Apple is a bit slow in deleting fraudulent apps from its App Store, but they are catching up. Meta says it has disrupted Spamoflauge, a major Chinese disinformation network. And the UK wants to end end-to-end encryption for messaging apps; does this mean the government will have to approve security updates?
If you like the Intego Mac Podcast podcast, be sure to rate and review it on Apple Podcasts.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
Voice Over 0:00
This is the Intego Mac Podcast–the voice of Mac security–for Thursday, August 31 2023.
This week’s Intego Mac podcast security headlines include a preview of what we might see at Apple’s “Wonderlust” event scheduled for September 12. Meanwhile, Apple has been clearing out some nefarious loan apps from the App Store. How do they pass judgment in the first place? An update on the progress of the UK’s proposed law to prohibit the use of end-to-end encryption. And a recent Skype hack that leveraged information gleaned from IP addresses is a good reason for us to explain what the bad guys can actually learn from your IP address. Now, here are the hosts of the Intego Mac podcast. Veteran Mac journalist, Kirk McElhearn. And Intego’s. Chief Security Analyst, Josh Long.
Kirk McElhearn 0:55
Good morning, Josh, how are you today?
Josh Long 0:57
I’m doing well. How are you? Kirk?
Kirk McElhearn 0:58
I’m doing just fine. I don’t know about you. But I’m excited about the Apple Event on September the 12th. We’re going to present new iPhones, it’s something we haven’t had since last year.
Josh Long 1:07
Well, that’s true. This comes once a year. Usually in the September timeframe. We get new iPhones…
Kirk McElhearn 1:14
…and we know that there’s going to be a new Apple Watch or two. But we don’t know much else. There have been some discussions about a new iPad Pro, but that looks like it’s going to be 2024. They’re talking about an OLED display in the iPad Pro, which would be nice, but not that essential. I mean, I do notice the better display on my iPhone 14 Pro Max with the OLED display compared to a non OLED with an iPad. I mean, it depends on how you use it. But there’s no discussion of, I don’t know, a larger iMac, for example. The 21 and a half inch iMac came out more than two years ago. The larger iMac which was 30 inches before has not been replaced. So we have the 24 inch that replaced the 21 and a half. And it’s larger. We need like a 30 to replace the 27 or something bigger. And I’ve just chatting with a friend today who bought an external display because he has an Intel iMac 27 inch, he wants to upgrade it. And turns out that the display he bought doesn’t work with an Intel processor for some reason. So he’s thinking of buying a Mac Studio. He doesn’t want a 24 inch iMac he wants bigger. There haven’t been any rumors about that. Apple hasn’t said anything. You know, we had the iMac Pro, one model of the iMac Pro and it’s never been iterated.
Josh Long 2:30
Yeah, I’m not exactly sure what we’re going to get as in terms of Macs if anything at this event. Some are speculating that there might be a separate Apple event or if they’re minor updates, they might just quietly release them because they do that sometimes. Now on the MacBook Pro and MacBook Air lines are both, you know, kind of due for an update . Apple could release updates for those same with a Mac mini as well. We don’t know whether those are coming at this Apple event. One big change is that Apple is switching from Lightning ports, to USB-C ports. This is pretty well known. And because of European regulations, they’re now basically legally required to have at least the option of having a model right, they wouldn’t be allowed to sell Lightning based iPhones anymore in the EU. Apple switching USB-C I, you know, there’s different opinions on this. Some people are like, well, I’ve got all these Lightning cables I’ve been collecting over the years. And I happen to know that they tend to to break and fray around the edges pretty easily. So chances are that you probably have third party or re– have repurchased even Apple cables, because the ones that came with your phone, if you keep them around for a few years have probably started to fall apart, deteriorate anyway. So you know, it’s not such a bad thing I don’t think that we’re having to switch to USB-C.
