Hallucinating Bots, Unsolicited Smartwatches, and Could this Be the End of End-to-End Encryption? – Intego Mac Podcast Episode 298
Posted on
by
Kirk McElhearn
AI bots make things up, and the web is at risk of becoming overloaded with low-quality articles. Some US military have been receiving unsolicited smartwatches; they have been warned not to turn them on. And a bill in the UK threatens to end end-to-end encryption.
- Tour de France
- Tour de France Unchained
- Silo on Twitter
- iOS 17 Expands Communication Safety Worldwide, Turned On by Default
- Turn your phone off every night for five minutes, Australian PM tells residents
- CID Lookout: Unsolicited Smartwatches Received by Mail
- Apple joins opposition to encrypted message app scanning
- 10 Ways End-to-Encryption Protects Your Data, Your Privacy, and Your Bank Balance
- Moving data from iCloud may need to be made easier under upcoming EU law
- Google Takeout
- AI is killing the old web, and the new web struggles to be born
- Android’s emergency call shortcut is flooding dispatchers with false calls
Transcript of Intego Mac Podcast episode 298
Voice Over 0:00
This is the Intego Mac Podcast–the voice of Mac security–for Thursday, June 29 2023.
This week’s Intego Mac Podcast security headlines include: can turning off your phone for five minutes a day protect it from malware? US service members receive surprise smartwatches…that track them. A new security feature coming to iOS 17 will expand Communication Safety. And if an Online Safety Bill passes in the UK, it could lead to the end…of end-to-end encryption. Now, here are the hosts of the Intego Mac podcast. Veteran Mac journalist, Kirk McElhearn. And Intego’s chief security analyst, Josh Long.
Kirk McElhearn 0:49
Good morning, Josh, how are you today?
Josh Long 0:51
I’m doing well. How are you, Kirk?
Kirk McElhearn 0:53
I’m doing just fine. You know, I want to alert people of something really important. That’s happening this weekend. On Saturday, the Tour de France starts. So you should all be in front of your TVs. It’s a very important event.
Josh Long 1:05
And if you can’t watch it on your local stream, you might have to use a VPN to see the better coverage overseas.
Kirk McElhearn 1:13
Exactly. I use a VPN to watch the French coverage. Because there’s way too many ads on TV here in the UK. And it gets me you know, listening to French and plus sometimes that most of the day, they’re on for the entire stage, whereas in the UK, they’re not so you get longer coverage, you get more complete coverage. Anyway, it’s a great race. I know this isn’t a podcast about TV. There’s a wonderful documentary on Netflix called Tour de France unchained that looks at last year’s Tour, like embedded with the teams and you can learn a lot about how the race works. We’re not going to talk about any more TV, although is there anything to talk about with Apple TV, not really.
Josh Long 1:50
We could talk about how Apple released a full first episode of “Silo” which is this Apple TV Plus series, they released the first full episode on Twitter, interestingly enough, and I was asking Kirk, I know that the first set of Apple TV Plus series that they released, they put out the first episode for free.
Kirk McElhearn 2:11
Sometimes more, even two or three. But this is the first time they’ve done it on Twitter. So basically, they want people to watch it, who aren’t using the Apple TV app, or the hardware, Apple TV or anything like that. Because they want to get more people into that ecosystem. And it’s an interesting way to do it. If people were watching it on their phone, that’s kind of like not the best way to watch it, though a lot of people do watch on the phone. But it almost feels desperate to me that they’re trying to suck people in through that sort of thing. Why not just put it on YouTube,
Josh Long 2:44
I don’t know if it’s just that maybe Apple sees YouTube as sort of a competitor in terms of, you know, it’s also a place where you can sign up for a monthly service, you can watch movies on there…
Kirk McElhearn 2:56
It makes you wonder like if Apple only had their own website where they could put the episode up for people to watch.
Josh Long 3:02
Now, that’s an interesting point. Yeah. And again, maybe the reason is just they’re trying to reach new markets. It is interesting, though, to see Apple experimenting like that.
