More stories

    NortonLifeLock and Avast PLC to merge in $8.5 billion all-stock transaction

    Antivirus vendor NortonLifeLock this afternoon said it will merge with Britain’s Avast PLC in a transaction combining cash and stock in two different options, totaling between $8.1 billion and $8.6 billion. That value is roughly equivalent, in U.S. dollars, to Avast’s enterprise value (which takes into account its cash and debt) of £6.5 billion, based on the closing price of Avast stock Tuesday of £5.68 on the London Stock Exchange. NortonLifeLock shares rose 2.5% in late trading.

    The two companies said in the joint press release that their respective boards of directors see an opportunity to “create a new, industry-leading consumer Cyber Safety business, leveraging the established brands, technology and innovation of both groups to deliver substantial benefits to consumers, shareholders, and other stakeholders.”

    The two companies said the deal will bring together product lines that are broadly complementary, while giving the combined company a user base of over half a billion customers. The deal will broaden the geographic market coverage of the combined company. In addition, the two expect to realize “$280 million of annual gross cost synergies.”

    Under terms of the deal, “Avast shareholders will be entitled to receive a combination of cash consideration and newly issued shares in NortonLifeLock with alternative consideration elections available.” Based on NortonLifeLock’s closing share price of USD 27.20 on July 13, 2021 (the last trading day for NortonLifeLock shares before market speculation about the merger began on July 14, 2021, which started the offer period), the merger values Avast’s entire issued and to-be-issued ordinary share capital at between approximately USD 8.1B and USD 8.6B, depending on Avast shareholders’ elections.

    In a companion deck of slides, the two companies detail two options for shareholders. Option one is to receive 31% of the deal in cash and 69% in stock; option two is to receive 90% in cash and 10% in stock.

    NortonLifeLock CEO Vincent Pilette called the deal “a huge step forward for consumer Cyber Safety” that he said “will ultimately enable us to achieve our vision to protect and empower people to live their digital lives safely.” Added Pilette, “With this combination, we can strengthen our Cyber Safety platform and make it available to more than 500 million users. We will also have the ability to further accelerate innovation to transform Cyber Safety.”

    Said Avast CEO Ondřej Vlček, “At a time when global cyber threats are growing, yet cyber safety penetration remains very low, together with NortonLifeLock, we will be able to accelerate our shared vision of providing holistic cyber protection for consumers around the globe.” Added Vlček, “Our talented teams will have better opportunities to innovate and develop enhanced solutions and services, with improved capabilities from access to superior data insights. Through our well-established brands, greater geographic diversification and access to a larger global user base, the combined businesses will be poised to access the significant growth opportunity that exists worldwide.”

    Pilette and NortonLifeLock’s CFO, Natalie Derse, will remain in those positions in the combined company. Avast CEO Vlček will join NortonLifeLock as President and will join the Board of Directors. Pavel Baudiš, a co-founder and current director of Avast, is expected to join the Board as an independent director, the companies said.

    NortonLifeLock, formerly the consumer security technology arm of Symantec, separated from Symantec when the enterprise security business was purchased by Broadcom in late 2019. Eleven-year-old Avast focuses on software for consumers and small and medium businesses. The take-out price represents a multiple of roughly 9.6 times projected revenue this year for Avast of £678 million, and a multiple of projected Ebitda profit of 17 times.

    Nearly one million credit cards offered on underground forum

    Researchers with D3Lab have discovered the data of almost one million credit card holders being sold on an underground forum, according to a blog post released this week. In a sample of 980,930 files acquired by D3Lab analysts on Monday, the batch contained names, addresses, credit card numbers, expirations and CVVs. About 30,000 entries in the data set came from people living in Italy, based on identifications tied to the stolen cards. D3Lab analysts found the information on a carding database called All World Cards. 
    All World Cards is a haven for online credit card thieves involved in things like Magecart attacks, information-stealing malware and point-of-sale attacks. D3Lab noted in their report that carding sites generally get most of their stolen credit cards from point-of-sale attacks at gas stations, supermarkets and some e-commerce sites. The report found that the people behind All World Cards have been marketing their site and services since June and may have purchased stolen credit card data and shared it for free “to entice other criminal actors to frequent their site.” The domain for allworld [.] Cards was created in May and the site now has 2,634,615 stolen credit cards, with more than 1 million coming from the US.

    After examining the data, D3Lab researchers sent the information to the banks represented in the leak so that the cards could be cancelled and users could be notified. Half of the cards in the batch are still operational, according to D3Lab. With the help of a BIN database, the researchers managed to verify the stolen records and figure out the companies, issuers and other data on the victims. Of the 980,930 stolen cards, 98% had a valid BIN associated with an issuer, according to D3Lab, while nearly every card came from either Visa or Mastercard.

    More than 75% of the cards were debit cards and 24% were Gold, Business or Titanium cards. India was the most represented country in the batch, with 20% of cards coming from the country, followed by Mexico and the US with 9%. About 4% came from Italy as well. Javvad Malik, security awareness advocate at KnowBe4, told ZDNet that the cards were stolen between 2018 and 2019, making it difficult to determine where the data came from or if it came from multiple sources.

    Carding has become a lucrative avenue for cybercriminals, explained PerimeterX senior director Uriel Maimon. Attackers use bots to test lists of recently stolen credit card and debit card details on merchant sites. The carders then use the proven credit card details to directly retrieve funds from associated accounts or to purchase gift cards which can easily be converted into high-value goods, such as cell phones, televisions and computers, Maimon explained. “These goods are then resold — often via ecommerce sites offering a degree of anonymity — for a profit. As these cards were stolen between 2018-2019, it stands to reason that most are no longer valid, especially if they’re publicly dumped and multiple actors will jump on them at the same time.”

    In December 2020, the FBI and Interpol seized four domains operated by Joker’s Stash, the internet’s largest marketplace for buying and selling stolen card data. The site announced it was officially shutting down in February. BleepingComputer noted that cybersecurity company Cyble imported the stolen data into their AmIBreached service, so people can check if their credit card information was involved.

    McAfee adds over half a million subscribers in Q2

    Security company McAfee on Tuesday published second quarter financial results, adding more than half a million core Direct to Consumer subscribers in the quarter. Second quarter diluted earnings, including both continuing and discontinued operations, came to 21 cents per share. Net revenue was $467 million, reflecting growth of 22 percent year-over-year. Analysts were expecting earnings of 18 cents per share on revenue of $433.99 million.

    “We are very pleased with our team’s execution this quarter,” said Peter Leav, McAfee’s President and Chief Executive Officer. “Not only did McAfee deliver another solid quarter with revenue, DTC subscribers, profitability and cash flow from operations growing double-digits, but did so while simultaneously closing the transaction to sell the Enterprise Business… We look forward to continuing our journey as a pure-play consumer business.”

    McAfee in Q2 completed the sale of its Enterprise Business for $4 billion in cash. Meanwhile, it added 556,000 DTC subscribers, bringing its total number of subscribers to 19.4 million. A year earlier, the company had 16.6 million core DTC subscribers. McAfee also in Q2 signed a multi-year extended agreement with Samsung to deliver consumer security solutions to Samsung device users. For the third quarter, McAfee expects revenue between $461 million and $467 million.

    Microsoft's August 2021 Patch Tuesday: 44 flaws fixed, seven critical including Print Spooler vulnerability

    Microsoft has released 44 security fixes for August’s Patch Tuesday, with seven of the vulnerabilities being rated critical. There were three zero days included in the release and 37 were rated as important. 

    Thirteen of the patches involved a remote code execution vulnerability while another eight revolved around information disclosure. The affected tools included .NET Core & Visual Studio, ASP.NET Core & Visual Studio, Azure, Windows Update, Windows Print Spooler Components, Windows Media, Windows Defender, Remote Desktop Client, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Office, Microsoft Office Word, Microsoft Office SharePoint and more.

    One of the most prominent patches released in the latest batch covers the Windows Print Spooler Remote Code Execution vulnerability, which has been a major topic of discussion since it was discovered in June. Microsoft also faced backlash from the security community for bungling the release of patches meant to address the issue.

    The fixed zero-day bugs include the Windows Update Medic Service Elevation of Privilege vulnerability, which is the only one that has been exploited in the wild, according to Microsoft’s report, but Microsoft does not explain how, where, or by whom. Security expert Allan Liska said CVE-2021-36948 stood out to him because of its similarities to CVE-2020-17070, which was published in November 2020.

    “Obviously, it is bad that it is being exploited in the wild, but we saw almost the exact same vulnerability in November of 2020 but I can’t find any evidence that that was exploited in the wild,” Liska said. “So, I wonder if this is a new focus for threat actors.”

    Liska added that CVE-2021-26424 is a vulnerability to keep an eye on because it’s a Windows TCP/IP Remote Code Execution vulnerability impacting Windows 7 through 10 and Windows Server 2008 through 2019.

    “While this vulnerability is not listed as publicly disclosed or exploited in the wild, Microsoft did label this as ‘Exploitation More Likely’ meaning that exploitation is relatively trivial. Vulnerabilities in the TCP/IP stack can be tricky. There was a lot of concern earlier this year around CVE-2021-24074, a similar vulnerability, but that has not been exploited in the wild,” Liska explained. “On the other hand, last year’s CVE-2020-16898, another similar vulnerability, has been exploited in the wild.”

    The LSA spoofing vulnerability is related to an advisory Microsoft sent out late last month about how to protect Windows domain controllers and other Windows servers from the NTLM Relay Attack known as PetitPotam. Discovered in July by French researcher Gilles Lionel, the PetitPotam take on the NTLM Relay attack can “coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function.” It was never found to have been exploited.

    The Zero Day Initiative noted that Adobe also released two patches addressing 29 CVEs in Adobe Connect and Magento. ZDI said it submitted eight of the bugs in the recent Microsoft report and explained that this is the smallest number of patches released by Microsoft since December 2019. They attributed the decline to resource constraints, considering Microsoft devoted extensive time in July to responding to events like PrintNightmare and PetitPotam.

    “Looking at the remaining Critical-rated updates, most are of the browse-and-own variety, meaning an attacker would need to convince a user to browse to a specially crafted website with an affected system,” ZDI said. “One exception would be CVE-2021-26432, which is a patch for the Windows Services for NFS ONCRPC XDR Driver. Microsoft provides no information on how the CVSS 9.8 rated vulnerability could be exploited, but it does note that it needs neither privileges or user interaction to be exploited.”

    The next Patch Tuesday is September 14.

    ExpressVPN vs. Surfshark vs. NordVPN: Which is best?

    When choosing a VPN, you’ve got an insane amount of choices. In our best of guide and speed test guide, we’ve narrowed down the list from the wide array of branded commercial options out there to about 10. But that is still a lot to dig through. Which do you choose? In this article, we’ve taken three of our top choices — ExpressVPN, Surfshark, and NordVPN — and compared their characteristics. This isn’t a one-size-fits-all competition. You’ll need to decide which factors matter most to you, and from that, you can choose which product you want to test out. Keep in mind that all three products offer trial periods. We strongly encourage you to take advantage of that period to see which performs best in all of the likely situations where you’ll be using a VPN. And with that, let’s dive in.

    Surfshark wins, ExpressVPN implodes

    Winner: Surfshark

    VPN providers are always tinkering with their pricing, so these numbers are bound to change. That said, Surfshark is the least expensive, by quite a lot. Surfshark’s best deal is what they tout as a $2.49 a month plan (you’ll really be paying $59.76 now for two years of service). Nord is asking for $3.67 (or a wallet hit of $89 on signup for two years of service). ExpressVPN’s best deal is what they tout as $6.67 a month (you’ll really be paying $99.95 now for 15 months of service). After that 15 months, you’ll be charged $99.95 every 12 months, so the per-month price is essentially going up about a buck and a half after that first year. If you want two years of service, you’ll be paying $59.76 for Surfshark, $89 for NordVPN, and $150 ($99 for the first 15 months, plus half of $99 for the next 12) for ExpressVPN.

    Surfshark definitively wins this round by allowing you to run an unlimited number of devices with its Surfshark VPN service, while Nord permits just six simultaneous connections. And ExpressVPN gives you even less for its much more expensive price: just five simultaneous connections. At least all offer a 30-day money-back guarantee.

    NordVPN wins by a hair, Surfshark loses by a mile

    (Image: ZDNet/David Gewirtz)

    Winner: NordVPN

    In our fastest VPN guide, we took a look at both our own in-house tests and how the Internet overall rated open VPNs. We compared VPN rankings in speed tests from 10 sites besides ZDNet. Of potentially more interest, we compared the standard deviation of those rankings, which helps us determine whether a given VPN has a consistent ranking all across the internet, or whether different reviewers got wildly different numbers.

    As the above slide shows, NordVPN not only had a better aggregate average ranking but a considerably lower standard deviation than either of the other two players. This means that pretty much wherever you are, your NordVPN performance should be pretty good. ExpressVPN gave NordVPN a run for its money. While ExpressVPN’s aggregate speed didn’t quite match Nord’s, it was in the ballpark. Likewise, its standard deviation was a bit more wobbly, meaning it was a tad less consistent than Nord. But, honestly, either choice would be a win from a speed perspective. By contrast, Surfshark is both slower and considerably less predictable. While Nord and ExpressVPN are running pretty much neck and neck, the definitive loser here is Surfshark.

    ExpressVPN wins

    Winner: ExpressVPN

    All three VPN players support the big four: iOS, Android, Mac, and Windows. ExpressVPN also supports Linux, routers, and Kindle Fire. It supports Xbox, Playstation, and the Nintendo Switch as well as the browsers Chrome, Edge, and Firefox. When it comes to TV support, ExpressVPN lists Apple TV, Amazon FireTV, Samsung, Roku, Nvidia Shield, Chromecast, LG Smart TVs, Android TV, and others that require more of a manual setup process. Additionally, it offers setup instructions for Synology and QNAP NAS appliances.

    In addition to its big four clients, NordVPN lists Android TV, Linux, and Chrome and Firefox extensions on its download page, but has a support page for installing NordVPN on other platforms, including routers, Raspberry Pi, and NAS boxes including Synology, Western Digital My Cloud, and QNAP.

    Besides iOS, Android, Mac, and Windows, Surfshark also supports Linux, FireTV, Apple TV/iPhone, and what it calls “other TVs.” It supports Xbox and Playstation as well as the browsers Chrome and Firefox.

    The fact is, all three products support a reasonably wide range of devices, but we have to give the win to ExpressVPN. You can keep digging down in the support pages, and there are more and more devices with install tutorials the deeper you dig.

    Three-way tie

    Winner: ExpressVPN, Surfshark, and NordVPN

    I always like to make sure this point is stressed in all my VPN coverage: if you’re counting on a VPN for your physical freedom or to protect your life, it’s important that you do a lot more research than just reading an article like this. With that said, let’s look at the overall security profile for these three vendors.

    NordVPN has got a lot of mileage out of its Panamanian corporate registration, claiming that Panama puts its records out of the legal reach of governments and lawyers. As I discussed in great depth in my analysis of NordSec, it’s possible that countries with Mutual Legal Assistance Treaties (MLAT) may well be able to pierce the corporate veil.

    Although I didn’t do as in-depth an analysis of ExpressVPN, the company has similar claims and limits as Nord. ExpressVPN lists its registry in the British Virgin Islands but is a company with developers based in many MLAT countries as well.

    Surfshark also has the same basic claims and limits as Nord. Surfshark lists its registry in the British Virgin Islands, but like Nord and ExpressVPN, it’s a company with developers based in many MLAT countries as well. Surfshark boasts a private DNS service among its advanced features so you can be protected even while using public Wi-Fi, whether you’re in Australia, Hong Kong, the Netherlands, the USA, or anywhere in between. Surfshark also says it passed the German company Cure53’s security audit and offers uncrackable AES-256-bit encryption alongside its strict no-logs policy, but the German audit was limited to Surfshark’s browser extensions.

    All three vendors tout a no-logs policy. All three say they don’t capture VPN connection time stamps, used bandwidth, traffic logs, IP addresses, or browsing data, but there are some nuances here. NordVPN says it doesn’t track used bandwidth, while ExpressVPN says it tracks the total amount of data transmitted each day. ExpressVPN also tracks the location of VPN servers you connect to. That’s not good, because it means they can tell where your connection originated from (or at least the country) and where you’re trying to connect to. All three offer warrant canaries. All three also capture email addresses and billing information.

    All three accept cryptocurrencies. This makes it safer than paying through apps such as PayPal or with your credit card, with less fear of security breaches.

    So, which is more secure? Honestly, they’re very close. We probably wouldn’t feel comfortable putting our lives in the hands of any of these three companies (not that they’re doing anything wrong, but just because it’s a scary concept), but we’d certainly feel reasonably comfortable letting them protect our Wi-Fi surfing when out and about.

    NordVPN and Surfshark tie

    Winner: NordVPN and Surfshark

    All three vendors offer a kill switch, which we consider table stakes in terms of VPN special features. Both Nord and Express offer split tunneling, allowing you to channel some traffic through the VPN and the rest through your local connection without VPN interference. Surfshark offers a multi-hop connection, which is similar to NordVPN’s feature that causes your IP address to change twice before reaching the destination VPN server.

    ExpressVPN says it’s running a private DNS, but any VPN provider is going to need to do domain name resolving. So while other vendors don’t list “Private DNS” as a feature, they all need to be running a DNS as a consequence of their role in packet forwarding.

    Surfshark and NordVPN support P2P, allowing you to torrent your favorite Linux distros (and possibly other digital sharing activities of dubious legality, which we categorically do not recommend). ExpressVPN makes no mention of P2P.

    NordVPN has a few interesting features not provided by either ExpressVPN or Surfshark. NordVPN provides Onion Over VPN, which allows you to use both the Onion anonymizer and Nord’s VPN together. NordVPN also allows you to buy a dedicated IP address, which can help if you’re dealing with anonymous servers or gaming connections. NordVPN also offers business plans.

    NordVPN and Surfshark offer malware and adware filtering, although Surfshark’s AdBlock VPN feature appears to be somewhat more comprehensive. Surfshark also offers what it calls Camouflage Mode, which the company says can prevent your local ISP from knowing you’re surfing using a VPN. While NordVPN has a blog post on whitelisting, they don’t appear to have whitelisting as an actual client feature. By contrast, Surfshark uses its split-tunneling feature as a whitelister. ExpressVPN has an interesting blog post about how it prevents its apps from getting malware but doesn’t offer malware protection or adware filtering for traffic run over its VPN network.

    All three vendors come to the game with most of the features you’d expect. Nord has a few more business-focused features while Surfshark has some features that may afford a limited degree of additional personal privacy — but this would need in-depth testing to truly validate. ExpressVPN appears to just be phoning it in. It’s a tight contest, but we’re awarding wins to both Surfshark and NordVPN. ExpressVPN just gets a participation award.

    ExpressVPN vs. Surfshark vs. NordVPN: Your decision tree

    So, how do you choose between the three?

    Well, if you just count up the wins, Surfshark comes in first, then NordVPN, and then ExpressVPN. But the wins and losses aren’t particularly pronounced. Instead, we recommend you use the decision tree below. Before that, you might want to take a spin through The fastest VPN: NordVPN, Hotspot Shield, and ExpressVPN compared. We didn’t just test VPN provider performance in that in-depth analysis. We went out onto the internet, gathered performance data from all across the Web, and let you know which provider is the best overall.

    So, now, let’s decide:

    • If price is your top concern, Surfshark will save you about $30 over two years over NordVPN and nearly a hundred bucks over ExpressVPN.
    • If predictably fast download performance is key, then NordVPN is more consistently fast in overall performance.
    • If you need a VPN for a NAS appliance, then either NordVPN or ExpressVPN will do.
    • If you want a VPN for your Xbox or PlayStation instead of a mobile device or mobile apps, choose Surfshark or ExpressVPN.
    • If you want a VPN for something that’s not in the usual list, ExpressVPN is more likely to have a documented setup process.
    • If you want a dedicated IP address or more business-oriented features, choose NordVPN.

    So, there you go. NordVPN and Surfshark have distinctly different personalities, but each does the job in its own way. It’s hard to get excited about ExpressVPN, except for its wide range of device support. NordVPN also seems the most predictable of the bunch.

    How do these choices fit your needs? Have you chosen a VPN provider already? What capabilities and characteristics helped you make up your mind?

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

    Google makes Titan security keys simpler

    Google has simplified its range of Titan security keys by dropping its Bluetooth Titan Security Key and making greater use of NFC. Moving forward, NFC will be offered on both the USB-A and USB-C keys, which means that most users will be able to streamline their keys down to a single unit.

    If you have an older system with USB-A ports, Google recommends that you buy a USB-A + NFC security key, which should work with most smartphones and tablets. This is the key recommended for iPad users who have a Lightning port on the iPad (they will also need an Apple Lightning adapter).

    If you have a more modern system that makes use of USB-C, then the key for you will be the USB-C + NFC security key.

    Bluetooth Titan Security Keys will continue to work, and warranties will continue to be honored by Google. The USB-A + NFC security key, which comes with a USB-A to USB-C adapter, costs $30, while the USB-C + NFC security key costs $35. Both are available from the Google Store.

    A good alternative to Google’s Titan security keys is the YubiKey line, which comes in a wide variety of options.

    Digital Rights Watch and EFA push for right to repair to quash tech giant monopoly power

    Digital Rights Watch (DRW) and Electronic Frontiers Australia (EFA) have sternly warned that if big tech giants including Apple, Google, Amazon, and Microsoft continue to be allowed to behave as monopolies when it comes to repairs, it could stifle innovation and competition. “Repair monopolies held by major tech companies, heavy handed Digital Rights Management (DRM) technologies, and onerous restrictions on documentation, parts, and third-party repair options significantly harm Australian consumers, innovation, and the planet,” they said in a joint submission [PDF] for the Productivity Commission’s right to repair inquiry.

    The pair believes introducing the right to repair would be one way to address that market imbalance. “A right to repair would enable consumers to make use of an inbuilt market mechanism to counter attempts at abuse of market power,” the submission said. “This counterbalance to market power would act as a kind of automatic stabiliser without the need to involve market regulators to intervene if a market failure occurred. We believe this is particularly important for technology products as the majority of such products are not manufactured in Australia.”

    The submission pointed out how Apple, for instance, uses “serialisation” to actively prevent independent repair of its iPhones. According to the pair, serialisation prevents hardware from being replaced even with identical parts made by the same manufacturer, unless the serial number of that component matches the one the device was originally bought with.

    “It is inevitable that premature replacements of technological products will continue to occur at some degree, due to consumers choosing to purchase new items. Yet we believe it is important to address negative externalities created by manufacturers that actively promote a ‘disposable technology’ culture,” it said.

    “The development of a right to repair may play a role in discouraging technology companies from such practices, and motivate them to pursue other, more environmentally sustainable revenue models. “The right to repair will also be essential in order to create a culture shift away from wasteful consumer habits. We cannot expect consumers to take part in a circular economy if the mechanisms and incentives are not in place for them to do so, or if the incentives are actively antithetical to a circular economy.”

    The submission added that if repairs remained monopolised, technology manufacturers would be creating additional barriers to careers and hobbies in technology. “Digital skills and hardware skills are fundamentally intertwined, and the ability to take apart and fix hardware, as well as inspect its code, is a critical part of developing these skills necessary to build a future-proof economy,” it said. “Proprietary machinery that deliberately obfuscates its components to ensure it cannot be repaired by third parties further abstracts the relationship between humans and the tools we use, which makes this educational journey much more difficult.”

    The DRW and EFA also took the opportunity to highlight that as the commission investigates how best to approach right to repair, factors such as digital security, environmental sustainability, and issues related to fairness should not be overlooked. They pointed out, for instance, that under the Competition and Consumer Act 2010, vendors are not currently required to service and repair goods for their full useful life, rather only for a “reasonable” amount of time. However, implementing a right to repair that includes software as well as hardware would ensure potentially vulnerable devices can be made safe.

    “A right to repair would ensure that vulnerable devices purchased by consumers can be made safe by repairing the software running on those devices, thereby reducing the threat to themselves and to others,” it said. “This would not require the participation of the vendor, which may no longer exist, and would prevent consumers from being punished for ‘jail-breaking’ devices they own and sharing the code, if the software vendor is no longer supporting the device. This facilitates community-based software support and repair efforts, as well as supporting the rights of a hardware owner to install software of their choice on their devices.”

    Meanwhile, the National Farmers’ Federation (NFF) noted the cost of inaction with respect to repairs could result in higher repair costs; the inability to use a preferred repairer outside the authorised dealer network, who is often more experienced and qualified; long-distance travel to access authorised repairs, as use of local repairers would void warranties; and significant delays in repairs, which the NFF described as being “fatal” for a farm business.

    The NFF also knocked back claims that access to software for the purpose of right to repair would supposedly harm public safety or cybersecurity. “Any right to repair regime would not entail an open access data regime, where there is a free-for-all with respect to consumers’ repair data. A properly defined right-to-repair regime would put consumers in the driving seat in providing access to their data, where they see benefit, and the use of data would be governed by the development of codes on the use and dissemination of data,” the NFF said in its submission [PDF]. “The claims … [are] unfounded.”

    Communications Alliance, on the contrary, argued that enabling unauthorised repairers to use uncertified parts or install uncertified firmware on devices could result in making devices vulnerable to hacking or illegal interception. “We are concerned by the commission’s assertion in the draft report that security concerns may be overstated. Cybersecurity is a key focus for government, and the ACCC is actively working to educate and protect consumers from scams,” the Australian telco body stated in its submission [PDF]. “Allowing unauthorised third-party repairers to work on these devices, and/or to use unapproved replacement parts, could both impact connectivity and create risks to communication networks — which are deemed critical infrastructure by government and subject to extensive rules and regulations to ensure they are protected,” the Communications Alliance added.


    Apple to refuse government demands of expanding scanning beyond child abuse

Apple has produced an FAQ [PDF] in response to criticism levelled at it after announcing plans to have devices scan for child abuse material in images uploaded to iCloud.

The child sexual abuse material (CSAM) detection system will have devices running iOS 15, iPadOS 15, watchOS 8, and macOS Monterey match images on the device against a list of known CSAM image hashes provided by the US National Center for Missing and Exploited Children (NCMEC) and other child safety organisations before an image is stored in iCloud. If a hash match is made, metadata that Apple is calling “safety vouchers” will be uploaded along with the image, and once an unnamed threshold is reached, Apple will manually inspect the metadata; if it regards the material as CSAM, the account will be disabled and a report sent to NCMEC.

Much of the criticism has revolved around the idea that even if Apple is well-intentioned and the system is currently limited, it could be expanded, by Apple alone or following a court order, to hunt for other types of material. Apple said its processes were designed to prevent that from happening.

“CSAM detection for iCloud Photos is built so that the system only works with CSAM image hashes provided by NCMEC and other child safety organizations,” Apple said. “There is no automated reporting to law enforcement, and Apple conducts human review before making a report to NCMEC. As a result, the system is only designed to report photos that are known CSAM in iCloud Photos.

“In most countries, including the United States, simply possessing these images is a crime and Apple is obligated to report any instances we learn of to the appropriate authorities.”

On the prospect of being forced to add other hashes to its dataset, Apple referred to its past refusals to help US law enforcement.

“Apple will refuse any such demands,” it said. “We have faced demands to build and deploy government-mandated changes that degrade the privacy of users before, and have steadfastly refused those demands. We will continue to refuse them in the future.

“Let us be clear, this technology is limited to detecting CSAM stored in iCloud and we will not accede to any government’s request to expand it. Furthermore, Apple conducts human review before making a report to NCMEC. In a case where the system flags photos that do not match known CSAM images, the account would not be disabled and no report would be filed to NCMEC.”

Apple claimed its system would prevent non-CSAM images being injected and flagged, since the company does not add to the set of hashes used for matching, and humans are involved in the verification process.

“The same set of hashes is stored in the operating system of every iPhone and iPad user, so targeted attacks against only specific individuals are not possible under our design,” Apple said. “As a result, system errors or attacks will not result in innocent people being reported to NCMEC.”

The iPhone maker reiterated its claim that the solution has privacy benefits over scanning images after they are uploaded to its servers.

“Existing techniques as implemented by other companies scan all user photos stored in the cloud,” it said. “This creates privacy risk for all users. CSAM detection in iCloud Photos provides significant privacy benefits over those techniques by preventing Apple from learning about photos unless they both match to known CSAM images and are included in an iCloud Photos account that includes a collection of known CSAM.”

Apple also said the feature would not run if users have iCloud Photos disabled and would not work on the “private iPhone photo library on the device”.

On the scanning of images in iMessage, Apple expanded on the requirements for parents to be alerted once a family group is created and parents opt in.

“For child accounts age 12 and younger, each instance of a sexually explicit image sent or received will warn the child that if they continue to view or send the image, their parents will be sent a notification. Only if the child proceeds with sending or viewing an image after this warning will the notification be sent,” it said. “For child accounts age 13-17, the child is still warned and asked if they wish to view or share a sexually explicit image, but parents are not notified.”

Apple said it was looking at adding “additional support to Siri and Search to provide victims — and people who know victims — more guidance on how to seek help”.

Although the CSAM system is currently limited to the US, Cupertino could soon be facing pressure from Canberra to bring it to Australia. On Monday, the government unveiled a set of rules for online safety that will cover social media, messaging platforms, and any relevant electronic service of any kind. The provider is expected to minimise the availability of cyberbullying material targeted at an Australian child, cyber abuse material targeted at an Australian adult, a non-consensual intimate image of a person, class 1 material, material that promotes abhorrent violent conduct, material that incites abhorrent violent conduct, material that instructs in abhorrent violent conduct, and material that depicts abhorrent violent conduct.

The expectations also include further obligations, such as that the provider of the service will take reasonable steps to proactively minimise the extent to which material or activity on the service is or may be unlawful or harmful. Australia’s eSafety Commissioner will have the power to order tech companies to report on how they are responding to these harms and issue fines of up to AU$555,000 for companies and AU$111,000 for individuals if they don’t respond.
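As an added illustration (not Apple’s code and not taken from the FAQ), the following toy Python model shows the threshold-gated flow the FAQ describes: a device emits a “safety voucher” only for a photo whose hash is on the shipped list and only while iCloud Photos is enabled, the server has nothing to act on until the threshold is reached, and nothing is reported without a human decision. SHA-256 over placeholder byte strings stands in for the unnamed on-device image hash, and the blocklist contents and threshold value are constructed for the example.

```python
# Toy model of the threshold-gated, hash-matching flow described in the FAQ.
# Not Apple's code. SHA-256 of placeholder bytes stands in for the unnamed
# on-device image hash; perceptual hashing and cryptographic blinding used by
# a real deployment are deliberately omitted.
import hashlib
from collections import defaultdict

# Constructed blocklist standing in for the hash set shipped inside the OS.
BLOCKLIST = {hashlib.sha256(b).hexdigest() for b in (b"known-1", b"known-2", b"known-3")}
THRESHOLD = 2  # constructed; the FAQ does not name the real threshold


def image_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def client_upload(account, photos, icloud_photos_enabled, blocklist=BLOCKLIST):
    """Device side. Returns (uploaded photo names, vouchers). A voucher exists only
    for a photo whose hash is on the shipped list; with iCloud Photos disabled the
    feature does not run at all, so nothing is uploaded or flagged."""
    if not icloud_photos_enabled:
        return [], []
    uploads, vouchers = [], []
    for name, data in photos:
        uploads.append(name)
        h = image_hash(data)
        if h in blocklist:
            vouchers.append({"account": account, "photo": name, "hash": h})
    return uploads, vouchers


class ReviewServer:
    """Server side: collects vouchers per account and gates on the threshold."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.vouchers = defaultdict(list)

    def receive(self, vouchers):
        for v in vouchers:
            self.vouchers[v["account"]].append(v)

    def accounts_for_review(self):
        # Below the threshold the server may not act on the account.
        return [a for a, vs in self.vouchers.items() if len(vs) >= self.threshold]

    def decide(self, account, human_confirms_csam):
        """No automated reporting: act only past the threshold and after a human confirms."""
        if account not in self.accounts_for_review():
            return "no_action"
        return "disable_and_report" if human_confirms_csam else "no_action"
```

The blocklist is the sole policy boundary in this model: whatever hashes are shipped in it define what the pipeline can flag, which is exactly the point the critics raise and Apple’s FAQ answers with its refusal to add other hashes.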