Security

The 'World's Worst' Smart Padlock Is Even Worse Than Previously Thought (sophos.com)

Last week, cybersecurity company Pen Test Partners managed to unlock Tapplock's smart padlock within two seconds. They "found that the actual code and digital authentication methods for the lock were basically nonexistent," reports The Verge. "All someone would need to unlock the lock is its Bluetooth Low Energy MAC address, which the lock itself broadcasts." The company also managed to snap the lock with a pair of 12-inch bolt cutters.

Today, Naked Security reports that it gets much worse: "Tapplock's cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly." From the report: Stykas found that once you'd logged into one Tapplock account, you were effectively authenticated to access anyone else's Tapplock account, as long as you knew their account ID. You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base -- but you didn't really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets. As a result, Stykas could not only add himself as an authorized user to anyone else's lock, but also read out personal information from that person's account, including the last location (if known) where the Tapplock was opened.

Incredibly, Tapplock's back-end system would not only let him open other people's locks using the official app, but also tell him where to find the locks he could now open! Of course, this gave him an unlocking speed advantage over Pen Test Partners -- by using the official app Stykas needed just 0.8 seconds to open a lock, instead of the sluggish two seconds needed by the lock-cracking app.

Desktops (Apple)

macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives (bleepingcomputer.com)

Apple's macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to macOS security experts Wojciech Regula and Patrick Wardle. From a report: The problem is that these cached thumbnails are stored on non-encrypted hard drives, in a known location and can be easily retrieved by malware or forensics tools, revealing some of the content stored on encrypted containers. On macOS, these thumbnails are created by Finder and QuickLook. Finder is the default macOS file explorer app, similar to Windows Explorer. Whenever a user navigates to a new folder, Finder automatically loads icons for the files located in those folders. For images, these icons are gradually replaced by thumbnails that show a preview of the image at a small scale.

Businesses

On The Sad State of Macintosh Hardware (rogueamoeba.com)

Quentin Carnicelli, the chief technology officer at Rogue Amoeba, a well-regarded firm that produces several audio apps for Apple's desktop operating system: With Apple recently releasing their first developer beta of MacOS 10.14 (Mojave), we've been installing it on various test machines to test our apps. The inevitable march of technology means Mojave won't install on all of our older hardware. There's no shock there, but the situation is rather distressing when it comes to spending money to purchase new equipment. Here is the situation, as reported by the wonderful MacRumors' Buyers Guide: At the time of writing, with the exception of the $5,000 iMac Pro, no Macintosh has been updated at all in the past year. Here are the last updates to the entire line of Macs: iMac Pro: 182 days ago, iMac: 374 days ago, MacBook: 374 days ago, MacBook Air: 374 days ago, MacBook Pro: 374 days ago, Mac Pro: 436 days ago, and Mac Mini: 1337 days ago.

Worse, most of these counts are misleading, with the machines not seeing a true update in quite a bit longer. The Mac Mini hasn't seen an update of any kind in almost 4 years (nor, for that matter, a price drop). The once-solid Mac Pro was replaced by the dead-end cylindrical version all the way back in 2012, which was then left to stagnate. I don't even want to get started on the MacBook Pro's questionable keyboard, or the MacBook's sole port (USB-C which must also be used to provide power). It's very difficult to recommend much from the current crop of Macs to customers, and that's deeply worrisome to us, as a Mac-based software company.

Nintendo

Sony Is Blocking Fortnite Cross-Play Between PS4, Nintendo Switch Players (theverge.com)

Earlier today, Nintendo announced during its E3 press conference that Epic Games' Fortnite would be coming to the Switch console. Unfortunately, when Epic Games PR representative Nick Chester confirmed cross-play compatibility, the PS4 wasn't on the list. The Switch version of Fortnite will only support cross-play with Xbox One, PC, Mac, and mobile. The Verge reports: That aligns with past cross-play implementations between Xbox One, PS4, PC, and mobile, with Sony blocking other console platforms from playing with its own. You can cross-play between PS4, mobile, and PC. Unfortunately, this also suggests that PS4 players of Fortnite won't be able to log in to their Epic accounts on the Switch, meaning you won't be able to have any weekly progress carry over or gain access to any of your skins or emotes. This is because your Epic account is tied up with your PSN username in most cases. For instance, you can't log in to an Epic account tied to PSN on the Xbox One version of Fortnite, and it sounds like the same will be true for the Switch.

