This week started off with a bang and just kept going. In the wee hours of Saturday night, TikTok cut off access to users in the United States ahead of Sunday’s deadline that forced Apple and Google to remove the video-sharing app from their app stores. While TikTok was dark, US users raced to get around the TikTok ban while several other unexpected apps saw their access to Americans severed as well. By midday on Sunday, however, TikTok access was already coming back in the US. By Monday night, newly inaugurated US president Donald Trump had signed an executive order delaying the TikTok ban by 75 days.
On Tuesday, Trump made good on his promise to free Ross Ulbricht, the imprisoned creator of the Silk Road dark-web market, where users sold drugs, guns, and worse. Ulbricht had spent more than 11 years behind bars after he was arrested by the FBI in 2013 and later sentenced to life in prison. Trump’s decision to pardon Ulbricht is largely seen as linked to the support he’s received from the libertarian cryptocurrency community, which has long considered the Silk Road creator a martyr.
As the world enters the second Trump era, WIRED sat down with Jen Easterly, who recently left her top spot as director of the Cybersecurity and Infrastructure Security Agency to discuss the cyber threats facing the US and CISA’s uncertain future as the frontline watchdog against nation-state hackers and other digital security threats facing the US.
Lastly, we detailed new research that revealed how trivial bugs had exposed Subaru’s system for tracking the locations of its customers’ vehicles. The researchers found they could access a web portal for Subaru employees that allowed them to pinpoint up to a years’ worth of a car’s location—down to the parking spots they use. The flaws are now patched, but Subaru employees still have access to sensitive driver location data.
That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
A US judge in New York this week found that the FBI’s practice of searching data on US persons under Section 702 of the Foreign Intelligence Surveillance Act without obtaining a warrant is unconstitutional. FISA gives the US government the authority to collect the communications of foreign entities through internet providers and companies like Apple and Google. Once this data was collected, the FBI could perform “backdoor searches” for information on US citizens or residents who communicated with foreigners, and it did so without first obtaining a warrant. Judge DeArcy Hall found that these searches do require a warrant. “To hold otherwise would effectively allow law enforcement to amass a repository of communications under Section 702—including those of US persons—that can later be searched on demand without limitation,” the judge wrote.
An “issue” with the basic functionality of internet infrastructure company Cloudflare’s content delivery network, or CDN, can reveal the coarse location of people using apps, including those meant for protecting privacy, according to findings from an independent security researcher. Cloudflare has servers in hundreds of cities and more than 100 countries around the world. Its CDN works by caching peoples’ internet traffic across its servers then delivering that data from the server closest to a person’s location. The security researcher, who goes by Daniel, found a way to send an image to a target, collect the URL, then use a custom-built tool to query Cloudflare to find out which data center delivered the image—and thus the state or possibly the city the target is in. Fortunately, Cloudflare tells 404 Media that it fixed the issue after Daniel reported it.
In one of its first moves after Trump took office on Monday, the Department of Homeland Security let go everyone on the agency’s advisory committees. This includes the Cyber Safety Review Board, which was investigating widespread attacks on the US telecommunications system by the China-backed hacker group Salt Typhoon. US authorities revealed in mid-November that Salt Typhoon had embedded itself in at least nine US telecoms for espionage purposes, potentially exposing anyone using unencrypted calls and text message to surveillance by Beijing. While the future of the CSRB remains uncertain, sources tell reporter Eric Geller that their investigation into Salt Typhoon’s attacks is effectively “dead.”
