www-commits

www/proprietary all.html malware-appliances.htm...


From: Therese Godefroy
Subject: www/proprietary all.html malware-appliances.htm...
Date: Tue, 20 Sep 2022 05:14:15 -0400 (EDT)

CVSROOT:        /webcvs/www
Module name:    www
Changes by:     Therese Godefroy <th_g> 22/09/20 05:14:15

Modified files:
        proprietary    : all.html malware-appliances.html 
                         malware-mobiles.html 
                         proprietary-insecurity.html proprietary.html 
        proprietary/workshop: mal.rec 

Log message:
        TikTok app on iOS tracks all browsing (www-discuss 2022-09-14).

CVSWeb URLs:
http://web.cvs.savannah.gnu.org/viewcvs/www/proprietary/all.html?cvsroot=www&r1=1.125&r2=1.126
http://web.cvs.savannah.gnu.org/viewcvs/www/proprietary/malware-appliances.html?cvsroot=www&r1=1.126&r2=1.127
http://web.cvs.savannah.gnu.org/viewcvs/www/proprietary/malware-mobiles.html?cvsroot=www&r1=1.176&r2=1.177
http://web.cvs.savannah.gnu.org/viewcvs/www/proprietary/proprietary-insecurity.html?cvsroot=www&r1=1.199&r2=1.200
http://web.cvs.savannah.gnu.org/viewcvs/www/proprietary/proprietary.html?cvsroot=www&r1=1.445&r2=1.446
http://web.cvs.savannah.gnu.org/viewcvs/www/proprietary/workshop/mal.rec?cvsroot=www&r1=1.465&r2=1.466

Patches:
Index: all.html
===================================================================
RCS file: /webcvs/www/www/proprietary/all.html,v
retrieving revision 1.125
retrieving revision 1.126
diff -u -b -r1.125 -r1.126
--- all.html    14 Sep 2022 13:30:29 -0000      1.125
+++ all.html    20 Sep 2022 09:14:12 -0000      1.126
@@ -50,6 +50,33 @@
   to detect once installed...</a></strong></p>
 
 <ul class="blurbs">
+<!--#set var='ADD' value='2022-09-20' --><!--#set var='PUB' value='2022-08-24' 
--><li><small class='date-tag'>Added: <span class="gnun-split"></span><!--#echo 
encoding='none' var='ADD' --><span class="gnun-split"></span> &mdash; Latest 
reference: <span class="gnun-split"></span><!--#echo encoding='none' var='PUB' 
--></small>
+    <p>A security researcher found that the iOS in-app browser of TikTok <a
+    
href="https://www.theguardian.com/technology/2022/aug/24/tiktok-can-track-users-every-tap-as-they-visit-other-sites-through-ios-app-new-research-shows";>
+    injects keylogger-like JavaScript code into outside web pages</a>. This
+    code has the ability to track all users' activities, and to
+    retrieve any personal data that is entered on the pages. We have
+    no way of verifying TikTok's claim that the keylogger-like code
+    only serves purely technical functions. Some of the accessed data
+    could well be saved to the company's servers, and even shared with
+    third parties. This would open the door to extensive surveillance,
+    including by the Chinese government (to which TikTok has indirect
+    ties). There is also a risk that the data would be stolen by crackers,
+    and used to launch malware attacks.</p>
+
+    <p>The iOS in-app browsers of Instagram and Facebook
+    behave essentially the same way as TikTok's. The main
+    difference is that Instagram and Facebook allow users
+    to access third-party sites with their default browser, whereas <a
+    
href="https://www.reddit.com/r/Tiktokhelp/comments/jlep5d/how_do_i_make_urls_open_in_my_browser_instead_of/";>
+    TikTok makes it nearly impossible</a>.</p>
+
+    <p>The researcher didn't study the Android versions of in-app
+    browsers, but we have no reason to assume they are safer than the
+    iOS versions.<p><small>Please note that the article wrongly refers
+    to crackers as &ldquo;hackers.&rdquo;</small></p>
+  </li>
+
 <!--#set var='ADD' value='2022-09-14' --><!--#set var='PUB' value='2022-08-07' 
--><li><small class='date-tag'>Added: <span class="gnun-split"></span><!--#echo 
encoding='none' var='ADD' --><span class="gnun-split"></span> &mdash; Latest 
reference: <span class="gnun-split"></span><!--#echo encoding='none' var='PUB' 
--></small>
     <p>Some Epson printers are programmed to <a
     
href="https://hardware.slashdot.org/story/22/08/07/0350244/epson-programs-some-printers-to-stop-operating-claiming-danger-of-ink-spills";>
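Review bot: In the third added paragraph, "iOS versions.<p><small>Please note" opens a second <p> while the paragraph that starts at "The researcher didn't study" is never closed, so the item ends with one </p> for two <p>. Close the first paragraph explicitly ("iOS versions.</p>") and start the "<p><small>" note on its own line, as the other paragraphs of this item do. The same text is added to malware-mobiles.html, proprietary-insecurity.html, proprietary.html and workshop/mal.rec in this commit, so the correction applies to each copy.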
@@ -2841,7 +2868,7 @@
 
 <p class="unprintable">Updated:
 <!-- timestamp start -->
-$Date: 2022/09/14 13:30:29 $
+$Date: 2022/09/20 09:14:12 $
 <!-- timestamp end -->
 </p>
 </div>

Index: malware-appliances.html
===================================================================
RCS file: /webcvs/www/www/proprietary/malware-appliances.html,v
retrieving revision 1.126
retrieving revision 1.127
diff -u -b -r1.126 -r1.127
--- malware-appliances.html     14 Sep 2022 13:30:29 -0000      1.126
+++ malware-appliances.html     20 Sep 2022 09:14:12 -0000      1.127
@@ -59,6 +59,66 @@
 <div class="column-limit" id="malware-appliances"></div>
 
 <ul class="blurbs">
+  <li id="M202209000">
+    <!--#set var="DATE" value='<small class="date-tag">2022-09</small>'
+    --><!--#echo encoding="none" var="DATE" -->
+    <p><a hreflang="ja"
+    href="https://ja.wikipedia.org/wiki/B-CAS";>B-CAS</a> <a
+    href="#f1">[1]</a> is the digital restrictions management (DRM) system
+    used by Japanese TV broadcasters, including state-run TV. It is sold
+    by the B-CAS company, which has a de-facto monopoly on it. Initially
+    intended for pay-TV, its use was extended to digital free-to-air
+    broadcasting as a means to enforce restrictions on copyrighted
+    works. No exception is made for works that can be freely redistributed,
+    so they are encrypted too.</p>
+
+    <p>Beside implementing drastic copying and viewing restrictions,
+    B-CAS gives the broadcaster full power over users, through back doors
+    among other means. For example:</p>
+
+    <ul>
+      <li>It can force messages to the user's TV screen, and the user
+      can't turn them off.</li>
+
+      <li>It can force updates, even if the TV is disconnected from the
+      internet or turned off (but still plugged into an outlet). This can
+      be abused for information control policies that disable stored TV
+      programs, thus interfering with free speech.</li>
+
+      <li>It can collect viewing information and share it with other
+      companies to take surveys. Until 2011, this data was not anonymous
+      because user registration was required. We don't know whether the
+      personal information thus collected was deleted from the company's
+      servers.</li>
+
+      <li>As the export of B-CAS cards is illegal, travelers and
+      foreigners are deprived of a valuable source of information about
+      what happens in Japan.</li>
+
+      <li>On the client side, the DRM is typically implemented by a card
+      that plugs into a compatible receiver, or alternatively by a tuner
+      card that plugs into a computer. Since the software in receivers is
+      nonfree, and tuner cards are designed for either Windows or MacOS,
+      free-software advocates can't watch Japanese TV.</li>
+    </ul>
+
+    <p>These unacceptable restrictions led to a sort of cat-and-mouse game,
+    with some users doing their best to bypass the system, and
+    broadcasters trying to stop them without much success: cryptographic
+    keys were retrieved through the back door of the B-CAS card, illegal
+    cards were made and sold on the black market, as well as a tuner for
+    PC that disables the copy control signal.</p>
+
+    <p>In modern high definition TV sets, the card is replaced with a chip
+    that is built into the receiver, on the assumption that this chip will
+    be tamper-resistant. Time will tell&hellip;</p>
+
+    <p id="f1"><small>[1] This article is in Japanese. We thank the
+    Japanese free software supporter who translated it, and shared his
+    experience with us. Unfortunately, the Wikipedia article presents DRM
+    as a good thing.</small></p>
+  </li>
+
   <li id="M202208070">
     <!--#set var="DATE" value='<small class="date-tag">2022-08</small>'
     --><!--#echo encoding="none" var="DATE" -->
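Review bot: The log message mentions only the TikTok item, but this hunk adds a separate B-CAS item (id M202209000), and the mal.rec diff in the same commit contains no matching record; either mention B-CAS in the log or commit it separately together with its record. In the text, the list is introduced as examples of the broadcaster's power over users "through back doors among other means", yet the last two bullets (export of cards being illegal, nonfree receiver software and Windows/MacOS-only tuner cards) describe other harms and would read better as a paragraph after the list. The technical claims (forced updates while the TV is turned off, keys retrieved through the back door of the card) rest on a single reference, the Japanese Wikipedia article; a second source would help readers who can't read it. Minor: "Beside implementing" should be "Besides implementing".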
@@ -1328,7 +1388,7 @@
 
 <p class="unprintable">Updated:
 <!-- timestamp start -->
-$Date: 2022/09/14 13:30:29 $
+$Date: 2022/09/20 09:14:12 $
 <!-- timestamp end -->
 </p>
 </div>

Index: malware-mobiles.html
===================================================================
RCS file: /webcvs/www/www/proprietary/malware-mobiles.html,v
retrieving revision 1.176
retrieving revision 1.177
diff -u -b -r1.176 -r1.177
--- malware-mobiles.html        13 Sep 2022 15:39:44 -0000      1.176
+++ malware-mobiles.html        20 Sep 2022 09:14:12 -0000      1.177
@@ -354,6 +354,35 @@
   bugs.</p>
 
 <ul class="blurbs">
+  <li id="M202208240">
+    <!--#set var="DATE" value='<small class="date-tag">2022-08</small>'
+    --><!--#echo encoding="none" var="DATE" -->
+    <p>A security researcher found that the iOS in-app browser of TikTok <a
+    
href="https://www.theguardian.com/technology/2022/aug/24/tiktok-can-track-users-every-tap-as-they-visit-other-sites-through-ios-app-new-research-shows";>
+    injects keylogger-like JavaScript code into outside web pages</a>. This
+    code has the ability to track all users' activities, and to
+    retrieve any personal data that is entered on the pages. We have
+    no way of verifying TikTok's claim that the keylogger-like code
+    only serves purely technical functions. Some of the accessed data
+    could well be saved to the company's servers, and even shared with
+    third parties. This would open the door to extensive surveillance,
+    including by the Chinese government (to which TikTok has indirect
+    ties). There is also a risk that the data would be stolen by crackers,
+    and used to launch malware attacks.</p>
+
+    <p>The iOS in-app browsers of Instagram and Facebook
+    behave essentially the same way as TikTok's. The main
+    difference is that Instagram and Facebook allow users
+    to access third-party sites with their default browser, whereas <a
+    
href="https://www.reddit.com/r/Tiktokhelp/comments/jlep5d/how_do_i_make_urls_open_in_my_browser_instead_of/";>
+    TikTok makes it nearly impossible</a>.</p>
+
+    <p>The researcher didn't study the Android versions of in-app
+    browsers, but we have no reason to assume they are safer than the
+    iOS versions.<p><small>Please note that the article wrongly refers
+    to crackers as &ldquo;hackers.&rdquo;</small></p>
+  </li>
+
   <li id="M201908020">
     <!--#set var="DATE" value='<small class="date-tag">2019-08</small>'
     --><!--#echo encoding="none" var="DATE" -->
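Review bot: Two wording points in the first added paragraph: "track all users' activities" reads as "the activities of all users", while the sentence seems to mean everything a user does on the page, so "track all of the user's activities" would be clearer; and "only serves purely technical functions" is redundant, "serves purely technical functions" says the same. The unclosed <p> before "<p><small>Please note" is present in this copy as well.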
@@ -1677,7 +1706,7 @@
 
 <p class="unprintable">Updated:
 <!-- timestamp start -->
-$Date: 2022/09/13 15:39:44 $
+$Date: 2022/09/20 09:14:12 $
 <!-- timestamp end -->
 </p>
 </div>

Index: proprietary-insecurity.html
===================================================================
RCS file: /webcvs/www/www/proprietary/proprietary-insecurity.html,v
retrieving revision 1.199
retrieving revision 1.200
diff -u -b -r1.199 -r1.200
--- proprietary-insecurity.html 22 Aug 2022 15:07:27 -0000      1.199
+++ proprietary-insecurity.html 20 Sep 2022 09:14:13 -0000      1.200
@@ -113,6 +113,35 @@
 <div class="column-limit" id="proprietary-insecurity"></div>
 
 <ul class="blurbs">
+  <li id="M202208240">
+    <!--#set var="DATE" value='<small class="date-tag">2022-08</small>'
+    --><!--#echo encoding="none" var="DATE" -->
+    <p>A security researcher found that the iOS in-app browser of TikTok <a
+    
href="https://www.theguardian.com/technology/2022/aug/24/tiktok-can-track-users-every-tap-as-they-visit-other-sites-through-ios-app-new-research-shows";>
+    injects keylogger-like JavaScript code into outside web pages</a>. This
+    code has the ability to track all users' activities, and to
+    retrieve any personal data that is entered on the pages. We have
+    no way of verifying TikTok's claim that the keylogger-like code
+    only serves purely technical functions. Some of the accessed data
+    could well be saved to the company's servers, and even shared with
+    third parties. This would open the door to extensive surveillance,
+    including by the Chinese government (to which TikTok has indirect
+    ties). There is also a risk that the data would be stolen by crackers,
+    and used to launch malware attacks.</p>
+
+    <p>The iOS in-app browsers of Instagram and Facebook
+    behave essentially the same way as TikTok's. The main
+    difference is that Instagram and Facebook allow users
+    to access third-party sites with their default browser, whereas <a
+    
href="https://www.reddit.com/r/Tiktokhelp/comments/jlep5d/how_do_i_make_urls_open_in_my_browser_instead_of/";>
+    TikTok makes it nearly impossible</a>.</p>
+
+    <p>The researcher didn't study the Android versions of in-app
+    browsers, but we have no reason to assume they are safer than the
+    iOS versions.<p><small>Please note that the article wrongly refers
+    to crackers as &ldquo;hackers.&rdquo;</small></p>
+  </li>
+
   <li id="M202202090">
     <!--#set var="DATE" value='<small class="date-tag">2022-02</small>'
     --><!--#echo encoding="none" var="DATE" -->
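Review bot: On a page about insecurity, the added blurb mostly describes code that the app vendor injects on purpose; the only link to insecurity is the last sentence of the first paragraph ("There is also a risk that the data would be stolen by crackers"). Consider stating that connection earlier in the item, for instance by saying that data collected and stored this way becomes a target for theft, so that readers of this page see why the item is listed here.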
@@ -1286,7 +1315,7 @@
 
 <p class="unprintable">Updated:
 <!-- timestamp start -->
-$Date: 2022/08/22 15:07:27 $
+$Date: 2022/09/20 09:14:13 $
 <!-- timestamp end -->
 </p>
 </div>

Index: proprietary.html
===================================================================
RCS file: /webcvs/www/www/proprietary/proprietary.html,v
retrieving revision 1.445
retrieving revision 1.446
diff -u -b -r1.445 -r1.446
--- proprietary.html    14 Sep 2022 13:30:29 -0000      1.445
+++ proprietary.html    20 Sep 2022 09:14:13 -0000      1.446
@@ -96,8 +96,8 @@
 <hr class="thin" />
 </div>
 
-<p>As of August, 2022, the pages in this directory list around 550
-instances of malicious functionalities (with more than 660 references to
+<p>As of September, 2022, the pages in this directory list around 550
+instances of malicious functionalities (with more than 670 references to
 back them up), but there are surely thousands more we don't know about.</p>
 
 <p>If you want to be notified when we add new items or make other changes,
@@ -197,6 +197,35 @@
   to detect once installed...</a></strong></p>
 
 <ul class="blurbs">
+  <li id="M202208240">
+    <!--#set var="DATE" value='<small class="date-tag">2022-08</small>'
+    --><!--#echo encoding="none" var="DATE" -->
+    <p>A security researcher found that the iOS in-app browser of TikTok <a
+    
href="https://www.theguardian.com/technology/2022/aug/24/tiktok-can-track-users-every-tap-as-they-visit-other-sites-through-ios-app-new-research-shows";>
+    injects keylogger-like JavaScript code into outside web pages</a>. This
+    code has the ability to track all users' activities, and to
+    retrieve any personal data that is entered on the pages. We have
+    no way of verifying TikTok's claim that the keylogger-like code
+    only serves purely technical functions. Some of the accessed data
+    could well be saved to the company's servers, and even shared with
+    third parties. This would open the door to extensive surveillance,
+    including by the Chinese government (to which TikTok has indirect
+    ties). There is also a risk that the data would be stolen by crackers,
+    and used to launch malware attacks.</p>
+
+    <p>The iOS in-app browsers of Instagram and Facebook
+    behave essentially the same way as TikTok's. The main
+    difference is that Instagram and Facebook allow users
+    to access third-party sites with their default browser, whereas <a
+    
href="https://www.reddit.com/r/Tiktokhelp/comments/jlep5d/how_do_i_make_urls_open_in_my_browser_instead_of/";>
+    TikTok makes it nearly impossible</a>.</p>
+
+    <p>The researcher didn't study the Android versions of in-app
+    browsers, but we have no reason to assume they are safer than the
+    iOS versions.<p><small>Please note that the article wrongly refers
+    to crackers as &ldquo;hackers.&rdquo;</small></p>
+  </li>
+
   <li id="M202208070">
     <!--#set var="DATE" value='<small class="date-tag">2022-08</small>'
     --><!--#echo encoding="none" var="DATE" -->
@@ -254,14 +283,6 @@
     <p>Those companies know that snoop-phone usage trains people to say
     yes to almost any snooping.</p>
   </li>
-
-  <li id="M202006110">
-    <!--#set var="DATE" value='<small class="date-tag">2020-06</small>'
-    --><!--#echo encoding="none" var="DATE" -->
-    <p>Network location tracking is used, among other techniques, for <a
-    
href="https://www.linkedin.com/pulse/location-based-advertising-has-starbucks-coupon-finally-john-craig";>
-    targeted advertising</a>.</p>
-  </li>
 </ul>
 <p class="button right-align">
 <a href="/proprietary/all.html">More items&hellip;</a></p>
@@ -324,7 +345,7 @@
 
 <p class="unprintable">Updated:
 <!-- timestamp start -->
-$Date: 2022/09/14 13:30:29 $
+$Date: 2022/09/20 09:14:13 $
 <!-- timestamp end -->
 </p>
 </div>

Index: workshop/mal.rec
===================================================================
RCS file: /webcvs/www/www/proprietary/workshop/mal.rec,v
retrieving revision 1.465
retrieving revision 1.466
diff -u -b -r1.465 -r1.466
--- workshop/mal.rec    14 Sep 2022 13:30:28 -0000      1.465
+++ workshop/mal.rec    20 Sep 2022 09:14:15 -0000      1.466
@@ -24,6 +24,39 @@
 ####    Please don't remove the blank line after this marker!    ####
 # ADD NEW BLURB HERE
 
+Added: 2022-09-20
+Id: 202208240
+RT: www-discuss 2022-09-14 (TikTok app on iOS tracks all browsing)
+PubDate: 2022-08-18
+PubDate: 2020-10-31
+Target: malware-mobiles.html insecurity
+Target: proprietary-insecurity.html proprietary-insecurity
+Keywords:
+Blurb: <p>A security researcher found that the iOS in-app browser of TikTok <a
++   
href="https://www.theguardian.com/technology/2022/aug/24/tiktok-can-track-users-every-tap-as-they-visit-other-sites-through-ios-app-new-research-shows";>
++   injects keylogger-like JavaScript code into outside web pages</a>. This
++   code has the ability to track all users' activities, and to
++   retrieve any personal data that is entered on the pages. We have
++   no way of verifying TikTok's claim that the keylogger-like code
++   only serves purely technical functions. Some of the accessed data
++   could well be saved to the company's servers, and even shared with
++   third parties. This would open the door to extensive surveillance,
++   including by the Chinese government (to which TikTok has indirect
++   ties). There is also a risk that the data would be stolen by crackers,
++   and used to launch malware attacks.</p>
++
++   <p>The iOS in-app browsers of Instagram and Facebook
++   behave essentially the same way as TikTok's. The main
++   difference is that Instagram and Facebook allow users
++   to access third-party sites with their default browser, whereas <a
++   
href="https://www.reddit.com/r/Tiktokhelp/comments/jlep5d/how_do_i_make_urls_open_in_my_browser_instead_of/";>
++   TikTok makes it nearly impossible</a>.</p>
++
++   <p>The researcher didn't study the Android versions of in-app
++   browsers, but we have no reason to assume they are safer than the
++   iOS versions.<p><small>Please note that the article wrongly refers
++   to crackers as &ldquo;hackers.&rdquo;</small></p>
+
 Added: 2022-09-14
 Id: 202204140
 RT: www-discuss 2022-04-22 (No more "dumb TVs")
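Review bot: The new record has "PubDate: 2022-08-18", but its Id is 202208240, the Guardian URL in the blurb is dated 2022/aug/24, and the all.html hunk of this commit sets PUB to '2022-08-24'. Please make the PubDate agree with the reference that is actually linked, or add the reference published on 2022-08-18 to the blurb. The Blurb field also carries the unclosed <p> before "<p><small>Please note", so correcting it here keeps the record consistent with the HTML copies.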