Bug

Bugs Allowed Hackers To Make Malware Look Like Apple Software (vice.com)

An anonymous reader shares a report: For years, hackers could hide malware alongside legitimate Apple code and sneak it past several popular third-party security products for Mac computers, according to new research. This is not a flaw in MacOS but an issue in how third-party security tools implemented Apple's APIs. A researcher from security firm Okta found that several security products for Mac -- including Little Snitch, xFence, and Facebook's OSquery -- could be tricked into believing malware was Apple code, and let it past their defenses. "I can take malicious code and make it look like it's signed by Apple," Josh Pitts, the security researcher at Okta who discovered these bugs, told Motherboard. In a blog post published Tuesday, Pitts explained that the issue lies with how the third-party security tools implemented Apple's code-signing APIs when dealing with Mac's executable files known as Universal or Fat files.

Bitcoin

Apple's App Store Officially Bans Cryptocurrency Mining (venturebeat.com)

Apple has updated the App Store's Review Guidelines to explicitly ban on-device mining across any type of app, and all of Apple's platforms. The new section 3.1.5 (b), titled Cryptocurrencies, provides five clear rules for what will and won't be allowed in macOS, iOS, tvOS, and watchOS apps going forward. VentureBeat reports: The upshot of the new rules is that while Apple will permit cryptocurrencies to exist on its platforms, it's adding requirements to stop scammers and individuals from exploiting App Store customers, while making explicit that it's blocking developers from eating Apple device processing power for mining activities. As AppleInsider notes, the Review Guidelines were previously less concerned with cryptocurrencies, allowing an app to facilitate crypto and ICO transactions if it complied with the laws in the app's distributed territories.

Since the App Store is virtually the only place to acquire software for iPhones, iPads, iPod touches, Apple TVs, and Apple Watches, Apple's decision will effectively end crypto mining on those devices. On macOS, however, users will continue to be able to acquire apps outside of the Mac App Store, enabling mining and other activities to continue without Apple's seal of approval.

Desktops (Apple)

Clear Linux Beats MacOS in MacBook Pro Benchmark Tests (phoronix.com)

To celebrate its 14th birthday, Phoronix.com used a 15-inch MacBook Pro to run system benchmarking tests on the following operating systems:

- Windows 10 Pro

- The latest macOS 10.13 High Sierra

- Windows 10 Windows Subsystem for Linux (WSL) using Ubuntu 18.04

- Ubuntu 18.04 LTS with the Linux 4.15 kernel, GCC 7.3.0, and an EXT4 file-system.

- Clear Linux 22780 with the Linux 4.16 kernel, GCC 8.1.1, and EXT4.

- Fedora Workstation 28 with updates, using the Linux 4.16 kernel, GCC 8.1.1, and EXT4.

- openSUSE Tumbleweed with the Linux 4.16 kernel, GCC 7.3.1, and the default file-system configuration of a Btrfs root file-system with an XFS home partition.

The results? When it came to outright wins and losses, Clear Linux 22780 was the front-runner 59% of the time, followed by macOS 10.13.4 finishing first 21% of the time and then Fedora Workstation 28 winning 10% of the time.

For losses, to little surprise considering the I/O overhead, Windows 10 was in last place 38% of the time, followed by Ubuntu 18.04, which was surprisingly the slowest Linux distribution 30% of the time on this 2016 MacBook Pro.

The article also reminds readers that "For those looking for a Linux laptop, there are plenty of better options..."

Software

Should Apple Let Competitors Use FaceTime? (cnet.com)

In 2010, Steve Jobs first introduced FaceTime and promised it would become an open industry standard that could be used by Apple's competitors -- not just Apple. Well, eight years later and that still hasn't happened. CNET's Sean Hollister provides a theory as to why that is: There's also an ongoing lawsuit to consider -- as Ars Technica documented in 2013, Apple was forced to majorly change how FaceTime works to avoid infringing on the patents of a company called VirnetX. Instead of letting phones communicate directly with each other, Apple added "relay servers" to help the phones connect. Presumably, someone would have to pay for those servers, and/or figure out a way for them to talk to Google or Microsoft or other third-party servers if FaceTime were going to be truly open. But that doesn't make a broken promise less frustrating. Particularly now that Apple could potentially fix annoying business video calls as well. A Skype-killing video chat service that worked on Mac, iOS *and* Windows, Android and the open web? That's something I bet companies would be happy to pay for, too.

