Japan and India are interested in reining in Apple’s App Stores, not unlike the EU and UK have already done. Facebook says it will train its AI on user data and opting out may not be very easy. Chromebook Plus gets on board with AI joining Microsoft in adding pressure to Apple’s forthcoming WWDC announcements.
Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, May 30, 2024.
This week’s Intego Mac Podcast security headlines include: Japan and India are looking like another two countries who are interested in reining in Apple’s App Stores, not unlike the EU and UK have already done. Facebook says it will train its AI on user data and opting out may not be very easy. Chromebook Plus gets on board with AI joining Microsoft in adding pressure to Apple’s forthcoming WWDC announcements. Now here are the hosts of the Intego Mac podcast: veteran Mac journalist Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:50
Good morning, Josh, how are you today?
Josh Long 0:52
I’m doing well. How are you, Kirk?
Kirk McElhearn 0:54
I’m doing just fine. We want to open with a story. And we went to some other websites. And there are a number of security journalists we follow and they often say very useful things. But this is an article with a misguided headline. Brian Krebs, on his blog KrebsOnSecurity, says “Why Your Wi-Fi Router Doubles as an Apple AirTag.” Apple AirTag. Now, an Apple AirTag, that means if I lose the device, and someone walks by with an iPhone, it’s going to locate it, right? So does that mean that the router, anytime someone walks by with an iPhone, they can help me find the router? It doesn’t make any sense, does it?
Josh Long 1:32
No, that’s actually nothing to do with what the actual vulnerability is. So there’s another article that we’ll link to in the show notes called “Apple Location Services vulnerability can enable troop movements to be tracked,” if you can believe it. This is actually related to that supposed Wi-Fi router doubling as an AirTag story.
Kirk McElhearn 1:54
So basically what the article is about is the fact that routers use something called Wi-Fi-based positioning systems (WPS) that get hardware identifiers from all wireless access points that come within range of their mobile devices, is what Brian Krebs says. This is a database that records the MAC address of a device and it could allow someone to locate a device, but it’s not like you’re going to find something with an AirTag, and you have to be close enough to a router for this to work anyway. The AirTag is bad. The troop movement is interesting: that someone can tell from the MAC address of a device, if they can get access to this database, where it’s located.
Josh Long 2:33
So the University of Maryland is what started this whole thing. So they did some research into Wi-Fi-based positioning systems, WPSes, and this is the abstract from their paper, or the first part of it. It says that WPSes are used by modern mobile devices to learn their position using nearby Wi-Fi access points as landmarks. In this work, we show that Apple’s WPS can be abused to create a privacy threat on a global scale. We present an attack that allows an unprivileged attacker to amass a worldwide snapshot of Wi-Fi BSSIDs (or, this is the base station identifiers, or what your Wi-Fi network is named) geolocations in only a matter of days. Our attack makes few assumptions, merely exploiting the fact that there are relatively few dense regions of allocated MAC address space. MAC addresses, M-A-C, all in caps, are these hardware addresses that are associated with particular devices or routers. Applying this technique over the course of a year, we learned the precise locations of over 2 billion BSSIDs around the world. So in other words, they now know exactly where 2 billion Wi-Fi routers are across the world. And so therefore, they can use that information to potentially identify where somebody has been, because of making that association between the device and the router that it was connected to.
Kirk McElhearn 4:11
One possible way this can be used is to detect troop movements in an area where, let’s say, there’s not a lot of people, such as a conflict zone. And if they can find the Wi-Fi base stations in that area, that can help detect where troops are, which is a bit disturbing, right? I’m sure that no military wants their troop movements to be discovered like that. Now, Apple came out and actually replied to this. So Apple talks about crowd-sourced Wi-Fi and cellular location services, and they quietly updated their website, according to Brian Krebs, to note that anyone can opt out of having the location of their wireless access points collected and shared by appending “_nomap” (underscore no map) to the end of the Wi-Fi access point’s name, the SSID. If you add “_nomap” to your network name, it also blocks Google from indexing its location. This is kind of, I mean, it’s not that hard to do. But then you have to reconnect every single device that connects to your Wi-Fi router, because it will recognize the name. It seems to be a bit of an annoyance if you want to do that; in fact, most people won’t do this anyway. I’m not too worried of someone knowing that there’s a Wi-Fi router here. I’m not in the middle of nowhere. I’m not in a dense area, but still, but there are certainly people who don’t want this. And if I understand correctly, Josh, you already have “_nomap” (underscore no map) on your SSID, don’t you?
