Reuters: Flaw in iPhone and iPads May Have Allowed Hackers to Steal Data for Years →

April 22, 2020 · 21:11

Christopher Bing:

The bug, which also exists on iPads, was discovered by ZecOps, a San Francisco-based mobile security forensics company, while it was investigating a sophisticated cyberattack against a client that took place in late 2019. Zuk Avraham, ZecOps’ chief executive, said he found evidence the vulnerability was exploited in at least six cybersecurity break-ins. 

An Apple spokesman acknowledged that a vulnerability exists in Apple’s software for email on iPhones and iPads, known as the Mail app, and that the company had developed a fix, which will be rolled out in a forthcoming update on millions of devices it has sold globally. 

Apple declined to comment on Avraham’s research, which was published on Wednesday, that suggests the flaw could be triggered from afar and that it had already been exploited by hackers against high-profile users.


Vulnerability in Safari Allowed Unauthorized Websites to Access iOS and macOS Webcams →

April 3, 2020 · 23:55

Ryan Pickren:

This vulnerability allowed malicious websites to masquerade as trusted websites when viewed on Desktop Safari (like on Mac computers) or Mobile Safari (like on iPhones or iPads).

Hackers could then use their fraudulent identity to invade users’ privacy. This worked because Apple lets users permanently save their security settings on a per-website basis.

If the malicious website wanted camera access, all it had to do was masquerade as a trusted video-conferencing website such as Skype or Zoom […]

[…] Apple considered this exploit to fall into the “Network Attack without User Interaction: Zero-Click Unauthorized Access to Sensitive Data” category and awarded me $75,000.


How Rob Lost Control of His Bank Accounts to a Phone Scammer →

April 1, 2020 · 14:32

Rob Griffiths, on Robservatory:

Yesterday, instead of having a productive afternoon at home, I had the privilege of sitting at the bank for a couple of hours, resolving a problem completely of my own doing: I fell for a phone scammer. My wife and I had to close our accounts—which were in excess of 25 years old—and set up new ones. I then spent hours updating our various bill paying services, Quicken account access, etc.

Do yourself a favor, and don’t be me. I never thought I’d be “that guy” either, as I keep current on scams, look for signs of fishiness on phone calls, etc. Still, they got me, and it was painful—not necessarily in terms of financial loss (we’re out $500 for maybe 60 to 90 days while they investigate), but in terms of time: Time to fix what I did, and even more time spent beating myself up over my stupidity.

I have a strict rule — I do not give out any personal data or passwords to anyone, especially over the phone, even if I know it’s the bank calling me. I will either ask to call them back, to make sure I’m dialling the correct number, or I’ll go down to their branch personally.

Luckily Rob should pull through this one fine — he’s out some $500, which he’ll probably get back. It could have been much worse.


Wacom Drawing Tablets Track the Name of Every Application That You Open →

February 6, 2020 · 07:54

Robert Heaton:

I suspect that Wacom doesn’t really think that it’s acceptable to record the name of every application I open on my personal laptop. I suspect that this is why their privacy policy doesn’t really admit that this is what they do. I imagine that if pressed they would argue that the name of every application I open on my personal laptop falls into one of their broad buckets like “aggregate data” or “technical session information”, although it’s not immediately obvious to me which bucket […]

Wacom’s privacy policy does say that they only want this data for product development purposes, and on this point I do actually believe them. This might be naive, since who knows what goes on behind the scenes when large troves of data are involved. Either way, while I do understand that product developers like to have usage data in order to monitor and improve their offerings, this doesn’t give them the right to take it.

Sad and unacceptable.


Apple Dropped Plan for Encrypting iCloud Backups →

January 21, 2020 · 15:11

Joseph Menn, reporting for Reuters:

More than two years ago, Apple told the FBI that it planned to offer users end-to-end encryption when storing their phone data on iCloud, according to one current and three former FBI officials and one current and one former Apple employee.

Under that plan, primarily designed to thwart hackers, Apple would no longer have a key to unlock the encrypted data, meaning it would not be able to turn material over to authorities in a readable form even under court order.

