This week kicked off with significant developments and continued to escalate. In the early hours of Saturday night, TikTok abruptly cut off access for users in the United States, just ahead of a Sunday deadline that required Apple and Google to remove the video-sharing app from their app stores. While TikTok was offline, US users scrambled to circumvent the ban, and several other unexpected applications also faced restrictions. However, by midday Sunday, TikTok access was already being restored in the US. By Monday evening, newly inaugurated US President Donald Trump had signed an executive order postponing the TikTok ban by 75 days.
On Tuesday, Trump fulfilled his promise to grant clemency to Ross Ulbricht, the imprisoned mastermind behind the Silk Road dark-web marketplace, where drugs, weapons, and more were sold. Ulbricht had been incarcerated for over 11 years following his arrest by the FBI in 2013 and his subsequent life sentence. Trump’s decision to pardon Ulbricht is widely viewed as a nod to the support he has garnered from the libertarian cryptocurrency community, which has long regarded the Silk Road creator as a symbol of resistance.
As the world embarks on another chapter under Trump, WIRED engaged in a conversation with Jen Easterly, who recently stepped down from her role as the director of the Cybersecurity and Infrastructure Security Agency (CISA) to discuss the cyber threats confronting the US and the uncertain trajectory of CISA as a crucial defender against nation-state hackers and other digital security risks.
Additionally, we presented new findings that highlighted how minor software bugs had compromised Subaru’s tracking system for its customers’ vehicles. Researchers discovered they could access a web portal designated for Subaru employees, enabling them to track up to a year’s worth of a vehicle’s location—down to the specific parking spots used by the owners. Although the vulnerabilities have been addressed, Subaru staff continue to have access to sensitive driver location data.
But that’s not all. Each week, we compile the security and privacy news that we haven’t thoroughly covered ourselves. Click on the headlines to read the complete stories. And remember to stay safe out there.
A US judge in New York ruled this week that the FBI’s practice of accessing data on US persons under Section 702 of the Foreign Intelligence Surveillance Act without a warrant is unconstitutional. FISA permits the US government to gather communications from foreign entities through internet service providers and companies like Apple and Google. Once this data is amassed, the FBI could conduct “backdoor searches” for information concerning US citizens or residents who had interacted with foreigners, all without obtaining a warrant first. Judge DeArcy Hall concluded that a warrant is necessary for these searches. “To rule otherwise would essentially allow law enforcement to accumulate a repository of communications under Section 702—including those of US persons—that can later be searched indiscriminately,” the judge stated.
A flaw within the basic functionality of Cloudflare’s content delivery network (CDN), an internet infrastructure company, can expose the approximate locations of individuals using applications designed for privacy protection, according to an independent security researcher. Cloudflare operates servers in hundreds of cities and more than 100 countries globally. Its CDN caches users’ internet traffic across its servers, delivering that data from the nearest server to the individual. The researcher, identified as Daniel, discovered a method to send an image to a target, retrieve the URL, and then employ a customized tool to query Cloudflare to ascertain which data center transmitted the image—effectively revealing the state or potentially the city of the target’s location. Fortunately, Cloudflare informed 404 Media that it has resolved the issue since Daniel reported it.
In one of its initial actions following Trump’s inauguration on Monday, the Department of Homeland Security dismissed all personnel from the agency’s advisory committees. This action impacted the Cyber Safety Review Board (CSRB), which was probing significant attacks on the US telecommunications sector by the China-backed hacker group Salt Typhoon. US authorities disclosed in mid-November that Salt Typhoon had infiltrated at least nine US telecom companies for espionage purposes, placing any users of unencrypted communication at risk of surveillance from Beijing. While the future of the CSRB is now uncertain, sources have informed reporter Eric Geller that their investigation into Salt Typhoon’s activities is effectively “terminated.”
