August 6, 2019

Google and Apple suspend contractor access to voice recordings

By John E Dunn

Apple and Google have announced that they will limit the way audio recorded by their voice assistants, Siri and Google Assistant, is accessed internally by contractors.

Let’s start with Apple.

Apple’s privacy hump began a week ago when The Guardian ran a story revealing that contractors “regularly hear” all sorts of things Apple customers would probably rather they didn’t, including sexual encounters, business deals, and patient-doctor chats.

Despite Apple’s protestations that such recordings are pseudonymised and only accessed to improve Siri’s accuracy, the whistleblower who spoke to the newspaper was adamant that in some cases:

These recordings are accompanied by user data showing location, contact details, and app data.

Apple now says it has suspended the global program under which voice recordings were being accessed in this way while it conducts a review.

It’s not clear how long this will remain in force, nor whether the company will adjust the time period it keeps recordings on its servers (currently between six months and two years).

By interesting coincidence, Google finds itself in a similar fix. Germany’s privacy regulator recently started asking questions after Belgian broadcaster VRT ran a story last month on contractors listening to Google Assistant recordings. Google’s privacy fig leaf:

We don’t associate audio clips with user accounts during the review process, and only perform reviews for around 0.2% of all clips.

Nevertheless, Google now says it has also suspended access to recordings in the EU for three months.

It was Amazon which started this ball rolling in April when a Bloomberg report revealed that – yes – recordings stored by its Alexa voice assistant were being accessed by contractors.

Read more at https://nakedsecurity.sophos.com/2019/08/05/google-and-apple-suspend-contractor-access-to-voice-recordings/

Hackers exploit SMS gateways to text millions of US numbers

By John E Dunn

Receive any strange SMS text messages recently?

If you live in the US, there’s a small chance you might have received an SMS with the following text in the last few days from someone called ‘j3ws3r on Twitter’:

I’m here to warn the masses about SMS email gateways. Please look up how to disable it on your phone or call your provider and ask.

Judging from responses on Twitter, the chances of receiving one of these is currently low, although it’s also possible some phone users either ignored the message or deleted it out of habit.

(The text also begins with a promotional link to controversial YouTuber PewDiePie, a clue to its origins which we’ll get to shortly.)

Of the few recipients who took to Twitter to ask about the message, most seem concerned about how the senders got hold of their mobile number.

In fact, they didn’t have to: according to Wired, the whole campaign was generated by writing a script that generates every possible mobile number between 1111111 and 9999999 and bolts these to a list of every US area code.

How were the texts sent?

It seems that a single Unix command was used to send the messages to the email-to-SMS gateways used by all 26 major US carriers, which in theory will have forwarded them to legitimate numbers.

Read more at https://nakedsecurity.sophos.com/2019/08/05/hackers-exploit-sms-gateways-to-text-millions-of-us-numbers/

FileZilla fixes show how far we’ve come since Heartbleed

By Mark Stockley

Users of FileZilla, the popular open source FTP client, may have noticed a rather serious looking bug described in the change log for the latest update:

Filenames containing double-quotation marks were not escaped correctly when selected for opening/editing. Depending on the associated program, parts of the filename could be interpreted as commands.

Fixed in version 3.43.0, the flaw is one of seven separate security bugs whose discovery is credited to a bug bounty program run by the European Union, of all things.
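The bug class described in the change log entry above, as an added example (not FileZilla's code and not part of the original article): a filename wrapped in double quotes without escaping splits into several arguments, while a quoted name or an argument vector stays one argument. The program name `viewer`, the sample filename and POSIX-style argument parsing are assumptions made for the illustration.

```python
import shlex

# Constructed sample: a filename that contains double-quotation marks.
SAMPLE_NAME = 'notes" --hypothetical-option "x.txt'
VIEWER = "viewer"  # hypothetical associated program (assumption)


def unescaped_command(program, filename):
    """Flawed pattern: wrap the name in double quotes, escape nothing."""
    return f'{program} "{filename}"'


def escaped_command(program, filename):
    """Quote the name so a POSIX-style parser sees exactly one argument."""
    return f"{program} {shlex.quote(filename)}"


def seen_by_program(command_line):
    """Arguments the launched program would receive (POSIX-style parsing)."""
    return shlex.split(command_line)[1:]


def safe_argv(program, filename):
    """Preferred: build no command string at all; pass an argument vector
    (for example to subprocess.run(argv) with shell=False)."""
    return [program, filename]


if __name__ == "__main__":
    for build in (unescaped_command, escaped_command):
        line = build(VIEWER, SAMPLE_NAME)
        print(f"{build.__name__}: {line}\n  -> {seen_by_program(line)}")
    print("safe_argv:", safe_argv(VIEWER, SAMPLE_NAME))
```
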

The EU’s bureaucratic tentacles reach into many things, but a bit of freeware from an era when cover CDs were a thing still seems an odd place to find them.

Explaining why requires a brief trip down memory lane…

Eric S. Raymond’s seminal work on open source, The Cathedral and the Bazaar, taught us that “given enough eyeballs, all bugs are shallow”.

The idea being that the more people who are actively involved in developing, debugging and testing your code, the easier, faster and cheaper it is to find and fix bugs in it.

It’s an idea that’s central to the success, longevity and robustness of sprawling, noisy, open source projects like the Linux kernel. The development process for Linux, and the many other open source projects propping up our internet ecosystem, is entirely transparent, conducted before a potential audience of billions of eyeballs.

Read more at https://nakedsecurity.sophos.com/2019/08/05/filezilla-fixes-show-how-far-weve-come-since-heartbleed/