In private talks with Apple soon after, representatives of the FBI’s cyber crime agents and its operational technology division objected to the plan, arguing it would deny them the most effective means for gaining evidence against iPhone-using suspects, the government sources said.

When Apple spoke privately to the FBI about its work on phone security the following year, the end-to-end encryption plan had been dropped, according to the six sources. Reuters could not determine why exactly Apple dropped the plan.

“Legal killed it, for reasons you can imagine,” another former Apple employee said he was told, without any specific mention of why the plan was dropped or if the FBI was a factor in the decision.

That person told Reuters the company did not want to risk being attacked by public officials for protecting criminals, sued for moving previously accessible data out of reach of government agencies or used as an excuse for new legislation against encryption.

If this is true, then Apple’s pro-privacy campaign is only true if you refrain from using iCloud. Unfortunately, iCloud Backup is the only automatic backup system supported by iOS, although you can go back to making local and secure iTunes backups instead. We of course have no real clue whether our particular backups were accessed or not, but I assume nobody is searching the data of people who stay away from legal trouble.

That said, Apple should definitely introduce end-to-end encryption for iCloud backups, or educate its users about the dangers of using iCloud Backup at the very least.


I Switched to ExpressVPN →

December 23, 2019 · 18:46

So after the recent acquisition of Private Internet Access, which I used for these past few years, I decided to switch providers. After weeks of wondering which one to choose, I settled on ExpressVPN — it seems to have the best balance of features that suit my needs.

I am not endorsing ExpressVPN at this point — it’s much too early for that — but they seem to be a solid company with proper care for our privacy. If you’d like to try them out, and use this link, you’ll get 30 days free.


Apple Mail Stores Encrypted Emails in Plain Text Database (Fix Included!) →

November 7, 2019 · 10:03

Bob Gendler:

The main thing I discovered was that the snippets.db database file in the Suggestions folder stored my emails. And on top of that, I found that it stored my S/MIME encrypted emails completely UNENCRYPTED. Even with Siri disabled on the Mac, it still stores unencrypted messages in this database! […]

[…] This completely defeats the purpose of utilizing and sending an encrypted email. […]

Another database, entities.db, stores records of people’s names, email, and phone numbers you’ve corresponded with. Although the phone number may not be in your contact list, data from emails such as signature blocks and forward information are stored. It’s like an address book built for you. This could be touchy, as it may allow quick and easy access to some potentially sensitive information.

Bob mentions a few fixes you should definitely check out if you’re using encrypted email.

It’s been 100 days since I’ve alerted Apple, we’ve seen a security update to macOS Sierra 10.12, security updates to macOS High Sierra 10.13, Supplemental Updates to macOS Mojave 10.14, a security update to macOS Mojave 10.14, macOS Catalina 10.15.0 released, Supplemental Update to 10.15.0, and 10.15.1 release.

For a company that prides itself on security and privacy, the lack of attention to detail on an issue like this completely and totally surprises me.

Sadly, I am still not surprised that they react selectively to security issues. This problem hasn’t been fixed in years and it appears that not much has changed.


Safari Sends User IP Addresses to Chinese Tencent

October 13, 2019 · 21:38

From ‘About Safari & Privacy’ in iOS’s Safari Settings:

When Fraudulent Website Warning is enabled, Safari will display a warning if the website you are visiting is a suspected phishing website. Phishing is a fraudulent attempt to steal your personal information, such as usernames, passwords and other account information. A fraudulent website masquerades as a legitimate one, such as a bank, financial institution or email service provider. Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.

  1. You can disable this by toggling off the Fraudulent Website Warning setting.
  2. This is completely unacceptable.

via Tom Parker


Why Does Apple Do Business in China ‘If This Is The Type of Shit They Pull’? →

October 10, 2019 · 08:53

John Gruber, for Daring Fireball:

The question is: Why do business in China if this is the type of shit they pull?

