So, the ‘Sign in with Apple’ feature had a significant vulnerability that’s been thankfully patched. An independent bug bounty hunter, Bhavuk Jain has posted up a detailed take on how he found the vulnerability and reported it to Apple. It’s a pretty fascinating read.

My favourite Apple Sign-In feature has been how you can choose to mask or not share your email ID with a third-party during the authentication process (bye unsolicited emails!). When the email address is hidden, Apple generates a JSON Web Token (or JWT (or JOT if you’re that guy) which is a standard to transmit claims securely between two parties) that is then used by the third-party app to authenticate the user. Bhavuk found that the payload returned by Apple included a URL accessible on Apple’s servers to which he could send just an email address (any email address) and could get authenticated without a password. Apple essentially sent back a valid authentication token that could be used with the third-party app.

This was no doubt a glaring flaw no matter how you slice it. OpenID Connect and OAuth consent flow standards exist for a reason - no matter how excellent your engineers are or how sophisticated your own spin on existing standards are, the risks of rolling your own authentication is pretty damn high.

The Australian government rolled out their contact tracing app, COVIDSafe through the Apple and Android app stores at 6 last evening. Understandably, there has been quite a bit of apprehension leading up to it but the it’s starting to sound like there might be a cautious uptake of the app among the general public given that 1 million people downloaded it in the last 12 hours. If the AFR’s readership (possibly right-leaning and more trusting of the current government) is a reliable metric, the consensus is that the app may eventually help ease restrictions in place.

A few things:

• It’s an app with a purportedly singular purpose - contact tracing. It’ll use low energy Bluetooth to exchange a handshake between two devices that are 1.5 m apart for over 15 minutes.

• The only data that’s collected are a name or pseudonym, age range and your phone number. I realize that you’ll need phone numbers to get in touch with individuals who may have spent time with a diagnosed person but having that unique identifier in the database negates any perceived benefit of using a pseudonym. An alternative would be notify people of proximity to confirmed cases through just device notifications; granted, it’ll be harder to ensure quarantine or isolation measures.

• ”Not even a court order can penetrate the law, not even a court order, or the investigation of an alleged crime would be allowed to use [the data]”.

• There’s two levels of consent to go through registration and they’re quite detailed - it’s harder to implement something stricter without sacrificing usability and uptake.

• The data store is hosted on AWS instances in ACT - assume they’ll use the same protected instances that the government already use.

• The data stored on devices is held on for rolling period of 21 days much like how you can configure browsing history deletion on Google’s My Activity page.

• It’s a bit unclear what permissions and privileges the ‘COVIDSafe Administrator’ will have but I assume quite a bit given they can delete registration data.

• The punishments for misuse of app data are quite onerous - 5 years jail time and $63,000 in fines.

• Law firm Maddocks conducted a 48 page privacy assessment and made 19 recommendations which all seem to have been accepted.

• Source code will be released over the coming days.

• Singapore’s version of the app, the source code for which has been leveraged for COVIDSafe, hasn’t quite seen the uptake you’d want for something like this. Approximately 20% of Singapore residents have downloaded the app and Australia wants at least 40% of the population to download it for it to be useful.

The debate over this has been lively and has no doubt contributed to the way the app has been rolled out - fingers crossed that every safeguard in place is meaningfully enforced.

Links:

AFR: 'Privacy by design' approach for COVIDSafe app

The Verge: Why Bluetooth apps are bad at discovering new cases of COVID-19

ITNews: Australia's COVID tracing app better than Singapore's: Health chief

The excellent Jake Wilson, who writes for The Age, has penned quite a moving essay on the loss of cinemas and the communal experience of movie-going that is especially felt now. High definition streaming really is no substitute for the tactility of sitting down on uncomfortable seats with fellow film-loving patrons.

In this sense, the cinema I’ve valued most since childhood has long been a waning cult, kept alive by a circle of devotees. If that sounds mystical, I’m not about to argue. Movie theatres are traditionally adorned like temples, and in my eyes that’s what they are, or should be: places designed for the conjuring of visions that connect us to something larger than ourselves.

Putting the technological specifics to one side, perhaps the cult of cinema isn’t so unique. All of us at present face the loss of our particular temples, where we meet in the flesh with others who dream the same dream. What these cumulative losses will mean for society remains, for now, hard to say. Soon, we will begin to find out, stuck at home with our Netflix queues and our faltering internet speeds, awaiting the moment when our city can breathe again.

