SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 147: Bill Barr and the Magic Door

Posted on July 25, 2019

Hot enough outside for you? Stay indoors instead and cool off with the refreshing taste of The Checklist — though, in reality, some of our stories could leave a bad taste in your mouth, so keep a tall glass of your favorite beverage handy just in case. On this week’s show, we’re looking at the US government once again demanding the impossible when it comes to encryption and data privacy, how to protect your kids and keep them safe in the world of online dating, and everything you need to know about the latest and greatest versions of all Apple’s operating systems.

Ready to beat the heat and learn something at the same time? Let’s start ticking off the boxes on our list with these stories:

  • The Attorney General and the Magic Door
  • Keeping Kids off Dating Apps
  • Security Fixes in the Latest Apple Updates

Serving as the kickoff for our discussion this week, let’s find out what’s up with the Attorney General’s stance on encryption standards.

The Attorney General and the Magic Door

The War Against Math continues! In other words, demands to produce magically “weaker” encryption that’s not actually less safe in any way have started to make the rounds again, though this time it’s coming from a man of considerably more power than usual: US Attorney General William Barr. Time and again, we’ve seen the same request come up from governments and leaders all over: a magical “back door” through the maze of encryption, but a door that only the so-called “good guys” can use. Whether you’re a longtime listener or a first time visitor, the question you may have is likely the same: is this even possible?

In a word: No!

Apple Insider brings us this story in the wake of Barr making public claims that the widespread availability of secure encryption is harming national security, whether in end-to-end uses such as messaging apps like Signal or in system-wide applications such as the encryption that keeps your iPhone’s data locked down from prying eyes. Barr says these technologies are hampering law enforcement, harming society, and empowering criminals to take bolder, more brazen actions because they believe readily available encryption will shield them from any repercussions.

What does Barr have to say to the companies, tech experts, and the little people like us who all say that such a backdoor simply isn’t possible? Well, he’s not too sympathetic to that point of view. Barr says, “It can be [done], and it must be.” Not leaving a whole lot of room for disagreement there, is he? Yet in spite of Barr’s dire pronouncements, demands for action, and insistence that this will be the downfall of all law enforcement efforts if nothing is done, the reality remains the same: it’s not possible to weaken encryption for only the “good guys,” and any compromise to an encryption protocol means that everyone using that protocol is less safe and less secure.

We understand law enforcement’s desires here — more information is always useful when it comes to taking down the bad guys, and encryption does make their job more difficult. However, the reality is that there is no practical way to implement these ideas safely. Let’s look at an example for a quick peek into why this isn’t possible.

Imagine an encryption system that generated three keys: one for you, one for the person you’re talking to, and a third key that would have the ability to decrypt both sides of the conversation. The big question: who gets to keep that third key? Is it the government — the same government that has admitted to server breaches in everything from NASA to the actual CIA? Is it the police? Here we quickly see the concern: there is no safe place to keep the third key and no trustworthy arbiter of when and how those keys should be released. If the backdoor is available to the good guys, it will inevitably become available to the bad guys, too. 
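The three-key scheme described above, sketched as an added example (not code from SecureMac or from any real messaging app): each message's session key is wrapped once for the recipient and once for the escrow key, so a single copy of the escrow key opens both directions of the conversation. The symmetric long-term keys and the HMAC-based toy cipher are assumptions chosen so the sketch runs with only the Python standard library.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. Illustration only,
    # unauthenticated; a real system would use a vetted AEAD construction.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def send(plaintext: bytes, recipient_key: bytes, escrow_key: bytes) -> dict:
    session = secrets.token_bytes(32)   # fresh key for this one message
    nonce = secrets.token_bytes(16)
    return {
        "nonce": nonce,
        "body": _xor(session, nonce, plaintext),
        # The same session key is wrapped twice: once for the recipient,
        # once for whoever holds the escrow ("third") key.
        "wrap_recipient": _xor(recipient_key, nonce + b"r", session),
        "wrap_escrow": _xor(escrow_key, nonce + b"e", session),
    }

def open_with(msg: dict, key: bytes, slot: str) -> bytes:
    label = b"r" if slot == "wrap_recipient" else b"e"
    session = _xor(key, msg["nonce"] + label, msg[slot])
    return _xor(session, msg["nonce"], msg["body"])

def demo() -> list:
    # Constructed sample keys and messages.
    alice, bob, escrow = (secrets.token_bytes(32) for _ in range(3))
    traffic = [send(b"hi Bob", bob, escrow), send(b"hi Alice", alice, escrow)]
    copied = bytes(escrow)  # one copy of the third key, wherever it ended up
    # Neither Alice's nor Bob's key is needed to read both sides.
    return [open_with(m, copied, "wrap_escrow") for m in traffic]

if __name__ == "__main__":
    print(demo())
```

Nothing in the message format distinguishes an authorized holder of the third key from anyone else who has a copy of it, which is the storage problem the paragraph describes.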

Before this, we once heard former FBI Director James Comey discuss how the companies themselves should create the backdoor and maintain the keys until the government comes knocking. In other words, they’d like all the benefits with none of the responsibility. Anyone in a private company responsible for maintaining that access would ultimately face the temptation to sell it for a profit to the highest bidder, too. 

There’s another wrinkle, too: let’s say these companies did build in a backdoor. Nothing is stopping a developer with some free time from creating and deploying a new app with end-to-end encryption that the government still can’t access. Nothing is stopping even smaller criminal enterprises from building or commissioning their own separate, secure system. A backdoor only undermines security for the law-abiding citizen.

Barr and others are welcome to continue posturing about these things outside of their control, but it’s not going to do any good — they’re simply asking for the impossible and the unwise.

Keeping Kids off Dating Apps

It’s time to have The Talk — or rather, The Talk about The Talk. Yes, we mean the birds and the bees — though in today’s world it’s really all about the ones and the zeroes. This story comes to us courtesy of SecureMac’s own newsletter, which you can sign up for at the bottom of The Checklist’s homepage. This week, the subject was “Five Ways to Keep Your Kids Off Dating Apps” — and for parents concerned about apps such as Tinder, Bumble, and all the dime-a-dozen online dating platforms, this is some seriously good advice to take into consideration. 

Keeping your kids safe online isn’t as easy as dropping the family computer into the middle of the living room or kitchen anymore. Everyone’s got a smartphone, and everyone’s got apps, and not everyone pays attention to what apps their kids put on their smartphones. Such was the case recently when several parents received a rude surprise — discovering their children, as young as 12, were using dating apps designed for and populated by adults. As frightening as that may be, there’s still good news: there are simple steps you can take right now to protect your kids from the dangers inherent in their presence on these services. 

First up: use the tools Apple has already built into iOS. While it would be a wonderful world if the App Store were 100% safe, there are no guarantees, and things slip through the cracks in Apple’s efforts. However, the company has many options for parents who want to implement screen time restrictions and parental controls on their children’s phones. All you need to do is head into the Settings app on your child’s phone to start looking at Content & Privacy Restrictions. Here, you can block certain kinds of app downloads, restrict web searches, and receive regular reports on your child’s activity. With this, you can create a safer, more age-appropriate version of the iOS experience, contained within a “sandbox” of your own making.

Next: believe that your kids might be on these apps. Trusting your kids is great — it can be the foundation for a healthy relationship based on respect. However, kids are also kids, and they have their own ideas. While you might think “my child would never do that,” that’s a bit of a naive perspective: think back to the things you got up to as a kid their age, and we’re confident you’ll remember plenty of things you did that you weren’t “supposed to do.” Be open to the idea that they might use one of these apps. 

There are literally millions of registered iOS developers, and that means there are tons of apps flowing into the App Store every day. Apple’s process can’t catch everything, unfortunately, and that means you, the parent, must step in to fill their shoes. Keep up to date on what apps are out there and monitor what your child downloads. If you don’t recognize an app, investigate what it does and disallow it if it breaks your rules.

What’s step three? Stay away from tracking software. We’ve talked about the perils and pitfalls of these programs a few times on the show, but here’s a quick refresher as to why honesty and trust between you and your child trumps spy software every time. Remember, the developers of these apps want to make money. They have every incentive to collect and sell data on your child. You might know where your kids are every moment of the day, but so does the company that made the app. That’s valuable information. Not only that, but you could mistakenly create a security risk for yourself and your kids if the developers aren’t taking precautions with their own security. 

That leads us to step four: talk to your kids and warn them of the dangers out there. That doesn’t mean you should scare them, but let them know what they could face. Kids aren’t stupid, after all, but they are inexperienced. Sometimes inexperience leads to overconfidence, and overconfidence leads to danger. Give common sense guidelines with a realistic sense of what to do when they face dangers online. The best thing you can do is to prepare them to protect themselves, rather than hovering and trying to stop everything yourself. 

Finally: stay informed. If you don’t know cybersecurity basics or how to use Apple’s built-in iOS features, you’ll have a harder time keeping your kids safe online. But hey, staying informed is easy — in fact, you’re already in the perfect place to learn much of what you need to know. 

Security Fixes in the Latest Apple Updates

Big Apple fan? Just about everything you own got an update this week, from your iPhone to your Apple TV to your Mac and even the Apple Watch. Thanks to MacRumors for details about the updates — we’re bringing you all the in-depth news about them you need while you wait for your updates to download. That is, if they haven’t undergone automatic installation already! The first big release we saw in this slew of updates was an update for macOS Mojave, which moved up to version 10.14.6. Apple included a bunch of new tweaks for Apple News+, corrected a problem with Boot Camp and hard drive partitions, and addressed some issues with system graphics.

More importantly, though, Apple says that this macOS update squashed 25 security problems. Many of these fixes aimed to stop memory leaks, but there was also apparently an issue with FaceTime that could have let an attacker run their own code on your Mac. In other words, if someone called you and had a good sense of what they were doing, they could make your life annoying and do all kinds of un-fun things on your Mac.

Not using Mojave? Don’t worry — Apple hasn’t forgotten about you, as they also released Security Update 2019-004 for Sierra and High Sierra. Snag that one directly from Apple’s site here for Sierra and here for High Sierra.

What about the computer in your pocket? iOS 12.4 adds a neat new feature that lets you wirelessly transfer your old phone’s data directly to a new phone, but also addresses 19 security bugs in total. That nasty FaceTime bug from macOS is present in iOS as well, and it’s fixed in this release too. This update also fixes a bunch of wide-open WebKit vulnerabilities. Think about how much time you spend browsing the internet on your phone: now think about your phone’s web browser having vulnerabilities. Apple fixed tons of memory leaks, cross-site scripting problems, and much more. Stay safe online on your mobile device and grab this update ASAP. Apple also released supplemental updates for older iOS versions that fixed a small bug related to GPS.

What about watchOS 5.3? This is the much-awaited update that restores the Walkie-Talkie functionality, making it so that bad guys can’t eavesdrop on you any longer, and it also fixes 16 security issues in total. One of the most important is a bug fix that stops users from making accidental purchases while on the lock screen of the phone. Tired of mistakenly buying even more Fortnite dances? Download this update today.

tvOS rounds out the slate with 14 security fixes, though the majority of these are common to the many other updates Apple released this week. Some arbitrary code execution flaws get fixes, though, so save your Apple TV from a hostile takeover and make sure you’re running the latest version today. Once you’ve got everything downloaded, you’re all set — at least until the next update.

And with that, it’s time to draw to a close another edition of the show. Don’t forget to update, and don’t forget that this is never the end of the line. You can always take a turn into The Checklist Archives, where you’ll find every episode from the first one to today’s and eventually even next week’s and beyond. Listen to our conversations again, peruse the in-depth show notes, or chase down the links yourself for a firsthand view of the facts — all right here.