Money. And this is despite Tim Cook’s outburst in 2014:

“We do things for other reasons than a profit motive, we do things because they are right and just,” Mr Cook growled. Whether in human rights, renewable energy or accessibility for people with special needs, “I don’t think about the bloody ROI,” Mr Cook said, in the same stern, uncompromising tone that Apple employees hope they never have to hear. “Just to be very straightforward with you, if that’s a hard line for you … then you should get out of the stock.”

It seems that it all depends on how large that profit motive is.

Shame on Apple for catering to the Chinese government. At this point, the company needs something akin to the recent #BlizzardBoycott.


In Hong Kong Protests, Faces Become Weapons →

July 31, 2019 · 08:14

Paul Mozur, reporting for The New York Times:

The police officers wrestled with Colin Cheung in an unmarked car. They needed his face.

They grabbed his jaw to force his head in front of his iPhone. They slapped his face. They shouted, “Wake up!” They pried open his eyes. It all failed: Mr. Cheung had disabled his phone’s facial-recognition login with a quick button mash as soon as they grabbed him.

Apple is not always on point but their implementations of Touch ID and Face ID are spot on.


Apple Contractors ‘Regularly Hear Confidential Details’ on Siri Recordings →

July 27, 2019 · 01:09

Alex Hern, reporting for The Guardian:

Apple contractors regularly hear confidential medical information, drug deals, and recordings of couples having sex, as part of their job providing quality control, or “grading”, the company’s Siri voice assistant, the Guardian has learned.

Although Apple does not explicitly disclose it in its consumer-facing privacy documentation, a small proportion of Siri recordings are passed on to contractors working for the company around the world. They are tasked with grading the responses on a variety of factors, including whether the activation of the voice assistant was deliberate or accidental, whether the query was something Siri could be expected to help with and whether Siri’s response was appropriate […]

“There’s not much vetting of who works there, and the amount of data that we’re free to look through seems quite broad. It wouldn’t be difficult to identify the person that you’re listening to, especially with accidental triggers – addresses, names and so on.”

This is unacceptable.


Half of Top Free VPN Apps Affiliated with China →

July 19, 2019 · 09:08

Simon Migliano:

Our investigation uncovered that over half of the top free VPN apps either had Chinese ownership or were actually based in China, which has aggressively clamped down on VPN services over the past year and maintains an iron grip on the internet within its borders. Furthermore, we found the majority of free VPN apps had little-to-no formal privacy protections and non-existent user support.

Apple and Google have let down consumers by failing to properly vet these app publishers, many of whom lack any sort of credible web presence and whose app store listings are riddled with misinformation.

People will generally prefer not to pay for something when there is a free alternative. The thing is, there is no such thing as free — you just pay via alternative means. In the case of VPNs, you’ll be paying with your privacy and security, which is what a VPN is supposed to help with. Do not use free VPNs.


Think FaceApp Is Scary? →

July 19, 2019 · 09:03

Brian Barrett:

FaceApp is a viral lark that takes a convincing guess at what you’ll look like when you’re old. FaceApp is also the product of a Russian company that sends photos from your device to its servers, retains rights to use them in perpetuity, and performs artificial intelligence black magic on them. And so the FaceApp backlash has kicked into gear, with anxious stories and tweets warning you off of its charms. Which, fine! Just make sure you save some of that ire for bigger targets.

When the last wave of FaceApp photos hit the internet a few days ago, after they added their new filters, I was again tempted to install the app, just as I was a few years ago, when the exact same concerns were raised. Resisting the temptation was pretty easy though. Why is it so hard for others? And how did they forget so quickly?


SIM Swap Horror Story: I’ve Lost Decades of Data and Google Won’t Lift a Finger →

June 19, 2019 · 09:22

Matthew Miller, on ZDNet:

First they hijacked my T-Mobile service, then they stole my Google and Twitter accounts and charged my bank with a $25,000 Bitcoin purchase. I’m stuck in my own personal Black Mirror episode. Why will no one help me?

I use a password manager but I made it a point many years ago to keep some passwords only in my head. My banking login information included.

Regarding the part about Google and Twitter — it’s 2019 and getting help from those companies, in critical situations, is basically impossible. Baffling.


