< Notes...

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).

An 11 years old device still receives security updates from Apple. Meanwhile Google:

Nexus devices get security updates for at least 3 years from when the device first became available on the Google Store, or at least 18 months from when the Google Store last sold the device, whichever is longer. After that, we can’t guarantee more updates.

How do you like them apples?

Each time I tell the kid he should upgrade his iPhone because critical security fixes were released, he jokes, and complains, and tells me all his friends are using even older iOS and nothing ever happens to them. He tells me I am too paranoid. It annoys and concerns me quite a bit. I don’t want to be the proverbial shoemaker, whose children go barefoot.

It was in the news yesterday that India had ordered all smartphones makers to ensure all new devices came preloaded with an app called Sanchar Saathi, allegedly to “bolster telecom cybersecurity”. Apple, non-publicly, stated that they would not comply. Today India is scrapping their mandatory order. Much planning, such wow!

It is not often that I see a rejection of a pull request so politely, and clearly explained. Heck, this one ought to be a first, at least for me. After a thorough explanation, the project’s owner concludes:

“I recommend closing this PR. The original implementation is secure and maintainable. Thank you for your contribution, but we must prioritize security in this security-sensitive codebase.”

My kid is one who often tells me, when I worry about his less-than-perfect password, “who cares, I have nothing to hide”. If you are one of those, please think again. I had a conversation, again, with the child about this last night.

“I find it fascinating when people say that they have nothing to hide. I usually jokingly say: unlock your phone and hand it to me. Your phone is a window to your life. Where a lot of people believe that it is possible to give full access to properly vetted authorities, in the world of security, when you open a door for one person, you incidentally open it to everyone.”

➝ Via Hacker News.

Now, this is some promise!

When we launch Private Cloud Compute, we’ll take the extraordinary step of making software images of every production build of PCC publicly available for security research. This promise, too, is an enforceable guarantee: user devices will be willing to send data only to PCC nodes that can cryptographically attest to running publicly listed software. We want to ensure that security and privacy researchers can inspect Private Cloud Compute software, verify its functionality, and help identify issues — just like they can with Apple devices.

An email from AT&T, with “Important Information” on the subject:

“We’re contacting you regarding the security of your data. After a thorough assessment, AT&T has determined that some of your personal information was compromised…”

No kidding, Sherlock! Some as in my name, phone number, address, and social security number (this one is key). Some?! Oh, but I must rest assured that “AT&T takes these issues very seriously”. As if! 😤

My Personal Identifiable Information (PII) leaked (unauthorized third parties were likely able to access and download full names, Social Security numbers, policy/account numbers, dates of birth, and addresses, among other), again, compliments of SaaS. This time it was “MOVEit Transfer”, which Corebridge (one of my retirement accounts financial institutions) uses.

This CVE provides details of the vulnerability that was exploited. Links within that page explains it further.

Duuuuuuuck! 🤬 Initial fraud alert—1 year—placed on the three major credit bureaus.

Partner is also receiving the same notification I got, today. The impact of the breach goes beyond Corebridge. Maybe you are affected too!

If you have an Apple device (iPhone, iPad, Watch, AppleTV, Mac), please update it as soon as possible. This, as with any other security updates, I stress, must be done as soon as you can.

For iPhone/iPad, go to “Settings → General → Software Update”, and choose to install. For WatchOS, go to “Settings → General → Software Update”, and follow the instructions to upgrade. Finally, for macOS go to “System Settings → General → Software Update” (on older versions is a bit different, but you get the general idea).

“Rapid Security Responses are a new type of software release for iPhone, iPad and Mac. They deliver important security improvements between software updates – for example, improvements to the Safari web browser, the WebKit framework stack or other critical system libraries. They may also be used to mitigate some security issues more quickly, such as issues that may have been exploited or reported to exist.” — Rapid Security Responses

This is new, at least for me, and interesting. There seems to be more to gain than to lose by installing, and enabling it. Done!