Secrecy, privacy, security, intrusion

“Has been exploited”.

Debugging registers or

Note: (old news 23 June 2023) ARNnet.

No need to speculate further or raise alarm unnecessarily, except to alert those who may not have updated their Apple devices in the prior 6 months.

Hopefully answers:

The hack, and it is quite a sophisticated and technically difficult one, appears to have been done with insider knowledge. The process had to follow non-disclosed memory locations in a very specific order (including jump backs) and calls that would not be obvious unless the users had been primed already to those steps. It could have come about accidentally, but as it is so technical it would seem to be very unlikely a chance happenstance. What it did was take control of the device and keep control, totally without the owner having any alert that the phone was a zombie. The only way to avoid it was to make the phone a dumb phone with no telemetry at all to the net. MacOS has the same holes.

Is it possible to issue a patch? Yes it is. Apple have already patched the first memory locations necessary for the hack to work into a table with a DENY entry. Without those locations the pathway does not exist. The problem is that Apple can issue a new patch that removes those entries and re-enables the pathway. These locations are built into the hardware, the CPU, so it requires a re-build of the CPU to totally remove the vulnerability.

What is being asked by the discoverers is whether this was an innocent mistake or was it intentionally built in and supplied to NSA or similar as a very obscure backdoor. Now discovery has made it obvious and something that will now be looked for, no longer obscure so no longer of use (until it is forgotten)… that may be the angle some are looking at as the reasoning for the patch and the holes.

2 Likes

To note:

In a blog post, Kaspersky explained that “the attack started with an invisible iMessage, which contained a malicious attachment that was processed without the user’s knowledge” and “did not require any actions from the user”.

Does turning off iMessage also offer a strategy to block the exploit infiltrating a device?

According to ARN linked in my previous post,

The campaign used two zero-click iMessage exploits and compromises without any user interactions based on a pair of bugs respectively in the kernel and Webkit.

The same article includes details of the Apple OS updates patched to block that step in the exploit chain.

1 Like

Turning off iMessage only stops the unseen steps that introduce the hack; it seems that there may have been a number of possible initial attack vectors, with some not being so “invisible”. Even the Safari hack was invisible to the user of the device; that could have been achieved by malicious coding in a drive-by of a coded page. The iMessage just ensured that the device that they wanted to target was captured and not millions of others that they would need to sift through.

3 Likes

In December a news article advised that TikTok is being investigated by the Information Commissioner over mass breaches of privacy and siphoning and scraping of personal details of users and non-users of the product.

It is disclosed that the use of tracking pixels is the method being used. A link to a discussion about tracking pixels, for those who may be interested, can be found at https://en.ryte.com/wiki/Tracking_Pixel

It will be interesting to see what action, if any, evolves out of the investigation.

3 Likes

Don’t just assume you’re not being tracked if you use a Chrome ‘private’ (aka ‘incognito’) window …

The private window prevents other users of the same machine from seeing your details, but (of itself) it doesn’t block tracking. Chrome is now supposed to tell you about this when you open a private window.

On the topic of tracking, your device’s microphone can hear ultrasound (and you can’t). Be careful which apps you allow to have microphone access:

5 Likes

A link to a post in the topic about data breaches which references a malware setup that could infect visitors to sites and would be hard to detect and remove. The initial para in the post is a bit biblical as it was a reply to a prior post :smile:, so you will need to follow the link to see the detail about the article on the malware. The link after that is to the company that has more detail on how the malware is used.

1 Like

Two articles that raise security concerns over privacy policies and on-going data collection, and that look closely at car data collection. Many privacy policies seem not to be really about protecting our privacy, but instead are about giving permission for businesses and Governments to have largely unfettered collection rights.

The first The New Daily item was from October 2023.

The second The New Daily article refers to CHOICE and their call about the data collection, and again it looks at Toyota as an example of this collection and sharing of personal data.

Thank you CHOICE for further raising this issue.

For members of the Community and visitors do you own a Toyota?

Were you aware of the extent of the collection and sharing by Toyota?

If you own another manufacturer’s brand of vehicle do you have any idea of their privacy policy?

Do you know what the manufacturer collects and shares about you?

Feel free to leave your comments in response! (remember to remain civil)

3 Likes

We own two Mitsubishi Magnas - we liked the first so much we bought a second. These cars are old enough to lack modern tracking technology - but will eventually need to be replaced.

We are aware of car manufacturers’ desire for data about their customers, to use and sell as they see fit, and this will affect our decision-making when considering our next vehicle. Tesla is off the list, and Nissan and Toyota are looking like rather poor choices at the moment.