Facebook Demanding Some New Users’ Email Passwords →

April 3, 2019 · 18:42

Kevin Poulsen:

Just two weeks after admitting it stored hundreds of millions of its users’ own passwords insecurely, Facebook is demanding some users fork over the password for their outside email account as the price of admission to the social network.

Facebook users are being interrupted by an interstitial demanding they provide the password for the email account they gave to Facebook when signing up. “To continue using Facebook, you’ll need to confirm your email,” the message demands. “Since you signed up with [email address], you can do that automatically …”

A form below the message asked for the users’ “email password.”

“That’s beyond sketchy,” security consultant Jake Williams told the Daily Beast. “They should not be taking your password or handling your password in the background. If that’s what’s required to sign up with Facebook, you’re better off not being on Facebook.”

The people running Facebook need to be criminally charged for all the wrong that they’ve done and continue to do.

And please just go and delete your Facebook account.


Cloudflare Introduces Warp — A VPN for Their 1.1.1.1 DNS Service →

April 3, 2019 · 14:33

Matthew Prince:

We built Warp because we’ve had those conversations with our loved ones too and they’ve not gone well. So we knew that we had to start with turning the weaknesses of other VPN solutions into strengths. Under the covers, Warp acts as a VPN. But now in the 1.1.1.1 App, if users decide to enable Warp, instead of just DNS queries being secured and optimized, all Internet traffic is secured and optimized. In other words, Warp is the VPN for people who don’t know what V.P.N. stands for.

There will be both a free tier and a paid subscription for Warp. I’m in the queue, waiting to get in, and really hoping Cloudflare lives up to their promises of privacy. I have been using their 1.1.1.1 DNS service for the past year; it’s been rock solid, and I haven’t read about any scandals on the subject, so I’m keeping my fingers crossed on this one.


Apple Tells App Developers to Disclose or Remove Screen Recording Code →

February 8, 2019 · 11:59

Zack Whittaker, reporting for TechCrunch:

Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps — or face removal from the app store, TechCrunch can confirm.

In an email, an Apple spokesperson said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”

“We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary,” the spokesperson added.

This is one area where the App Store Review Team needs to dramatically improve. Such code and analytics should not be able to make it into the App Store.


Teenager Finds macOS Exploit That Steals Password From the Keychain →

February 8, 2019 · 11:57

Thomas Brewster, writing for Forbes:

[…] German 18-year-old Linus Henze has uncovered a vulnerability affecting the latest Apple macOS that leaves stored passwords open to malicious apps. That could include logins for your bank website, Amazon, Netflix, Slack and many more apps. And even though this is a Mac-only bug, if you’re using the iCloud keychain, passwords synced across iPhones and Macs may also be in danger.

To make matters worse, it’s likely that no fix is in the works. Henze isn’t disclosing his findings to Apple, telling Forbes the lack of payment for such research was behind his decision to keep the hack’s details secret from the Cupertino giant.

This is bad, and while I understand why he doesn’t want to disclose it to Apple, all macOS users are susceptible to a security breach.


Ex-NSA Operatives Reveal How They Helped Spy on Targets for the Arab Monarchy — Dissidents, Rival Leaders and Journalists →

February 4, 2019 · 15:52

Christopher Bing and Joel Schectman, reporting for Reuters:

“I am working for a foreign intelligence agency who is targeting U.S. persons,” she told Reuters. “I am officially the bad kind of spy.”

The story of Project Raven reveals how former U.S. government hackers have employed state-of-the-art cyber-espionage tools on behalf of a foreign intelligence service that spies on human rights activists, journalists and political rivals […]

The operatives utilized an arsenal of cyber tools, including a cutting-edge espionage platform known as Karma, in which Raven operatives say they hacked into the iPhones of hundreds of activists, political leaders and suspected terrorists […]

Karma allowed Raven to obtain emails, location, text messages and photographs from iPhones simply by uploading lists of numbers into a preconfigured system, five former project employees said.

Fascinating read. And even more inspiration for a new James Bond movie.


Amazon Is Abusing Apple’s Enterprise Certificates Too →

February 1, 2019 · 14:11

The Amazon Flex app is where you will spend most of your time scheduling and completing your deliveries. So it only makes sense that after signing up and getting approved for Amazon Flex, your next step is to download the Amazon Flex delivery app on your phone and start making deliveries!

