DNI Gabbard Believes E2EE Backdoors Violate Privacy; Researchers Propose Standardized Memory Safety; CCPA Shuts Down Unregistered Data Broker

Hang on, this could be an interesting ride. DNI is siding with Apple that providing that backdoor is unacceptable, and Apple is denying requests to create such a back door, now or ever, both of which are good for our privacy. In the meantime, see if enabling Apple's Advanced Data Protection will work for you, particularly for travelers in risky areas; VIP or otherwise.

Lee Neely

While DNI Gabbard is investigating, she should also look at proposed Swedish Riksdag legislation regarding encrypted data. While the company highlighted is different, the result is the same, building backdoor access to an E2EE application that can potentially be misused.

Curtis Dukes

What is really interesting about this situation is that Apple has to balance working and operating between all of these different legal systems, so they've had to modify some of their App Store rules for China, and it would appear that they're modifying their Advanced Data Protection rules for the UK at the moment. I suspect that we will see more and more of this in the future. The question is, what happens when a citizen from the EU stays in the UK for a prolonged period of time, and how does this rule apply to them?

Moses Frost

Having a standardized approach, beyond 'move to a memory safe language,' is going to be more effective as changing languages is not always possible or practical. Having a framework that works with existing languages is definitely worth a deep dive to see where you can raise the bar.

Lee Neely

According to a PWC partner, formerly with the Carnegie-Mellon CERT, memory management failures are implicated in more than sixty percent of vulnerabilities. She asserted that part of the problem was rooted in training failures. However, a more fundamental issue is the vulnerable architectures, operating systems, and development tools that are so widely used.

William Hugh Murray

This is a good thing, because many languages just lack the guidance and design patterns for memory safe usage. In lieu of memory safety in the language that you're used to, many developers are trying to choose memory safe languages like Rust. So if you are a core C++ developer, you may want to start to look at this, as many governments are starting to ask for memory safe code inside their application development stacks.

Moses Frost

This may seem like a minor news item, but regulations need to be enforced to be meaningful, and failures to meet regulations intended to protect data and privacy need to escalate penalties in order to have an impact on the bottom line of companies who put customers at risk.

John Pescatore

Is it likely that an enterprise can survive a three year suspension of business? The business practices of this industry are so pernicious that many, not to say most, would not be missed. As is often the case, California leads the way in privacy protection.

William Hugh Murray

Shutting down a business for three years is tantamount to killing it. That is, unless the business resurrects itself in the form of a new business and registers with the State under "new leadership." I wonder which path they'll take given that the business of data aggregation is so lucrative.

Curtis Dukes

From 2020 to 2023, the California Attorney General maintained the registry; the Delete Act shifted this responsibility to the CCPA Enforcement Division as of January 1st, 2024. Data Brokers who failed to register face a penalty of $200/day, which can increase. Data Brokers are also required to disclose the number of customer deletion requests and mean time to respond, report on specific data type collection, and include a link on their website to consumer rights under CCPA. In this case, Background Alert must shut down for three years or face a $50,000 fine. That fine seems insufficient to be motivating. Even at $200/day for three years, plus $50,000, you're only at $270,000. At that level of fine, it's likely cheaper to face the penalty than shut down.

Lee Neely

Where privacy, AI, and revenue generation cross, it gets confusing. They are attempting to anonymize data where possible; they don't want to own your data, but they need to use it to drive AI as well as satisfy advertisers. This is a good time to review your browser privacy and security settings. Make sure that you've set them to minimize the amount of data shared under Firefox Data Collection and Use, as well as review which services the browser can access, e.g., location, camera, mic, VR, etc. Make sure that installing plugins or extensions requires explicit permission.

Lee Neely

Browsers leak. Both users and providers of them might as well admit it. Moreover, they are so complex that not even their authors can say with any certainty that they are not being used to systematically collect and disseminate sensitive traffic. Software only looks free; there is always a cost. One should prefer purpose built clients, "apps," for sensitive applications.

William Hugh Murray

It was bound to happen. Search partnerships and donations only go so far and there are salaries to pay and infrastructure to keep up. While the change in terms of use is subtle, it stands to provide additional revenue to the for-profit Mozilla Corporation.

Curtis Dukes

On the surface, this appears to be an issue where Mozilla is looking for ways of maybe funding their business. That is complete conjecture on my end, so take that with a grain of salt. It could also be a compliance issue where Mozilla needs to comply with some California privacy directives, some laws in that state would seem to indicate that. Whatever the case may be, many users that were the core fans of Mozilla Firefox for its privacy and independence are now moving elsewhere, and that is a problem for the Mozilla foundation.

Moses Frost

The zero-day, used by Serbian authorities, took advantage of a flaw in Android USB drivers. There is a patch for CVE-2024-53104, out-of-bounds write to USB Video Class Driver, in the February 2025 Android security bulletin. This comes down to using memory safe drivers. Future Android updates are expected to include Linux kernel updates which address this. Make sure you're keeping your Androids updated, particularly if traveling abroad.

Lee Neely

It is almost in the nature of governments to feel threatened by the private communications of their citizens. It is naive to think that any technical measure can resist all government efforts to snoop. A nation state can access any information that it wants to. The limited refuge of the citizen is that it cannot access all the information that it wants to. One does not limit access to one's information because one necessarily has anything to hide but to limit the efficiency of widespread government surveillance.

William Hugh Murray

Cellebrite is in the business of gaining access to digital data. It's a thin line between legitimate and illegitimate use of its forensics tool. Cellebrite is banking on customers who are caught being put in a 'time-out' until the heat dissipates, and they can continue selling their products.

Curtis Dukes

We have a specific view of the way that the laws should work, the way human rights should work, and the way that private property rights also work. Cellebrite is trying to sell their products for investigative purposes to the right governments and law-enforcement agencies. The game that will be played here is that groups like Amnesty International will find misuse of technology and then it's up to the companies to do something about it, and so Cellebrite has taken the opportunity to remove the licensing from the serving authorities. But that is just a cat and mouse game, isn't it?

Moses Frost

Two parts to this: first, if you're a SLTT struggling with resources for cyber, MS-ISAC is one part of CISA which remains un-cut, and may have bandwidth to help. Second, the idea is to aggregate across not just state agencies but across states to help in detection and response of trends/actions. Before throwing that out, have a conversation with your MS-ISAC POC to see what's possible and how it would impact you.

Lee Neely

The affected Cisco RV series routers will not be getting an update for these flaws: you need to replace them, and you can mitigate the risk somewhat by disabling remote administration by blocking access to ports 443 and 60443. The Win32k flaw, when published in 2018, was not being actively exploited, and updates to address it were released in December of 2018. Make sure those are applied. Time to make sure you're migrating old/unsupported Windows versions, keeping in mind end-of-support for Windows 10 is October 14, 2025.

Lee Neely

The only time companies should use the term 'an abundance of caution' is when they can say 'Due to an abundance of caution we prevented or mitigated all attacks with no impact to our business or our customers.' Caution, like wisdom, is most valuable when used in advance of challenges.

John Pescatore

Resetting authentication is standard procedure when credential compromise is suspected. What isn't known is how long the evildoer had access and what else the server was used for.

Curtis Dukes

"Keys" should be stored only in High Security Modules (HSMs) where they can be used but not seen.

William Hugh Murray

Rubrik is being proactive, seeking to avoid a repeat of the 2023 Forta GoAnywhere data theft attacks by the Clop ransomware gang.

Lee Neely