Programming

Apple Deprecates OpenGL and OpenCL in macOS 10.14 Mojave

In macOS 10.14 Mojave, which Apple unveiled on Monday, the company is deprecating OpenGL and OpenCL technologies in its desktop operating system. In an announcement post to developers, the company wrote: Apps built using OpenGL and OpenCL will continue to run in macOS 10.14, but these legacy technologies are deprecated in macOS 10.14. Games and graphics-intensive apps that use OpenGL should now adopt Metal. Similarly, apps that use OpenCL for computational tasks should now adopt Metal and Metal Performance Shaders. PCGamer reports that several developers have expressed disappointment over the decision. AnandTech reports that the company is doing away with OpenGL and OpenCL in iOS and its other operating systems as well.

Facebook

Apple Jams Facebook's Web-Tracking Tools (bbc.com)

The next version of iOS and macOS "will frustrate tools used by Facebook to automatically track web users," reports BBC. At the company's developer conference, Apple's software chief Craig Federighi said, "We're shutting that down," adding that Safari would ask owners' permission before allowing the social network to monitor their activity. BBC reports: At the WWDC conference - held in San Jose, California - Mr Federighi said that Facebook keeps watch over people in ways they might not be aware of. "We've all seen these - these like buttons, and share buttons and these comment fields. "Well it turns out these can be used to track you, whether you click on them or not." He then pointed to an onscreen alert that asked: "Do you want to allow Facebook.com to use cookies and available data while browsing?" "You can decide to keep your information private."

Apple also said that MacOS Mojave would combat a technique called "fingerprinting", in which advertisers try to track users who delete their cookies. The method involves identifying computers by the fonts and plug-ins installed, among other configuration details. To counter this, Apple will present web pages with fewer details about the computer. "As a result your Mac will look more like everyone else's Mac, and it will be dramatically more difficult for data companies to uniquely identify your device," Mr Federighi explained.

Desktops (Apple)

Apple Brings iOS Apps Into Mac, But Won't Merge Platforms (cnet.com)

Stephen Shankland, writing for CNET: With its next-generation MacOS Mojave software, Macs will be able to run some apps written for iPhones and iPads, a big new step in bringing the two technology platforms closer together. Craig Federighi, Apple's senior vice president of software engineering, announced the change Monday at Apple's Worldwide Developer Conference in San Jose. And he said Mojave will include four apps Apple itself brought from its iOS mobile software to MacOS: Home, Stocks, News and Voice Memos. "There are millions of iOS apps out there, and we think some of them would look great on the Mac," Federighi said. For now, it's only Apple that has the ability to move iOS apps to MacOS. But that'll change in 2019.

Operating Systems

Apple Unveils macOS 10.14 Mojave With Dark Mode and Finder Photo Tools (venturebeat.com)

Alongside iOS 12, at its developer conference WWDC on Monday, Apple also unveiled macOS 10.14 -- named "Mojave" -- the upcoming software update for the company's laptop and desktop lineups. The headline feature of macOS 10.14 is dark mode, a feature that people who work during late hours might appreciate. VentureBeat: A new Mojave feature called Dynamic Desktop can subtly change the desktop throughout the day, morning, afternoon, and evening. There's also Desktop Stacks, which can automatically clean up a messy desktop by arranging desktop contents into stacks based on content, date, or tag. Gallery View in the Finder lets you see content in a Photos-like display, including full metadata from cameras that can appear in an optional second sidebar; you can rotate photos and do basic automation of Actions within the Finder. The macOS screenshot creation tool has been expanded, as well, to enable instant creation of screengrabbed videos from current screen content.

Continuity has been expanded with Continuity Camera, leveraging your phone's camera to instantly add photos and scans to programs that request them. It also includes a Mac version of the Apple News aggregation app that debuted on iOS two years ago, including the Stocks feature and new sidebar that were shown off for the updated iPad version of News earlier in the Keynote. Voice Memos is also being brought to the Mac, as is Home, the HomeKit app from iOS. Apple also announced a collection of heightened security features for macOS, including protection by default of camera access, microphone access, your mail database, message history, and other private data.
Apple has also redesigned the App Store, and is bringing favicons to Safari tabs.