Unfortunately, because Amazon Flex is not a program that is completely open to the public, the Amazon Flex app cannot be found on the Google Play store or the App Store. Instead, you must manually install the Amazon Flex app on your phone through a special process. The instructions are quite different for iPhone and Android, so be sure to reference the correct section depending on the phone type that you are using!

So that’s the big three tech giants all accounted for. Who’s next?


Apple Revokes Google’s Enterprise Certificate →

February 1, 2019 · 14:09

Tom Warren, for The Verge:

Apple shut down Google’s ability to distribute its internal iOS apps earlier today. A person familiar with the situation told The Verge that early versions of Google Maps, Hangouts, Gmail, and other pre-release beta apps stopped working alongside employee-only apps like a Gbus app for transportation and Google’s internal cafe app. The block came after Google was found to be in violation of Apple’s app distribution policy, and followed a similar shutdown that was issued to Facebook earlier this week.

Nicole Nguyen, for BuzzFeed News:

In a statement, Google told BuzzFeed News, “We’re working with Apple to fix a temporary disruption to some of our corporate iOS apps, which we expect will be resolved soon.” Apple told BuzzFeed News, “We are working together with Google to help them reinstate their enterprise certificates very quickly.”

Hands were slapped, but I wonder how many more companies are using enterprise certificates for things they shouldn’t be.


Hackers Are Passing Around a Megaleak of 2.2 Billion Records →

February 1, 2019 · 14:06

Andy Greenberg, reporting for Wired:

When hackers breached companies like Dropbox and LinkedIn in recent years—stealing 71 and 117 million passwords, respectively—they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web. Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords, and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year’s phone book.

You can (allegedly) safely check which of your accounts have been breached on Have I Been Pwned. Oh and if you aren’t yet doing so, I strongly recommend using a password manager, such as 1Password.


Apple Blocks Facebook From Running Its Internal iOS Apps →

January 31, 2019 · 09:39

Tom Warren, for The Verge:

Apple has shut down Facebook’s ability to distribute internal iOS apps, from early releases of the Facebook app to basic tools like a lunch menu. A person familiar with the situation tells The Verge that early versions of Facebook, Instagram, Messenger, and other pre-release “dogfood” (beta) apps have stopped working, as have other employee apps, like one for transportation. Facebook is treating this as a critical problem internally, we’re told, as the affected apps simply don’t launch on employees’ phones anymore.

This won’t change how Facebook operates. John Gruber recently called Facebook ‘a criminal enterprise’ and I’m finally willing to agree with him — that company should be treated as such by everyone. Quite frankly, I wouldn’t lose any sleep if they were completely booted from the App Store (including Instagram, WhatsApp, and all their other assets).


Google Will Stop Peddling a Data Collector For iPhones →

January 31, 2019 · 09:08

Zack Whittaker, Josh Constine, and Ingrid Lunden, reporting for TechCrunch:

Google has been running an app called Screenwise Meter, which bears a strong resemblance to the app distributed by Facebook Research that has now been barred by Apple, TechCrunch has learned.

In its app, Google invites users aged 18 and up (or 13 if part of a family group) to download the app by way of a special code and registration process using an Enterprise Certificate. That’s the same type of policy violation that led Apple to shut down Facebook’s similar Research VPN iOS app, which had the knock-on effect of also disabling usage of Facebook’s legitimate employee-only apps — which run on the same Facebook Enterprise Certificate — and making Facebook look very iffy in the process […]

After we asked Google whether its app violated Apple policy, Google announced it will remove Screenwise Meter from Apple’s Enterprise Certificate program and disable it on iOS devices.

The company said in a statement to TechCrunch:

“The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize. We have disabled this app on iOS devices. This app is completely voluntary and always has been. We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time.”

Translation: ‘Please Apple, don’t disable our certificate, like you did Facebook’s. We’ll be good now. Promise!’