1 Like

Another factor to consider: As of a few years ago, all new cars sold in the EU must feature eCall (automated emergency calling). This implies, for all intents and purposes, that all such cars

  • have GPS (GNSS), and
  • have mobile network connectivity.

If this catches on in Australia, that would make your car as bad as your mobile phone, just another instrument of ubersurveillance.

Oh, I read that as: we liked the first so much we bought the company. :rofl:

2 Likes

If I could afford Mitsubishi, I think I could do something about world peace and food insecurity.

2 Likes

More expensive a buy than just the one name. Nissan is a major shareholder. :wink:

Staying with the automotive and privacy theme. Noted Repco, Burson and other automotive parts suppliers have ready access to a reverse database. Input a vehicle rego number and they know the exact model, year etc.

What other details might be linked?
Businesses often share various levels of information with aggregators in their chain or external data resource/analytics providers.

Customer loyalty schemes stand out. For those not a member, how often are customers asked for more details than are legally necessary to record against a sale, for … supposed customer benefit?

How aware is the average consumer of what they must provide versus what they do not?

If registering a warranty online with a retailer or supplier, there is hopefully an opportunity to first review the T&Cs plus privacy policy. Not so convenient if doing so across the sales counter in store, assuming the store staff note to the customer that they may like to see the same before doing so.

1 Like

A piece of malware designed to use your facial recognition information has been found in iOS and Android and is actively out and about. Currently seen in two SE Asian countries, it has the great potential to go worldwide and so is something we need to be aware of in Australia. It uses social engineering to get users to scan their faces and ID, then uses them for fraud.

4 Likes

I really can’t believe how lackadaisical people are about using facial recognition. This malware is a perfect example of how unsafe this system is. Until we have some real data protections in place we need to slow down on this biometric data collection.
I was recently in a situation where a web company wanted my facial biometric data so they could make payments to our sports club. The company in Australia hosting the site outsourced to another company (US company) to handle the payments, and they outsourced to a third company (UK based) to collect not only your facial data but a copy of your passport as well.
When I asked whose privacy policy this would be under, I got no answer. These cowboys will be our undoing unless we get some substantial laws in place to protect personal data and to protect it both nationally AND internationally.

4 Likes

A Microsoft patch (April 9, 2024—KB5036893 (OS Builds 22621.3447 and 22631.3447) - Microsoft Support) issued for some severe vulnerabilities has an unwanted consequence for some, or even perhaps many, users of VPNs in all versions of Windows 11. At the moment it is unclear how many people have been affected by the patch problem. If you are using a VPN and get an error that points to a certificate not being found, the patch is the likely cause. The only workaround at the moment is to uninstall the patch, but with the vulnerabilities that are mitigated by the patch being possibly worse than not using the fix, uninstalling may not be the best idea. Microsoft have advised they are working towards a fix.

To see the warning by Microsoft, see the April 2024 part of the following link.

A News article about the issue

2 Likes

A patch has finally come out that includes a fix for the VPN issue for users.

The following are the patches for the affected versions of Windows (most of us will only be concerned with the Win 11 or Win 10 patches).

The normal automatic Windows updating should install the package but it is listed here for those who delay patching.

5 Likes

A news article at news.com.au states that the ACCC have “questioned whether Australians are able to give informed consent when signing away their data to businesses with convoluted and vague privacy policies”. This is what we (Community members) have all been saying for quite some time. Now the ACCC appear to be unhappy about all the data hoarding, and that this unfettered grab for wanting to know all about us and the ability to change our buying habits (among other changes they could make) is more dangerous than first thought. It might be said that the ACCC in this arena is trying to close the gate after the horse is over the horizon and too far away to be seen (not just bolted).

Australian Privacy Foundation chair David Vaile said “consumers are often told to ‘take it or leave it’ while businesses reserve the right to be secretive.”

“[They essentially say], ‘If you want to shop in here, or if you want to do certain things it’s not negotiable – we won’t actually tell you what we do with your data or where it goes … because we’ve just got this vague, impossible-to-read privacy policy,’” he said.

“The abuse of the notion of consent, or informed consent, is at the heart of this.”

Anyway, here is a link to the article.

If you want to read the ACCC interim report that helped generate the article, it can be read and/or downloaded using the following link.

Trouble for the ACCC is that in 2023 they released a report that states almost the opposite of many of the issues they currently say are bad.

I guess if you want to create confusion, then be the ACCC.

3 Likes