By John Gruber
Corin Faife, writing for The Verge:
But in certain cases this can be skirted, as with one exploit that impersonates a trusted Bluetooth device already known to the user in order to connect to the phone, at which point the attacker can request or send data via Bluetooth. (The complexity of this attack makes it unlikely to affect regular people, but for a figure like the VP — who is undeniably a high-value target for foreign surveillance attempts — there’s a non-zero chance of falling victim. It also affects both Android and Apple devices, the latter of which Harris appears to use.) [...]
In total, the CVE Program, which tracks cybersecurity vulnerabilities, lists 459 current and historic vulnerabilities that mention Bluetooth, suggesting that Kamala Harris is right to be wary. There’s a simple way to mitigate all of these attacks — disabling Bluetooth, sticking to wired headphones — but doing so means swimming against the technological current, and maybe looking like you can’t afford AirPods.
Put another way, if Kamala Harris used wireless headphones, there is a chance (almost certainly a very small one, but we don’t know) that a Bluetooth vulnerability could be used against her by an adversary. If she uses wired headphones and actually disables Bluetooth on her iPhone, there’s no chance her phone can be exploited by a Bluetooth vulnerability. (Worth noting: tapping the Bluetooth button in Control Center on iOS only disconnects accessories until the next day; the radio stays on for things like AirDrop, Apple Watch, and Continuity. To turn it off for real, you have to use the Bluetooth switch in Settings.)
@gruber Your note on the Harris/Bluetooth thing: most zero-days are now held closely by government and criminals. So there may be Bluetooth zero-days that are used very sparingly and haven’t yet been discovered. Harris’s time on the Senate Intelligence Committee might be a clue!
What we don’t know, she might.
Nick Heer, writing at Pixel Envy:
Ma reports that Apple acquiesced to many government demands, like building research and development centres in the country — including one with the university where Cook was later named chairman of the advisory board — assigning an executive specifically to business in China, and even changing the scale of disputed territories in Apple Maps.
However, it also seems that this deal has helped Apple avoid more stringent regulation in other areas, in ways that are beneficial to users’ rights. Even though Chinese users’ iCloud data is stored on servers located within the country and operated by a local partner — as required by law — it has been allowed to retain control over its encryption keys. The government has allowed it to retain control over its source code, too. But Ma has previously reported that many of Apple’s exemptions are being revoked, and now writes that key businesses, including the App Store, are in a sort of legal limbo.
The whole situation is a fascinating study in diplomacy. As Heer observes, it’s wrong to look at it as a one-sided relationship — that China makes demands, and Apple acquiesces. Apple certainly gets a lot from China — they assemble the vast majority of their products there, and it’s their second biggest consumer market for selling those products. But China gets a lot from Apple. Apple is arguably the most prestigious corporation in the world, and inarguably one of the most prestigious. China benefits from that relationship on the world stage. As Ben Thompson wrote yesterday in a subscribers-only Stratechery update:
Apple remains the most visible and most impressive example of China’s manufacturing prowess. That is extremely valuable both in terms of China’s image and also its capabilities: Apple doesn’t just benefit from China’s capabilities, it also enhances them, in a virtuous cycle.
Apple bent quite a bit, to say the least, to keep iCloud available in China while complying with the recently passed law requiring all cloud-based services for Chinese users to be hosted in data centers owned by Chinese companies, physically located in mainland China. But Apple still controls the encryption keys to the data on those servers.
The issue of source code is an even better example of Apple not acquiescing to every “request” from the CCP. Back in 2016, Reuters reported:
Apple Inc. has been asked by Chinese authorities within the last two years to hand over its source code but refused, the company’s top lawyer told lawmakers on Tuesday in response to U.S. law enforcement criticism of its stance on technology security. [...] “I want to be very clear on this,” Apple general counsel Bruce Sewell told Tuesday’s hearing under oath. “We have not provided source code to the Chinese government.”
Source code, I firmly believe, would be a dealbreaker for Apple. It’s humiliating that Apple Maps shows the disputed Diaoyu Islands larger than they actually are to users in China, but, well, sometimes you need to eat dirt. Same thing for removing the Taiwanese flag from the emoji keyboard for users in Hong Kong. That is a serious shit sandwich and everyone at Apple, from Tim Cook down to the programmer who had to special-case the emoji keyboard to remove it for Hong Kongers, knows it. A demand for iOS’s source code, though, that would be over the line. I don’t see how Apple could comply with it. The Chinese get that. It is a two-way relationship.
And in terms of ways that Apple has benefitted from this diplomacy, look no further than Huawei. Trade sanctions imposed by the Trump administration have effectively driven Huawei out of the high-end smartphone business. The way trade wars typically work is tit-for-tat. After the tit of the U.S. imposing harsh sanctions on Huawei — the premier Chinese phone maker — the obvious tat would have been for China to crack down on Apple — the premier U.S. phone maker. That never happened. (I took that from Ben Thompson’s column yesterday, too.)
Here’s a paragraph I just added to yesterday’s piece:
There are a lot of people who really wanted this injunction to stick, under the premise that it would force Apple to open the App Store to third-party in-app purchasing for digital content without Apple taking any cut whatsoever, exactly as Apple has done all along for in-app purchasing of physical goods. That was never going to be the case, even if this injunction had gone into effect. What was the point of the injunction then? you might ask. Good question.