UAE Used Cyber Super-Weapon to Spy on iPhones of Foes →

January 31, 2019 · 08:54

Joel Schectman, for Reuters:

The ex-Raven operatives described Karma as a tool that could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn’t work on Android devices and doesn’t intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone, they said.

In 2016 and 2017, Karma was used to obtain photos, emails, text messages and location information from targets’ iPhones. The technique also helped the hackers harvest saved passwords, which could be used for other intrusions.

It isn’t clear whether the Karma hack remains in use. The former operatives said that by the end of 2017, security updates to Apple Inc’s iPhone software had made Karma far less effective.

How many tools are currently out in the world, whose existence we are completely oblivious to?


Facebook Pays Teens to Install VPN That Spies on Them →

January 30, 2019 · 09:55

Josh Constine, reporting for TechCrunch:

Desperate for data on its competitors, Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms. Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits.

Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe.

[Update 11:20pm PT: Facebook now tells TechCrunch it will shut down the iOS version of its Research app in the wake of our report. The rest of this article has been updated to reflect this development.]

Just delete your account. The stuff they’re doing is completely unacceptable and I’m actually surprised nobody has been jailed yet.


Major FaceTime Bug Lets You Hear the Audio of the Person You Are Calling Before They Pick Up →

January 29, 2019 · 10:49

Benjamin Mayo, for 9to5Mac:

A significant bug has been discovered in FaceTime and is currently spreading virally over social media. The bug lets you call anyone with FaceTime, and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call. Apple says the issue will be addressed in a software update “later this week”.

In the meantime, Tim Cook tweeted:

We must keep fighting for the kind of world we want to live in. On this #DataPrivacyDay let us all insist on action and reform for vital privacy protections. The dangers are real and the consequences are too important.

Twitter user MGT7500 claims to have reported the bug days ago:

My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport…waiting to hear back to provide details. Scary stuff!

At this point it’s not even the bug itself that irritates me, but the manner in which Apple handles such reports. It’s unacceptable to call “all hands on deck” only after news of the bug goes public.


Tim Cook’s Op-Ed on Privacy →

January 19, 2019 · 12:41

Tim Cook:

Last year, before a global body of privacy regulators, I laid out four principles that I believe should guide legislation:

First, the right to have personal data minimized. Companies should challenge themselves to strip identifying information from customer data or avoid collecting it in the first place. Second, the right to knowledge—to know what data is being collected and why. Third, the right to access. Companies should make it easy for you to access, correct and delete your personal data. And fourth, the right to data security, without which trust is impossible.

But laws alone aren’t enough to ensure that individuals can make use of their privacy rights. We also need to give people tools that they can use to take action. To that end, here’s an idea that could make a real difference.

I still trust Apple more than any other company to care about my privacy (though their deal with China makes me wary) — I hope they don’t screw this up as badly as they did their pricing.


DuckDuckGo Powered by Apple Maps →

January 19, 2019 · 12:37

DuckDuckGo:

We’re excited to announce that map and address-related searches on DuckDuckGo for mobile and desktop are now powered by Apple’s MapKit JS framework, giving you a valuable combination of mapping and privacy. As one of the first global companies using Apple MapKit JS, we can now offer users improved address searches, additional visual features, enhanced satellite imagery, and continually updated maps already in use on billions of Apple devices worldwide.

With this updated integration, Apple Maps are now available both embedded within our private search results for relevant queries, as well as available from the “Maps” tab on any search result page.

I wonder why they chose Apple Maps instead of one of the many alternatives to Google Maps. Are the other options not as focused on privacy? Did Apple simply make them a good deal? Either way, this is most welcome. I have been using DDG as my search engine for a few years now and I rarely have to switch to Google to find something DDG missed.


Bypassing 2FA With ‘Modlishka’ Reverse Proxy Tool →

January 19, 2019 · 12:26

Piotr Duszyński:

This blog post is an introduction to the reverse proxy “Modlishka” tool, that I have just released. I hope that this software will reinforce the fact that social engineering is a serious threat, and cannot be treated lightly.

On the page below I will shortly describe how this tool can be used to bypass most of the currently used 2FA authentication schemes.