United Kingdom

UK Cyber Security Agency Backs Apple, Amazon China Hack Denials (reuters.com) 56

An anonymous reader quotes a report from Reuters: Britain's national cyber security agency said on Friday it had no reason to doubt the assessments made by Apple and Amazon challenging a Bloomberg report that their systems contained malicious computer chips inserted by Chinese intelligence services. "We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple," said the National Cyber Security Centre, a unit of Britain's eavesdropping agency, GCHQ. AWS refers to Amazon Web Services, the company's cloud-computing unit.

"The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us," it said. Apple's recently retired general counsel, Bruce Sewell, told Reuters he called the FBI's then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer, a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips. "I got on the phone with him personally and said, 'Do you know anything about this?'," Sewell said of his conversation with Baker. "He said, 'I've never heard of this, but give me 24 hours to make sure.' He called me back 24 hours later and said 'Nobody here knows what this story is about.'"
The U.S. Department of Homeland Security said on Saturday that it too had no reason to doubt statements from companies that have denied the Bloomberg report.

"The Department of Homeland Security is aware of the media reports of a technology supply chain compromise," DHS said in a statement. "Like our partners in the UK, the National Cyber Security Center, at this time we have no reason to doubt the statements from the companies named in the story," it said.
Medicine

Stunt Woman Tests Apple Watch With Violent Fake Falls (hothardware.com) 96

It seems like everyone's curious about how the Apple Watch 4 detects falls. The Washington Post reports: In the interest of science, I've tried jumping off ledges and throwing myself onto furniture. The thing never went off. (The feature is on by default only for people older than 65, but I turned mine on.) It's possible, even likely, that the Watch could tell I was faking.

What's important is actual falls, not stunts. Apple says it studied the falls of 2,500 people of varying ages. Yet the company hasn't said how often it catches real falls or sets off false alarms. This isn't like claiming the "best camera ever" on a smartphone -- if Apple wants us to think of its products as life aids, it ought to show us the data. Even better: peer-reviewed studies. Apple's disclaimer says: "Apple Watch cannot detect all falls. The more physically active you are, the more likely you are to trigger Fall Detection due to high impact activity that can appear to be a fall."

But there's now also a new video by the Wall Street Journal that tests the watch's fall-detecting capabilities with a professional stuntwoman. Hot Hardware reports: The Wall Street Journal found that the Apple Watch did a very good job of detecting a serious fall while ignoring insignificant or outright fake falls. The stunt double performed a series of falls that are similar to falls in the slides that Apple showed in its keynote explaining the feature. In the testing, the watch was able to identify those falls and offer to call emergency services.

The most interesting part is that even though the stunt woman pulled some serious fake falls, complete with Hollywood-style tumbling down a hill, the Apple Watch was able to figure out if the fall was fake and didn't offer to call emergency services.

The Journal's reporter credits the watch's gyroscope and accelerometer, which can monitor numerous factors including both speed and wrist trajectory. Their conclusion?

"Turns out the Apple Watch really does know when you're just playing around."
China

Apple Insiders Say Nobody Internally Knows What's Going On With Bloomberg's China Hack Story (buzzfeednews.com) 176

An anonymous reader quotes a report from BuzzFeed News: Multiple senior Apple executives, speaking with BuzzFeed News on the condition of anonymity so that they could speak freely, all denied and expressed confusion with a report earlier this week that the company's servers had been compromised by a Chinese intelligence operation. On Thursday morning, Bloomberg Businessweek published a bombshell investigation. The report -- the result of more than a year of reporting and over 100 interviews with intelligence and company sources -- alleged that Chinese spies compromised and infiltrated almost 30 U.S. companies including Apple and Amazon by embedding a tiny microchip inside company servers. Both Amazon and Apple issued uncharacteristically strong and detailed denials of Bloomberg's claims.

Reached by BuzzFeed News, multiple Apple sources -- three of them very senior executives who work on the security and legal teams -- said that they are at a loss as to how to explain the allegations. These people described a massive, granular, and siloed investigation into not just the claims made in the story, but into unrelated incidents that might have inspired them. A senior security engineer directly involved in Apple's internal investigation described it as "endoscopic," noting they had never seen a chip like the one described in the story, let alone found one. "I don't know if something like this even exists," this person said, noting that Apple was not provided with a malicious chip or motherboard to examine. "We were given nothing. No hardware. No chips. No emails." Equally puzzling to Apple execs is the assertion that it was party to an FBI investigation -- Bloomberg wrote that Apple "reported the incident to the FBI." A senior Apple legal official told BuzzFeed News the company had not contacted the FBI, nor had it been contacted by the FBI, the CIA, the NSA or any government agency in regards to the incidents described in the Bloomberg report. This person's purview and responsibilities are of such a high level that it's unlikely they would not have been aware of government outreach.

