Linked List: July 12, 2024

AT&T Only Learned of Massive 2022 Data Breach This April; Delayed Revealing It at the Request of U.S. Law Enforcement 

Brian Krebs:

In a written statement shared with KrebsOnSecurity, the FBI confirmed that it asked AT&T to delay notifying affected customers.

“Shortly after identifying a potential breach to customer data and before making its materiality decision, AT&T contacted the FBI to report the incident,” the FBI statement reads. “In assessing the nature of the breach, all parties discussed a potential delay to public reporting under Item 1.05(c) of the SEC Rule, due to potential risks to national security and/or public safety. AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.”

TechCrunch quoted an AT&T spokesperson saying the customer data was stolen as a result of a still-unfolding data breach involving more than 160 customers of the cloud data provider Snowflake.

Mark Burnett is an application security architect, consultant and author. Burnett said the only real use for the data stolen in the most recent AT&T breach is to know who is contacting whom and how many times.

“The most concerning thing to me about this AT&T breach of ALL customer call and text records is that this isn’t one of their main databases; it is metadata on who is contacting who,” Burnett wrote on Mastodon. “Which makes me wonder what would call logs without timestamps or names have been used for.”

It remains unclear why so many major corporations persist in the belief that it is somehow acceptable to store so much sensitive customer data with so few security protections. For example, Advance Auto Parts said the data exposed included full names, Social Security numbers, driver’s licenses and government issued ID numbers on 2.3 million people who were former employees or job applicants.

Google Chrome, Along With Other Popular Chromium Browsers, Grants System Monitoring Privileges to *.google.com Domains 

Luca Casonato:

So, Google Chrome gives all *.google.com sites full access to system / tab CPU usage, GPU usage, and memory usage. It also gives access to detailed processor information, and provides a logging backchannel.

This API is not exposed to other sites - only to *.google.com.

This is interesting because it is a clear violation of the idea that browser vendors should not give preference to their websites over anyone else’s.

The DMA codifies this idea into law: browser vendors, as gatekeepers of the internet, must give the same capabilities to everyone. Depending on how you interpret the DMA, this additional exposure of information only to Google properties may be considered a violation of the DMA. Take for example Zoom - they are now at a disadvantage because they can not provide the same CPU debugging feature as Google Meet.

I frequently bemoan the DMA’s ambiguity but here I’d say it’s crystal clear. Chrome is a designated gatekeeping platform, and granting system-monitoring privileges only to Google’s own websites is clearly in violation. Here’s a Hacker News comment from a purported Google employee who calls the feature “mundane” while admitting that Google Meet uses it as a tool to debug bad connections, even though no other web-based meeting app has access to it. I can think of no better example proving that Google views the open web as a platform that it owns.

But put the DMA aside. This is just creepy. It’s clearly a privacy violation. I don’t want Google to know what kind of CPU I have, how many cores, and how busy they are. And the makers of other Chromium-based browsers are so lazy that their browsers — Microsoft Edge and Brave at least — include this same “feature”. I don’t mean that Edge grants system-monitoring privileges to Microsoft’s websites. Edge grants these privileges to Google’s websites, and Google’s alone.
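The gating Casonato describes is not a web-platform API at all: Chrome bundles a hidden component extension, and a page can only talk to an extension through chrome.runtime.sendMessage() if the page’s origin is listed in the extension manifest’s externally_connectable.matches. The following is an added example, not code from the original post, from Chromium or from Google; the manifest fragment is an illustrative assumption (one https://*.google.com/* pattern), not the real extension’s manifest. It implements Chrome’s match-pattern rules so you can audit which origins a given matches list lets through, and includes the one-line probe to paste into a page’s devtools console.

```javascript
// Added example (not from the original post or from Chromium): evaluate Chrome
// extension match patterns to see which web origins a manifest's
// externally_connectable.matches list allows to message the extension.

// Illustrative assumption: a manifest that admits google.com and its subdomains
// over https only. This is not the real component extension's manifest.
const EXAMPLE_MANIFEST = {
  name: "example privileged component extension",
  externally_connectable: {
    matches: ["https://*.google.com/*"],
  },
};

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Parse a Chrome match pattern of the form <scheme>://<host><path>.
function parseMatchPattern(pattern) {
  if (pattern === "<all_urls>") {
    return { scheme: "*", host: "*", path: "/*" };
  }
  const m = /^(\*|https?|ftp|file):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/.exec(pattern);
  if (!m) {
    throw new Error(`invalid match pattern: ${pattern}`);
  }
  return { scheme: m[1], host: m[2], path: m[3] };
}

function hostMatches(patternHost, hostname) {
  if (patternHost === "*") return true;
  if (patternHost.startsWith("*.")) {
    // "*.google.com" matches google.com itself and any subdomain, but not a
    // lookalike such as meet.google.com.attacker.example.
    const base = patternHost.slice(2);
    return hostname === base || hostname.endsWith("." + base);
  }
  return hostname === patternHost;
}

function patternMatches(pattern, urlString) {
  const p = parseMatchPattern(pattern);
  const url = new URL(urlString);
  const scheme = url.protocol.replace(/:$/, "");
  const schemeOk =
    p.scheme === "*" ? scheme === "http" || scheme === "https" : scheme === p.scheme;
  if (!schemeOk) return false;
  if (!hostMatches(p.host, url.hostname)) return false;
  // The path pattern is matched against path plus query; only "*" is a wildcard.
  const pathRe = new RegExp("^" + p.path.split("*").map(escapeRegExp).join(".*") + "$");
  return pathRe.test(url.pathname + url.search);
}

// Would a page at pageUrl be allowed to call chrome.runtime.sendMessage() on
// the extension described by this manifest?
function canMessageExtension(manifest, pageUrl) {
  const ec = manifest.externally_connectable;
  const matches = (ec && ec.matches) || [];
  return matches.some((pattern) => patternMatches(pattern, pageUrl));
}

// Audit helper: map each candidate page URL to its access decision.
function auditOrigins(manifest, pageUrls) {
  const result = {};
  for (const u of pageUrls) result[u] = canMessageExtension(manifest, u);
  return result;
}

// Browser-side probe. Paste into a page's devtools console: on an origin that
// is not in the matches list, chrome.runtime.sendMessage is not even defined
// for page scripts. Returns false outside Chromium (e.g. under Node).
function extensionMessagingExposed() {
  const rt = globalThis.chrome && globalThis.chrome.runtime;
  return Boolean(rt && typeof rt.sendMessage === "function");
}

// Constructed sample of pages to audit.
const SAMPLE_PAGES = [
  "https://meet.google.com/abc-defg-hij",
  "https://google.com/",
  "http://meet.google.com/",
  "https://zoom.us/j/123456789",
  "https://meet.google.com.attacker.example/",
];

console.log(auditOrigins(EXAMPLE_MANIFEST, SAMPLE_PAGES));
```

Run under Node to see the audit table; only the two https Google origins come back true, which is exactly the asymmetry Casonato is pointing at. The host rule is the security-relevant part: a wildcard host pattern admits the bare domain and every subdomain, so any origin under google.com that can run script gets the same privilege, while zoom.us or a lookalike domain gets nothing.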

But speaking of the DMA, Chromium is, far and away, the most popular browser engine that the DMA compels Apple to allow on iOS. There are legitimate reasons to wish that Apple allowed third-party browser engines on iOS. But there are also legitimate reasons why Apple doesn’t allow them. Chrome really is bad. Better to let the market decide than let clueless regulators decide.

(Via Simon Willison.)

Massive Data Breach at AT&T Exposed Six Months of Call and SMS Records of Nearly All Customers 

Matt Egan and Sean Lyngaas, reporting for CNN:

The call and text message records from mid-to-late 2022 of tens of millions of AT&T cellphone customers and many non-AT&T customers were exposed in a massive data breach, the telecom company revealed Friday. AT&T said the compromised data includes the telephone numbers of “nearly all” of its cellular customers and the customers of wireless providers that use its network between May 1, 2022 and October 31, 2022.

The stolen logs also contain a record of every number AT&T customers called or texted — including customers of other wireless networks — the number of times they interacted, and the call duration.

Importantly, AT&T said the stolen data did not include the contents of calls and text messages nor the time of those communications.

Of course the breach didn’t contain the content of (most) phone calls and (most) text messages, because carriers don’t record phone calls and, thankfully, don’t log the contents of text messages. This isn’t an important distinction at all. This is a devastating breach.

(I added those “mosts” because the carriers facilitate the recording/logging of some calls and text messages at the behest of law enforcement agencies. Which is exactly why we should all be moving as much of our communications as possible to E2EE platforms.)

Hermès’s H08 Watch, the Other Source for Samsung’s Ultra Rip-Off 

I’ve seen a few people arguing that Samsung’s Galaxy Watch Ultra, though clearly inspired by Apple Watch Ultra, isn’t a rip-off, per se, because it’s not an exact clone. Ben Thompson even tried to argue such with me on Dithering this week.

Here, for example, is a literal clone of Apple Watch Ultra that I bought on Temu last year for $16. (I’m linking to the user manual because the watch itself is no longer available, but here’s a thumbnail photo from Temu.) But of course Samsung wasn’t going to go that far and literally clone Apple Watch Ultra. That’s absurd. What they did was rip off as much as they thought they could get away with.

What I neglected to point out, but have since updated the post to mention, is that whatever elements of the Galaxy Watch Ultra weren’t copied from Apple Watch Ultra were clearly ripped off from Hermès’s H08 watch:

Photo of Hermès H08 Watch

That’s a handsome watch in and of itself, but it should be noted that Hermès is a longstanding partner of a smartwatch maker named — checks notes... — Apple.

European Commission Charges X With Breach of DSA 

I guess the European Commission hasn’t taken off for their months-long summer vacation quite yet:

[T]he Commission has issued preliminary findings of non-compliance on three grievances:

  • First, X designs and operates its interface for the “verified accounts” with the “Blue checkmark” in a way that does not correspond to industry practice and deceives users. Since anyone can subscribe to obtain such a “verified” status, it negatively affects users’ ability to make free and informed decisions about the authenticity of the accounts and the content they interact with. There is evidence of motivated malicious actors abusing the “verified account” to deceive users.

  • Second, X does not comply with the required transparency on advertising, as it does not provide a searchable and reliable advertisement repository, but has instead put in place design features and access barriers that make the repository unfit for its transparency purpose towards users. In particular, the design does not allow for the required supervision and research into emerging risks brought about by the distribution of advertising online.

  • Third, X fails to provide access to its public data to researchers in line with the conditions set out in the DSA. In particular, X prohibits eligible researchers from independently accessing its public data, such as by scraping, as stated in its terms of service. In addition, X’s process to grant eligible researchers access to its application programming interface (API) appears to dissuade researchers from carrying out their research projects or leave them with no other choice than to pay disproportionally high fees.

I don’t really have an opinion on the second and third points, but the first one seems daft to me. Here’s how commissioner Thierry Breton is quoted in the EC’s press release:

“Back in the day, BlueChecks used to mean trustworthy sources of information. Now with X, our preliminary view is that they deceive users and infringe the DSA. We also consider that X’s ads repository and conditions for data access by researchers are not in line with the DSA transparency requirements. X has now the right of defence — but if our view is confirmed we will impose fines and require significant changes.”

Blue checkmarks were indeed used, “back in the day”, to indicate “verified” accounts. But upon purchasing Twitter, Elon Musk eliminated that program. They don’t advertise it as “Verified” any more; they just call it “Twitter Premium” and make it very clear that blue checkmarks indicate premium account status. That’s illegal under the DSA?

Anyway, here’s Elon Musk, replying to Breton’s announcement of this investigation:

How we know you’re real? 🧐

And:

We look forward to a very public battle in court, so that the people of Europe can know the truth.

And, more intriguingly, replying to Margrethe Vestager:

The European Commission offered X an illegal secret deal: if we quietly censored speech without telling anyone, they would not fine us.

The other platforms accepted that deal.

X did not.

The weapon the EC wields is their ability to fine companies a percentage of global revenue (up to 6 percent under the DSA; the 10–20 percent figures belong to the DMA). Musk is in a unique position to tell them to fuck off. Twitter’s revenue peaked at $5 billion in 2021 — when the company was still publicly held — and has surely declined since then. A fine in the low hundreds of millions of dollars is figuratively nothing to Musk. He’d gladly pay that just for the attention a public fight over this will bring to him personally and X as a platform.