Kirk McElhearn 3:55
But we get the USB-C problem which we’ve discussed in the past that you can’t tell from a given cable what it can do. You can’t tell what speed it is. You can’t tell if it accepts power, sends power through it. You can’t tell if it’s Thunderbolt or normal USB-C speeds. And I think this is going to be a problem. You know, a couple of weeks ago, I was looking through my boxes of cables, you’ve got boxes of cables right. And when USB started becoming popular, I started a box of USB-C cables and it’s really quite full. And some of it is odd peripherals that use USB-C. I have a Loupedeck device that I use which has buttons and dials when I’m editing things, that’s USB-C. I have a Sonos Roam portable speaker that’s USB-C. So you do get a lot of USB-C cables. The latest Amazon Kindle Scribe is USB-C. So I’ve got a box full of USB-C cables, but most of them probably don’t send data very quickly.
Josh Long 4:48
I think Apple has fixed this problem. Because the rumor is that all of the new iPhones are going to include a cable in the box that’s color coded according to your phone that you selected. So if you got a black model, then you’re gonna get a black cable. And they’re braided. So they’re supposed to be like kind of more reinforced, more durable than the old Lightning cables they used to include in the box. Because of that color matching. I think that’s how Apple’s gonna get around that whole problem.
Kirk McElhearn 5:17
Worth noting that they’ve been using braided cables since the 21 and a half inch iMac, with the HomePod mini remember the initial HomePod had a cable that you couldn’t unplug. I think that full size HomePod and HomePod mini have braided cables. So I think they’re moving to braided cables. But that doesn’t mean you’re going to know if it does certain speeds of data transfer.
Josh Long 5:37
I guess. Yeah. If you’re only buying cables from Apple, then at least that gives you a better idea. If you’ve got a whole box of cables that you got from who knows where you bought on Amazon or something from some random retailer, then yeah, good luck.
Kirk McElhearn 5:49
I’ll put a link in the show notes to an article I wrote about USB-C. A year or so ago.
Josh Long 5:53
Yes, great article. And it has a lot of information about the difference between USB cables that use the USB-C connector versus Thunderbolt cables, which is a different thing. By the way. On that note, there’s some seemingly credible rumors that are indicating that the Pro and Pro Max this year are going to potentially have faster syncing speeds. So if that matters to you, if you backup your phone to your Mac a lot, then you’ll probably enjoy having that faster synchronization.
Kirk McElhearn 6:27
The iPad Pro has had faster transfer speeds for a while. And that’s because Apple sees that as a creative device. They’re trying to sell it to filmmakers. You can even get Thunderbolt I’m not sure which models for the iPad Pro do that. John Gruber had a thing on Daring Fireball where he was talking about they’re saying that, you know, the people who make films with iPhones, they were maybe 1000s of them, but not millions. They’ll be happy to get the faster transfer speed. Most people won’t care.
Josh Long 6:52
Yeah, that’s a fair point. But other than that, yeah, it’s probably not that big of a deal for most people.
Kirk McElhearn 6:58
The other rumored technology in the new iPhone, probably Pro Max, Ultra is what’s called a periscope lens for better optical zoom. So Periscope lens is actually a lens with a 90 degree angle and a mirror in it right like a periscope. You know when the the submarine you walk out of the water. The problem with that is most people don’t care about that. You’ve already got a three times optical zoom on the iPhone Pro Max. You know the standard lens that we have on cameras, the standard wide angle lens, right the default lens. This goes back to those Kodak Instamatic cameras of the 1970s, they determined that most people wanted to take photos that include a certain number of things, right? That it’s wide enough to get a whole family in the picture or a landscape. And phones have adopted that. Point and shoot cameras for years did that. Most people don’t care about a zoom lens. They really don’t.
Josh Long 7:50
Okay, now hold on a second. “Periscopic lens”. What is what does that mean? Are we going to have like a like a submarine periscope, like poking up out of the top of our iPhone.
Kirk McElhearn 8:01
Basically, picture the lens pointing out of your iPhone and look backwards as the light comes in. It goes straight, then it goes sideways on a 90 degree angle with a mirror to a sensor.