Businesses

Bloomberg's Spy Chip Story Reveals the Murky World of National Security Reporting (techcrunch.com) 67

TechCrunch's security editor, Zack Whittaker, analyzes Bloomberg's recent report that China infiltrated Apple, Amazon and others via a tiny microchip inserted into servers at the data centers associated with these companies. With Apple and Amazon refuting Bloomberg's claims, Whittaker talks about the "murky world of national security reporting" and the difficulties of reporting stories of this magnitude with anonymous sources. An anonymous reader shares an excerpt from his report: Today's bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary or it's not, and a lot of people screwed up. Welcome to the murky world of national security reporting. I've covered cybersecurity and national security for about five years, most recently at CBS, where I reported exclusively on several stories -- including the U.S. government's covert efforts to force tech companies to hand over their source code in an effort to find vulnerabilities and conduct surveillance. And last year I revealed that the National Security Agency had its fifth data breach in as many years, and classified documents showed that a government data collection program was far wider than first thought and was collecting data on U.S. citizens. Even with this story, my gut is mixed.

Naturally, people are skeptical of this "spy chip" story. On one side you have Bloomberg's decades-long stellar reputation and reporting acumen, a thoroughly researched story citing more than a dozen sources -- some inside the government and out -- and presenting enough evidence to present a convincing case. On the other, the sources are anonymous -- likely because the information they shared wasn't theirs to share or it was classified, putting sources in risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say "a source familiar with the matter" because it weakens the story. It's the reason reporters will tag names to spokespeople or officials so that it holds the powers accountable for their words. And, the denials from the companies themselves -- though transparently published in full by Bloomberg -- are not bulletproof in outright rejection of the story's claims. These statements go through legal counsel and are subject to government regulation. These statements become a counterbalance -- turning the story from an evidence-based report into a "he said, she said" situation. That puts the onus on the reader to judge Bloomberg's reporting. Reporters can publish the truth all they want, but ultimately it's down to the reader to believe it or not.
Whittaker ends by saying "Bloomberg's delivery could have been better," and that they "missed an opportunity to be more open and transparent in how it came to the conclusions that it did."

"Journalism isn't proprietary," Whittaker writes. "It should be open to as many people as possible. If you're not transparent in how you report things, you lose readers' trust. That's where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you -- and I -- have to put a lot of trust and faith in Bloomberg and its reporters."
Security

The Software Side of China's Supply Chain Attack (bloomberg.com) 63

Bloomberg BusinessWeek published a story on Thursday which claimed that data center equipment run by Amazon Web Services and Apple was subject to surveillance from the Chinese government via a tiny microchip inserted during the equipment manufacturing process. Both Amazon and Apple have vehemently refuted Bloomberg's reporting. Bloomberg's reporters, who have spent more than a year on the story and have cited 17 sources for the claims they make in it, have doubled down. In a new story, the news outlet reports that Supermicro was the target of at least two additional forms of attack. The report claims that Facebook was aware of these attacks, too, which Facebook has confirmed. From the story: The first of the other two prongs involved a Supermicro online portal that customers used to get critical software updates, and that was breached by China-based attackers in 2015. The problem, which was never made public, was identified after at least two Supermicro customers downloaded firmware -- software installed in hardware components -- meant to update their motherboards' network cards, key components that control communications between servers running in a data center. The code had been altered, allowing the attackers to secretly take over a server's communications, according to samples passed around at the time among a small group of Supermicro customers. One of these customers was Facebook.

"In 2015, we were made aware of malicious manipulation of software related to Supermicro hardware from industry partners through our threat intelligence industry sharing programs," Facebook said in an emailed statement. "While Facebook has purchased a limited number of Supermicro hardware for testing purposes confined to our labs, our investigations reveal that it has not been used in production, and we are in the process of removing them." The victims considered the faulty code a serious breach.
Further reading: Bloomberg's spy chip story reveals the murky world of national security reporting.
Portables (Apple)

Apple's New Proprietary Software Locks Kill Independent Repair On New MacBook Pros (vice.com) 442