Josh Long 5:31
Well, okay, so I have a couple of SSIDs, because one of the ones that I use is for a guest network. And so one of them has “_optout_nomap” (underscore opt out, underscore no map) at the end. It’s kind of ridiculous that there are multiple, I can’t even call it a standard, because these are just things that certain companies decided arbitrarily: we’re gonna have our own thing. And so for whatever reason, Google and Apple use “_nomap”; it must be at the end of your Wi-Fi network name, or your BSSID or SSID. Microsoft requires it to have opt out, or “_optout”, somewhere in there; it doesn’t necessarily have to be at the end. So you can have “_optout_nomap” at the end of your Wi-Fi network, if you want to make sure that Microsoft, and Google and Apple are also all going to exclude you from their databases, which is, it’s kind of ridiculous. Like, I don’t see anybody else. Anytime that I’m ever looking at Wi-Fi networks around me, nobody uses these things at all.
Kirk McElhearn 6:41
Well, you do. And you’ve been doing this for years, right?
Josh Long 6:44
Yeah. Because this has existed for years, because you’re that guy, and I’m the guy who like knows that these things exist. So I mean, is it really all that important? Probably not. I mean, given that you have a whole bunch of other networks around you at any given time, and you’re out in public, and, you know, like, the problem is that everybody would have to opt out and no map their Wi-Fi routers and Wi-Fi networks. And nobody’s going to do that. That’s the problem, is that this whole system is designed to be opt-out, and not opt-in. So that means that Apple and Google and Microsoft, and probably other companies too, have collections of all of these networks and where they’re located in the world.
Kirk McElhearn 7:32
Okay, we want to talk about Apple’s, I want to say, troubles around the world. Early in March, the Digital Markets Act in the European Union came into effect. And this led to, among other things, the requirement that Apple allow third-party app stores, what we used to call sideloading, in other words, getting apps through a source other than the Apple App Store. Well, it seems that Japan decided to look at the EU’s DMA and apply some of the regulations to big companies, Apple, Google and others. And recently, India has come up with new digital market regulations. And Apple and other companies are lobbying heavily against this. Now, by my count, there are five large markets in the world: there’s the US, the European Union, the US, Japan, there’s India and China. So if three of those five force Apple to allow people to get apps outside the App Store, how long will it be for the other two? And how long will it be before Apple says, “You know what, we have this great new thing for customer choice. And we’re going to let you get apps from outside the App Store and it’s the greatest thing,” after they spent years saying how dangerous it is.
Josh Long 8:41
Yeah, it sounds kind of familiar, because I feel like Apple did this pretty recently, when it decided, of course completely on its own and for altruistic reasons that they’re going to now include USB-C across its entire iPhone product line, and it’s like, okay, yeah, you’re only doing that because the EU is demanding it, but okay.
Kirk McElhearn 9:01
Well, to be fair, Apple was on the way to doing that, right? My oldest device is either my iMac, which is three years old, or my iPad Mini, which might be even older than that. And they both have USB-C. So the only device I have now that doesn’t have USB-C is my iPhone, which is an iPhone 14, so came out before the USB-C came to the iPhone 15. So it’s a little bit different, when Apple’s saying we’re changing the plug, as they’ve done many times. But now that all these countries are pushing back against Apple, basically, they saw what the EU did. The EU did a lot of work very seriously with analysis and legislation and they got everything down. It’s not perfect. There are a lot of things that they’ve done that are going to be adjusted. But all these other countries saw this and figured that they could do the same thing. Just as GDPR in the European Union has gotten a lot of traction in other countries as well. It’s a little bit slower, because it doesn’t require commercial changes, right, to the way things are sold, or to the way hardware is manufactured. But we’re gonna see Apple have to allow people to download apps outside the App Store. Maybe in the entire world except the US; you might be last, who knows?
Josh Long 10:16
Well, we’ll see. Yeah, I think that more countries are going to want this because they see other countries are getting this. And they’re like, how come we don’t have that yet? And so I think we’re gonna see a lot more countries, including probably the US at some point, deciding, “Ooh, yeah, we want that privilege too.”