Josh Long 8:13
By the way, this is actually all internal components. (Right. Nothing comes outside the iPhone.) Right Yeah, there have been Android phones that have actually done that where they have a pop up camera at the top that selfie camera right? (Sure.) That’s not what Apple is doing here. Just to be clear about that.
Kirk McElhearn 8:29
What the periscope lens does is it allows the actual winds to be a bit further from the sensor, which is what you need when you’re using a telephoto lens. It’s actually quite a clever technology. But I don’t think most people need it. And you know, the iPhone is the most popular camera in the world. But the iPhone is popular because it’s designed for the photos that most people want to take. I don’t think most people zoom in on their photos. And if you have an iPhone Pro, you can if you have an iPhone Pro, you’ve got a 48 megapixel sensor. If you shoot in RAW at 48 megapixels, you can crop enough that you don’t really need more zoom.
Josh Long 9:08
Yeah, probably not something that the average user really necessarily needs.
Kirk McElhearn 9:13
So I want to quickly about the Apple Watch what we get through the rumor mill which is basically Mark Gurmann, who gets fed information from Apple is that the Apple Watch Series 9 won’t get much of an update, but the Apple Watch 10 Coming next year will be the big change. And I’m wondering that now that Apple has two watch models so they’ve got the normal and the Ultra I’m not talking about cellular versus GPS or stainless steel versus aluminum, we’re talking to the body itself. Maybe what they’re going to do is iterate one of those two each year so they can have a tick tock so that every year one of those watches gets a major update and the other one gets a minor update so each one gets a major update every two years. I think most people keep the Apple watch at least two years. So having annual incremental updates when we’ve reached the point where they can’t put too many new features in makes no sense.
Kirk McElhearn 9:57
Okay, let’s go into other news. Apple has removed some fraudulent loan apps from the App Store after hundreds of thousands of downloads. And we talked about this a couple of times in the past, first of all, why someone gets an app to take out a loan. But I think this is mostly in India, where the financial system is a bit different. But Apple is cracking down on fraudulent apps. Yet there’s still tons of fraudulent apps. And it’s like, it’s whack a mole, isn’t it?
Josh Long 10:23
Yeah, this is a constant problem. Unfortunately, there are a couple of folks who have been posting on social media and trying to keep track of all of this and keep people informed about it. But again, hundreds of 1000s of downloads, that’s not a small problem. That’s a really big issue. And these are apps that are using the names of big legitimate companies. And they’re not actually from those companies. So somehow Apple, letting these things slip past its review process allowing these things into the App Store. This is a significant problem. And Apple really, really needs to step up its game at reviewing these apps carefully. Especially anything financial related.
Kirk McElhearn 11:06
Okay, quickly, Facebook, Facebook, what’s the name of that company? Again? That runs Facebook meta meta. Okay. They have issued a detailed report about “Spamoflage”. I wish I’d come up with that name. That’s so cool. Be a good name for a punk band. It’s a major Chinese disinformation network. The, you know, the problem I have is that Facebook is such a conduit for disinformation, that, like they’re saying, here’s what we did, but they’re saying someone else did it. But we’re still the ones who showed it to you. I have a bit of a conflicting opinion on this story.
Josh Long 11:40
I guess one of the things that I found interesting about this is that based on this new information that we’ve gotten, there’s still a lot of active campaigns, disinformation campaigns coming from foreign governments. For example, CNBC said that they found disinformation still circulating on X, formerly known as Twitter as recently as Sunday evening, with tweets linking to a YouTube video that we’re disputing some Times of London reporting, and so forth. And they’re claiming that all of this, again, is coming from the Chinese government. Why this might affect you is that remember that we’re coming up on an election season in the United States. So there’s going to be a lot more information getting shared and some of that information is going to be accurate and some is not. So just be very, very careful about where you get your sources of news.
Kirk McElhearn 12:29
Don’t trust anything you read on the internet. That’s kind of the thing, right?
Josh Long 12:33
I mean, you have to be really cautious with any thing that you read just about these days, but especially in social media posts. Yeah, don’t take anything at face value.
