The theme of this week is by now a familiar one: “Things keep getting worse.” Starting with the security of countless so-called real time operating systems that all share some variation on the same decades-old code. That makes them all vulnerable to the set of Urgent/11 vulnerabilities we had reported on just the other week. And as is so often the case with these sort of devices and ancient code, there’s really no good way to fix them. And that was just the start of the week.
As a bookend, the attorney general William Barr Friday sent a sternly worded letter to Facebook encouraging them not to go forward with its plans for cross-platform end-to-end encryption, in the process reigniting the decades-old encryption debate. But while Barr had his counterparts from the UK and Australia backing up his push, it’s unclear what if any actual authority he would have to weaken encryption without laws on the books forcing it. (Also, it would be a truly terrible idea.)
In slightly brighter social media news, we looked at how adversarial examples could help protect your Facebook data from the next Cambridge Analytica. And we explained how the new Incognito Mode for Google Maps helps cover your tracks—and more importantly, all the ways in which it doesn’t. Speaking of covering tracks, we took a look at how the Ukraine whistle-blower did everything meticulously by the book, and the potential dangers in the Trump administration’s repeated insistence that he or she did not. We also talked to two past whistle-blowers for some perspective on what the current one must be going through. The consensus: his or her life will be forever changed.
The Trump campaign, meanwhile, appears to have been the target of Iranian hackers, although Microsoft says the phishing attempts it spotted were unsuccessful. Lastly, if you’re thinking about sideloading Google apps onto a Huawei device… don’t! You’re welcome.
And there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in-depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
The bug boffins at Google’s Project Zero have identified a vulnerability in popular Android handsets like the Google Pixel 2, Samsung Galaxy S9, and Moto Z3. Not only that, but the researchers have spotted evidence that hackers are exploiting that bug in the wild. This isn’t quite as dire as, say, the recent revelations about widespread iOS hacking. For one thing, the affected devices are mostly older, although in many cases still widely in use. And for the attack to work, it needs either to be paired with a second Chrome browser exploit, or victim needs to download a malicious app. Still, the potential consequences are devastating, especially given that it’s actively in use: a full compromise of the device, meaning access to any of its data and more. Google says it plans to patch the vulnerability in its October security update.
In the heated, high stakes debate over net neutrality, the FCC comment period became a prime battleground. Unfortunately, as was widely reported at the time, that process was also overwhelmed by bots. A Buzzfeed News investigation shows how two small firms appear to have been behind the bulk of the misrepresentation.
Security experts broadly agree that voting by app is not a great idea, electoral-integrity-wise. Still, an app called Voatz entered that particular thunderdome in West Virginia last fall, allowing members of the military from that state serving abroad to cast their ballots with their smartphones. Now, CNN reports that the FBI is investigating an apparent attempt to hack into Voatz—although it may have been as innocuous as a University of Michigan student experiment. Either way, it’s a nice reminder of why everyone’s so uncomfortable with this whole digital voting idea in the first place.
German authorities raided and shut down a “bulletproof” Dark Web hosting operating comprising hundreds of servers housed in an former NATO bunker in late September. Seven were arrested in connection with hosting the sites—which included “Cannabis Road,” “Wall Street Market,” and “Orange Chemicals”—including the 59-year-old Dutchman alleged to be the operation’s ringleader.