Kirk McElhearn 10:33
Okay, just a brief story we want to mention: a number of users have found that they can’t play CDs on a Mac using the Music app. So you can’t buy a Mac anymore with a CD drive inside the Mac. You can connect an external CD drive. This happened to me a couple of weeks ago: I put a CD in, it showed up in the Music app, and I couldn’t play it. I could rip the CD, but I couldn’t play the tracks. Our producer Doug had the same problem. His problem is a little bit different. Now he’s seeing two CDs show up in the sidebar of the Music app. I can play CDs again. I’ve seen a lot of people on forums having the same problem. We don’t know what’s causing this. But if you do have any problems, drop us a line at intego.com. We’d be curious what your setup is. And we’re not going to find a solution to this. It seems to be a bug that doesn’t make any sense. When I wasn’t able to play CDs in the Music app, I was able to play the same CDs in the VLC app. So it’s not a system problem. It’s more a problem with the way the Music app reads CDs or something.
Josh Long 11:30
And specifically, this is on macOS Sonoma, by the way, that we’re talking about here.
Kirk McElhearn 11:35
Yeah. Okay, just before the break, a brief AI story. There’s a really cool new proof-of-concept headphone idea where if you look at someone for a few seconds, one person in a crowd, the headphones will know who you’re looking at, and they will isolate that voice from the crowd noise. Now, Apple has something similar with the way that they can boost conversations on the iPhone, and I could see something like this coming to AirPods. It’s really practical. Because if you don’t have great hearing and you’re in a crowd, it can be difficult to focus on one person. And imagine if you’re in a meeting, or a cocktail party or something like this, you put your AirPods and then you look at someone and you hold for three seconds, maybe you press a button on your watch or something. And it focuses on that person. It detects their voice and blocks out the others. I assume this has something to do with detecting the specific sound of that person’s voice. It’s not just their location.
Josh Long 12:29
Yeah, it’s pretty interesting research. And apparently, this builds on, the same team has previously done some other, what they call semantic hearing research. And so it’s pretty cool to see, you know, AI being used in this way. So, you know, we hear about AI all the time. There’s like a million headlines about it. And we’ll have some more in just a moment. But yeah, it’s interesting to see all the different potential use cases where various kinds of artificial intelligence, it’s not just chatbots.
Kirk McElhearn 12:59
Okay, we’re gonna take a break. When we come back, we’re going to talk about AI.
Voice Over 13:04
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple Silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego: World class protection and utility software for Mac users, made by the Mac security experts.
Kirk McElhearn 14:20
So I discovered something last week. Facebook sent me a notification telling me that they were going to use my content on Facebook to train their AI large language model. And I was thinking, they’re going to use my content. Okay, well, I want to opt out, but you can’t opt out. And this was really interesting. The fact that I’m in the UK, so in the EU or the UK, you can request removal from the program. You can’t just go to your settings and say I don’t want this to happen. And I went through the process and I requested removal and they asked for a reason why and I said because I don’t want to use my personal data. I just assumed I wouldn’t hear back from them, and I heard back within a couple of minutes, I said, Fine, you’re opted out. Of course, I don’t trust Facebook to actually opt me out. But the point is that they don’t give you the option without filling out the form and saying why. Now, this gets more interesting, because when I asked Josh if he had the settings, he doesn’t have the settings, because you can’t opt out in the US.
Josh Long 15:21
That’s right. And so I’m in the US. But not only that, I’m in California, and California does have something called the California Consumer Privacy Act of 2018, or CCPA, for short. And it’s kind of similar in some ways, it overlaps somewhat with like the GDPR, you know, so it’s privacy regulations that are specific to residents of California. And for whatever reason, Facebook doesn’t allow me as a resident of California to opt out. Like, I don’t have the same form that Kirk sees. If I tried to go to that exact URL, if he sends me the link and says, “Here, try this one,” it doesn’t actually take me there; it takes me to basically kind of an error message on their site saying, well, that page isn’t available in your area, but here’s some other things you might be looking for. And so that’s not particularly useful. And when I tried to follow the steps that Kirk lists in this article, again, I don’t have access to this, I don’t get a form that allows me to opt out. And that’s kind of, it kind of makes me feel a little bit uncomfortable, right? Like, why is it that I can’t opt out and other people can, but they can only opt out if they fill out a form and wait for a response? Like, that whole thing is crazy. Why isn’t this automated? How many people are they having to hire, to sit there and like and go through things, or it’s probably automated anyway, because you got a response pretty quickly. But just the fact that they make you fill out a whole form and explain yourself is very bizarre. It makes it feel like you can’t opt out. And maybe in my case, I actually can’t opt out.
