Apple Addresses iOS 'Backdoor' Concerns by Outlining Legitimate Uses for Targeted Services

by News on July 23, 2014, no comments

By Eric Slivka

Earlier this week, forensic expert Jonathan Zdziarski attracted attention for his disclosures of what appeared to be “backdoors” in iOS that could allow for covert data collection of users’ information from their devices. While Apple issued a statement denying that anything nefarious was involved, the company has now posted a new support document (via Cabel Sasser) offering a limited description of the three services highlighted in Zdziarski’s talk.

Each of these diagnostic capabilities requires the user to have unlocked their device and agreed to trust another computer. Any data transmitted between the iOS device and trusted computer is encrypted with keys not shared with Apple. For users who have enabled iTunes Wi-Fi Sync on a trusted computer, these services may also be accessed wirelessly by that computer.

The three processes include:

com.apple.mobile.pcapd: Diagnostic packet capture to a trusted computer, used for diagnosing app issues and enterprise VPN connection problems.

com.apple.mobile.file_relay: Used on internal devices and can be accessed (with user permission) by AppleCare for diagnostic purposes on the user’s device.

com.apple.mobile.house_arrest: Used by iTunes for document transfer and by Xcode during app development and testing.

Security experts will undoubtedly have additional questions about just how these services work and whether there are better and more secure ways of accomplishing the tasks they handle. At the very least, however, today’s disclosure demonstrates a willingness by Apple to share information about the legitimate need for these services and should help quell unsupported speculation that Apple has worked with security agencies to implement these tools to allow for covert surveillance.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Read more here: MacRumors

    

This free mod makes Watch Dogs look more gorgeous than ever before

by News on July 23, 2014, no comments

By Jacob Siegal

Watch Dogs is one of the best games of the year and a decent showcase title for the new generation consoles, but it still doesn’t stand up to the seemingly professionally doctored demo from E3 2012. What we saw two years ago was a game that looked more stunning than just about anything else on the market — the reality wasn’t quite as impressive. Now, just two months after the game’s release, PC modder Federico Rojas (aka TheWorst) has released the final version of his graphics mod for Watch Dogs on the PC, bringing the retail release up to speed with the pipe dream from the original demo.

Read more here: BoyGeniusReport

    

White House Website Includes Unique Non-Cookie Tracker, Conflicts With Privacy Policy

by News on July 23, 2014, no comments

By Kurt Opsahl and Peter Eckersley

Yesterday, ProPublica reported on new research by a team at KU Leuven and Princeton on canvas fingerprinting. One of the most intrusive users of the technology is a company called AddThis, which is employing it in “shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.” Canvas fingerprinting allows sites to get even more identifying information than we had previously warned about with our Panopticlick fingerprinting experiment.

Canvas fingerprinting exploits the fact that different browsers have slightly different algorithms, parameters, and hardware for turning text into pictures on your screen (or more specifically, into an HTML 5 canvas object that the tracker can read). According to the research by Gunes Acar, et al., AddThis draws a hidden image containing the unusual phrase “Cwm fjordbank glyphs vext quiz” and observes how the pixels turn out differently on different systems.

While YouPorn quickly removed AddThis after the report was published, the White House website still contains AddThis code. Some White House pages obviously include the AddThis button, such as the White House Blog, and a link to the AddThis privacy policy.

Others, like the White House’s own Privacy Policy, load JavaScript from AddThis, but do not otherwise indicate that AddThis is present. To pick the most ironic example, if you go to the page for the White House policy for third-party cookies, it loads the “addthis_widget.js.” This script, in turn, references “core143.js,” which has a “canvas” function and the tell-tale “Cwm fjordbank glyphs vext quiz” phrase.
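The indicators described above (a canvas routine plus the tell-tale phrase) can be checked for in any script's source. The following is an added example, not code from the original article, the researchers, or AddThis; the `scanScript` heuristic, the sample scripts and their file names are constructed for illustration.

```javascript
// Static heuristic for canvas-fingerprinting code in a script's source text.
// Assumption: plain method-call syntax; bracket access such as c["toDataURL"]()
// in heavily obfuscated code would need a real parser or runtime hooks.
const PANGRAM = "Cwm fjordbank glyphs vext quiz"; // phrase named in the article

const SIGNALS = {
  usesCanvas: /createElement\(\s*["']canvas["']\s*\)|getContext\(\s*["']2d["']\s*\)/,
  drawsText: /\.(fillText|strokeText)\s*\(/,
  readsPixels: /\.(toDataURL|getImageData)\s*\(/,
};

function scanScript(name, source) {
  const hits = {};
  for (const [key, re] of Object.entries(SIGNALS)) hits[key] = re.test(source);
  hits.pangram = source.includes(PANGRAM);
  // Rendering text and then reading the pixels back is the fingerprinting
  // pattern; either half alone is ordinary canvas use (charts, image export).
  const writeThenRead = hits.usesCanvas && hits.drawsText && hits.readsPixels;
  let verdict = "clean";
  if (writeThenRead) verdict = "likely-fingerprinting";
  else if (hits.pangram) verdict = "suspicious";
  return { name, verdict, hits };
}

// Constructed sample sources (not taken from any real site).
const SAMPLES = {
  "tracker.js":
    'var c=document.createElement("canvas");var x=c.getContext("2d");' +
    'x.fillText("Cwm fjordbank glyphs vext quiz",2,15);send(hash(c.toDataURL()));',
  "chart.js":
    'var x=el.getContext("2d");x.fillText("Q3 revenue",10,10);x.fillRect(0,0,5,9);',
  "export.js":
    'var c=document.createElement("canvas");c.getContext("2d").drawImage(img,0,0);' +
    'save(c.toDataURL("image/jpeg"));',
};

function scanAll(samples) {
  return Object.entries(samples).map(([name, src]) => scanScript(name, src));
}

console.log(scanAll(SAMPLES).map((r) => `${r.name}: ${r.verdict}`).join("\n"));
```

The chart and export samples show why the phrase or a single canvas call is not enough on its own: only the script that both draws text and reads the rendered pixels back is flagged.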

The White House cookie policy notes that, “as of April 18, 2014, content or functionality from the following third parties may be present on some WhiteHouse.gov pages,” listing AddThis. While it does not identify which pages, we have yet to find one without AddThis, whether open or hidden.

On the same page that is loading the AddThis scripts, the White House third-party cookie policy makes a promise: “We do not knowingly use third-party tools that place a multi-session cookie prior to the user interacting with the tool.” There is no indication that the White House knew about this function before yesterday’s report.

Nevertheless, the canvas fingerprint goes against the White House policy. It may not be a traditional cookie, but it fills the same function as a multi-session cookie, allowing the tracking of unique computers across the web. While the AddThis privacy policy does not mention the canvas fingerprint by that name, it notes that it sometimes places “web beacons” on pages, which would load prior to the user interacting with the AddThis button.

The main distinction is that the canvas fingerprint can’t be blocked by cookie management techniques, or erased with your other cookies. This is inconsistent with the White House’s promise that “Visitors can control aspects of website measurement and customization technologies used on WhiteHouse.gov.” The website’s How To instructions are no help, because they are limited to traditional cookies and flash cookies. AddThis’ opt out is no more helpful, as it only prevents targeting, not tracking: “The opt-out cookie tells us not to use your information for delivering relevant online advertisements.”

The White House is far from alone. According to the researchers, over 5,000 sites include the canvas fingerprinting, with the vast majority from AddThis.

What You Can Do to Protect Yourself From Canvas

Fortunately, some solutions are available. You can block trackers like AddThis using an algorithmic tool such as EFF’s Privacy Badger, or a list-based one like Disconnect. Or if you’re a fairly knowledgeable user and are willing to do some extra work, you can use a manually controlled script blocker such as NoScript to only run JavaScript from domains you trust.

Read more here: Electronic Frontier Foundation

    

Netflix will attack six European markets this September

by News on July 23, 2014, no comments

By Chris Smith

It’s no secret that Netflix is to expand in additional European markets this year, but the company has never offered an exact rollout plan for the new countries it wants to conquer. Fortunately, in a new letter to shareholders spotted by Android Police, Netflix confirmed that its European presence will see a significant increase in September, when the movie streaming service will reach six new markets.

Read more here: BoyGeniusReport

    

iOS 8 and OS X Yosemite May Launch Separately Despite Integration Features

by News on July 23, 2014, no comments

By Husain Sumra

While iOS and Mac OS X have traditionally followed different release schedules, Apple’s recently announced Continuity features suggested it was possible for Apple’s two operating systems to debut at the same time. However, Apple is planning to stagger the releases of both iOS 8 and Mac OS X Yosemite, reports 9to5Mac, citing sources with knowledge of Apple’s plans.

iOS 8 is expected to launch in September alongside the iPhone 6 while OS X Yosemite will not launch until October. Apple used the same release schedule last year, launching iOS 7 alongside the iPhone 5s in September and OS X Mavericks one month later in October.

Continuity allows users to work seamlessly between iPhone, iPad and Mac, with the ability to start emails on one device and easily finish them on another, or to use Macs and iPads to answer phone calls and “green bubble” text messages. Because iOS and OS X have never been designed to work better together than with iOS 8 and OS X Yosemite, many saw a dual release as a good opportunity for Apple to cross-promote both its iOS devices and Macs with a stand-out new feature like Continuity.

Apple is planning on using engineering and user interface design members from the iOS team to help complete OS X Yosemite in time for a fall release, with a public beta planned as early as later this month.

Read more here: MacRumors