iOS services intended solely for diagnostics: 'I don’t buy it for a minute'

QuoTW This was the week when Edward Snowden revealed that not only is the National Security Agency (NSA) snooping on everyone, violating their privacy and raking through their online information, they’re also sniggering at their nudie pics.

Snowden told The Guardian that one of the “perks” of the job of snooping on everyone’s web data was the opportunity to see some risqué private photos:

You've got young enlisted guys, 18 to 22 years old. They've suddenly been thrust into a position of extraordinary responsibility where they now have access to all of your private records.

During the course of their daily work they stumble upon something that is completely unrelated to their work in any sort of necessary sense – for example, an intimate nude photo of someone of in a sexually compromising situation, but they're extremely attractive. So what they do? They turn around in their chair and show their co-worker.

Obviously, the NSA doesn’t have a whole lot of oversight of this kind of surveillance going on – after all, Snowden sauntered out with huge swathes of internal records – so the whole activity of looking at people’s private pics is just seen as a “fringe benefit”.

In the world of fanbois, an Apple software update for the 2011 Macbook Air failed miserably when it refused to download on some machines and totally borked others. Bereft Jobsians took to the firm’s support pages to detail their tales of woe. One unlucky Greek fan, already tragically living in a country without an Apple store, said:

The update seemed to install fine, then asked for a reboot. The MBA shutdown and never came back on. Tried SMC reset, with and without power adapter. Nothing. The thing is dead.

Another farflung fanboi’s story went:

My son is on an internship in a somewhat remote place in Alaska (read: no Apple genius to bring it to), with his Macbook Air. He sent me a text informing me that his perfectly working MBA won't power on at all after applying a firmware update this morning. It's dead, killed by Apple, and it is out of warranty.

Meanwhile, some of the faithful were certain the Air would rise from the dead:

I just realised the fan is running quietly, so maybe not dead, just having a terrible dream. Anyway, the laptop after standing around for two hours (I kid you not) rebooted by itself. A scary two hours.

In other Apple news, security expert Jonathan Zdziarski has revealed that most iDevice owners are unknowingly letting plenty of spies in the backdoor of their iOS – though it may not be as wide open as other reports have suggested. He told The Reg:

There are certain steps that have to be taken to get this data. Backdoors are guarded, there are things protecting it – you don’t just type 'Joshua' for full access.

But although Apple has told the media that the services identified by him are actually for diagnostic purposes and enterprise IT bods, not government spooks, he remains unconvinced:

The problem with this is that these services dish out data (and bypass backup encryption) regardless of whether or not 'Send Diagnostic Data to Apple' is turned on or off, and whether or not the device is managed by an enterprise policy of any kind.

Every single device has these features enabled and there’s no way to turn them off, nor are users prompted for consent to send this kind of personal data off the device.

The consumer is also not aware of these mechanisms, nor are they prompted in any way by the device. There is simply no way to justify the massive leak of data as a result of these services, and without any explicit consent by the user

I don’t buy for a minute that these services are intended solely for diagnostics. The data they leak is of an extreme personal nature. There is no notification to the user. A real diagnostic tool would have been engineered to respect the user, prompt them like applications do for access to data, and respect backup encryption.

The BBC was at the forefront of service outages this week, suffering downtime across the weekend on its iPlayer and website and continuing to glitch into the week, depriving Brits of their dose of Auntie-made telly. Despite the many tweets that flooded its Twitter account, the corporation chose to resolutely stick with the whole “we’re working hard to resolve” line, without any further details. Folks were not happy:

@BBCiPlayer Nearly 48 hours of outage. Any information about what is wrong and when it will be fixed. Come on. You're not children.

— Zio Bastone (@ziobastone) July 21, 2014

It took until Thursday for the state broadcaster to let folks in on what happened, in a lengthy tech-heavy blog post from digital distie controller Richard Cooper that still failed to say exactly what kicked off the problem. After a description of the servers the Beeb runs and how it has two data centres running simultaneously to back each other up, Cooper basically admitted that the service got overloaded, but how that happened didn’t feature in the post:

At 9.30 on Saturday morning (19th July 2014) the load on the database went through the roof, meaning that many requests for metadata to the application servers started to fail.

The immediate impact of this depended on how each product uses that data. In many cases the metadata is cached at the product level, and can continue to serve content while attempting to revalidate. In some cases (mostly older applications), the metadata is used directly, and so those products started to fail.

Apparently at the same time as the database hit the rocks, the BBC homepage and iPlayer both ran into trouble as well:

At almost the same time we had a second problem. We use a caching layer in front of most of the products on BBC Online, and one of the pools failed. The products managed by that pool include BBC iPlayer and the BBC homepage, and the failure made all of those products inaccessible. That opened up a major incident at the same time on a second front.

So good on the problem descriptions, but how exactly did the Beeb end up with tech failure on two fronts? Auntie can’t, or won’t, say:

We will now be completing the forensics to make sure that we’ve fully understood the root causes, and put in place the measures necessary to minimise the chances of such interruptions in the future.

And finally, the Yorkshire police appear to have mistaken the open Wi-Fi hotspot network BT Fon for private home wireless connections and issued a warning to householders to tighten their security. A Reg reader from Heckmondwike claims that local cops wrote to residents about the issue after he had a run-in with a neighbour:

One particular local householder (who is known for obnoxiously flaunting the cross of St George) threw a fit after catching me reading The Register on my tablet, using a BT Fon hotspot.

After a rant about stealing internet access, he must have phoned the police because our local plod then sent letters to all the householders advising them that someone is stealing internet access, so they should change their passwords.

Ironically, changing the password will do sweet FA to actually turn off [a Fon] hotspot, which just goes to show how thick our dear plods are. You would have hoped that the office plod in charge might just know how BT achieves the 5 million hotspots it claims.

I hope they aren't this incompetent when it comes to stopping people who want to blow us up.

BT Fon works by reserving a bit of every BT user’s network capacity to be used by passing roamers, thereby giving a widespread network to BT users for free.

Inspector Neil Money of the Batley and Spen Neighbourhood Policing Team told The Reg that the warning to residents was just a general one on simple security advice. ®