Protection Act, which protects public officials and employees and their families from having their home addresses displayed publicly online. Text of the bill may be found here.

(Via Chattanoogan.com)

That’s not how free speech works.

Should public servants and their families be protected by law enforcement? Yes. We all should, and those serving in office should get protection specific to their role as the vitriol is particularly incendiary and the service they provide is important.

Should government officials be sheltered from voters who disagree with them, those who say things they don’t like, in a peaceful manner? No. If the voices are dangerous? Yes.

Should journalists and news outlets couch political grandstanding as “protection” from “threats”? No.

Should public employee addresses be public record? That’s not clear cut. I think elected officials should have their addresses on record since their residence is part of the requirement to hold office. If public service employees, like fire and police, are required to live in their community, then that should be public record as well.

Of course, this is largely moot. Most everyone volunteers their location on social media. It would not take much work to figure out where a public servant lives based on posts by themselves, their significant others, or their offspring.

Lawn care specialists, house cleaning professionals, au pairs, and the like could also post location information.

Maybe neighbors post their own information and it becomes easy to triangulate a voted-on public servant’s house?

No escape

There is no way to escape the machine systems that surveil us, whether we are shopping, driving or walking in the park. All roads to economic and social participation now lead through surveillance capitalism’s profit-maximizing institutional terrain, a condition that has intensified during nearly two years of global plague.

(Shoshana Zuboff via NYT)

Compare this with the underhanded way Vizio spies on paying customers:

If you think that some companies want to make money the honest way, by selling you stuff, while other companies are full of evil wizards who want to spy on you in order to deprive you of free will, then the answer is simple: just pay for stuff, and you’ll be fine. But time and again, we learn that companies spy on you – and abuse you in other ways – whenever it suits them – even companies that make a lot of noise about how they don’t need to spy on you to make money.

(Via Cory Doctorow)

The outside world is surveilled. I don’t like it. What I can do about it, I do.

The inside world, the world in my house and yard and car, that I only want surveilled by one person — me.

  • When I shop for a new thing I ask a few key questions:
    • Will the device work without a network connection?
    • Without a subscription?
    • Without advertising? Tracking?
    • Do I own the thing I bought?
    • Can I repair it? Modify it? Resell it?

    Analog stuff is great. There is no debate. Getting “smart” in one’s home is harder.

    H/t Dave Pell.

    The US military’s privacy pearl clutching

    Status

    The Ease of Tracking Mobile Phones of U.S. Soldiers in Hot Spots – WSJ:

     

    In 2016, a U.S. defense contractor named PlanetRisk Inc. was working on a software prototype when its employees discovered they could track U.S. military operations through the data generated by the apps on the mobile phones of American soldiers.

    …  The discovery was an early look at what today has become a significant challenge for the U.S. armed forces: how to protect service members, intelligence officers and security personnel in an age where highly revealing commercial data being generated by mobile phones and other digital services is bought and sold in bulk, and available for purchase by America’s adversaries.

     

    A bunch of thoughts:

    I can’t help but immediately think about the push in many political quarters to weaken security by breaking encryption. I’ll get back to that.

    Why did this get attention in 2016? And no, this was not “an early look”.

    The government has known for decades that cell phones are trackable if they have power and their transceiver is on. It’s how cell phones work. Anyone who’s watched any incarnation of Law & Order in this century or the last also knows this. The government could have mandated a phone system that would have afforded protections but the carriers resisted, I expect.

    And don’t forget cell phones aren’t always phones – laptops and tablets and watches and Kindles and a bunch of other things might – and eventually will – have cell connectivity. With 5G, the distinction might go away if the media (cell, wired, wifi, &c.) converge as advertised. Imagine golf gloves that report your stats back to the cloud.

    By the way, all that additional social media data is gravy to the buyer, but someone specifically wanting to track the movement of US military personnel around the globe don’t need it … from military personnel.

    Take this scenario:

    • They script a tool like the McDonalds Ice Cream Machine tracker to scrape airline seat assignments to see if open seat availability suddenly drops on certain routes;
    • They scrape social media for hub airport and airline workers who are talking about increases in military personnel coming through; and
    • They watch counts for private Facebook groups for military families to see if their memberships increase.

    Based off of that trivial-to-collect data (It’s free or for sale), and we assume they just generally monitor social media and the news, it’s not hard to get an idea of what’s happening. And before anyone complains that my loose lips are sinking ships, this is a simple scenario that is well understood and the plot of several books, movies, and TV shows.

    Note, my above scenario assumes all the military personnel are disconnected and analog.

    Also note that the above scenario works for advertisers as well as it does for bad actors and for industrial espionage …  and other use cases..