Kirk McElhearn 12:42
Okay, we’re gonna take a break. When we come back, we’re going to talk about how the UK Government could ban Apple security updates.
Voice Over 12:50
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X 9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Ventura, and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X 9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the Special Discount Link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.
Kirk McElhearn 14:06
So we recently discussed a proposal in the UK to ban end-to-end encryption. Basically, this means that when you send a message on Apple’s iMessages, it is encrypted, the person you send it to gets the message but no one in between can read it. It’s not stored on the server anywhere. It’s not readable if someone sniffs your internet connection, it’s totally private. It’s like a sealed letter that wasn’t opened. And the UK Government doesn’t like that. Now, we’ve seen Apple against the FBI for issues of getting into phones of people who’ve committed crimes and all. The UK government wants a backdoor so they can basically tap the messaging apps of people who are suspected criminals. And what they want to do is to ban any app that uses end-to-end encryption. Of course, they’re talking about Messages but if you’re banning end-to-end encryption is a lot more there’s banking, there’s you know, all sorts of things. And the unintended side effect means that if this were the case, the UK government will have to approve any security update that Apple makes.
Josh Long 15:10
Yeah. So this is some proposed legislation. So this is not already in place. But as I was reading through the details of this, it seems like, you know, there are some were some headlines that were saying things like UK government could ban Apple security updates. And I was like, what, so I had to go and like, look up the original text of this. And as I read it, now, I’m not a lawyer, I’m not a politician. But as I read it, it does actually sound like they could plausibly do this. And basically, what they could say is, hey, it looks like that technical change that you want to make in this upcoming patch, we’re first of all, we’re going to need to review all your patches. Anytime that you’re going to release an update for any piece of software, we need to review it first and make sure that we’re okay with that. And then if there’s any vulnerabilities that you’re trying to patch, well, we have certain investigatory capabilities that we need. And so you know, we can just say, Yeah, you’re not gonna patch that we need you to just leave that unpatched forever, that would be great.
Kirk McElhearn 16:18
It’s a bit worrisome to think that… I mean, it shows the gulf between politicians and technicians, right, the politicians really don’t have a clue that they can stand up in UK Parliament said, we’re going to do this so bad people can’t send messages and images of you know, child exploitation and stuff, we know that this is a real problem. But they’re saying that as if they can stop a hurricane by holding their hand up, right? They don’t realize in the UK, there’s an expression, the knock on effect of something when you do one thing, it has an effect on something upstream or downstream. And they just don’t have a clue. Even though there have been people on the news here interviewed, you know, people from tech companies have explained why this is a problem. But they keep headbutting this as if it’s something that they can do. The British are very good at these three-episode, three hour TV cop series, right? A number of them in recent years show people communicating not by messaging apps, but by things like logging into the same online game and using the chat function, or they share a Gmail account, they type an email, and they save it as a draft. And then the other person goes into the account and reads what’s in the draft. These are all things that the UK government can’t snoop on, if they’re only focusing on messages.
Josh Long 17:35
Yeah, I think like a big problem here is that and this is true for any country, it’s very rare to get a politician who really understands the technology. And so the problem is, you get people who have no clue what they’re talking about, who are trying to write legislation to, you know, give them whatever powers they think that they need. And they just don’t understand really even what they’re asking for, and how significantly something like this could be abused. I don’t I honestly don’t think it’s necessarily malicious intent. I think that in some cases, at least, it’s politicians just not really understanding what they’re asking for.
Kirk McElhearn 18:13
Well, let me give you one example, my personal bank account is with an online only bank, there are no bank branches, I can call them or I can use the app. The app uses end-to-end encryption. If I’m chatting with someone from the bank, I’m sending them a message about I have a question about this and my bank account, or they’re gonna say that that can’t be encrypted, are they gonna say that I can’t bank safely. I mean, it’s just crazy. When you think about it, I don’t think this is going to go through because it’s kind of thing that they’re, they’re going to kind of keep grandstanding until they drop it to move on to something else. Because while American politicians are really the leaders and grandstanding, in the UK they tend to do a bit of that as well.