Source: Temple of doom? A film critic mourns the lost cult of cinema.

Well, 2020 isn’t quite what we thought it’d be.

A colleague and I wrote a piece for KPMG’s Newsroom around managing digital identities securely especially now that a majority of knowledge workers connect remotely. The piece was meant for a broader audience but I still hope there are some tangible takeaways if you work in or lead security teams.

—————-

All of us have been taken aback by the rate at which the ongoing crisis has escalated and the public health, social and economic impact it has had on millions of people around the world. Given its unprecedented nature, organisations across industries in Australia have had their existing continuity protocols and technology stacks stress-tested at scales that were never anticipated.

Organisations would do well to revisit their Identity and Access Management (IAM) frameworks and solutions for both critical and non-critical applications especially given that it is not out of the realm of possibility that passwords across systems could be similar. With password hygiene being a prevalent issue, external users (consumer and citizen identities) with email address as credentials can fall victim to password spraying attacks that, while not particularly sophisticated, are effective.

As more people work remotely and our collective anxiety increases, it is not entirely unexpected that cyber attacks and phishing scams will exponentially increase over the coming weeks and months.

From an IAM perspective, there are a few areas that organisations could potentially look at to shore up their existing systems securely:

1. Make changes to the IAM layer

Organisations may invariably compromise on security in their network layer to ensure that their employees have access to critical and non-critical applications remotely. A secure IAM platform will act as a compensating control in such instances. Making changes to the Open Systems Interconnection (OSI) model gets increasingly difficult as we go from top to bottom and making relevant changes to the IAM layer is easier to implement while being architecturally sound.

2. Secure cloud solutions

Single Sign-On (SSO) to cloud applications will be the norm for many organisations that empower their employees to work remotely; however, convenience can come at the cost of cloud security. While MFA is by no means perfect, using it for high-risk transactions or privileged users can reduce the surface area for attacks.

3. Secure Privileged Accounts

Securing privileged accounts with MFA using software or hardware tokens is easily achievable and will go a long way in ensuring threats are minimised especially as remote-working becomes the norm for the foreseeable future.

4. Provide more self-service functions

Securing help desks will continue to prove difficult so help staff help themselves with self-service function that are secured by 2-step authentication mechanisms.

Across the board, organisations will relax their security protocols to ensure their workers have frictionless access to their accounts and applications for working remotely, which will provide new surface areas for attacks. Having established and standards-based solutions that use protocols like SAML, OAuth 2.0 and OpenID Connect may provide a sense of assurance and flexibility especially when it comes to ease of securely onboarding new applications.

Many cyber-attacks and breaches, including some high-profile ones here in Australia, go weeks or even months without being detected and there are never all encompassing fixes or answers that solve everything but standards-based approaches are a dependable way of approaching these confusing times.

Shoshana Zuboff’s ‘The Age of Surveillance Capitalism’ is just an excellent resource if you’re trying to understand exactly what it is that is at stake with the overreaching and attractively-packaged business models of products from companies like Facebook, Google, Apple and Amazon.

It is chilling and frankly, the tone of the book can come across as apocalyptic but it’s thoroughly researched and strongly argued.

”In this new regime, objectification is the moral milieu in which our lives unfold. Although Big Other can mimic intimacy through the tireless devotion of the One Voice — Amazon Alexa’s chirpy service, Google Assistant’s reminders and endless information — do not mistake these soothing sounds for anything other than the exploitation of your needs. I think of elephants, the most majestic of all mammals: Big Other poaches our behaviour for surplus and leaves behind all the meaning lodged in our bodies, our brains, and our beating hearts, not unlike the monstrous slaughter of elephants for ivory. Forget the cliche that if it’s free, “You are the product.” You are not the product; you are the abandoned carcass. The “product” derives from the surplus that is ripped from your lives.” (P 377)

…

”When I speak to my children of or an audience of young people, I try to alert them to the historically contingent nature of “the thing that has us” by calling attention to ordinary values and expectations before surveillance capitalism began its campaign of psychic numbing. “It is not OK to have to hide in your own life; it is not normal,” I tell them. “It is not OK to spend your lunchtime conversations comparing software that will camouflage you and protect you from continuous unwanted invasion.”” (P 521)

I cannot recommend the book enough - there have been some great books on Big Tech these last few years but Zuboff’s tome is just alarmist enough for people to panic.