What new Communication Safety features are coming to Apple operating systems in the Fall?
Kirk McElhearn 3:11
Okay, we’ve talked in the past about Apple’s Communication Safety system, which will block or blur photos that may be deemed to be sensitive when they’re received by Messages and other things. With iOS 17, iPadOS 17 and macOS Sonoma, they’re making this available worldwide. Initially, it was I believe it was just in the US, or maybe just a few countries since the release with iOS 15. It’s going to be on by default for children under 13, who are signed into their Apple ID and part of a Family Sharing group. And of course, parents can turn it off in the Screen Time settings, or turn it on for older children, if they want as well,
Josh Long 3:47
I just looked on my iOS 17 Beta device, if I go to the Settings app, and then go to Screen Time, and then scroll down a bit, I have Communication Safety listed there. And it is on by default. So this is even if I don’t have Screen Time setup on that device, it’s not enabled on this device where I’m using the iOS 17 Beta. But Communication Safety actually is on by default. Again, this is a beta. I don’t know whether this is going to be on by default for everybody, including all adults. But it does look like the at least the check for sensitive photos that part of it does seem to be on by default in the beta.
Kirk McElhearn 4:25
Okay, we’ll check in on this as the betas progress. And this is definitely a feature that we’ll want to mention when these new operating systems are released. Because this does seem like very useful to have to prevent getting unsolicited photos of things you don’t want to see. So Josh, do you turn your phone off for five minutes every day?
How does powering my phone off and then on protect me from malware?
Josh Long 4:42
Well, I don’t usually but you brought this up because the Australian Prime Minister recently made a public statement echoing some cybersecurity advice they had heard elsewhere that you should be turning off your phone every day. It’s interesting they said specifically five minutes. There’s not any particular reason why it needs to be five minutes. But this advice is interesting. The whole idea behind this, why you might want to turn off your device every day, is that if your device were infected by something like the vulnerabilities that we just talked about that Apple patched last week, and the way that they were getting infected was such that it could only stay infected until the device was rebooted or basically shut off and turned back on. And then it would have to get reinfected. And that’s actually how most of these exploits work against iOS, both iPhone and iPad are the same way. Where typically you don’t have a persistent infection. That means one that survives a reboot. Typically, you’d have to get reinfected after your device restarts. And so I think this advice, the whole purpose of this is that if you are somebody who is likely to get somebody targeting you and trying to install malware, or infect your device remotely, then by shutting it down, it wipes out any existing infection. Now, if you are a target of the sophisticated like nation state attacks, this is not like run of the mill, you know, stuff that anybody has access to that your neighbor can infect your device. This is something that like nation states have access to. So it’s it’s not the kind of thing that really is great advice necessarily for like the everyday person.
Kirk McElhearn 6:36
So what if you have Lockdown Mode turned on? Do you still need to turn your iPhone off?
Josh Long 6:40
Well, that’s a really good question. So in Lockdown Mode, first of all, that’s the thing that people should be using, if they’re concerned that somebody might be infecting their phone, right? This is a feature that Apple is offering to everybody who wants it on macOS iOS. And now it’s also going to be on watchOS starting with the next major release. And this is a feature that turns off a bunch of features, which seems ironic. But the whole purpose of this is so that it reduces the attack surface, it makes it harder for the bad guys to be able to break into your device in the first place by turning off a bunch of things that bad guys typically will try to exploit, like the way that iMessage processes images that are sent. So if you’re concerned that somebody’s going to try to hack into your device, turn on Lockdown Mode first of all. If you are still paranoid that somebody might be infecting your device, in spite of having Lockdown Mode enabled, you’re probably overly paranoid, but go ahead and turn off your device every day. It doesn’t hurt to do that. You know, it’s not something that I think that the general average person really needs to worry about. I think the average person should be more concerned about maybe using apps that are in the App Store that Apple has approved, but come from kind of sketchy developers, that’s I think the thing that the average person needs to be a little bit more concerned about.