Kirk McElhearn 18:52
We want to talk about an interesting vulnerability in Skype. And we were discussing this before the show, what’s important here is something that most people don’t realize it’s your IP address. Now, Josh is often mentioning that your IP address is important. And you can use a VPN to hide your IP address, or that you can use a service to block IP addresses in your emails, etc. But we want to go over in some detail what this means what you can get from an IP address. So there is a vulnerability in Skype that could expose your IP address to hackers. Let’s assume you’re on a group call and Skype and someone is part of that call and they can get the IP addresses of all the people on there. Your IP address, and this is not the case for everyone in every country with every ISP but it can indicate where you live with some degree of precision.
Josh Long 19:41
Right. That’s one of the things that and I’ve We’ve mentioned this before, but if you haven’t heard us talk about this, it’s it’s something that not very many people are aware of that if somebody knows your IP address, let’s say that you’re you know, at home and you’re browsing on your computer browsing websites, every time that you access a website, you are exposing your IP address that is the IP address of your home router to that website that you’re visiting. And then most of the time, that’s not really a big deal. However, where it can be a bigger problem is, if that website that you’re visiting is really paying close attention to it, they can sometimes know the exact neighborhood where you live. So for example, I’ve seen this a lot in US based internet service providers, you know, cable, fiber, DSL, whatever you have, like this potentially affects all of them. A lot of internet service providers have they distributeIP addresses regionally. And sometimes you can actually even do a reverse lookup, and it will tell you the name of that neighborhood, sometimes just in that, you know, reverse lookup name. So it might be something.frontier.net, or something, if that happens to be your or something.charter.net, whatever your internet service provider happens to be. And that whole big ole long something before the dot name of your company, could in some cases, reveal your neighborhood. And in other cases, just having that IP address allows you to look that up and find out what neighborhood you’re coming from. So in my particular case, with my current Internet service provider, I was able to look up my home IP address, and was able to get GPS coordinates of a location in my home city that was two miles as the crow flies from my house. So that’s kind of concerning. And that’s one of the reasons why I always have a VPN on even when I’m at home, not just when I’m you know, out in the public or connecting to public Wi Fi hotspots, I would rather not be always giving out my IP address to everybody on the entire internet.
Kirk McElhearn 21:54
So I looked mine up and I use two different services we’re going to link in the show notes to both of these. MX toolbox.com is something I’ve used in the past. It’s something you can use to check if you have email problems. MX records are a type of email record. And it tells me that I’m somewhere near Stratford upon Avon I’ve mentioned on this podcast on other podcasts. I live near Stratford upon Avon. I tried another one, which Josh says that he really likes called IPVoid. It says that I’m in Worthing in West Sussex, that is on the southern coast of the UK, pretty much south of London. I don’t know how these two databases got this so wrong. If I go to Google, Google tells me that I’m in a town, which is about five miles south of me. So I don’t allow Google to get my location right. They say on the bottom of the Google search page, your location from your IP address, and it’s got me at a town five miles south. Now, you could triangulate. But I don’t understand why there’s such a difference. Wouldn’t these databases be shared? Right? All these DNS databases? Why would two of these different lookup services, and Google all come up with different things?
Josh Long 23:02
Well, first of all, there’s multiple different sources of information. So again, you can sometimes do a “whois” look up. whois this typically used to find out information about a domain. So for example, you could do whois apple.com, you could type that into Terminal and find out some details about the registration of of that domain. But whois can also be used for reverse lookups as well. So you can do a whois on an IP address, and sometimes get that string that I was talking about before, where if it’s, you know, the IP address of your home router, then it might give an indication of where you live. So but there’s lots of different lookup tools. In fact, IPVoid, you’ll see if you visit that website, ipvoid.com. If you put in your home IP address there, there’s a whole bunch of different fields that you can put it into, you can do a whois lookup, you can, there’s one that’s called my IP address, where you can just put your IP address in there and view whatever information they can find about your IP. There’s a whole bunch of different types of things that you can look up here. And so each one of those can have some different information that it can reveal about you the reverse DNS lookup that I mentioned before. These all can have little bits of information about you. Now obviously, there’s other ways that websites can find out where you are, many websites will actually prompt you and say, Hey, let us know your location. So that for example, we can tell you where your nearest store is in our chain. So you can choose to enable that if you want to and give them even more precise information about where you are geographically. But even if you’re not doing that, a lot of times websites can get pretty accurate. Again, it might not be exactly the neighborhood where you live, but it might be pretty close to there.
