You might have set up TOTP and removed SMS 2FA on Gmail but don't forget to remove your phone number as a recovery method as this can be equally devastating when exploited by SIM Swapping.
I can't understand the 'microchip in vaccines' issue. You mean to tell me that my iPhone can't last a full day on a battery charge, however we have microscopic tech capable of tracking location data and relaying it somewhere and doesn't need charging once injected into the body?
That's a 'dumb` RFID chip. I don't think folks are too concerned with offline chips that require close proximity scanning (for power). RFID also doesn't 'track' dogs. They contain information about the dog to get them back to their owner. The info is static and contains NO location data.
You may want to re-evaluate your opinion. The "tracking microchip" conspiracies mostly stem from tracking chips (dumb RFID) used to tag wildlife.
These people don't know how the technology works, but they do know that we tag and track animals. They're not wrong that we use microchips in this fashion.
I'm assuming you are talking about ARGOS tags (more sophisticated tag that actually transmits GPS (last comment was talking about pet tags (which are RFID)), but it's FAR from microscope / injectable via needle. I get it, people's lack of understanding about technology is what fuels the conspiracy theories. They don't realize that no company NEEDS to track them as they have already traded all of that information away years ago.
I have some close friends that subscribe to such theories and no amount of tech discussion will convince them otherwise.
Work on this. I have built my consultancy over the past 6 years and it started with me doing freelance and now we do over $1m/year in revenue.
I attribute the majority of success to networking. Here are some of the things I did early on (and still continue to some extent).
1. Local meetups. Great place to show off, hear about leads, etc...
2. Find influencers / networkers in your area and buy them coffee. Ask tons of questions and end with "Who else do you think I should be talking to?"
3. Build stuff - I decided I wanted our team to be known locally for doing crypto dev, so I just started building cool stuff and showing it off at the local dev meetups. Now we have tons of crypt contracts!
Whatever you do, come at it with the attitude of wanting to contribute to the community using your gifts/skills. The work will follow.
We have a mix of employees / contractors but usually hover around 9-10.
As far as asking questions, it’s about the long game. I aim to build relationships with people and establish myself/my team as an authority on software dev.
Almost none of my meetings are “sales” meetings, in fact we never do advertising at all. All leads come from people who eventually want work or refer their colleagues. Some meetings pan out and others don’t.
Never sell yourself the first time you're meeting someone. Explain what you do and turn the conversation back the person you're talking to. People love hearing their own voice, so let them talk. Take a genuine interest in what they do and they'll remember you as a good person.
If you can help them, reach out the next day with the whole "I was thinking about X. We do Y, perhaps we could help." If you can connect them to someone who can solve their problem that isn't you, do that as well.
As the parent says, people remember and refer / think of you first when you're needed.
This is great. I've just launched a product consultancy and I really need to start presenting at meetups about the technology we're using. It just seems like such a perfect way to get work that aligns with what you want to be doing in the first place.
And remember that all this works only if you have local meetups or someone to network at your area at all. Living in major city provides a lot more opportunity for this than a small dying town countryside.
I did quite a bit of Jailbreak/tweak dev in the past, and I was curious if you could just hook into AVAudioRecorder and show an alert any time it was invoked.
So, I did this sort of thing years ago when I wrote a tweak for the InPulse smartwatch (later became Pebble) https://github.com/brandontreb/inPulseNotifier .I was able to hook into the system messaging, forward it to a custom bluetooth stack (sending it to the watch) and forward the message up the stack to be displayed by the system.
It would stand to reason that the same sort of process would be effective for catching Facebook invoking audio recording. Once you hook into the AVAudioRecorder's interface, you could theoretically observe the following:
1. Open the Audio Recorder app and hit Record - An alert should show to prove your tweak is working.
2. Open the Facebook app. If you receive a similar alert at some point, you could at least prove that FB is invoking the audio recorder at some point without the user's expressed permission.
It's possible Facebook could be using an exclusive method to access hardware more directly, much like how Uber had access to restricted developer debugging tools which allowed them to record the screen even when the app was closed.
If you want to get paranoid... Maybe it can detect jailbreak and do nothing. or even better, detect jail break, use it to detect if there is hooks into the audioRecord interface, if no hooks, record even more with it's new found powers :)
Do you have the hashes to prove that what you tested matches what is actually installed elsewhere?
No, I'm not actually claiming there actually are different versions in the wild. I just find it strange that anybody can make broad claims about what widespread software may or may not be doing. Widespread use of "A/B testing" and forced remote updates should make everyone question the nature of every binary, even when they have the same name (including version number).
Fb's well known for large scale A/B testing though. Isn't it more than possible that the binaries/versions/etc that you tested simply weren't part of the test?
On the Android side, it's not terribly difficult to send a copy of the app to a computer and decompile it. Then you can simply search for any code that invokes the Android function for mic access.
Delete Uber for a good reason, such as the fact that ride sharing makes driving unreliable as a source of income. Professional drivers have seen their incomes decrease and hours increase drastically.
The article in question starts out breathlessly accusing Uber of spying on users, only to completely walk back the claim by the end. Just by reading the article alone we see that the permission was granted to overcome a capability lapse in the Apple Watch.