The Army warns service members to beware of unsolicited tech.
Kirk McElhearn 8:07
Okay, we have an alert from the Department of the Army Criminal Investigation Division, whose slogan is “Prevent, Investigate, Educate”. Sounds like a TV series, doesn’t it? CID lookout unsolicited smartwatches received by mail. Apparently, service members across the military have reported receiving smart watches unsolicited in the mail. And these aren’t Apple Watches. These are cheap Chinese watches. When they’re used, they auto connect to Wi Fi and begin connecting to cell phones unprompted, giving access to a myriad of user data. Now, the idea of someone in the military or let’s say in the intelligence community receiving any kind of device like this, and actually using it, I mean, I guess they do have to warn because soldiers might not realize. I remember we talked about a story a couple of years ago, where a lot of soldiers were using Strava, which is an app you can use to log your runs and your bike rides, et cetera. And so many people were using it that there was a public heat map on Strava’s website that showed where a military base was someplace in the Middle East. So the idea of getting something electronic in the mail and using it should definitely be something to think about even if you’re not in the military. Now. Apparently, this is called “brushing”, brushing as a practice of, according to the CID, sending products often counterfeit unsolicited to seemingly random individuals by mail in order to allow companies to write positive reviews and receiver’s name allowing them to compete with established products. So did they just find the names of a bunch of soldiers in some base someplace? And that sounds a little suspicious. In any case, I would avoid ever using any electronic device like that you receive, ever plugging in a thumb drive or a hard drive or anything.
Josh Long 9:56
Yeah, and we talked about that not too long ago that journalists in some cases are being targeted with these drives that are sent to them in the mail. And of course, you know, what if there’s some big story on this thing, but you don’t know, is that device going to blow up? Is it going to like short out your port and destroy your computer? Or who knows what. So you do have to be very careful about any kind of technology that’s just mysteriously sent to you anonymously or otherwise. You know, what if if somebody really wanted to get you to try out some device that they’re sending to you, they would probably put it in an Amazon box and make it look like it was actually shipped to you by Amazon or some legitimate company. And so you might think, Oh, well, somebody accidentally sent me an Apple Watch to my address. And you know, if you’re the somewhat unscrupulous type, you might think, Oh, well free Apple Watch. Sweet. And if you tried to set it up, well, you might be getting yourself in trouble. The PC World article actually does mention that there are imitation Apple Watches that can be purchased for as little as $15. So it’s not necessarily that these devices that are being sent in the mail are Apple Watch knockoffs. They may be. But in any case, no matter what if somebody sends you some unsolicited tech, and you work for the government, you work for the military. Just be very cautious about it. And probably just don’t use that maybe turn it into your IT department and have them analyze it because it might be something that is malicious.
Kirk McElhearn 11:25
Okay, we’re gonna take a break. When we come back, we’re going to look at some more news.
Voice Over 11:31
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X 9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Ventura, and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X 9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the Special Discount Link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.
Apple objects to UK’s Online Safety Bill
Kirk McElhearn 12:47
So there’s not a lot of Apple news this week. However, Apple has made a statement to the UK government about the UK Online Safety Bill, which is being discussed in Parliament right now. And which would apparently eliminate end-to-end encryption in messaging apps and probably in other services as well. If they’re going to kill it in messaging apps, they’re going to kill it in the browser. I’m gonna link in the show notes to an article that I wrote on the Intego Mac Security blog I think last year about why end-to-end encryption is so important. You couldn’t put a credit card number in your browser without end-to-end encryption. You couldn’t use online banking, you couldn’t use a lot of apps and any of your data would be at risk of being you know, sniffed by someone who gets access to a server. So Apple’s coming out very strongly saying end-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists and diplomats. It also helps everyday citizens defend themselves from surveillance, identity theft, fraud and data breaches. So Apple is not the only company apparently there are 80 organizations and tech experts who’ve written to a UK Minister about this. But this is a bit worrisome that governments think that they could just get rid of end-to-end encryption that will solve all the problems with dealing with crime and have no side effects.