Kirk McElhearn 17:10
Now if it makes you feel like you’re begging Facebook in a way, or you’re going to be angry and say I refuse to let you do this, that you’re going to vent your anger. The text in the US says, “We are committed to being transparent about the legal basis that we use for processing information. We believe use of this information is in the legitimate interest of Meta, our users and other people.” So when you’re in the EU or the UK, they talk about a legal basis called legitimate interest for using your information to develop and improve AI at Meta. This means that you have the right to object to how your information is used. But you in the People’s Republic of California, you have no rights. Josh, you can opt out. (Yeah, I don’t like that very much.) Okay. Something similar is going on at Slack, where Slack is scraping customer data for training their AI model.
Josh Long 17:59
Yeah, there were some concerned people expressing a lot of opinions about this over the past couple of weeks. So yeah, Slack is yet another company that’s now deciding that by default, we’re just going to scrape customer data for AI model training. So this is something that Slack administrators can opt out of. So if your company has Slack, they can choose to opt out the entire company from this data scraping. But in the meantime, it’s on by default. So if you do use Slack, make sure that you talk to your Slack administrator and say, “Hey, you might want to opt out of this, so Slack isn’t scraping data that belongs to us.”
Kirk McElhearn 18:43
I find it difficult that Slack, that has a lot of business customers, could do something like this. Whereas they know that companies and employees of companies are sharing privileged intellectual property over Slack. And that they’re saying that by default, they’re going to take this intellectual property, that crosses a line that to me suggests that Slack is not your friend if you’re a business.
Josh Long 19:08
Well, and in a social media post in response to critics, by the way, Slack said that, well, okay, but this is for things like recommending channels to you or the emoji reactions that you might want to use in Slack. Okay, yeah. But we don’t need you to scrape our data to do that. Like, we’d just rather you didn’t do that. So yeah, it does. It’s another one of those things that it’s a bit creepy that something like this is on by default. But you know what, these are just a couple of examples of companies that are doing that. And there’s actually a lot more out there that aren’t getting these headlines. So it’s something to be aware of. You know, we talked before about privacy policies and how ridiculously complicated they are and difficult to understand, but it’s kind of something that I feel like maybe we should be doing a little bit better job of reading privacy policies and just as a society in general trying to be more aware of what kind of information these companies are scraping and taking from us without our permission, explicit permission.
Kirk McElhearn 20:11
Okay, Josh, your homework is to read Apple’s privacy policy and give us a summary, or drop it into an AI and get a summary and see what it says. The problem is that these things are so long, they’re written in legalese, they’re very hard to understand. They’re designed to obfuscate. And it gives the companies an awful lot of leeway, as we’ve seen with all of our data that’s collected all over the place. Don’t get me started on this. This is a topic for, we could do a whole episode on privacy policies one day. Speaking of AI, you can’t swing a cat without a new AI computer. And Chromebook Plus, now with Gemini, Help me write, and more. So Gemini is Google’s chatbot. And it’s being added to the Chromebook Plus, which I think is better than the Chromebook without the Plus. So Help me write is the thing where you can have the AI write something for you from a prompt. You get generative AI wallpaper and call backgrounds, you get the Magic Editor on Google Photos. I think this exists on a lot of Android phones already. And you get this for free on Chromebook Plus, you get this for free for 12 months with a Chromebook Plus and after that it’s $100 a year. Is it surprising? Microsoft has computers with AI, and Chromebook. And let’s see, out of the big three operating system companies, that’s, let’s see, Microsoft, Google, who does that leave? What’s the one that doesn’t have a computer yet?
Josh Long 21:34
Oh, right. That would be Apple. Although I’m pretty sure that in a couple of weeks, we’re gonna get more information about how the next Apple operating systems are going to integrate AI with everything.
Kirk McElhearn 21:45
Well, don’t forget, when they announced the new Mac Pro with the M4 processors, they did talk about AI. They didn’t go heavy, because they don’t want to spoil the surprise. It’s going to be on June 10 at the Worldwide Developer Conference, but they did mention AI. The interesting thing about the Chromebook, I’m going to link to an article that I wrote sometime last year, “Should Apple make a low-cost Safari book, a Chromebook competitor,” is you’re getting all these tools for something that starts at about $350. And some of them go up to maybe 800 that are designed for gaming. But you can get a good Chromebook for less than $500, a Chromebook Plus, right; you can get a regular Chromebook for I don’t know 150. But you can get a good Chromebook Plus for less than $500, that does a lot of things. And for most people, that’s all they need. For the educational market, it’s really important. And Apple really needs to compete in the educational market. And they’ve kind of lost that, haven’t they?
