Microsoft Excel offers a plethora of tools for representing your data visually. The most basic of these — and arguably the most useful — is the humble chart. But it’s not always easy to know where to begin with charts. We’re here to help.
In this tutorial, we’ll get you started using charts and sparklines in Excel, from understanding the basic chart types to creating and editing charts based on your spreadsheet data.
In this article
What is an Excel chart?
What are sparklines?
Common chart types in Excel
Creating a chart
Editing a chart
Using sparklines
What is an Excel chart?
A chart is a visual representation of the data in an Excel worksheet. Charts allow you to easily see trends, make comparisons, and gain insights that are hard to see from just the raw numbers.
What are sparklines?
Sparklines are tiny charts that are placed within a single cell and used to visually represent trends in your data. While charts typically show an entire data set in one diagram, sparklines show a trend in a row or column, so having multiple sparklines on the same spreadsheet is not uncommon.
Common chart types in Excel
Excel offers a large variety of chart types to choose from. These range from popular general styles such as bar, line, and pie charts to highly specialized styles aimed at particular fields or types of data, such as waterfall charts for financial data. In this story we’ll focus on the most commonly used chart types.
Most of the major chart types have several subtypes — when inserting a bar chart, for example, you can choose from among six subtypes: clustered bar, stacked bar, 100% stacked bar, and 3-D varieties of each. For details about subtypes of the common chart types, see this Microsoft support page.
To get you started using charts, here are the most common types of charts used in Excel and when you’d want to use them:
Column and bar charts: These chart types are very similar, with column charts showing values vertically and bar charts showing them horizontally. Both types are best suited for showing changes in data over time or for quick comparisons. For example, the following simple column chart shows total sales year over year.
Shimon Brathwaite / IDG
Line and area charts: These chart types are best suited for showing changes, particularly small changes, over short or long time periods. Line charts show trends with one or more lines stretching across a grid, whereas area charts fill in the vertical spaces between lines with different colors, highlighting how parts relate to the whole. For this example, let’s look at hypothetical changes in a company’s stock price for 2024 in a line chart.
Pie and donut charts: These chart types show how individual parts compare to the whole and are best used with data sets where no values are negative, zero, or close to zero. Pie charts can show only one data series; donut charts are similar but arrange the data in concentric rings, allowing them to show more than one data series. In this example, the pie chart shows the age ranges of the company’s customer base.
XY (scatter) and bubble charts: These charts are best used to show the relationship between two variables. For example, the scatter chart below shows the relationship between age and average earned income. Bubble charts are similar but use variably sized bubbles instead of dots to indicate values.
These are just a few of the charts that Excel supports. To learn about more chart types that you may need for specialized uses, please see Microsoft’s chart types support page.
Creating a chart
Now that you know the basic chart types, we’ll go over how to get them into your spreadsheet. Copy and paste the following sample data set into a blank Excel worksheet if you want to follow along.
              2022     2023     2024
Basketballs   10,000   11,000   12,000
Footballs      8,000   12,000   14,000
Soccer Balls  14,000   12,000   10,000
To create a chart from your data set, first select the whole data set, then choose one of the following options:
Use the Recommended Charts button: The first (and usually best) option for creating a chart is to let Excel suggest which type of chart to use. To use this feature, go to the Insert tab on the Ribbon toolbar and select the Recommended Charts button. This option will examine the data you have highlighted and recommend the best charts to represent it properly. Scroll through the recommendations and choose the chart you want.
Select your own chart type: If you’d rather choose your own chart type, go to the Insert tab and, to the right of Recommended Charts, select the icon for the chart of your choice — in the example shown below, the pie chart icon. A panel will appear letting you choose the chart subtype you like.
Use the Quick Analysis tool (Windows only): Excel for Windows has a handy Quick Analysis tool that you can use to create charts and more. To use this, simply highlight the data that you want to use for the chart, then select the icon that appears at the bottom right corner of the data. On the pane that appears, select Charts and choose from any of the recommended charts that are present.
Tip: If Excel has trouble understanding elements of your data set — for example, failing to recognize column headers as such — try converting your data to table format first. (See our Excel tables tutorial for instructions.) Then select the table and proceed with one of the options above.
(One more way to create a new chart is to start with one of Microsoft’s premade chart templates and customize it to your liking. But a template is meant to provide a framework for you to fill in with your own data, not something you apply to an existing data set.)
Once a chart has been added, you can resize it by selecting any corner and dragging it to enlarge it. To move a chart on the spreadsheet, click and hold the white space next to the chart title, then drag your chart wherever you would like to place it.
Editing a chart
Once your chart is in place, you’ll likely want to edit it in various ways, such as adding data labels or changing its formatting. We’ll use the column chart generated using the Recommended Chart option in the previous section for demonstration purposes.
Customize the chart title: Excel typically uses the placeholder text “Chart Title” at the top of the chart, so the first thing to do is change that to something more appropriate. Double-click the chart title and type in a new name. Let’s call it “Sales Data.”
Change, add, or remove a legend: The legend is the portion of the chart that explains what each column relates to. In our example, the legend has three items: 2022, 2023, and 2024. If you want to change these years, simply select the cell entry that corresponds to that item. For example, if you want to change 2022 to 2021, modify cell B1 and change it to 2021. The chart will auto-update. (Before we proceed with the demo, change 2021 back to 2022 again.)
If your chart doesn’t include a legend, you can add one: select the chart, go to the Chart Design tab on the Ribbon toolbar, click the Add Chart Element button, and select Legend from the menu that appears. Next, choose a location for the legend: Right, Top, Left, or Bottom. To remove a legend if you don’t want one, follow the same steps and choose None.
Add data labels: Data labels add numeric values to a chart, rather than relying solely on visualization. To add data labels, select the chart, navigate to the Chart Design tab, and click Add Chart Element > Data Labels > Outside End. In our example, the numeric labels appear at the top of each column.
Format chart elements: Multiple chart elements can be changed to create different visual effects. To change the chart’s overall appearance, select the chart, go to the Chart Design tab in the Ribbon toolbar, and choose from among the different designs shown. For our demonstration, we’ll select the design with the dark background.
To change the colors of the columns within your chart, stay on the Chart Design tab, select the Change Colors button, and choose a new color scheme.
Change the chart type: If you want to see what your data would look like in a different type of chart, simply select the chart, go to the Chart Design tab, select the Change Chart Type button toward the right end of the Ribbon bar, and then select the chart type that you want. In this case, let’s use a pie chart.
As you can see, a pie chart doesn’t suit this type of data well and doesn’t show each product’s years. Undo this change using the Undo button at the top of the Excel window before you continue.
Swap X and Y axes: Excel also has a built-in button for swapping the X and Y axes in a chart, which gives you a different view of your data. To use this feature, select your chart and, on the Chart Design tab, select the Switch Row/Column button. In our example, the chart now groups the data by year, with a column for Basketballs, Footballs, and Soccer Balls within each year group.
Note that swapping X and Y axes doesn’t work well with some data sets and might result in a jumbled, hard-to-read chart. If this happens to you when you’re experimenting with charts, simply undo the swap and move on.
Add a trendline: A trendline is simply a line that shows the trend of data in a chart. Starting from our example chart with the X and Y axes swapped (so the columns are grouped by year), select the chart, go to the Chart Design tab, and choose Add Chart Element > Trendline > Linear. On the Add Trendline dialog box that appears, choose Footballs and click OK. A trendline appears on the chart showing the trend in football sales over the three years.
Update or filter the data shown in a chart: You can update your chart at any time by modifying the data set from which it is pulled. To illustrate this, go to cell B3 and change the football sales for 2022 to 15,000. You will notice that the chart — including the trendline — automatically updates.
If you’ve formatted your data set as a table, you can also filter data from the data set, and these changes will be reflected in the chart you’ve created. The best way to do this is through the use of slicers, which are buttons you can use to easily filter data in Excel. See our Excel slicers tutorial for information about using slicers and charts together.
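The three editing steps above (Switch Row/Column, the Linear trendline on Footballs, and editing cell B3 so the chart and trendline recompute) can be checked by hand. The following Python script is an added example, not part of the tutorial or of Excel: it holds a constructed copy of the sample data set, transposes it the way Switch Row/Column regroups the series, fits the same ordinary least-squares line that a Linear trendline draws over a category axis (x = 1, 2, 3 for the three years, which is an assumption about how Excel numbers category positions), and then applies the B3 edit to show the numbers the updated trendline is based on.

```python
from fractions import Fraction

# Constructed copy of the tutorial's sample data set: rows are products,
# columns are the years in YEARS (cell B3 is Footballs / 2022).
YEARS = [2022, 2023, 2024]
SALES = {
    "Basketballs": [10_000, 11_000, 12_000],
    "Footballs": [8_000, 12_000, 14_000],
    "Soccer Balls": [14_000, 12_000, 10_000],
}


def switch_row_column(table, col_labels):
    """Mimic Chart Design > Switch Row/Column: the series that were rows
    (one per product) become groups keyed by column (one per year)."""
    return {
        col: {row: values[i] for row, values in table.items()}
        for i, col in enumerate(col_labels)
    }


def linear_trendline(values):
    """Ordinary least-squares line y = slope*x + intercept over a category
    axis, numbering the categories x = 1, 2, ... (assumed to match Excel's
    Linear trendline). Exact Fractions are returned so results can be
    verified by hand."""
    n = len(values)
    xs = range(1, n + 1)
    x_mean = Fraction(sum(xs), n)
    y_mean = Fraction(sum(values), n)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, values))
    sxx = sum((x - x_mean) ** 2 for x in xs)
    slope = sxy / sxx
    intercept = y_mean - slope * x_mean
    return slope, intercept


def trendline_points(values):
    """The y-values the trendline passes through at each category."""
    slope, intercept = linear_trendline(values)
    return [slope * x + intercept for x in range(1, len(values) + 1)]


def update_cell(table, row_label, col_index, new_value):
    """Edit one source cell, as the tutorial does with B3, without mutating
    the original table; anything derived from the table is recomputed."""
    updated = {k: list(v) for k, v in table.items()}
    updated[row_label][col_index] = new_value
    return updated


if __name__ == "__main__":
    for year, group in switch_row_column(SALES, YEARS).items():
        print(year, group)
    slope, intercept = linear_trendline(SALES["Footballs"])
    print(f"Footballs trendline: y = {slope}x + {intercept}")
    changed = update_cell(SALES, "Footballs", 0, 15_000)
    slope2, intercept2 = linear_trendline(changed["Footballs"])
    print(f"after setting B3 to 15,000: y = {slope2}x + {intercept2}")
```

With the original data the Footballs trendline rises by 3,000 per year; after B3 is changed to 15,000 it slopes downward, which is the visual change the tutorial describes after the edit.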
Add a secondary axis: In some instances, based on the type of data being represented, you may want to have a secondary axis. This can help you highlight how two different types of data series relate to one another, especially if their values are dissimilar.
To see how it works, use the following sample data set to create a column chart using the first recommended chart type (Clustered Column):
Month      Units   Defect(%)
January    500     5
February   400     3
March      450     6
April      375     8
May        250     12
The resulting chart shows both “Units sold” and “Defect(%)” columns for each month, but it’s hard to draw any conclusions from the data.
Next, select the chart, go to the Chart Design tab, select Change Chart Type > Combo, and choose the second combo chart option. This changes the chart so that the Defect(%) column is graphed as a line with its own secondary vertical axis on the right. Now we can clearly see the correlation between units sold and defect percentage.
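Two things decide whether a combo chart with a secondary axis is the right move: how badly the two series' scales differ (which is what flattened the Defect(%) columns on the shared axis), and whether the relationship you then see is real. The Python below is an added example, not part of the tutorial; it uses a constructed copy of the second sample data set, reports the span ratio between the two series, and computes the Pearson correlation coefficient that the line-over-columns view is showing visually.

```python
from math import sqrt

# Constructed copy of the tutorial's second sample data set.
MONTHS = ["January", "February", "March", "April", "May"]
UNITS = [500, 400, 450, 375, 250]
DEFECT_PCT = [5, 3, 6, 8, 12]


def scale_ratio(primary, secondary):
    """How many times wider the primary series' value span is than the
    secondary's. On a single shared axis a ratio this large leaves the
    smaller series as a row of barely visible bars; plotting it on its own
    secondary axis gives each series a readable scale."""
    span = lambda series: max(series) - min(series)
    return span(primary) / span(secondary)


def pearson(xs, ys):
    """Pearson correlation coefficient r in [-1, 1]; negative values mean
    one series tends to fall as the other rises."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two series of equal length >= 2")
    n = len(xs)
    x_mean = sum(xs) / n
    y_mean = sum(ys) / n
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    sxx = sum((x - x_mean) ** 2 for x in xs)
    syy = sum((y - y_mean) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy)


def month_table(months, units, defects):
    """Pair each month with its two readings, as the combo chart does."""
    return [
        {"month": m, "units": u, "defect_pct": d}
        for m, u, d in zip(months, units, defects)
    ]


if __name__ == "__main__":
    for row in month_table(MONTHS, UNITS, DEFECT_PCT):
        print(row)
    print(f"units span is {scale_ratio(UNITS, DEFECT_PCT):.1f}x the defect span")
    print(f"correlation(units, defect%) = {pearson(UNITS, DEFECT_PCT):.3f}")
```

The units span is roughly 28 times the defect span, which is why the defect columns were unreadable before the secondary axis, and the correlation of about -0.80 confirms the inverse relationship the combo chart makes visible: months with fewer units sold tend to have a higher defect percentage.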
Using sparklines
Sometimes you don’t need a full chart but simply want to highlight a small trend within the data. That’s where sparklines come in. They’re in-cell visualizations that can show the trends within individual rows or columns within Excel. You can think of them as mini charts for small subsets of your data.
To add a sparkline, select a blank cell where you want to add it — typically at the end of a row or the bottom of a column. In this case, select cell E2. Then select Insert > Sparklines > Line. The Create Sparklines dialog box appears asking you to select a data range for the sparkline. If it’s not already selected, select cells B2 to D2 and click OK.
The sparkline will be added to cell E2. To add sparklines to the end of all the rows, select the green square at the bottom right corner of the first cell, drag it down over all the cells where you want sparklines to appear, and release your cursor.
Now we can see at a glance the trends in sales for basketballs, footballs, and soccer balls.
To edit your sparklines, click on any sparkline and then go to the Sparkline tab in the Ribbon toolbar. From here, you can change the color of your sparklines by selecting another option shown in the toolbar or by clicking the Sparkline Color button. You can also change the sparkline type — for example, from line to column.
Sparklines give you a great option for building data visualizations into your data sets rather than creating a standalone chart to summarize or explain your findings.
With charts and sparklines in your Excel toolkit, you’re well on your way to highlighting the most important parts of your data clearly and intuitively.
AMD’s big Advancing AI event in San Francisco on Thursday underlined how quickly the microprocessor industry has pivoted to artificial intelligence (AI) as its main sales pitch.
The company offered three hardware announcements across its processor line-up, each appealing to different parts of the AI market.
The first was the new Instinct MI325X AI accelerator chip, a datacenter-oriented GPU which ups performance on every metric compared to last year’s MI300. The company also showed off its fifth-generation EPYC processors for the enterprise cloud and datacenter sector. And it unveiled the new Ryzen AI PRO 300 series, a family of processors for mobile PCs aimed at enterprise buyers.
Mobile chips have traditionally been low-power (and lower-performance) versions of their desktop equivalents, but with the focus on AI, that distinction is fast disappearing.
AI requires more raw power, which is now showing up in the specifications for new chips. For example, the Ryzen AI PRO 300 series offers three processors, starting with the Ryzen AI 9 HX PRO 375; it features 12 Zen 5 cores/24 threads, a clock speed that can be boosted to 5.1GHz, and integrated Radeon 890M graphics.
It also features a neural processing unit (NPU) that delivers up to 55 tera operations per second (TOPS), making it the most powerful desktop AI chip of its kind on the market.
Just below that in the line-up is the Ryzen AI 9 HX PRO 370, an identical chip with slightly less NPU performance — up to 50 TOPS. And the entry-level chip is the Ryzen AI 7 PRO 360 with 8 cores/16 threads, a 5GHz clock speed, Radeon 880M graphics, and the same 50 TOPS NPU performance.
NPUs are on the new frontline of desktop competition because they make possible features such as accelerating Microsoft’s Copilot+ and AI-intensive tasks such as real-time language translation.
They also pit AMD against traditional rival Intel, which has had NPUs of its own in its Core Ultra CPUs since 2023. Today, NPU AI acceleration is premium priced, but there are signs the technology is likely to jump quickly to more mainstream chips.
“With Ryzen AI, we’ve actually enabled hundreds of different AI functions,” said AMD CEO Lisa Su near the end of a two-hour Advancing AI presentation. “Our latest software stack makes it really easy for developers to optimize thousands of pre-trained models for Ryzen.
“Our Ryzen AI Pro 300 series resets the bar for what a business PC can do,” she said.
Though there are patches affecting Windows, SQL Server, Microsoft Excel and Visual Studio, only the Windows updates require a “Patch Now” schedule — and they’ll need a significant amount of testing because they cover a lot of features: networking, kernel and core GDI components and Microsoft Hyper-V. Printing should be a core focus for enterprise testing and the SQL Server updates will require a focus on internally developed applications.
The team at Readiness has crafted this infographic outlining the risks associated with each of the October updates. A rundown of recent Patch Tuesday releases is available here.
Known issues
There were a few reported issues for the September update that have now been addressed, including:
These are relatively minor concerns compared to dealing with recent problems deploying Windows 11 24H2. Covering both compatibility and security challenges, these include:
The Safe Exam Browser may fail to load. Version 3.7 of this application is currently “hard-blocked” by Microsoft until further notice. This means Microsoft has updated the list of applications that are currently not allowed to run on the target platform.
Fingerprint sensors and readers may not function as expected. According to Microsoft, a firmware update should resolve the issue.
Compatibility issues with specific sound cards (Intel Smart Sound) could cause them to stop working properly.
These problems are likely to be resolved with application and firmware updates rather than Microsoft patches and primarily affect users upgrading to Windows 11 24H2. That said, Microsoft has advised there are problems with the “first build” or out-of-box installation of this latest Microsoft release. We suggest that enterprises wait until the next release before serious testing and deployment.
Major revisions
This month, Microsoft published the following major revisions:
CVE-2024-38163: Windows Update Stack Elevation of Privilege Vulnerability. This is a low-level administrator (WinRE) vulnerability that has neither been publicly exploited nor disclosed. This is a documentation update; no further action is required.
CVE-2024-38016: Microsoft Office Visio Remote Code Execution Vulnerability. This “remote code” security issue actually requires local access to succeed. It has not been reported as exploited in the wild and Microsoft has provided an official fix. This is a documentation update only; no further action needed.
Testing Guidance
Each month, Readiness analyzes the latest updates and provides detailed, actionable testing guidance based on a large application portfolio and the patches’ potential impact on the Windows platforms and app installations.
We’ve grouped the critical updates and required testing into separate product and functional areas including:
Microsoft SQL Server
With two updates this month, desktop (or client) testing will be required for data-driven applications. We recommend that the following SQL-related tests be included for October:
Validate SQL Commands and stored procedures.
Ensure data “Refresh” operations perform correctly with Microsoft Active Data (ADOX) objects. These are difficult operations to debug due to the generally large number of inter-connected objects (databases and systems) and the business criticality of these systems. Start early on this effort.
Test queries that accept large numbers of parameters. SQL parameter boundary testing is probably a good idea.
Windows
While the primary testing scenario for this update is really to test printing, there is a lot to check. Microsoft has made significant changes to broad areas in networking, low-level changes to the Kernel and graphics handler (GDI), and updates to core features including Microsoft Hyper-V. A feature-by-feature testing regime should include:
Networking: Test large file transfers (include IPv6) over remote desktop connections, VPNs and varied network conditions. Web browsing tests should include multiple simultaneous connections — and messaging applications such as Microsoft Teams should be included in this cycle.
Security: Ensure that (internal) code still performs cryptographic functions accurately using RSA keys. Authentication should work correctly between both Microsoft and Linux systems. A validation of Kerberos client authentication will also be required.
Remote Desktop: updates to Microsoft Routing and Remote Access Server (RRAS) will require remote access administrative action testing. Remote desktop licensing will require functionality testing. And the remote desktop related APIs MprConfigFilterSetInfo and MprInfoBlockRemove have been updated, so internally developed systems that connect with RRAS will require an authentication test.
Windows Error Logs: Due to a change in the Windows Common Logging File System (CLFS) a quick test of resultant container files is required.
Again, the primary focus should be on testing printing. Rather than a simple (does it actually print) test, more complex print-related checks are required, including:
Validating text rendering and formatting for entire documents;
Starting, stopping and disabling printer queues;
Printing across a “matrix” of 32- and 64-bit platforms that includes variations of both desktop and server environments. The main challenges will be found with 32-bit applications on 64-bit platforms (Adobe Reader, we’re looking at you).
Install and uninstall third-party software management software on both platforms.
Windows lifecycle and enforcement updates
This section includes important changes to servicing, significant feature deprecations and security-related enforcements across the Windows desktop and server platforms.
Windows 11 Enterprise Version 21H2 Microsoft servicing support ended on Oct. 8, 2024.
Mitigations and workarounds
Microsoft published the following mitigations applicable to this Patch Tuesday.
CVE-2024-43609: Microsoft Office Spoofing Vulnerability. Microsoft has published additional documentation on setting Group Policy Objects (GPOs) referencing the Restrict Outgoing NTLM traffic to remote servers policy that will reduce the scope of this security issue through improved connection request auditing and reporting.
CVE-2024-38124: Windows Netlogon Elevation of Privilege Vulnerability. While not offering specific settings or security configurations, Microsoft does offer advice on how to reduce the impact of this vulnerability with best practice guidance on server naming conventions, name change reporting/auditing and employing multi-factor authentication.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Browsers (Microsoft IE and Edge)
Microsoft Windows (both desktop and server)
Microsoft Office
Microsoft Exchange Server
Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
Adobe (if you get this far)
Browsers
Microsoft released just three updates for the Chromium browser project specific to Microsoft Edge:
The Chromium project has provided a very handy dashboard for its latest releases and testing status. Add these browser updates to your standard release schedule.
Windows
Microsoft released one patch with a critical rating and 92 patches rated important. This month, the following key Windows features have been updated:
Microsoft published six updates (all rated important) for the Office platform. These updates do not include any preview pane or reported zero-click vulnerabilities and only affect Excel and SharePoint. Add these to your standard Office update schedule.
Microsoft SQL (nee Exchange) Server
There were no updates for Microsoft Exchange Server. However, Microsoft released two updates to Microsoft SQL Server product group (CVE-2024-43481 and CVE-2024-43612); add them to your standard server update schedule.
Microsoft development platforms
Microsoft released a single update rated critical (CVE-2024-43488) to Visual Studio and eight further updates (all rated important) to the Microsoft .NET platform. None of these security issues have been reported as exploited or publicly disclosed, so add them to your standard developer release schedule.
Adobe Reader (and other third-party updates)
Microsoft did not publish any Adobe Reader related updates. That said, there are critical updates for both Reader and Acrobat that deserve attention. Microsoft included an update for another third-party application (CURL) that addresses a free memory buffer overflow vulnerability (CVE-2024-6197), just like Reader used to do. The assigning CNA for this issue is named as HackerOne, which we find endearing.
Apple didn’t cast much light on visionOS at WWDC this year, and it hasn’t received much attention since. But don’t mistake that silence for inactivity. Two recent events indicate there’s a lot going on behind the scenes.
The first is the release of Submerged, the first movie filmed in Immersive Video written and directed by Academy Award-winning filmmaker Edward Berger (All Quiet on the Western Front).
The second is new research from Apple’s Machine Learning teams that shows how to create accurate depth-of-field data from single-lens cameras using conventional computers.
An immersive movie about immersion
Submerged is a claustrophobic, adrenaline-fuelled, 17-minute story set on a sinking ship — in this case a war-damaged submarine — capturing the crew as they fight to stay alive. The movie is made for Vision Pro devices, and reviewers already claim it delivers a sense of immediacy and intimacy they’ve never experienced before.
All of this is interesting, but how can this kind of experience be delivered in an even more powerful way? How can Apple’s technologies support an even more immersive user experience?
That’s what I think Apple is working on based on the second event to have emerged in the last few days: the introduction of an AI-based model Apple calls Depth Pro.
AI provides depth
What this does is powerful. The AI can basically map the depth of a 2D image. The technology behind it seems similar to what you’d expect if you were building an autonomous vehicle, given such vehicles must be able to accurately determine depth using images of nearby objects in real time.
Apple’s researchers seem to have developed this tech so it will run accurately on an iPhone. They claim that apps using the Depth Pro model can produce accurate depth maps based on images captured by a single lens camera in just 0.3 seconds when run on a computer running a standard GPU.
The team says the tech could have big implications for robots, real-time mapping, and improved camera or video effects. You can read the company’s research paper on these features here, or its post concerning Depth Pro on the company’s machine learning website.
Information is power
Being able to take it to the movies suggests Apple now has a technology that can automatically figure out depth from 2D images. Of course, a movie is just a sequence of 2D images, which means the company has tech to figure out spatial positioning based on what you see on screen.
You can already see this to some extent in that visionOS can turn existing photos into spatial images, adding depth to create a stereoscopic effect. It also makes sense to use that tech to generate 3D environments from 2D images.
What next? In August 2023, Apple researchers published a paper explaining FineRecon, which showed how 3D scenes constructed from posed images using AI can be made more accurate and deliver scenes that offer more fidelity. That research couples well with earlier information concerning a project to deliver enhanced 3D indoor scene understanding.
Movies you can walk through
Combine all these ingredients and, in theory, the breakthrough Apple might achieve could involve the creation of tech that can both understand images, and also add to them. After all, if you know that object A is in one position and object B in another, you can more easily deliver the illusion of walking between or even behind those objects to a Vision Pro user.
Generative AI (genAI) solutions already exist that can create video or image “fakes,” but to what extent can the computer exploit its knowledge of depth of field to generate 3D experiences in which you can literally walk behind the objects you see? And how could those technologies be applied to the viewing experience of watching Apple’s Submerged movie?
Even as it is, the experience of being in a sinking submarine is immersive in both senses of the word — but being able to find your own viewpoint within that action in high fidelity would realize every video gamer’s dreams. It would certainly sell a few movies.
Arranging the scenery
It’s important not to jump too far forward. Building technologies to achieve these things is going to be much more challenging than simply pontificating on the possibilities in prose, but there are other potential visionOS implications to the application of accurate depth-of-field data based on 2D images. I’m particularly thinking about use in emergency response, medicine, remote drone control — even space exploration, and all from a single-lens camera, making the tech lightweight and highly portable.
In other words, along with new frontiers for creative expression, there are viable business opportunities about to be unlocked by Apple’s home-grown reality distortion machine. Will we see some of them emerge with visionOS 3.0 at next year’s WWDC? Is it then we’ll really see how Apple Intelligence can work miracles with Spatial Reality?
You start a conversation with someone, wondering if you’ve met them before. But then, your smart glasses tell you their name and where, when, and in what context you actually did meet them.
Is this a helpful, powerful way to avoid offense, reconnect, and gain context about the people you encounter?
Or is it an outrageous or dangerous invasion of the other person’s privacy?
The Privacy Project
Two Harvard engineering students, AnhPhu Nguyen and Caine Ardayfio, recently demonstrated and published a paper and a YouTube video about an experimental project they call I-XRAY.
The I-XRAY “system” is a kludge that starts with Ray-Ban Meta glasses streaming live video to Instagram, a standard, out-of-the-box feature of that product.
A computer watches the Instagram stream remotely. When specially written software detects a person’s face in the stream for a few seconds, the face is captured as a screenshot.
The software automatically uploads the screenshot of the face to a site called PimEyes, which I wrote about in 2017. PimEyes is a face-recognition service that recognizes a face and shows you where else the same person’s face is posted on the internet.
The software captures and opens the URLs provided by PimEyes and then scrapes the textual data on those sites.
The scraped data is processed with a large language model (LLM), which sifts through the text to extract the person’s name, company name, or any other personally identifiable information (it discards non-personal information).
Then, the I-XRAY software uses personal data to search on a people search site. By entering any basic personal data point about someone — their name, address, phone number, or email address — the people search sites show you the other data points, plus age, relatives, work history, etc.
The personal information gathered is then sent in text form back to the smartphone of the person wearing the glasses, giving them knowledge about a stranger without that person’s permission.
The experiment’s creators presented it as a warning, a cautionary demonstration showing the future danger to privacy posed by AI glasses.
Commentators are also sounding alarms about the demonstration videos posted by the I-XRAY guys, saying that they reveal AI glasses to be creepy, dystopic, and dangerous.
But this take by the I-XRAY creators and commentators is simplistic, misleading, and wrong.
Why I-XRAY isn’t about AI glasses
The title of the I-XRAY paper is headlined with a patently false claim, that the researchers demonstrated “AI glasses that can reveal anyone’s personal details.”
It “feels” like that in their video. In that captured demonstration, one of the creators walks up to a stranger and, just by looking at them, learns their name, plus other personal information such as their occupation or relatives.
What’s actually true is that the “AI glasses” serve no purpose in this scheme other than to take a picture using the embedded camera.
In fact, without any other modifications to the I-XRAY backend system, the students could stream live video to Instagram with their smartphone rather than the Ray-Ban Meta glasses wirelessly connected to their smartphone, and the result would be the same. (Actually, the smartphone would work better because the video would have a higher resolution.)
So why imply the glasses pose some special risk?
At least the glasses have a bright white light that shows others a video is being captured. Anyone could use a telephoto lens or even the zoom feature on their smartphone to capture a picture of someone from far away without their knowledge.
To be clear, the online services they used to enable this outcome are clear and present dangers to your privacy. Specifically, PimEyes and Facecheck ID can find all the places your picture is posted online and give that list to anyone who can upload a photo, whether downloaded or captured with a camera.
The database sites they used, including FastPeopleSearch and Instant Checkmate, are also a clear and present danger to your privacy. Your personal information is already in their database, waiting for anyone with an internet connection to add any bit of your personal data to receive back a lot more of your personal data.
Anyone can upload any photo of their face to PimEyes, for example, at any time. The site will return all the URLs where your picture is also available. The person can then grab the other data on those pages, especially your name.
With your name in hand, they can get a massive amount of personal and financial information about you from the other sites.
But here’s the thing: Using a camera that happens to be built into glasses isn’t a special privacy risk compared with any other camera. It’s just a camera.
If you want to protect your privacy, you need to visit each of the websites above one by one and use their tools for opting out.
Opposition to AI glasses will have zero effect. To protect your privacy from the photo-generation side, you would have to advocate for the abolishment of AI glasses — and smartphones, DSLRs, polaroids, webcams, doorbell cams and every other object capable of capturing a photograph or video.
I object to how the I-XRAY project has been presented by the creators and received by the public. The risk lies not with the glasses but with the face recognition sites and the public personal data sites. Glasses have nothing to do with it.
Instead, we should demand face-recognition features in our AI glasses.
Why face-recognition glasses are good
Business cards originated in 15th-century China as social calling cards for the aristocracy. They spread to Europe in the 18th century as “visiting cards.” But when the Industrial Revolution reached full steam, business cards became the standard tool for exchanging contact information.
Now, we exchange that kind of information electronically. For example, we can share business cards from Apple Wallet or Google Wallet as passes, which (thanks to the vCard format) can go right into our Contact app to live among the business contacts we’ve been collecting throughout our careers.
Under the right circumstances (both parties using iPhones running iOS 17 or later), we can easily exchange business card-type information by simply holding the two phones near each other.
To give a business card is to grant permission for the receiver to possess the personal information thereon.
It would be trivial to add a small bit of code to grant permission for face recognition. Each user could grant that permission with a checkbox in the contacts app. That permission would automatically share both the permission and a profile photo.
Face-recognition permission should be grantable and revokable at any time on a person-by-person basis.
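As an added example (not the column’s code, and no contacts app works this way today), here is the permission model the column proposes, sketched in Python: a grant is per person, arrives together with that person’s profile-photo template, decides which contacts a captured face is ever compared against, and is deleted the moment it is revoked. The face templates are stand-in vectors rather than output of a real face model, the contact names are made up, and the 0.9 similarity threshold is an assumed value.

```python
"""Permission-based face recognition for a contacts app, sketched in code.

Added example; this is not the column's code and the contacts app it imagines
does not exist. Face templates are stand-in float vectors (a real system would
take them from a face-embedding model) and the 0.9 cosine threshold is assumed.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Contact:
    name: str
    organization: str = ""
    face_template: Optional[List[float]] = None  # present only while consent is active


def cosine(a: List[float], b: List[float]) -> float:
    """Cosine similarity between two vectors; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


@dataclass
class ContactBook:
    contacts: Dict[str, Contact] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def add(self, contact_id: str, contact: Contact) -> None:
        self.contacts[contact_id] = contact

    def grant_face_recognition(self, contact_id: str, template: List[float]) -> None:
        """The other party ticks the box: permission and profile-photo template arrive together."""
        self.contacts[contact_id].face_template = list(template)
        self.audit.append(f"grant:{contact_id}")

    def revoke_face_recognition(self, contact_id: str) -> None:
        """Revocation deletes the template, so there is nothing left to match against."""
        self.contacts[contact_id].face_template = None
        self.audit.append(f"revoke:{contact_id}")

    def recognize(self, probe: List[float], threshold: float = 0.9) -> Optional[str]:
        """Best match among consenting contacts only; None if nobody consented or nobody is close."""
        best_id, best_score = None, threshold
        for contact_id, contact in self.contacts.items():
            if contact.face_template is None:
                continue  # no grant: this person is never compared, let alone identified
            score = cosine(probe, contact.face_template)
            if score >= best_score:
                best_id, best_score = contact_id, score
        return best_id


def demo() -> List[Optional[str]]:
    """Grant, match, a stranger who never consented, then revoke and match again."""
    book = ContactBook()
    book.add("alice", Contact("Alice Example", "Example Corp"))
    book.add("carol", Contact("Carol Stranger"))  # met once, never granted anything
    book.grant_face_recognition("alice", [1.0, 0.0, 0.0])
    seen_at_conference = [0.98, 0.1, 0.0]  # constructed probe close to Alice's template
    first = book.recognize(seen_at_conference)          # "alice"
    stranger = book.recognize([0.0, 1.0, 0.0])          # None: no consenting template is close
    book.revoke_face_recognition("alice")
    after_revoke = book.recognize(seen_at_conference)   # None: template is gone
    return [first, stranger, after_revoke]


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the match set is bounded by consent rather than by whatever photos happen to be on the internet, and that revocation is a deletion, not a flag the matcher might forget to check.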
Ten years from now (when almost everyone will be wearing AI glasses), you could be alerted at conferences and other business events about everyone you’ve met before, complete with their name, occupation, and history of interaction.
Collecting such data throughout one’s life on family and friends would also be a huge benefit to older people suffering from age-related dementia or just from a naturally failing memory.
Shaming AI glasses as a face-recognition privacy risk is the wrong tactic, especially when the glasses are being used only as a camera. Instead, we should recognize that permission-based face-recognition features in AI glasses would radically improve our careers and lives.
You might not know it from all the panic-inducing headlines out there, but Android is actually packed with practical and powerful security options. Some are activated by default and protecting you whether you realize it or not, while others are more out of the way but equally deserving of your attention.
So stop wasting your time worrying about the overhyped Android malware monster du jour and instead take a moment to look through these far more meaningful Android settings — ranging from core system-level elements to some more advanced and easily overlooked options.
Android security setting #1: App permissions
A rarely spoken reality of Android security is that your own negligence — either in failing to properly secure your device in some way or in leaving open too many windows that allow third-party apps access to your info — is far more likely to be problematic than any manner of malware or scary-sounding boogeyman.
So let’s address the first part of that right off the bat, shall we? Despite what some sensational stories might lead you to believe, Android apps can’t get at your personal data or the sensitive parts of your phone (your location, camera, microphone, contacts, and the like) unless you explicitly give ’em the go-ahead to do so. And while you can’t undo anything that’s already happened (unless you happen to own a time-traveling DeLorean — in which case, great Scott, drop me a line), you can go back and revisit all your app permissions to make sure everything’s in tip-top shape for the future.
That’s advisable to do periodically, anyway, and particularly now — as a few recent Android versions have included some important new app permission options.
Specifically, you can now let apps access your location only when they’re actively in use, instead of all the time (as of Android 10); you can approve certain permissions only on a one-time, limited-use basis (as of Android 11); and you can determine how detailed of a view any given app gets of your location when you grant it that access (as of Android 12). But any apps that were already on your phone by the time those upgrades arrived would’ve already had full, unrestricted access to those areas of your device. And it’s up to you to revisit ’em and update their settings as needed.
So do this: Head into the Security & Privacy section of your Android settings and find the “Permission manager” line. (Depending on your device, you might have to tap a line labeled “Privacy” before you see it.) That’ll show you a list of all available system permissions, including especially sensitive areas such as location, camera, and microphone — the same three areas, incidentally, that can be limited to one-time use only on any phone running at least Android 11.
JR Raphael, IDG
Tap on a specific permission, and you’ll see a breakdown of exactly which apps are authorized to use it and in what way.
You can then tap on any app to adjust its level of access and bring it down a notch, when applicable, or remove its access to the permission entirely — and, if you’ve got Android 12 or higher, also select whether the app should get access to your precise location or only a far less specific approximate view of where you are.
If there’s one section of your Android settings worth spending the time to revisit, this is without a doubt it.
(And if you don’t see a “Permission manager” option on your phone, try looking in the Apps section of your Android settings instead. You can then pull up one app at a time there and find its permissions that way.)
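The same audit from a computer, as an added example that is not part of the original article: a Python script that parses the output of “adb shell dumpsys package” (the developer-tools view of the same data Permission manager shows) and lists every app holding the camera, microphone, or location grants discussed above, including the always-on background grant and the precise-versus-approximate distinction. The dumpsys excerpt embedded in the script is constructed to mirror the real output format, and the package names are made up.

```python
"""Audit which apps hold sensitive runtime permissions, from `adb shell dumpsys package`.

Added example; not from the original article. Parses the `runtime permissions:`
block that dumpsys prints for every installed package. The SAMPLE_DUMPSYS text
is constructed to mirror the real format (package names are invented). Against
a real device:

    adb shell dumpsys package > dumpsys.txt && python audit_permissions.py dumpsys.txt
"""
import re
import sys
from typing import Dict, List, Tuple

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.maps] (5a1b2c3):
    userId=10123
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
    installPermissionsFixed=true
  Package [com.example.flashlight] (9d8e7f6):
    userId=10124
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
  Package [com.example.weather] (1f2e3d4):
    userId=10125
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET]
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET]
"""


def parse_runtime_permissions(text: str) -> Dict[str, Dict[str, bool]]:
    """Map package name -> {permission: granted} from dumpsys output."""
    result: Dict[str, Dict[str, bool]] = {}
    pkg = None
    in_block = False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            result.setdefault(pkg, {})
            in_block = False
            continue
        if pkg is None:
            continue
        if line.strip() == "runtime permissions:":
            in_block = True
            continue
        if in_block:
            m = PERM_RE.match(line)
            if m:
                result[pkg][m.group(1)] = m.group(2) == "true"
            elif line.strip():
                in_block = False  # any other non-blank line ends the block
    return result


def flag_sensitive(perms: Dict[str, Dict[str, bool]]) -> List[Tuple[str, str]]:
    """(package, what it can do) for every granted sensitive permission, sorted."""
    findings = []
    for pkg, grants in perms.items():
        has = lambda p: grants.get("android.permission." + p, False)
        # Precise location implies coarse is granted too; report the stronger one only.
        if has("ACCESS_FINE_LOCATION"):
            findings.append((pkg, "location: precise"))
        elif has("ACCESS_COARSE_LOCATION"):
            findings.append((pkg, "location: approximate"))
        if has("ACCESS_BACKGROUND_LOCATION"):
            findings.append((pkg, "location: allowed all the time"))
        if has("CAMERA"):
            findings.append((pkg, "camera"))
        if has("RECORD_AUDIO"):
            findings.append((pkg, "microphone"))
    return sorted(findings)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    for pkg, what in flag_sensitive(parse_runtime_permissions(text)):
        print(f"{pkg:40} {what}")
```

Apps that show up with “location: allowed all the time” are the ones the article is warning about: they kept the pre-Android 10 style of always-on access and are worth downgrading to “only while in use” in Permission manager.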
Android security setting #2: Play Protect
Speaking of apps on your phone, this is a fine time to talk about Google Play Protect — Android’s native security system that, among other things, continuously scans your phone for any signs of misbehaving apps and warns you if anything suspicious emerges.
Unless you (or someone else) inadvertently disabled it at some point, Play Protect should be up and running on your phone already — but it certainly can’t hurt to double-check and make sure.
To do so, just open up the Security & Privacy section of your Android settings. Tap the line labeled “App security,” then tap “Google Play Protect,” if needed, and tap the gear icon in the upper-right corner of the screen and make sure both of the toggles in the screen that comes up are activated.
Back on the main Play Protect screen, you’ll see a status update showing you that the system is active and running. It works entirely on its own, automatically, but you can always trigger a manual scan of your apps on that same page, if you’re ever so inclined (or maybe just feeling twitchy).
Android security setting #3: Safe Browsing
Chrome is typically the default Android browser — and as long as you’re using it, you can rest a little easier knowing it’ll warn you anytime you try to open a shady site or download something dangerous.
While Chrome’s Safe Browsing mode is enabled by default, though, the app has a newer and more effective version of the same system called Enhanced Safe Browsing. And it’s up to you to opt in to it.
Here’s how:
Open up Chrome on your phone.
Tap the three-dot menu icon in the app’s upper-right corner and select “Settings” from the menu that comes up.
Tap “Privacy and security,” then select “Safe Browsing.”
Tap the dot next to “Enhanced protection” on the next screen you see.
While you’re there, back yourself out to the main Chrome settings menu and select “Safety check.” That’ll reveal a handy one-tap tool for scanning your various browser settings and saved passwords and letting you know of anything that needs attention.
Android security setting #4: Extra phishing protection
From the web to your messages, one of the most common forms of digital chicanery is a modern-day ruffian attempting to trick you into sharing your personal info — either by posing as some official-seeming source and convincing you to send sensitive details or by conning you into clicking a link that does something dicey.
On at least some devices running Android 14 or higher, Google’s got an option to help protect you from some of these shenanigans. And it’s well worth checking to see if it’s available on yours.
The simplest way is to search your system settings for the word deceptive. If you see an option called “Scanning for deceptive apps,” tap it — then make sure the toggle next to “Use scanning for deceptive apps” is active within it.
If you don’t see that option, scratch your head in befuddlement and then set yourself a reminder to check this again in a month or two to see if it magically reappears.
Android security setting #5: Lock screen info
If someone else ever gets their sweaty paws on your phone, you don’t want ’em to be able to access any of your personal and/or company information — right?
Well, take note: Android typically shows notifications on your lock screen by default — which means the contents of emails or other messages you receive might be visible to anyone who looks at your device, even if they can’t unlock it.
If you tend to get sensitive messages or just want to step up your security and privacy game, you can restrict how much notification info is shown on your lock screen. Go to the Security & Privacy section of your Android settings, tap the line labeled “More privacy settings” (if you see it), then tap “Notifications on lock screen” and change its setting from “Show all notification content” to either “Show sensitive content only when unlocked” (which keeps any notification the system deems sensitive off the lock screen until you unlock) or “Don’t show notifications at all” (which, as you’d expect, shows no notifications on your lock screen whatsoever).
If you’re using a Samsung phone, you’ll find those same options within the Notifications section of the system settings — though, unfortunately, with less nuance involved (as Samsung has for no apparent reason removed the “sensitive” notification differentiation from the settings on its version of Android).
And speaking of the lock screen…
Android security setting #6: Lock screen controls
By default, Android makes all of the shortcuts in your phone’s Quick Settings area — y’know, that panel of one-tap tiles that shows up when you swipe down from the top of the screen — available even when the device is locked.
Anything that takes you to another area of the operating system will still require authentication, of course, but the simple on-off tiles can be tapped and toggled by anyone who’s holding the phone.
More often than not, that’s an added convenience. Say you want to flip on your phone’s Bluetooth for a fast connection, for instance, or flash on your flashlight to find that stray cheesy poof that slipped out of your sticky grabbers and fell onto the floor. Being able to do those things with a couple quick taps and without having to unlock your phone can certainly be handy.
At the same time, though, it can also allow someone else to do something like change your phone’s sound settings, disable its Wi-Fi connection, or even put it into airplane mode. And if you’re really aiming for the tightest security available, you probably don’t want that sort of stuff to be possible.
Here’s the good news: If you’ve got a device with a reasonably recent Android version, you can take control and turn at least some of those controls off in the lock screen environment. With Android 12 and up, march into the Display section of your Android settings and tap “Lock screen.” Turn the toggle next to the “Use device controls” option into the off position, then make a celebratory squawking sound and get yourself a soda.
With Samsung phones, you’ll instead need to head into the Lock Screen section of your settings and tap the line labeled “Secure lock settings.” There, you’ll find an option to “Lock network and security,” which prevents any network-related toggles from being used in that context.
Android security setting #7: NFC protection
While we’re thinking about your lock screen, take two seconds to secure any digital transfer mechanisms connected to your phone and make sure they’re available only when your device is unlocked.
It’s one of the most obvious-seeming Android settings, and yet, if you don’t actively enable it, it won’t be in effect — and everything from credit cards to locally stored data could be significantly more susceptible to theft as a result.
This option’s present only in Google’s core Android software and not in Samsung’s heavily modified implementation of the operating system.
If you’ve got a Pixel or another phone that’s using a more unadulterated Android setup, though, search your system settings for NFC and look for the line labeled “Require device unlock for NFC.” Flip the toggle next to it into the on position, then rest easy knowing no NFC transfer can occur while your device is locked.
Android security setting #8: Extend Unlock
Security is only useful if you actually use it — and given the extra level of inconvenience it often adds into our lives, it’s all too easy to let our guards down and get lazy after a while.
Android’s Extend Unlock feature (known as Smart Lock until Google recently renamed it to drive us all completely batty) is designed to counteract that tendency by making security a teensy bit less annoying. It can let you automatically keep your phone unlocked whenever you’re in a trusted place — like your home, your office, or that weird-smelling restaurant where you eat barbeque sandwiches almost disgustingly often — or even when you’re connected to a trusted Bluetooth device, like a smartwatch, some earbuds, or your car’s audio system.
The exact placement of this system can vary considerably, so the simplest thing to do is to search your system settings for the word extend to find it and explore all the available possibilities.
And if you ever find the Trusted Places part of Extend Unlock isn’t working reliably, by the way, here’s the 60-second fix.
Android security setting #9: Two-factor authentication
This next one’s technically a Google account security option and not specific to Android, but it’s very much connected to Android and your overall smartphone experience.
You know what two-factor authentication is by now, right? And you’re using it everywhere you can — especially on your Google account, which is probably associated with all sorts of sensitive data? RIGHT?!
For most people, I’d recommend using your phone’s own “Security Key” option as the default method, if it’s available, followed by “Google prompts” and an authenticator app as secondary methods. For that last part, you’ll need to download and set up an app like Google’s own Authenticator or the more flexible Authy to generate your sign-in codes.
If you really want to take your Google account security to the max, you can also go a step further and set up a Google passkey on your phone for even stronger security — or purchase a specific standalone hardware key that’ll control the process and be required for any successful sign-in to occur.
It’ll add an extra step into your sign-in sequence, but this is one area where the minor inconvenience is very much worth the tradeoff for enhanced protection.
Android security setting #10: Lockdown mode
Provided you’re using a phone with Android 9 or higher (and if you aren’t, switching over to a current phone that actually gets active software updates should be your top security priority!), an Android setting called lockdown mode is well worth your while to investigate. Once enabled, it gives you an easy way to temporarily lock down your phone from all biometric and Extend Unlock security options — meaning only a pattern, PIN, or password can get a person past your lock screen and into your device.
The idea is that if you were ever in a situation where you thought you might be forced to unlock your phone with your fingerprint or face — be it by some sort of law enforcement agent or just by a regular ol’ hooligan — you could activate the lockdown mode and know your data couldn’t be accessed without your pattern, PIN, or password. No notifications will show up on your lock screen while the mode is active, and that heightened level of protection will remain in place until you manually unlock your phone (even if the device is restarted).
The trick, though, is that on certain phones — including most Samsung Android devices — you have to enable the option ahead of time in order for it to be available. To confirm that it’s activated on your device, open up your Android settings, search for the word lockdown, and make sure the toggle alongside “Show lockdown option” is set to the on position.
If you’re using a current phone and don’t see any results for that search, the option is probably just automatically enabled — and you shouldn’t have to do anything to make it available.
Either way, once the system’s up and running, you should see a command labeled either “Lockdown” or “Lockdown mode” anytime you press and hold your phone’s power button (or press and hold the power button and volume-up button together, on certain devices). With any luck, you’ll never need it. But it’s a good added layer of protection to have available, just in case — and now you know how to find it.
Android security setting #11: App pinning
One of Android’s most practical settings is also one of its most hidden. I’m talkin’ about app pinning — something introduced way back in 2014’s Lollipop era and rarely mentioned since.
App pinning makes it possible for you to lock a single app or process to your phone and then require a password or fingerprint authentication before anything else can be accessed. It can be invaluable when you pass your phone off to a friend or colleague and want to be sure they don’t accidentally (or maybe not so accidentally) get into something they shouldn’t.
To use app pinning, you’ll first need to activate it by opening that trusty ol’ Security & Privacy section in your Android settings and then finding the line labeled “App pinning,” “Screen pinning,” or possibly “Pin app” or “Pin windows.” (You’ll probably have to tap a line labeled “Advanced settings,” “More security settings,” or “Other security settings” to reveal it.) Tap those words, whatever they are on your specific device, then turn the feature on and also make sure the toggle to require authentication before unpinning is activated.
Then, the next time you’re about to place your phone in someone else’s grubby hands, first open up your system Overview interface — either by swiping up from the bottom of your screen and holding your finger down, if you’re using Android’s gesture system, or by pressing the square-shaped button, if you’re still hangin’ onto the old-school three-button nav setup.
On any phone running reasonably recent software, you’ll then tap the icon of the app you want to pin, directly above its card in that Overview area. And there, you should see the Pin option.
Once you’ve tapped that, you won’t be able to switch apps, go back to your home screen, look at notifications, or do anything else until you exit the pinning and unlock the device. To do that, with gestures, you’ll swipe up from the bottom of your screen and hold your finger down — and with the old three-button nav setup, you’ll press the Back and Overview buttons at the same time.
Android security setting #12: Guest Mode
If you want to go a step further and let someone else use all parts of your phone without ever encountering your personal information or being able to mess anything up, Android has an incredible system that’ll let you do just that — with next to no ongoing effort involved.
It’s called Guest Mode, and it’s been around since 2014, despite the fact that most folks have completely forgotten about it. For a detailed walkthrough of what it’s all about and how you can put it to use, see my separate Android Guest Mode guide.
Just note that if you have a Samsung phone, that guide won’t do you much good — as Samsung has for no apparent reason opted to remove this standard operating system element from its software (insert tangentially related soapbox rant here). On Google’s own Pixel phones and most other Android devices, though, it’ll take you all of 20 seconds to set up and get ready.
Android security setting #13: Find My Device
Whether you’ve simply misplaced your phone around the house or office or you’ve actually lost it out in the wild, always remember that Android has its own built-in mechanism for finding, ringing, locking, and even erasing a device from afar.
Like Play Protect, the Android Find My Device feature should be enabled by default. You can make sure by heading into the Security & Privacy section of your Android settings and tapping the line labeled “Find My Device” — or possibly first “Device finders” and then “Find My Device.” Double-check that the toggle at the top of the screen is turned on.
Using a Samsung phone? Samsung provides its own superfluous, redundant service called Find My Mobile, but the native Google Android version will bring all of your devices — not only those made by Samsung — together into a single place, and it’s also much more versatile in how and where it’s able to work. On a Samsung device, the easiest way to find the Android Find My Device setting is to search your system settings for the phrase Find My Device.
Once you’ve confirmed the setting is enabled, if you ever need to track your phone down, just go to android.com/find from any browser. (There’s also an official Find My Device Android app, if you have another Android device and want to keep that function standing by and ready.)
As long as you’re able to sign into your Google account, you’ll be able to pinpoint your phone’s last known location on a map and manage it remotely in a matter of seconds.
Android security setting #14: Emergency contact
Find My Device is a fantastic resource to have — but in certain situations, you might get a missing phone back even faster with the help of a fellow hominid.
Give people a chance to do the right thing by adding an emergency contact that can be accessed and dialed with a few quick taps from your phone’s lock screen. To start, go to either the About Phone section of your Android settings or the Safety & Emergency section, if you have it, and then find and tap the line labeled either “Emergency information” or “Emergency contacts.”
Follow the prompts there to add in an emergency contact — a close friend, family member, significant other, random raccoon, or whatever makes sense for you. (Hey, I’m not here to judge.)
Easy peasy, right? Well, almost: The only challenge is that the emergency contact info isn’t exactly obvious or simple to find on the lock screen — go figure — so anyone who picks up your phone might not even notice it.
But wait! You can increase the odds considerably with one extra step: Head into the Display section of your settings and tap “Lock screen” (which may be hidden within an “Advanced” subsection, depending on your device), then tap the line labeled “Add text on lock screen.”
However you get there, once you find yourself facing a blank space for text input, enter something along the lines of: “If you’ve found this phone, please swipe up and then tap ‘Emergency call’ and ‘View emergency information’ to notify me” (or whatever specific instructions make sense for the required steps on your specific device).
That message will then always show up on your lock screen — and as an added bonus, if there’s ever an actual emergency, you’ll be ready for that, too.
Using a Samsung phone? For no apparent reason (sensing a theme here?), Samsung has removed the direct emergency contact system and instead offers only the ability to place plain text on your lock screen. You can find that, though, by making your way into the Lock Screen section of your system settings and looking for the line labeled “Contact information.”
If you don’t see that option, try instead pressing and holding your finger onto the actual lock screen on your Samsung phone and then tapping the line toward the bottom labeled “Contact information.”
However you get there, you can then type your emergency contact info directly into that area and hope that someone finds it and dials it from their own phone if the situation ever comes up.
Android security setting #15: Theft detection
Our final four Android security settings revolve around the worst-case scenario of someone deliberately swiping your device and then trying to get at the data — whether yours or your company’s — that’s stored within it.
As of October 2024, Google’s actively in the midst of rolling out a trio of new Android theft detection security features that are designed exactly with this possibility in mind. The first, Theft Detection Lock, relies on a combination of your phone’s sensors and AI to identify motions commonly associated with a phone being forcefully stolen.
If such actions occur, Android instantly and automatically locks the device on your behalf.
The option will soon be present on all Android devices running 2019’s Android 10 software and higher. To see if it’s available for you, head into the Security & Privacy section of your system settings, tap “Device unlock,” and look for a new “Theft protection” section within that area.
And if you don’t see it yet, set yourself a reminder to check back every week or two until it shows up for you. It should be there soon!
Android security setting #16: Offline locking
Going hand in hand with that Theft Detection Lock option is another new (as of October 2024) Android security feature called Offline Device Lock.
It looks for on-screen behaviors that make it look like a phone’s fallen into the wrong hands — like an unusually long period of Wi-Fi and mobile data disconnection or a series of failed attempts at getting past your lock screen. And if any such activity is detected, it automatically locks the device to keep any intruders out.
This option is in that same “Theft protection” section of Android’s Security & Privacy “Device unlock” menu — or at least will be once the associated update makes its way to you.
Android security setting #17: Remote locking
One last late-2024 addition to the Android security picture is something Google’s calling Remote Lock. It’s essentially an extra way to manually and quickly lock down your device from afar without having to use the full-fledged Android Find My Device system we went over a moment ago.
Once more, this one’s on its way out into the world as of October 2024, so check that “Theft protection” section to see when it becomes available for you.
Android security setting #18: SIM card safeguard
Last but not least, if your phone ever falls into the wrong hands and its finder has less-than-honorable intentions, you want to do anything you can to keep that person from being able to take over the device entirely.
And you’d never know it, but Android has an often-off-by-default option designed to protect you in exactly that way. Or, at least, some Android devices do.
Start by searching your system settings for SIM. Depending on your device and your specific configuration, you might see a couple of different options appear in the results — anything from “Confirm SIM deletion” to “Lock eSIM settings” or “SIM card lock.” If you see any of those options, tap ’em and then follow the subsequent steps to secure that SIM.
It’s almost shockingly easy to handle — so long as you have the foresight to protect yourself before the need actually arises.
One more thing…
Now that you’ve got your Android security settings optimized and in order, set aside a bit of time to perform an Android security checkup. It’s an 18-step process I’ve created for the state of security on both your phone and your broader Google account — and it’s well worth doing at least once a year.
The best part of this checkup? It’s completely painless — and unlike with most preventative exams, removing your pants is entirely optional.
Get even more Googley knowledge with my Android Intelligence newsletter — three new things to try every Friday and three special bonus tips in your inbox today.
One of two plants that mine high-purity quartz and silica sand needed for the production of semiconductors and other high-tech hardware has reopened operations after being shut down for more than a week.
Sibelco today announced the restart of production at its Spruce Pine, NC mining and processing operations following the disruption caused by Hurricane Helene. Sibelco had previously announced that all its employees are safe.
“While the road to full recovery for our communities will be long, restarting our operations and resuming shipments to customers are important contributors to rebuilding the local economy,” Sibelco CEO Hilmar Rode said in a statement.
The devastation to the mountain town in western North Carolina by Hurricane Helene brought to a halt the mining and refining of high-purity quartz by both the Sibelco and The Quartz Corp mines in Spruce Pine, NC, the two primary sources of the precious crystalline mineral.
The Quartz Corp did not immediately have an update on its operation’s status today.
Sibelco, the far larger of the two mining companies in the region, said in a statement last week that its operations had no power, but its infrastructure had only sustained minor damage. “The repair of power lines leading to our plants has progressed significantly,” Sibelco said. “Our final product stock has not been impacted. We are working closely with our customers to assess their needs and plan the restart of product shipments as soon as we can.”
Ultra-pure quartz, which formed millions of years ago in the Appalachian Mountain region, is used to create “crucibles” in which a pure polysilicon is melted down to be used in creating silicon chips. The ultra-high quality quartz can both withstand the extreme temperatures needed to melt silicon and ensures no impurities are introduced in the process.
From 70% to 90% of the crucibles used in silicon production worldwide are made from Spruce Pine quartz, according to a report.
The high‑purity silicon dioxide particles that result from processing by the plants are the raw materials from which computer chips and other high-tech hardware are made, including fiber‑optic cables and solar photovoltaic cells.
On Oct. 2, The Quartz Corp. said in a statement that most of the damage to its quartz processing plant was to “ancillary units.” May Kristin Haugen, a spokesperson for The Quartz Corp, told Computerworld it has “brought in numerous experts to assess the three different plants.
“All our three plants in Spruce Pine are affected, though in different ways,” Haugen said. “They are situated in different locations and the consequences for production will likely vary.”
Based on outside “expert assessment,” the company plans to communicate the status and restoration plans when it’s ready. “Our restoration plan will, however, depend on the surrounding infrastructure such as power, water, roads, and railway. Depending on the damage, it can take time to restore production, but we will get there,” she said.
The Quartz Corp said the COVID-19 pandemic taught it the value of “sizable safety stocks,” and between that and its multiple locations, it’s not concerned about shortages “in the short or medium term.”
Apple-focused IT admins using device management software should perhaps temporarily disable iPhone Mirroring across their device fleets to prevent inadvertent privacy or compliance challenges as a result of using the new macOS Sequoia feature. (Apple is supposed to be working on a fix already.)
It appears at present that when you use iPhone Mirroring with a Mac running Sequoia your computer gathers a small amount of information about the iPhone apps being used. It doesn’t gather all the data, just very basic information concerning app name, time of use, and so on — and while some MDM systems reportedly don’t parse this information, some of the most commonly used data compliance tools do review it.
What is the real threat here?
Ultimately the problem is two-fold:
Privacy: First, managed workplace Macs are gathering data concerning apps used on personally-owned iPhones, which can be a privacy failure and could be a bigger problem in some contexts. (For instance, an employee in an authoritarian state in which use of VPN or LGBTQ apps is proscribed might find their app use shared by this bug, with potentially serious consequences.)
Compliance: The second problem concerns regulatory compliance: If a compliance audit tool picks up use of an unauthorized iPhone app on a corporate network, which they will do due to the architecture of this bug, IT will be forced to explain and look into that use. This poses enterprise-wide compliance challenges, and also means admins could be forced to waste time on what should be a relatively trivial problem.
The iPhone Mirroring SNAFU isn’t a problem for smaller firms that don’t use device management or compliance tools, as in theory at least, the information gathered is not made available to anyone but the registered Apple ID/user of a system. Even so, the fact that the data exists at all might pose an additional attack surface for data exfiltration.
What is the problem?
The snag was first spotted in late September by Sevco Security, a company that does not develop for the Mac. It found that when iPhone Mirroring is used, any iPhone app creates an entry in a library item on your Mac. Effectively that is because the Mac treats these apps as native Mac apps, even though they are being run on iPhone.
You can read an in-depth account of the behavior courtesy of Sevco (above), but essentially if you run mdfind, Spotlight’s command-line interface (CLI), you should see a complete list of both iPhone and Mac apps run on the Mac. You usually can only see the Mac apps used, but with iPhone Mirroring you now see iPhone apps, too. That information is then maintained in a deeply-stashed library file on the Mac, which most users will never see.
The problem is that most compliance, network, and endpoint security and audit tools will interrogate the library files to discover what apps are being run, including apps run on the Mac via iPhone. (They can’t see any of the app data but could still provide insights that threaten privacy or compliance.)
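For admins who want to see for themselves what a software-inventory tool would pick up, the following script is an added example (not from the article or from Sevco) that runs the Spotlight application query mentioned above and flags any app bundle living under a user’s Library tree, which is where the article says the iPhone-app entries are stashed. The Spotlight query uses the real `kMDItemContentType` attribute for application bundles; the sample inventory lines, user name and bundle names are constructed so the filter can be exercised on a machine without mdfind.

```shell
#!/bin/sh
# Added example, not part of the article or Sevco's report.
# Lists app bundles that Spotlight has indexed and flags those found
# under a user's ~/Library tree so an admin can review what an
# inventory tool would report. Sample paths below are constructed.

# Real Spotlight query for application bundles (macOS only).
spotlight_app_inventory() {
    mdfind "kMDItemContentType == 'com.apple.application-bundle'"
}

# Filter: keep only bundles under /Users/<name>/Library/...
# Reads one path per line on stdin; always exits 0 so it can be used
# in pipelines under 'set -e' even when nothing matches.
flag_library_bundles() {
    grep -E '^/Users/[^/]+/Library/.*\.app$' || true
}

# Quick "is anything there?" count of flagged entries.
count_flagged() {
    flag_library_bundles | wc -l | tr -d ' '
}

# Constructed sample of inventory lines (hypothetical user and bundles),
# used when mdfind is not available on the current machine.
SAMPLE_INVENTORY='/Applications/Safari.app
/System/Applications/Mail.app
/Users/alice/Library/Example Container/Data/Library/Caches/ExampleVPN.app
/Users/alice/Applications/Slack.app'

main() {
    if command -v mdfind >/dev/null 2>&1; then
        spotlight_app_inventory | flag_library_bundles
    else
        printf '%s\n' "$SAMPLE_INVENTORY" | flag_library_bundles
    fi
}

# Run the review only when invoked with --run, so the functions can
# also be sourced and tested individually.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

On a managed Mac, run it with `--run` before and after disabling iPhone Mirroring (and after the log-out/log-in step discussed later in the article) to confirm whether the flagged entries persist; anything it prints is what a compliance or inventory agent that reads the same index would see, minus any app data.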
Apple is working on a fix
Apple is working on a patch for the flaw, but it doesn’t seem to have appeared in the latest beta. At the same time, it’s worth noting that rather than giving Apple 30 days to rectify the problem (which is the usual approach for revelations of this kind), Sevco disclosed the problem just 12 days after informing Apple of it, citing the public interest as many Mac users work with iPhone Mirroring.
Sevco did say: “We appreciate Apple’s rapid response and urgency addressing the issue.”
What you should do now
Sevco offers the following advice pending a fix:
“Employees should not use iPhone Mirroring on work computers;
“Companies should communicate to employees that they should avoid using iPhone Mirroring on work computers (this may be a legal or regulatory requirement);
“Companies should identify any enterprise IT systems that collect software inventory from Macs and work with those vendors to mitigate the risk until a patch is available.”
It is important to stress that since Apple is working on a fix, this is unlikely to be a permanent concern. And most enterprises handling confidential data should already have forbidden the use of iPhone Mirroring on managed devices to prevent other forms of data exfiltration.
Switch it off and on again?
Some admins have noted that in cases in which such information has already been collected, getting users to log out of their Apple Account and log in again might destroy the information held on the Mac. They can then disable iPhone Mirroring pending Apple’s fix. While logging out of an Apple Account seems a rather large hammer for a relatively small problem, if you are handling sensitive information, or have apps you don’t want to share the names of, it may be a useful step. (I’ve not tested this myself so cannot be certain this will completely wipe away the information.)
Should you panic?
This is not a red alert. Apple will rectify this problem soon, and its existence is unlikely to tarnish Apple’s reputation for security — certainly not in comparison to the appalling multi-billion-dollar damage wrought by the recent Microsoft/Crowdstrike failure. While the flaw does pose compliance and privacy challenges, and the collection of the information itself flies in the face of Apple’s general promise to collect as little data as possible about what users do, it can be rectified.
At the same time, it is likely that Windows-invested security experts will redouble their attempts to poke holes in Apple’s reputation for security as they recognize the growing threat Apple now provides to the ecosystem in which they have so much invested. That’s particularly true now that Delta Airlines has hired David Boies’ feared law firm to pursue damages generated by the Crowdstrike mess.