Josh Long 14:05
And we’ve seen similar bills being proposed across the United States and many other jurisdictions as well that want to go after end-to-end encryption because the thinking on you know the side of politicians typically who don’t know a lot about how technology works. They typically think end-to-end encryption is bad because it enables terrorism and child pornography and well, okay. But there’s a lot of legitimate use cases. It’s, it’s like I’ve mentioned many times, any tool and this is true for technology as well as for you know, any other kind of tool can be used for good or for evil, right? You can use a wrench to fix a pipe or you can use a wrench to clobber somebody over the head. It’s the same way with any kind of technology as well. End-to-end encryption is I would say inherently good. There’s nothing bad about end-to-end encryption itself and so damaging all end-to-end encryption or, you know, we’re putting backdoors in it so that a government entity, for example, can decrypt whatever they want that is, was end-to-end encrypted. That’s a problem, because now the bad guys also will will be able to use that same backdoor. It’s there’s no way to guard that secret well enough that only the good guys have access to that secret backdoor, all the bad guys are going to know that secret backdoor as well.
What is the DATA Act and how does it give me more control over my personal data?
Kirk McElhearn 15:27
Okay in other government laws that are being discussed, in fact, this one is actually been signed off by the EU. There are new rules within something called the DATA Act about how companies use consumer and corporate data with safeguards against non-EU governments gaining illegal access. This is a pretty complicated bill. We can’t even figure out everything involved here. But one of the most important areas is that the new legislation gives individuals and business more control over their data generated through smart objects, machines and devices, allowing them to copy or transfer data easily from across different services. So this affects Apple with iCloud, it affects individual apps with data that you may want to transfer. The problem is that there is some interoperability that’s easy. So let’s say you store files on iCloud Drive, you want to move them to Dropbox, it’s not very hard, may not be easy on a phone, but on your Mac, you just drag the files and you’ve moved them. But there are apps that use iCloud to store data to sync from device to device using what Apple calls CloudKit. their framework for storing data. That might not be so easy to transfer. One of the ideas so Apple has an app that lets you go from Android to an iPhone and copy lots of different data. And it’ll copy into Apple silos. So your calendar events will go into iCloud for Apple Calendar, et cetera. But it does this Act mean that every bit of data you have should be transferable? I don’t think that’s entirely possible, given the way third party apps may store data in ways that isn’t accessible, or third party apps may not have equivalents on both platforms.
Josh Long 17:07
Right. And as you said, this is a little bit unclear about what exactly would be required of Apple. But if the idea is that maybe we would get something like Google Takeout for Apple, Google Takeout is if you go to takeout.google.com. This is a site where you can export, basically almost everything that Google has about you and export that data. So that if you wanted to look through it and see what Google knows about you, you have access to be able to do that. It’s not necessarily all stuff that can be imported into another service. But at least it gives you an idea of what data they have. And possibly one interpretation of this, these new rules would be that maybe Apple would have to do something like Google Takeout, where they give you access to be able to export all of your data that’s synchronized some way to iCloud, maybe through CloudKit, in the case of like, third party apps. I don’t know how how useful that would be in terms of migrating to another platform. Because, again, as you say, when it comes to third party apps, especially those apps, if they’re even required to comply with this, right, I would assume that it is sort of only applied to apps for major developers like Microsoft, for example. And other big developers, would they be required then to allow you to reuse that data? I’m not sure. It’s interesting, though. I kind of I don’t dislike the idea of Apple having to offer a Takeout-type service.
Kirk McElhearn 18:38
I had never heard of this before. And this must be how Apple has their Switch to iPhone service. So they probably since they’re going from Android to iPhone, and all of the Android stuff would be on Google. This is probably what they do. If Google’s already doing this, the fact that Apple’s not is a bit suspicious. I think Apple should absolutely provide this if Google is providing it. Again. I had no idea I hadn’t seen this. And it looks like it’s really easy to get yourself off of Android then.