Josh Long 22:32
Certainly, in a lot of areas they have. Again, I happen to know about the California education system because I live here, and have worked in the California education system in IT and so forth in the past. So California a number of years ago basically switched across the board to Chromebooks for most students, at least in upper grades and high school and so forth. And so this is largely because of both price, and also because of what types of things that these users need to do, right? Students typically need to write reports. And guess what, Google Docs works just fine for that. You don’t really need to have a full-blown computer that does all the local apps and Microsoft Office and everything else. It’s just not necessary for the kinds of things that most high schoolers are doing. And so therefore, just having a Chromebook, which is significantly cheaper than a Mac laptop, and even cheaper most of the time than a Windows-based laptop, you might as well just give them all Chromebooks. So yeah, Apple certainly lost that market, again, at least for students in California and other markets. And so it’s something that Apple has needed to address for some time. And now that Google and also Microsoft, as you alluded to, Microsoft has its Copilot PC that they’ve announced, that is basically the same kind of thing. It’s a simple PC that’s got AI integrated all throughout it. And Microsoft’s going to be pushing this thing a lot more in coming months. I think they said that their new Arm-based Copilot PC is going to be available in September. And they claim that it’s already got a better processor than the M3 and M4. It also is important that the operating system depends all those neural cores and things that it actually has. So we’ll see how good Microsoft’s implementation is versus Apple’s. I have a feeling that Apple is going to do a lot better and do a lot more on device. But we’ll see about that.
In any case with both Google and Microsoft being big competitors in this low end and now AI enhanced laptop space. This is something where Apple really really needs to start pushing harder and figure out what it’s going to do to compete.
Kirk McElhearn 24:58
Well, one of the things about the Chromebook, remember, is that it’s technically a thin client, it connects to the cloud. And in the article I wrote about a possible Safari book competitor, I suggested that people could use iCloud for that. One advantage of the Chromebook in schools is that any student can log into any Chromebook. They’re not individual; they log into an account that logs in on the cloud, and they get access to their stuff. And under school, it’s a lot better when you’ve got a cart of Chromebooks, and you don’t have to match the computer to the student. Whether Apple will do that, I can’t really see it. Maybe they’ve just given up on the education market entirely, which could be, you know, they did want the iPad to work. But now given the cost of iPads, the M2 iPad Air 11 inch starts at 599. That’s more than most Chromebooks. So that’s not really a solution. Add the keyboard, that’s $299. And that puts it out of the range of schools. We’ve heard some rumors already from Mark Gurman, Apple’s designated leaker, who has talked a lot about what Apple is going to do at WWDC. We’re not going to talk about it now, because we don’t really want to get into rumors; we’ll know in a couple of weeks. But there are enough hints that Apple is going to come out with a suite of AI tools and Apple’s playing catch-up. And one of the problems is Apple only updates these things once a year. So they can’t say in March, hey, we’ve got this great new feature for you. They’re stuck into this thing of we announced in June, we prepare the developers for September, October, maybe we announced a feature two coming later. But we don’t drop features in the middle of the year. And that’s got Apple on the back foot right now, as all these other companies, Google and Microsoft and others are able to, you know, push out new features whenever they want. Okay, before we finish, is there any malware news this week, Josh?
Josh Long 26:43
Oh, just the usual stuff. I mean, we got new variants of AtomicStealer (AMOS). There’s new scam loan apps in the App Store, you know, just the typical stuff that we see every week.
Kirk McElhearn 26:56
It’s gotten to the point where it is typical, isn’t it?
Josh Long 26:59
It really is. Yeah, yeah. And these AtomicStealer variants we’ve mentioned before, they’re typically like something where you’re searching for some software. And the first result in the Google search is actually an ad and it takes you to a malicious page that is a lookalike of the real site. And if you happen to download the software from there, well, you’re actually getting a Trojan horse that’s going to infect your computer, and it’ll very much look similar to the actual software. So you do need to be very, very careful about this. I would say that’s the number one threat on Macs right now, is these lookalike malware that are infecting your device with stealers there. So they’re looking for passwords and exfiltrating them and all that kind of stuff. It’s bad stuff, and it’s everywhere. So you do need to be really, really careful about that.
Kirk McElhearn 27:47
Okay, that’s enough for this week. Until next week, Josh, stay secure.
Josh Long 27:50
All right, stay secure.
Voice Over 27:24
Thanks for listening to the Intego Mac Podcast, the voice of Mac security with your host, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like or review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.