Desktops (Apple)

ProtonMail Launches Free ProtonVPN Service For Macs (bleepingcomputer.com)

The creators of the popular encrypted email service ProtonMail have released a free version of their ProtonVPN software for macOS. From a report: Even though the free version does not contain the full features that you would come to expect from a paid VPN service, it is more than capable of obfuscating IP addresses and your location. While ProtonVPN has already released Windows and Android versions, according to Dr. Andy Yen, CEO of ProtonMail, their reason for releasing the free macOS version "is to make the world a safer place by ensuring that citizens around the world have access to an Internet free of spying and censorship. Releasing a free VPN service for macOS is another important step in that direction."

Chrome

Google Chrome 67 Released for Windows, Mac, and Linux (bleepingcomputer.com)

An anonymous reader shares a report: Earlier today, Google released Chrome 67, the latest stable release of its web browser. According to changelogs released with Chrome 67, this version adds support for a Generic Sensors API, improves AR and VR experiences, and deprecates the HTTP-Based Public Key Pinning (HPKP) security feature. Probably the biggest change in Chrome 67 is the addition of the Generic Sensors API. As the name implies, this is an API that exposes data from device sensors to public websites. The new API is based on the Generic Sensor W3C standard. This API is meant primarily for mobile use, and in its current version, websites can use Chrome's Generic Sensors API to access data from a device's accelerometer, gyroscope, orientation and motion sensors. Another API that shipped with Chrome is the WebXR Device API. Developers can use this API to build virtual and augmented reality experiences on Chrome for mobile-based VR headsets like Google Daydream View and Samsung Gear VR, as well as desktop-hosted headsets like Oculus Rift, HTC Vive, and Windows Mixed Reality Headsets.

Encryption

Russia Demands Apple Remove Telegram From Russian App Store (macrumors.com)

The Russian government is asking Apple to help it block Telegram by removing it from the country's App Store. Mac Rumors reports: A Russian court in April ordered carriers and internet providers in the country to block Telegram, after Telegram refused to provide Russia with backdoor access to user messages. Despite issuing the block order back in April, Russia has only been able to disrupt Telegram's operations in the country by 15 to 30 percent. Given the government's inability to block the app, Roskomnadzor, the division of the government that controls media and telecommunications, has demanded that Apple remove the Telegram app from the Russian App Store. The group first asked Apple to remove the app in April, but is appealing to Apple again.

"In order to avoid possible action by Roskomnadzor for violations of the functioning of the above-mentioned Apple Inc. service, we ask you to inform us as soon as possible about your company's further actions to resolve the problematic issue," the regulator wrote. Roskomnadzor has given Apple one month to remove the Telegram app from the App Store. Roskomnadzor's director Alexander Zharov said he did not want to "forecast further actions" should Apple not comply with the request following the 30 day period.

Security

In Apple Mail, There's No Protecting PGP-Encrypted Messages (theintercept.com)

It has been nearly two weeks since researchers unveiled "EFAIL," a set of critical software vulnerabilities that allow encrypted email messages to be stolen from within the inbox. The Intercept reports that developers of email clients and encryption plugins are still scrambling to come up with a permanent fix. From the report: Apple Mail is the email client that comes free with every Mac computer, and an open source project called GPGTools allows Apple Mail to smoothly encrypt and decrypt messages using the 23-year-old PGP standard. The day the EFAIL paper was published, GPGTools instructed users to work around EFAIL by changing a setting in Apple Mail to disable loading remote content. Similarly, the creator of PGP, Phil Zimmermann, co-signed a blog post Thursday stating that EFAIL was "easy to mitigate" by disabling the loading of remote content in GPGTools. But even if you follow this advice and disable remote content, Apple Mail and GPGTools are still vulnerable to EFAIL.

I developed a proof-of-concept exploit that works against Apple Mail and GPGTools even when remote content loading is disabled (German security researcher Hanno Böck also deserves much of the credit for this exploit, more on that below). I have reported the vulnerability to the GPGTools developers, and they are actively working on an update that they plan on releasing soon.

Desktops (Apple)

Razer Slims Down Blade, Debuts MacOS-Compatible eGPU Enclosure (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Today, Razer debuted big updates to its Razer Blade laptop, focusing on design and performance to usher the gaming notebook into 2018. While the new Blade still looks unmistakably "Razer," its design has changed dramatically for the better. Razer upped the screen size from 14 inches to 15.6 inches, reducing the surrounding bezels to just 4.9mm so that the device fits in with the other nearly bezel-less ultrabooks popular today. Razer is offering 1080p 60Hz or 144Hz panels, along with a 4K touchscreen option as well. The larger display panel makes the laptop slightly heavier than its predecessor, and it's a bit wider overall, too (4.7 pounds and 9.3 inches, respectively). However, the slimmer bezels, sharper edges, and aluminum unibody make the new Razer Blade look like a clear upgrade from the previous model.