Josh Long 19:04
Right, right. Because basically, everything that you do on Android is all part of your Google account. So you can just easily export all that stuff.
Kirk McElhearn 19:11
Well, everything except for some third party apps that may be handling data in a different way.
Josh Long 19:15
Right. Good point. Yeah. And you could have third party apps on iOS as well that handle all their data separately, they may use their own proprietary servers rather than syncing stuff to iCloud. That’s entirely possible on iOS too. So it would be very interesting to see Apple do a Takeout-type service. It’s very funny that Google has Takeout, right. Google is not known for being a very privacy friendly company and Apple is. That Apple says that they are a privacy yet they don’t really allow you to fully export all the stuff that Apple has about you. And so that that is a little bit odd.
AI-generated content threatens to inundate and overwhelm internet search
Kirk McElhearn 19:54
We talked in the past about how to get your data from various services and I think we looked at Amazon and other companies like that. And it is surprising that Apple has no system where you can just get all your data. In fact, this is something they need. We want to talk about something which isn’t…Well, it’s not really security and privacy, but it’s going to be. First of all, Josh and I are real. We are not bots with AI generated voices. All of the articles we write on the Intego Mac Security blog are artisanal, handcrafted, bespoke articles. The Verge has an article this week, AI is killing the old web and the new web struggles to be born. Apparently, tons of content farms are using AI such as ChatGPT, and other things to create totally useless articles just to fill up space, and to get traffic through Google and to get money through Google ads. And the problem here is, it’s so easy to do, that the web is going to be flooded with all this stuff, unless Google and Bing and other search engines can figure out how to filter them out. And I don’t think it’s that easy, because when you read articles written by these things, they’re well-written, they don’t have spelling or grammar errors. They do have a certain style, which is detectable, but they’re not bad. Like, I don’t know, if you remember Josh, a couple of times, I get Google words from my names. And these are websites that take articles from our blog, the Intego Mac Security blog. And what they do is they replace nouns and verbs with synonyms. So it’s not a copy of the actual article, but it’s unreadable. And they’re doing the same thing to try and get Google ads. So this is going to be a problem. Because when you do a Google search, and you end up going to websites like this, you don’t know whether you’re going to get valid information, or whether it’s just something that was hallucinated by an AI.
Josh Long 21:43
Right. And I think that last part, that’s one of the things that I think is most fascinating about this, and most concerning, I guess, about this is that it’s not necessarily just that there’s more AI generated content out there. But the fact that we know that these AI bots have these hallucinations, right, it may sound very authoritative, and in may even cite sources, but in some cases, it may be making up those sources, they don’t actually exist. That’s something that’s pretty concerning. If you just trust everything that you read online. Obviously, you can’t trust everything that you read online.
Kirk McElhearn 22:20
But you could trust everything you read on the Intego Mac Security blog.
Josh Long 22:23
Yeah, at least, at least anything you’re reading on our site is not going to be generated by AI and will be fact checked. But if you’re just like Googling stuff, right, and something ranks highly in Google, it’s not a source you’ve ever heard of before. But it seems to be authoritative. Just be very careful about it, because it very well could be AI-generated content. And it’s interesting that you mentioned this too, because recently, I’ve been getting a lot of articles pushed out me on Twitter, the Twitter algorithm seems to think that I’m really into AI. And so every day I’m getting one of these kind of threads pushed at me, like here’s how to make $250,000 a day on on by using AI generated content. And and the typical kind of junk that you find in these threads is things like use AI to generate books and put them on Amazon and use AI to to generate websites for you and and become a fake subject matter expert. They don’t say fake, but that’s basically the implication is like, find a niche, and then exploit it using AI. If this is something that a lot of people are actually trying. And it sounds like from this Verge article that this is becoming more prevalent, than this is something that people need to be aware of, from the consumer side to be aware that this stuff is out there and to watch out for this.