    That things would evolve into what the Wall Street Journal article describes was predictable:

    buried in the data was evidence of sensitive U.S. military operations by American special-operations forces in Syria. The company’s analysts could see phones that had come from military facilities in the U.S., traveled through countries like Canada or Turkey and were clustered at the abandoned Lafarge Cement Factory in northern Syria, a staging area at the time for U.S. special-operations and allied forces.

    The U.S. military’s clutching of pearls and muttering, “Well, I do declare that I never …  ,” about this situation is perhaps disingenuous. ※

    The U.S. government has built robust programs to track terrorists and criminals through warrantless access to commercial data. Many vendors now provide global location information from mobile phones to intelligence, military and law-enforcement organizations.

    But those same capabilities are available to U.S. adversaries, and the U.S.—having prioritized a free and open internet paid for largely through digital advertising with minimal regulation of privacy—has struggled to effectively monitor what software service members are installing on devices and whether that software is secure.

    Which brings us back to encryption – strong, uncompromized encryption –  is one of the tools that the government could bring to bear to help protect troop movements. There are innumerable ways they could, and do, leverage encryption. By the way, we need strong encryption for e-commerce, on-line banking, and a ton of other critical things.

    There’s some reflection on the tech industry welding batteries into their phones (and devices) and adopting eSIMs, predicating an always on-line but always trackable society, that needs considering.

    Solving this problem, the consolidation of anyone’s/everyone’s/each-of-our on-line and off-line life into a revenue stream for the advertising companies that are Facebook and Google, one that is very much the government’s own creation yet needs to be solved by the government, is a complex undertaking that will require the private sector to forgo some profits for the greater good. Oh, it could fix some of the military troop movement leak issue as a byproduct.

    ※ There is a American trope about the White southern belle or matriarch who, when faced with realities with which she does not want to deal, does what I describe.

    The End of Reputation

    AI can now easily (8 seconds) change the identity of someone in a film or video.
    Multiple services can now scan a few hours of someone’s voice and then fake any sentence in that person’s voice. […]
    Don’t buy anything from anyone who calls you on the phone. Careful with your prescriptions. Don’t believe a video or a photo and especially a review. Luxury goods probably aren’t. That fish might not even be what it says it is.
    But we need reputation. The people who are sowing the seeds of distrust almost certainly don’t have your best interests in mind-we’ve all been hacked. Which means that a reshuffling is imminent, one that restores confidence so we can be sure we’re seeing what we think we’re seeing. But it’s not going to happen tomorrow, so now, more than ever, it seems like we have to assume we’re being conned.
    Sad but true.
    What happens after the commotion will be a retrenchment, a way to restore trust and connection, because we have trouble thriving without it.

    (Via The end of reputation; photo via Raphael Lovaski on Unsplash)
    Apologies to Seth for quoting nearly his whole post, but it’s important and scary.
    Neal Stephenson, in his book Fall; Or, Dodge in Hell 🇺🇸 🇯🇵, addresses this very issue of reputation and authenticity. In very simplistic & basic terms, it involves leveraging something like blockchain to “check in” or “sign in” to legitimate things by you or things you control. He also talks about Editors, who are human professional social media filters, which takes us down a different rabbit hole.
    As I move my on-line life as much on to platforms I control or trust, I am thinking about how to validate “me” outside of that without that validation coming back to bite me later, assuming such a thing is possible.
    What do you think?

    Bruce Schneier on The Myth of Consumer Security

    The Department of Justice wants access to encrypted consumer devices, but promises not to infiltrate business products or affect critical infrastructure. Yet that’s not possible, because there is no longer any difference between those categories of devices. Consumer devices are critical infrastructure. They affect national security. And it would be foolish to weaken them, even at the request of law enforcement.

    (Via The Myth of Consumer Security – Lawfare)

    The War On Encryption

    No clue what to do about it, but sure something should be done about it, and picking the wrong thing to do about it: the Trump administration in a nutshell. There’s already been a “sensational case” – the San Bernadino one in 2016 – and the FBI paid an Israeli company about $1m to break into the iPhone in question, to find nothing useful. There was more, and better, data on the terrorists’ Facebook profiles.
    unique link to this extract

    (Via The Overspill)
    Similar to my earlier post on AG Barr’s complete lack of understanding about how encryption actually works and benefits the entire economy.

    Attorney General William Barr Really Wants to Read Your iMessages

    Attorney General William Barr Really Wants to Read Your iMessages:

    It is almost impressive how people with no clue about how encryption works have, time and time again, ignored the advice of actual experts in it. If [US Attorney General William] Barr were in charge of NASA, he’d demand a faster-than-light Space Shuttle even after being told that it is impossible.

    (Via Pixel Envy)
    This Ars Technica article is a pretty good summary of Barr’s latest attack on working encryption.