

How Apple’s AirTag turns us into unwitting spies in a vast surveillance network | Apple

Voice Of EU



Apple has launched the latest version of its operating system, iOS 14.5, which features the much-anticipated app tracking transparency function, bolstering the tech giant’s privacy credentials.

But iOS 14.5 also introduced support for the new Apple AirTag, which risks doing the opposite.

For the uninitiated, an AirTag is a small device (similar to a Tile) that can be attached to personal items such as keys, wallets or luggage. The tag periodically sends messages that can be used to track its location, letting you find any lost or missing items with the help of an app.

While clearly useful, AirTags can also potentially be misused. Concerns have been raised that they might facilitate stalking, for example.

And there’s also a more fundamental problem with this technology. Its euphemistic description as a “crowdsourced” way to recover lost items belies the reality of how these items are tracked.

What you won’t find highlighted in the polished marketing statements is the fact that AirTags can only work by tapping into an Apple-operated surveillance network in which millions of us are unwitting participants.

So, how exactly do AirTags work?

AirTags are small, circular metal discs, slightly larger and thicker than an Australian one-dollar coin. Once paired with your Apple ID, the tag’s location will be shown in the Find My app, whenever location data are available.

Each tag transmits a unique identifier using Bluetooth. Any compatible Apple device within range (up to 100 metres in ideal conditions) will then relay that identifier to Apple’s servers, along with its own location data. The tag’s owner can then log on to the Find My app and access those location details, and bingo – you now have a pretty good idea of where your lost bag is.

The AirTags themselves have no positional location capability – they do not contain GPS technology. Rather, they “ping” the nearest Bluetooth-enabled device and let that device’s location data do the rest.

Besides Bluetooth, AirTags also use a relatively new technology called Ultra Wideband. This feature is supported only by later Apple devices such as iPhone 11 and 12, and allows for much more precise location tracking.

This precision extends to directional finding – now your phone can literally point you towards the missing tag.

While the actual nature of the data transmitted is not too concerning (tag ID and location), what makes it worrying is the sheer scale and number of devices involved. By using an AirTag, you are effectively availing yourself of a global monitoring network containing millions and millions of devices.

Everyone’s iPhone (assuming Bluetooth is enabled) is listening for AirTags. When it “hears” one, it uploads details of that tag’s identifier and the phone’s location to Apple’s servers.

Besides any privacy concerns, this is also likely to use small amounts of your data allowance. That’s probably fine most of the time, but if you are travelling internationally you might be hit with unexpected charges if you’ve forgotten to disable data roaming.

Stalking technology?

Apple says it has implemented a range of safeguards to detect and prevent attempts to use AirTags for stalking, including an alert triggered when an AirTag seems to be accompanying someone who’s not its owner. The alert can appear on the victim’s phone (if they use an iPhone) but can also raise an audible alert on the tag itself. But these measures are relatively easy to circumvent.

One experiment showed a tag can be placed on a person and would not trigger any of the safeguards if reconnected to the stalker’s device regularly enough. This could happen if the victim returns home, or comes within range of their stalker, within a three-day window.

More concerningly, the alerts can be turned off – which a victim of domestic violence may be coerced into doing by their aggressor. What’s more, as AirTags and similar devices become more common, we will inevitably encounter more warnings of tags appearing around us. Just like other commonly encountered alerts, many users will tire of seeing them and dismiss the prompts.

It is also presumably only a matter of time until these devices are hacked and put to other nefarious purposes.

Apple isn’t the only technology company drawing unwitting users into large networks. Amazon’s Sidewalk creates a network that allows your neighbours’ doorbell to connect through your Echo device (if their wifi doesn’t extend to the front door), effectively sharing your internet connection!

All of this functionality (and the inherent privacy risks) is covered in the standard terms and conditions. That lengthy, legalese document we never read allows tech companies to hide behind the claim that we have willingly opted into all this.

Can we opt out?

A simple option to avoid your device acting as a cog in Apple’s machine is to turn off Bluetooth and location services. With Bluetooth disabled, your device won’t “see” the beacons coming from AirTags, and without location services you can’t report the proximity of the tag.

Of course, turning off this functionality means losing useful capabilities such as hands-free kits, Bluetooth speakers and satellite navigation, and of course makes it harder to find your phone if you lose it.

Ultimately, if we want to benefit from the ability to locate missing keys, wallets and luggage through AirTags, we have to accept that this is only possible through a global network of sensors – even if those sensors are our own phones.

This article was first published on the Conversation. Paul Haskell-Dowland is associate dean in computing and security at Edith Cowan University



Collisons join A-list backers of Entrepreneur First’s $158m Series C




Founded in 2011, Entrepreneur First’s portfolio has grown to more than 500 companies, which together are worth more than $10bn.

London-based scale-up investor Entrepreneur First has raised $158m in a Series C funding round, with backing from some of the world’s biggest tech founders.

The funding round included participation from Stripe co-founders Patrick and John Collison. They were joined by Wise co-founder Taavet Hinrikus (who also launched a new VC fund this week), LinkedIn co-founder Reid Hoffman, WordPress co-founder Matt Mullenweg, Monzo co-founder Tom Blomfield, Nested co-founder and CEO Matt Robinson, and many others.

There was also investment from longstanding institutional backers such as Transpose Platform, Vitruvian Partners, Encore Capital and Isomer Capital.

“It feels right that this round of funding comes from the most successful technology founders of today,” Entrepreneur First CEO Matt Clifford said. “Their support will build their counterparts of tomorrow.”

Founded in 2011, Entrepreneur First describes itself as “the best place in the world to meet your co-founder”. It says the best companies come from co-founding partnerships, but that finding the right person can be hugely challenging.

Entrepreneur First invests in early-stage founder talent. It works to bring people together from all walks of life to help meet potential co-founders, while giving them access to advisers in a three-month programme.

The company currently has 120 employees with offices in London, Toronto, Paris, Berlin, Bangalore and Singapore.

Its portfolio now includes more than 500 companies, which together exceed $10bn in value. These companies include computer vision unicorn Tractable, employment platform Omnipresent and advertising infrastructure platform Permutive.

“We built a way for the world’s most talented people, from all walks of life, to come together to find co-founders and build from scratch,” Clifford said. “Now, that fix has introduced co-founders who wouldn’t have otherwise met, to build companies that wouldn’t have been built.”

Entrepreneur First aims to see the value of companies built from its platform cross $100bn and beyond in the years to come.

“What we do may no longer seem crazy, as it did 10 years ago,” Clifford added. “But we’re just as committed to keep innovating to serve entrepreneurs better – and be the best place in the world to find a co-founder.”



Kira Puru: the 10 funniest things I have ever seen (on the internet) | Culture




Never in my life have I felt more unfunny than I did while compiling this list. There is nothing that’ll give you the ick faster than someone whipping out their phone to show you something “funny” they’ve seen on the internet, thrusting you into the longest three minutes of your life. Oh and that keen, wide-eyed look they give you after, practically begging for validation? Gross. And somehow, despite knowing this, here I am, desperately hoping that you’ll laugh and think I’m cool.

Look, I’m not in the business of being funny. I make music. And that’s the excuse I’ll be sticking to if nothing on this list appeals to you. But if you’re feelin’ frisky, let me whip out my proverbial phone and show you a thing or two …

1. @rhyleep95 on TikTok


I think creating this list has made me realise that a lot of what I think is “funny” is actually just earnest expressions of joy and people at play. Rhylee is a natural comedian who is genuinely talented across multiple disciplines, but her account is perfect comfort-watch territory because it’s just truly nice to watch someone have fun.

2. Nina Oyama on Twitter (@ninaoyama)

I’m doing cry july

— nina oyama (@ninaoyama) July 9, 2021

I’m a depressed queer with a penchant for dry, grubby humour, so naturally I’m a Nina Oyama stan. If you’re on Twitter and not following Nina, you’re misusing the platform.

3. @mignonettetakespictures on Instagram


More amusing than literally funny, but @mignonettetakespictures serves up bittersweet tearjerkers, unhinged absurdity, belly laughs and everything in between.

4. @gnomeboys on TikTok


I could have just submitted 10 Gnome Boys clips for this list tbh. A supremely balanced mix of comedy, talent, and wholesome celebration of friendship in equal measure. Slay.

5. Ziwe interviews Chet Hanks

I don’t know what this says about me, but Ziwe making people uncomfortable is something I find thoroughly enjoyable.

6. @grandma_droniak on TikTok


Grandma Droniak is a modern feminist icon. And if you don’t like it, leave.

7. @aureliastclair on TikTok


If there’s one thing I’m into, it’s deeply specific memes about Melbourne’s inner north, and Aurelia handles this masterfully. I’ve chosen this particular clip cuz I live in Brunswick and I’m very attached to my putrid bucket of rotting food scraps that literally goes into the general waste bin every week.

8. Dirty Bird #2: Dads

Uh. I’m not sure what to say about this. Please enjoy some vintage Sam Campbell, where he and his friend Henry run into their dads while on a “chicken eating tour of the suburbs”.

9. @janemckennan0 on TikTok


Jane’s body of work is very dynamic and thrilling. A cutting edge artist in the peak of her prime, in my humble opinion.

10. @lostmymarblesagain on TikTok


Look, we’re this deep into the list and I don’t know what’s funny any more. But if Brittany Broski has one million fans, I’m one of them. If she has one fan, it’s me. If she has zero fans, I’m dead.

  • Kira Puru is part of Southside Live, a free, family-friendly event presented by City of Port Phillip in Victoria, 24 June – 3 July



Adopt Modern Auth now for Exchange Online • The Register




The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

In an advisory [PDF] this week, Uncle Sam’s Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal civilian executive branch (FCEB) agencies – which include such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.

“Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth,” CISA wrote. “After completing the migration to Modern Auth, agencies should block Basic Auth.”

The agency adds that Basic Auth is often used by legacy applications or custom-built business software, and that many user-facing applications, such as Outlook Desktop and Outlook Mobile App, already have been moved to Modern Auth via Microsoft security updates.

“This is a big deal,” John Gunn, CEO of authentication outfit Token, told The Register. “Security-conscious organizations have already made the switch, but many have not, and they are needlessly exposing themselves and others to attack. Hopefully this message will accelerate the process and motivate the stragglers.”

Basic Auth is a legacy authentication method that doesn’t naturally support multifactor authentication (MFA) and requires a user’s password be sent with each authentication request. There are numerous protocols that can use Basic Auth, including the Post Office Protocol/Internet Message Access Protocol (POP/IMAP), Exchange Web Services, ActiveSync, and Remote Procedure Call over HTTP (RPC over HTTP), the agency said.

MFA is required of FCEBs per President Joe Biden’s May 2021 Executive Order 14028 to improve the country’s cybersecurity capabilities.

Ray Kelly, a fellow at Synopsys Software Integrity Group, reminded us that Basic Auth simply sends one’s username and password in an encoded but unencrypted form; you can use a Base64 decoder to view the original credentials. It needs to be encapsulated in encryption to be used securely over a network.

“Microsoft’s move to disable basic authentication in Exchange Online is a great thing for securing the Microsoft cloud ecosystem, as we have seen legacy protocols relying on basic authentication used to bypass multi-factor authentication controls,” Aaron Turner, CTO at AI cybersecurity vendor Vectra, told The Register.

“By moving to a posture of disabling basic authentication by default, it essentially hardens all email users who rely on Microsoft Exchange Online. This will make it more difficult for attackers to simply scrape a username and password from a vulnerable mobile device or browser session.”

Speaking of passwords, Microsoft has long been a vocal advocate for doing away with these passphrases for authentication, saying they are unreliable and a weak link in the cybersecurity chain. The Windows giant also has promoted MFA as a way of reducing by 99 percent the likelihood that a user will be compromised.

Moving away from legacy authentication

In a document dated 2020, two senior Microsofties said an analysis of Azure Active Directory traffic showed that 99 percent of password spray attacks and more than 97 percent of credential-stuffing attacks leveraged legacy authentication protocols. In addition, Azure AD accounts in organizations that disabled such authentication methods saw 67 percent fewer compromises than those still using legacy authentication.

Microsoft last year announced it will disable Basic Auth in Exchange Online starting October 1, 2022.

Garret Grajek, CEO of identity specialist YouAttest, called the use of two-factor (2FA) or multifactor authentication “table stakes” in the modern IT world.

“There is no excuse for use of single authentication in 2022,” Grajek told The Register. “The major vendors – Amazon, Microsoft, Google – have made it an option in their offerings. 2FA should be turned on for all resources. The attacks via zero-day flaws, source-code injections and supply chain vulnerabilities need to be monitored.”

He added that “to get hacked by simple username/password hacks on identities is unacceptable. The real challenge going forward is implementing a zero-trust architecture and real identity governance across all users and systems.”

CISA recommends several steps for moving to Modern Auth, with the first one being to review Azure AD sign-in logs to find the applications and users that are authenticating with Basic Auth.

Next is developing a plan to move those applications and users to Modern Auth by following Microsoft’s documentation and Exchange Team blog post about the shift. After that’s done, organizations can use authentication policies to block Basic Auth before authentication occurs, setting the policy per-mailbox or across the business.
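A way to carry out the first of these steps offline, as an added example (not code from CISA, Microsoft or The Register): the script below takes sign-in records exported from Azure AD and lists which users and client apps still authenticate over legacy protocols. The field names follow the Microsoft Graph signIn resource; the `LEGACY_CLIENTS` list, the sample records and the example.com accounts are constructed assumptions.

```python
from collections import defaultdict

# clientAppUsed values that indicate a legacy protocol (assumption: adjust to
# the values seen in your own tenant's export). Compared case-insensitively.
LEGACY_CLIENTS = {c.lower() for c in (
    "POP3", "IMAP4", "Authenticated SMTP", "Exchange ActiveSync",
    "Exchange Web Services", "Outlook Anywhere (RPC over HTTP)",
    "MAPI Over HTTP", "Other clients",
)}

def legacy_auth_inventory(records):
    """Group legacy-protocol sign-ins by (user, client app)."""
    inv = defaultdict(lambda: {"ok": 0, "failed": 0, "last_seen": ""})
    for rec in records:
        client = (rec.get("clientAppUsed") or "").strip()
        if client.lower() not in LEGACY_CLIENTS:
            continue  # "Browser" / "Mobile Apps and Desktop clients" = Modern Auth
        user = (rec.get("userPrincipalName") or "unknown").lower()
        entry = inv[(user, client)]
        failed = (rec.get("status") or {}).get("errorCode", 0) != 0
        entry["failed" if failed else "ok"] += 1
        # ISO 8601 UTC timestamps sort correctly as plain strings.
        entry["last_seen"] = max(entry["last_seen"], rec.get("createdDateTime") or "")
    return dict(inv)

def migration_targets(inv):
    """Users/apps that really work over Basic Auth today and must be migrated."""
    return sorted(key for key, e in inv.items() if e["ok"] > 0)

def failure_only(inv):
    """Legacy sign-ins that never succeeded: nothing to migrate, worth reviewing."""
    return sorted(key for key, e in inv.items() if e["ok"] == 0)

# Constructed sample records (not real log data).
def _rec(ts, upn, client, code):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "clientAppUsed": client, "status": {"errorCode": code}}

SAMPLE = [
    _rec("2022-06-27T08:01:12Z", "scanner@example.com", "Authenticated SMTP", 0),
    _rec("2022-06-28T08:01:40Z", "Scanner@example.com", "Authenticated SMTP", 0),
    _rec("2022-06-28T09:15:03Z", "alice@example.com", "Mobile Apps and Desktop clients", 0),
    _rec("2022-06-28T09:20:44Z", "bob@example.com", "IMAP4", 0),
    _rec("2022-06-28T11:02:10Z", "carol@example.com", "POP3", 50126),
    _rec("2022-06-28T11:02:11Z", "carol@example.com", "POP3", 50126),
]

if __name__ == "__main__":
    inv = legacy_auth_inventory(SAMPLE)
    for user, client in migration_targets(inv):
        e = inv[(user, client)]
        print(f"migrate  {user:22} {client:20} ok={e['ok']} last={e['last_seen']}")
    for user, client in failure_only(inv):
        print(f"review   {user:22} {client:20} failed={inv[(user, client)]['failed']}")
```

Pairs with at least one successful sign-in form the migration list; pairs that only ever fail have nothing to migrate and are worth a separate look before Basic Auth is blocked.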

Taking these steps means a significant improvement in security, Token’s Gunn adds.

“The advantages of Modern Auth include using MFA [and] not letting apps save credentials,” he said. “Auth has a defined lifetime and the scope of permissions can be limited. All of these make a big difference in stopping attacks.” ®