Kirk McElhearn 24:53
So on iOS, you have an option to just give an approximate location. So if I look in Google on my iPhone, it tells I’m in the West Midlands. So West Midlands is like saying, you’re in Texas, right? You’re somewhere in this big area. But the one on my Mac that gives the name of a town that’s a few miles away from me, here’s what I think is happening. Google has stored all the information about this, this block of IP addresses that’s owned by this ISP, a lot of people did allow Google to get location information. So each time they’ve added that to a database. Now, since the IP addresses rotate, I think mine changes once a week. That means at some point, someone near me had that IP address. And when I have it, Google is just assuming it’s the same. Now, since these ranges of IP addresses do tend to be geographically based, as you said, a neighborhood or an area with a number of towns or a small town, it’s very likely that Google just figures it’s close enough, right? We don’t need the precise location. If you don’t want to give it an I don’t give Google my location at all. If you go onto Google Maps, and you might have to give your location if you want directions, I mean, Google Maps knows where my home is, right? Because I’ve saved that to get directions. So no matter how you do it, your location is being given up. Now, you said earlier that there’s for you, it’s about two miles away as the crow flies. Let’s say I’m Tom Cruise, and I’m trying to find the Josh Meister. And I know he’s in a radius of two miles, I found a picture of you online in front of your house that someone took some of your friends and I look at that. And I compare that with some other online photos to try and find a house that looks the same, and is that same car parked in front of it, and is that big tree the same. So with enough research, you can find information on people. And this is how stalkers work. This is how private detective work to.
Josh Long 26:46
Right. And I was gonna say there are a lot of websites out there. Now most of these sites probably are scams that you know, claim to be able to allow you to look up, you know, secret information about somebody and you got to wait through all these things and supposedly pay some money when you finally get to the end of this thing. Most of these sites are probably scams. But there are actually some places that you can go where you can get information on somebody if you really want to, and you often do have to pay for it. But yeah, that information is out there, like there are public records. And so some of these services will actually catalog all of this, put it behind a paywall, of course, so that’s how they make their money. But then somebody could potentially use those services to look you up right and sometimes actually find out your exact home address. But even setting that aside, just the idea of somebody being able to find your rough location, your neighborhood where you’re living, if somebody wants to they could go hang out and you know, walk around the neighborhood and maybe eventually they come across where you live.
Kirk McElhearn 27:53
Well, I looked up one of these things and is a Josh Long in Victorville California. There’s one in Oroville, California, this one in Manteca, California, Apple Valley, Lincoln, et cetera, et cetera, et cetera. You’re lucky because you have a name. That’s common enough. So you’re harder to find than I would be. But if anyone wants to find you, they’re gonna find you. Right?
Josh Long 28:12
That’s the thing is it’s actually yeah, if you, especially if you have an uncommon name, if you have a fairly unique name, it can be pretty easy to find you online because of that. So yeah, although it’s frustrating for me to be one of many, many Josh long’s that exist out there. This is one advantage, I guess, of having a common name.
Kirk McElhearn 28:34
Okay, that’s enough for this week. Until next week, Josh, stay secure and stay hidden. Don’t tell anyone your location.
Josh Long 28:40
All right, stay secure.
Voice Over 28:43
Thanks for listening to the Intego Mac podcast, the voice of Mac security, with your hosts Kirk McElhearn, and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode podcast.intego.com The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.