Seems like an insufficient reason to me. Many software developers automate processes which in turn eliminates jobs entirely. It's a little different, but still a case of one person/group benefitting at the cost of another's livelihood.
It is, however when building a mobile substrate tweak, you have visibility / access to the headers of every single system class. One could theoretically hook into any number of audio recording mechanisms (assuming they knew where to look ;) )
The Microphone access switch in Privacy settings is not just to make users feel better – it enforces that the app has zero access to the microphone. If someone has reason to believe that's not the case, they should report it to Apple Security.
The tricky bit is when users give microphone access to the app (i.e. for video recording functionality), but want to verify it's only being used then.
That is the marketing statement, yes. But the technical implementation is somewhat more complex and possible to bypass than your boilerplate comment suggests.
The technical implementation is called the sandbox, and it's a fundamental part of iOS security. Yes, it is possible to bypass the sandbox, but it would involve exploiting security vulnerabilities on the user's device, which Apple offers up to a $25k bounty for. You generally have bigger problems if something escapes the sandbox on your device, though :)
My theory is that a different 3rd party app is listening and that FB/Goog are buying the data without even knowing the 3rd party app is listening. Some of the coincidences could be frequency illusion, but I really don't think so. Some of the coincidences are just too strange.
> On the other hand, facebook can check (at least on IOS) easily if the device is jailbroken and behave differently.
I'm not 100% sure what's involved in jailbreaking iOS, but I'm pretty sure on a rooted Android you could put measures in place to "fake" results for any root checks the Facebook app would run. You could patch any APIs Facebook could use to make such checks.
Indeed, that's the whole point of having "root" --- to have complete control over the device and what the applications on it see.
It is a bit of a cat and mouse game, but as the long history of software cracking shows, as long as they still own the machine, the crackers always have the upper hand.
But if they decide to do, I think best way of action will be some defensive programming around it, with plausible deniability.
I am guessing they are already checking binary integrity etc, also they can probably push code updates from server. So when you put this pieces together, they have everything they need technically.
So, code updates from the server doesn't matter as we can hook all of the audio recording APIs at a system level. Their _only_ defense IMHO is to NOT do it on Jailbroken devices. You are right, it's super easy to detect jailbroken devices.
If I were Facebook and I were trying to surreptitiously record users via the microphone, I think I would do it by using lower-level hardware APIs rather than high-level Cocoa APIs.
Disclaimer: I don't really know a) if there is some other way to interface with the mic or b) what I'm talking about in general.
I am not an expert in this at all, but I would think they would need special permission from apple; many of these undocumented APIs get your app auto rejected.
My impression was that involved a great deal of trust, and if they breached that trust Apple wouldn’t hesitate to smite them. Recording people’s mic seems like it’s pretty harmful to the iPhone brand... But you are right, this could be happening today, and Apple is giving them too much trust, and the smite-ing is yet to come.
Not disagreeing but this is this the hook... facecrook on one hand, you would think would want to save face from a pr perspective. However, on the other they have huge economic incentives to not give af. Given their track record we as individuals assume the best at our own peril.
you mean introduce a traceable side effect in the underlying dll/system-api? Sure that could work (many debuggers do that), but perhaps they are just not using the same API, or just find another way to stream the data without go through the same interfaces (idk, perhaps through browser APIs or they keep recording all time and just send portions of data which is locally inspected)... it is a good challenge and certainly observing the interruptions hardware could be the right way to go.
In the other hand that is a considerable effort for someone who does not usually work with this part of the stack... would you be able to introduce this changes in an android OS?
See my response to the other comment about them using private APIS. Basically, we would have to try and guess which APIs they were accessing under the hood.
But you are right, this would def be a considerable effort for someone not in the jailbreaking space. I would love to hack it up, but unfortunately haven't dabbled in JB dev since 2011.
That's why I posted the comment to HN. In hopes it might inspire someone in that space to build it. Might also be worth jumping in the theos IRC channel. For someone with the toolchain already set up and a jailbroken iOS device, the code is actually pretty trivial.
This method would be a waste of time and energy. Just reverse the app and find it out. No need to play it like a binary is a magic black box that's impossible to inspect.
As a thought experiment, such content would likely be encrypted. The request size can give away the content type, but speech-to-text could be done on device, making it harder to guess the contents based on request size (assuming the identified speech would be significantly smaller compressed relative to audio).
Then correlate speaking with CPU usage. Processing audio is always going to have /some/ cost /somewhere/, and likely one we can detect for the time being.
If both of those are true then your concern is of the form "ANY party records audio data and sells it".
Which is why we don't want random apps having permanent mic access. Or permanent anything access. This is why data mining is bad, not just because the party doing the mining can get the data, but because they can sell it to third parties who combine it in unexpected ways to leak data that you really don't want to be public.
Totally agree. Although now might be a good time to raise the issue that "an obfuscated single-line mention buried in a 60-page clickwrap license presented in an 80x4 character window resulting in over 9000 pages of bullshit that you can't possibly realistically read does not 'consent' make".
This must be a common joke amongst programmers. We often joke that we should all become potato farmers. Being outside, watching things grow, working with something physical. I totally get the appeal.