Another new addition to the Razer lineup is the Core X, a Thunderbolt 3 external graphics enclosure with space for large, three-slot wide graphics cards. The Core X joins the Core V2 graphics enclosure as one of Razer's solutions for gamers who want to add desktop-like graphics power to their laptops -- and it's more affordable than the V2 as well. While it's a bit stockier than Razer's existing enclosure, the Core X has an aluminum body with open vents to properly handle heat, regardless of the task at hand. The Core X connects to a compatible notebook through one Thunderbolt 3 port, providing eGPU access and 100W of power thanks to its 650 ATX power supply. It's both cheaper and seemingly easier to use than the V2, but that comes with some compromises: the Core X doesn't have Chroma lighting, and it lacks USB and Ethernet ports.
Some other specs of the new Blade include an Intel Core i7-8750H processor, Nvidia GTX 1060 or 1070 with Max-Q graphics, up to 32GB of RAM, up to 2TB of PCIe-based SSD, and an 80Whr battery. There are three USB-A 3.1 ports, one proprietary charging port, one Thunderbolt 3 port, a Mini DisplayPort, and an HDMI port.

Businesses

Twitter Is Killing Several of Its TV Apps, Too (techcrunch.com)

Twitter is shutting down its TV apps on Roku, Android TV and Xbox starting on May 24, the company announced this morning. From a report: The news of the apps' closure comes at a time when Twitter is now trying to steer its users to its first-party mobile apps and its desktop website by killing off apps used by a minority of its user base -- like the Twitter for Mac app it shut down earlier this year. And more recently, it has attempted to kill off popular third-party Mac apps with a series of unfriendly API changes.

It's unclear why this has become Twitter's agenda. While it can be a burden for a company to support a broader ecosystem of apps where some only have a niche audience, in some cases those "niche" users are also the most influential and heavy users. And arguably, anyone launching Twitter's app on their TV must be a die-hard user -- because who is really watching that much Twitter on their TV?

Transportation

Tesla's Engineering Chief Takes Leave of Absence (wsj.com)

Tesla's senior vice president of engineering, Doug Field, is taking a leave of absence from the company at a crucial moment when the electric-car maker is struggling to boost production of the Model 3 sedan. While Tesla declined to say when he would come back, one person familiar with the matter described the absence as a "six-week sabbatical." The Wall Street Journal reports: Mr. Field has been a key leader at the Silicon Valley auto maker since joining in 2013 from Apple. He oversees the engineering of Tesla's vehicles, and last year he was also given oversight of production to better align the two efforts. That changed this spring when Chief Executive Elon Musk acknowledged he retook control of production. The Silicon Valley auto maker is at a critical juncture as it tries to produce enough Model 3 cars to generate cash to fund the business and instill confidence in investors that the company can create its first mass-market vehicle.

Tesla has a history of key executives departing on so-called sabbaticals. Jerome Guillen, Tesla's current vice president of truck and programs, for example, took a sabbatical in 2015 from his role as vice president of worldwide sales and service only to return in the new role. He had led development of the Model S sedan. The hiring of Mr. Field from Apple, where he was vice president of Mac hardware engineering, was touted as a win for Mr. Musk, who had big ambitions for the electric-car company. Mr. Field had also worked at Ford and Segway, giving him unique experience in both the tech and auto industries.

Firefox

Firefox Moves Browsers Into Post-Password Future With WebAuthn Tech (cnet.com)

Today, Mozilla released Firefox 60 for Windows, Mac, Linux and Android, and with it arrives the Web Authentication API for desktop browsers. From a report: Firefox 60 supports technology called Web Authentication, or WebAuthn for short, that can be used to grant you access to websites with a physical authentication device like a YubiKey dongle, biometric identity proof using an Android phone's fingerprint reader or the iPhone's Face ID, and some other alternatives to passwords.

Passwords are a particular problem on the web. Fake websites can coax you to type in credentials that then can be used to steal money from your bank account or snoop your email -- a problem called phishing. Even if you pick hard-to-guess passwords, never reuse them on multiple sites and always remember them, passwords still aren't that strong a foundation for security these days. We're still a long way away from a post-password future, but WebAuthn is an important step, if nothing else, in making sites more secure.