Kirk McElhearn 23:48
Just a couple of weeks ago, I was writing an article for a blog where I write about writing. And I asked GPT to give me some bullet points for an article about a specific topic. And it gave me some quotes from two authors Stephen King and JK Rowling. I looked up the Stephen King quote on Google, and it’s repeated everywhere apparently was from his book “On Writing”. Now I have On Writing on my Kindle. So I searched for the quote, and it doesn’t exist in that book. The JK Rowling quote was more interesting, because there were no Google hits for it. So on the one hand, GPT found a quote that’s widely reported, but that isn’t right. On the other hand, it just made up a quote, because I couldn’t source it anywhere. And when we say the word hallucination, this is the term for GPT or AI bots making things up. There have been a number of cases recently of lawyers who’ve had AI bots generate briefs and have cited cases that didn’t exist and have been penalized for doing this. So we got to be really careful now with information on the web. And I’m thinking even more, let’s say you look up an article how to do this on my iPhone. And it gives you instructions that actually could be dangerous because either it’s a hallucination or it’s someone that’s actually malicious. Who’s added some instructions in it that’s dangerous, and you end up losing your data or doing something else. So the one thing that you said about if you see a source you don’t know on Google, that’s hard because not everyone knows the real authoritative sources in certain fields. It takes a lot of familiarity with websites to be able to decide what is reliable and what isn’t.
Josh Long 25:22
That’s true, there is an element of knowing who the actual experts are. And that’s tricky, because if you’re searching for something where you don’t know who the experts are, who to turn to, then well, good luck, I hope you’ve come across the right information from the right website. And getting even more meta with this. Considering that these bots are scraping content from the internet to generate new information. As we get to into further generations. This could get even worse where bots are scraping data from past bots that had incorrect information. And it could just continue to get progressively worse as time goes on.
Accidental emergency calls are not limited to iPhones
Kirk McElhearn 26:03
Okay, very quickly, before we close, we talked last year about Apple’s Emergency SOS feature, and about how it was being triggered by people on rollercoasters, things like that. Android has a similar problem, when a side button is pressed repeatedly. Here in the UK, the 999 service, that’s the emergency numbers getting overwhelmed with calls. So I think that all of these features for Emergency SOS, and access and help and all that they’re really wonderful. But it takes a while for these to be ironed out. And one of the problems is Android can be updated. But a lot of phone carriers don’t update Android often enough. So this is more of a problem on Android where you may be having phones for years that have this problem. Whereas with iPhones they get fixed a little bit more quickly.
Josh Long 26:52
Right. And another problem with this being part of the Android ecosystem is you have tons of different phone models that you’re dealing with where Apple’s smaller number of different phone models that support that operating system that need to be updated. And with Android devices, well, you’ve got a ton of manufacturers a ton of models among each of those manufacturers that may all need that patch. And again, you know, like you say, these Android patches are not getting out there as quickly as even iPhone patches are and we know that sometimes those are delayed between when the update is actually released and when you get the notification about it. In the case of Android phone manufacturers, usually that means that usually when there’s an Android update, the manufacturer has to kind of do their approval, and sometimes they rework it and then push it out to users. So there can be even further delays for both security updates and also for things like this to fix a bug where people are accidentally calling the emergency services.
Kirk McElhearn 27:57
Well, the Ars Technica article that I’ll link to in the show notes points out that this feature was released a year and a half ago. But since Android updates are rolled out over time, it’s only now hitting enough people to become a national problem. And it was even flagged back in 2021 on Pixel devices when it was first launched. And it’s the delay in the rollout is what’s caused the problem now and we’re going to have the same delay for another year and a half maybe until it’s fixed. Anyway, not a problem for Apple users. But always something to keep in mind that sometimes these features that are designed to help you can have bad side effects. Josh, until next week, stay secure. Remember, Tour de France starts on Saturday.
Josh Long 28:37
All right, stay secure.
Voice Over 28:40
Thanks for listening to the Intego Mac podcast, the voice of Mac security, with your hosts Kirk McElhearn, and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode podcast.intego.com The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.
If you like the Intego Mac Podcast podcast, be sure to rate and review it on Apple Podcasts.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
