Linked List: November 23, 2021

E.U. Regulators Are at It Again

Björn Finke, reporting for Süddeutsche Zeitung (original in German; I’m quoting here from Safari 15’s translation to English):

For example, these powerful companies must no longer prefer their own services in search results, as Google did in the 2.4 billion case. You may also not collect business data from independent merchants on the platform and use it for your own offers, as Amazon is accused of. And they must allow mobile phone users to install other app stores and thus get more choice in mobile phone programs. This will hurt Apple a lot. In the event of violations, the Commission can intervene directly in the future without having to prove market power and harmful consequences in long investigations.

Misguided, to say the least.

Parliament expanded the list of platforms to be viewed and includes, for example, Internet-enabled TVs or voice assistants such as Alexa. On the other hand, MEPs increased the thresholds for sales to eight billion euros and the market value to 80 billion euros. This means that only Booking.com should be able to fall under the law from Europe for the foreseeable future. MEP Schwab argues that it is better for the Commission to focus on the really large companies in the implementation and control of the legal act. Critics warn, however, that the US government could consider it an unfriendly act if the groundbreaking law hits almost only American companies.

European regulations that are targeted, almost exclusively, at U.S. companies. You think that might be perceived here as “unfriendly”? You don’t say.

Another important addition to the Commission draft is that Parliament wants to force gatekeepers to allow exchanges between rival messenger services and social media. Then, for example, a user could send a message from WhatsApp to the competitor Signal — this opening should also stimulate competition.

This nugget is under a sub-head that was translated to “Send a message from WhatsApp to Signal? No problem”. No problem at all. Probably will only take a few lines of code to get all the world’s messaging systems — including those using end-to-end encryption like Signal and WhatsApp (and iMessage) — talking to each other.

They should do another draft that mandates the invention of personal jet packs and flying cars, too.

600 Google Employees Sign Manifesto Opposing Company’s Vaccine Mandate

Jennifer Elias, reporting for CNBC:

The manifesto within Google, which has been signed by at least 600 Google employees, asks company leaders to retract the vaccine mandate and create a new one that is “inclusive of all Googlers,” arguing leadership’s decision will have outsize influence in corporate America. It also calls on employees to “oppose the mandate as a matter of principle” and tells employees to not let the policy alter their decision if they’ve already chosen not to get the Covid vaccine.

Casey Newton:

Wow, they made a list of the dumbest people at Google.

Don’t let the door hit you on the way out. And, to be clear, Google has somewhere north of 140,000 employees.

(I sure would like to read the actual “manifesto”, but I can’t find it.)

The Apple v. NSO Group Complaint (PDF)

The opening paragraph:

Defendants are notorious hackers — amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse. They design, develop, sell, deliver, deploy, operate, and maintain offensive and destructive malware and spyware products and services that have been used to target, attack, and harm Apple users, Apple products, and Apple. For their own commercial gain, they enable their customers to abuse those products and services to target individuals including government officials, journalists, businesspeople, activists, academics, and even U.S. citizens.

It gets more strident from there.

I genuinely wonder what Apple’s goals are with this suit. Is it just to bring NSO Group’s activities to light? If this goes to trial, the testimony should really be something to see. How much in damages will Apple seek at trial? Enough to bankrupt NSO Group? (Don’t forget Facebook has an ongoing lawsuit against NSO Group for having exploited a bug in WhatsApp to install malware on targets.)

Apple’s Own Announcement of Their Lawsuit Against NSO Group

Apple Newsroom:

Apple’s legal complaint provides new information on NSO Group’s FORCEDENTRY, an exploit for a now-patched vulnerability previously used to break into a victim’s Apple device and install the latest version of NSO Group’s spyware product, Pegasus. The exploit was originally identified by the Citizen Lab, a research group at the University of Toronto. [...]

NSO Group and its clients devote the immense resources and capabilities of nation-states to conduct highly targeted cyberattacks, allowing them to access the microphone, camera, and other sensitive data on Apple and Android devices. To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim’s device — allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge. Though misused to deliver FORCEDENTRY, Apple servers were not hacked or compromised in the attacks.

A couple of things are interesting about this. First, Apple repeatedly refers to the “FORCEDENTRY” exploit by name. This is not PR bullshit — they’re talking about a very specific exploit. Second, they refer to Android as their compatriot, not their competitor. There’s a time and place for Apple to brag about iOS being more secure than Android, but this isn’t it. The message here: “This isn’t just about us, NSO Group is after everyone.”

Lastly, the phrase “the immense resources and capabilities of nation-states”. This is Apple hammering home the fact that deliberate backdoors would be exploited. They’re up against countries with, effectively, infinite money and resources to find and exploit accidental vulnerabilities. If there were deliberate backdoors, the game would be over before it started.

Apple commends groups like the Citizen Lab and Amnesty Tech for their groundbreaking work to identify cybersurveillance abuses and help protect victims. To further strengthen efforts like these, Apple will be contributing $10 million, as well as any damages from the lawsuit, to organizations pursuing cybersurveillance research and advocacy.

The New York Times story on this mentioned that Apple would be donating any damages from the lawsuit, if they win. It’s a nice touch that they’re donating $10 million no matter what happens in court. Citizen Lab and Amnesty Tech did crackerjack work exposing this exploit.

Apple is notifying the small number of users that it discovered may have been targeted by FORCEDENTRY. Any time Apple discovers activity consistent with a state-sponsored spyware attack, Apple will notify the affected users in accordance with industry best practices.

Interesting!

Apple Sues NSO Group

Nicole Perlroth, reporting for The New York Times:

Apple is also asking for unspecified damages for the time and cost to deal with what the company argues is NSO’s abuse of its products. Apple said it would donate the proceeds from those damages to organizations that expose spyware. [...]

The sample of Pegasus gave Apple a forensic understanding of how Pegasus worked. The company found that NSO’s engineers had created more than 100 fake Apple IDs to carry out their attacks. In the process of creating those accounts, NSO’s engineers would have had to agree to Apple’s iCloud Terms and Conditions, which expressly require that iCloud users’ engagement with Apple “be governed by the laws of the state of California.” The clause helped Apple bring its lawsuit against NSO in the Northern District of California.

Shades of nailing Al Capone for tax evasion.

Apple executives described the lawsuit as a warning shot to NSO and other spyware makers. “This is Apple saying: If you do this, if you weaponize our software against innocent users, researchers, dissidents, activists or journalists, Apple will give you no quarter,” Ivan Krstic, head of Apple security engineering and architecture, said in an interview on Monday.

That is not — at all — how leaders at Apple usually speak in the press. Apple is not a hard or tricky company to read. They are furious about NSO Group.