(On a related note, during my recent trip to India and Sri Lanka, I found it quite unnerving how people have have become nonchalant so quickly about having their faces captured on phones or are willing to provide copies of their national identity cards to pretty much anyone who can get you a good deal on mobile phone SIM cards.)

Of all the things Apple announced yesterday, the most interesting one was a small feature they casually dropped - an Apple-branded SSO or their own version of a ‘social login’. While it seems similar to the Facebook or Google login buttons you see on many sites, this third-party login doesn’t share your email address with the service providers you use it to register with and goes so far as to generate and maintain separate unique alias email addresses.

The service providers get access to the relevant information they need to provide you with whatever service they offer but it’s up to you to share your name or email address. At face value, this is almost too good to be true because it shifts the locus of control to the user. In true Apple fashion, they’ve made this mandatory for developers that use third-party logins.

I’m cautiously optimistic and excited about Apple’s pivot to a privacy-conscious organisation but as with all these things, the detail is in the fine print.

There have been some great books these last few years that I’ve finally managed to get around to. Here are some of my favourites so far.

Eating Animals by Jonathan Safron Foer - Ever since we got a dog, I’ve been somewhat queasy about eating meat, especially the four-legged variety. While the book can put off the more avid meat-eaters among us, there are some compellingly documented reasons to be wary of of factory farming, the cruelty it inflicts on animals and it’s impact on the environment. There’s an interesting counterpoint to ‘nature is cruel’ argument as well that I found particularly insightful. If anything, the book has been directly responsible for me giving up KFC and staying away from lamb, beef and pork over the last few months.

The People vs Tech by Jamie Bartlett - Technology giants are an easy target and writing about evil algorithms and smartphone addiction is in vogue and lucrative; however, the point needs to be hammered home. I found Bartlett’s book a bit too on-the-nose but still riveting - he paints a picture of how we got here and how our reverence for technology has blinded us to it’s impact on democracy. It’s bleak and provides little hope much like another book I read this year.

The Uninhabitable Earth by David Wallace Wells - This is both one of the best and worst books I’ve read in the last few years. Wells paints a bleak picture of the horrors of climate change and how we’re programmed to ignore slow decimation. He tackles the unfairness of climate change - the countries that shoulder the most ‘climate guilt’ will see the least impact and the best case scenario that he (and the IPCC) paints isn’t ideal - a 2.5 degrees increase is still catastrophic - but the worst case scenario is downright depressing. There are some optimistic takeaways but they’re mostly relegated to the last few pages. I’d say this was essential reading especially for those that believe the invisible hand of the market or increased awareness will save us.

Exhalation by Ted Chiang - Chiang returns with a book of science fiction short stories (following Stories of Your Life) that are entertaining and mind-expanding. There are some genuinely excellent stories here especially, ‘The Lifecycle of Software Objects’ and ‘Anxiety is the Dizziness of Feeling’.

The Overstory by Richard Powers - This book is full of such rich detail, especially the first half where it paints elaborate portraits of its varied protagonists. As with most books I’ve read this year, the environment and our impact on it is a major theme.

While sifting through Airbnb for our upcoming honeymoon, we noticed that apartments in Tokyo and Kyoto looked noticeably similar to the ones we've stayed at in Australia and even, Hawaii. You're also likely to notice that with local cafes and restaurants - exposed walls, raw wood tables and brushed ceramic cups. The Verge has a surprisingly insightful piece on the phenomenon.

"As an affluent, self-selecting group of people move through spaces linked by technology, particular sensibilities spread, and these small pockets of geography grow to resemble one another, as Schwarzmann discovered: the coffee roaster Four Barrel in San Francisco looks like the Australian Toby’s Estate in Brooklyn looks like The Coffee Collective in Copenhagen looks like Bear Pond Espresso in Tokyo. You can get a dry cortado with perfect latte art at any of them, then Instagram it on a marble countertop and further spread the aesthetic to your followers."

(...)

"The connective emotional grid of social media platforms is what drives the impression of AirSpace. If taste is globalized, then the logical endpoint is a world in which aesthetic diversity decreases. It resembles a kind of gentrification: one that happens concurrently across global urban centers. Just as a gentrifying neighborhood starts to look less diverse as buildings are renovated and storefronts replaced, so economically similar urban areas around the world might increasingly resemble each other and become interchangeable."