An anonymous reader quotes a report from Motherboard: Apple has introduced software locks that will effectively prevent independent and third-party repair on 2018 MacBook Pro computers, according to internal Apple documents obtained by Motherboard. The new system will render the computer "inoperative" unless a proprietary Apple "system configuration" software is run after parts of the system are replaced. According to the document, which was distributed to Apple's Authorized Service Providers late last month, this policy will apply to all Apple computers with the "T2" security chip, which is present in 2018 MacBook Pros as well as the iMac Pro. The software lock will kick in for any repair which involves replacing a MacBook Pro's display assembly, logic board, top case (the keyboard, touchpad, and internal housing), and Touch ID board. On iMac Pros, it will kick in if the Logic Board or flash storage are replaced. The computer will only begin functioning again after Apple or a member of one of Apple's Authorized Service Provider repair program runs diagnostic software called Apple Service Toolkit 2.
Businesses

Apple CEO Tim Cook Says Giving Up Your Data For Better Services is 'a Bunch of Bunk' (washingtonpost.com) 118

Apple chief executive Tim Cook urged consumers not to believe the dominant tech industry narrative that the data collected about them will lead to better services. From a report: In an interview with "Vice News Tonight" that aired Tuesday, Cook highlighted his company's commitment to user privacy, positioning Apple's business as one that stands apart from tech giants that compile massive amounts of personal data and sell the ability to target users through advertising [The link may be paywalled; alternative source]. "The narrative that some companies will try to get you to believe is: I've got to take all of our data to make my service better," he said. "Well, don't believe them. Whoever's telling you that, it's a bunch of bunk." [...] Cook said in the interview that he is "exceedingly optimistic" that the topic of data privacy has reached an elevated level of public debate. "When the free market doesn't produce a result that's great for society you have to ask yourself what do we need to do. And I think some level of government regulation is important to come out on that."
Security

China Infiltrated Apple, Amazon and Other US Companies Using Spy Chips on Servers, According To Bloomberg; Apple, and Amazon, Among Others Refute the Report (bloomberg.com) 369

Data center equipment run by Amazon Web Services and Apple was subject to surveillance from the Chinese government via a tiny microchip inserted during the equipment manufacturing process, Bloomberg BusinessWeek reported Thursday, citing 17 people at Apple, Amazon, and U.S. government security officials, among others. The compromised chips in question came from a server company called Supermicro that assembled machines used in the centers, the report added. The scrutiny of these chips, which were used for gathering intellectual property and trade secrets from American companies, has also been the subject of an ongoing top secret U.S. government investigation, which started in 2015, the news outlet reported. Amazon, which runs AWS, Apple, and Supermicro have disputed summaries of Bloomberg BusinessWeek's reporting.

The report states that Amazon became aware of Supermicro's tiny microchip nested on the server motherboards of Elemental Technologies, a Portland, Oregon-based company, as part of due diligence ahead of acquiring the company in 2015. Amazon acquired Elemental as it prepared to use its technologies for what is now known as Prime Video, its video streaming service. The report adds that Amazon informed the FBI of its findings. From the report: One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world's most valuable company, Apple. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons. [...] [Update: Some counterpoint: According to an earlier report by The Information, security concerns were indeed a reason why Apple and Supermicro parted ways.] A U.S. official says the government's probe is still examining whether spies were planted inside Supermicro or other American companies to aid the attack. Some background on Supermicro, courtesy of Bloomberg: Today, Supermicro sells more server motherboards than almost anyone else. It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards -- its core product -- are nearly all manufactured by contractors in China.
The company's pitch to customers hinges on unmatched customization, made possible by hundreds of full-time engineers and a catalog encompassing more than 600 designs. Further reading: Amazon Offloaded Its Chinese Server Business Because it Was Compromised, Report Says.
Security

Some Apple Laptops Shipped With Intel Chips In 'Manufacturing Mode' (zdnet.com) 36

An anonymous reader writes: Apple has quietly fixed a security issue affecting some laptops that shipped with Intel chips that were mistakenly left configured into "manufacturing mode." The issue was discovered by two security researchers bug hunting for security flaws in Intel's Management Engine. While digging around through the tens of ME configuration options, the two spotted a feature that they believed could lead to problems, if left enabled by accident on Intel chips.

The configuration they eyed was named Manufacturing Mode, and it's an Intel ME option that desktop, server, laptop, or mobile OEMs can enable for Intel chips and use it for testing ME's remote management features. As the name implies, this configuration option should be enabled only on manufacturing lines to enable automated configuration and testing operations, but disabled before shipping the end product. Leaving an Intel ME chip in Manufacturing Mode allows attackers to change ME settings and disable security controls, opening a chip for other attacks.

The two researchers said they only tested Lenovo and Apple laptops for the presence of Intel ME chips in Manufacturing Mode. Other laptops or computers may also be affected. Instructions on how to spot Intel ME chips in Manufacturing Mode and how to disable it are available here. Apple fixed the issue in June, with the release of macOS High Sierra 10.13.5, and Security Update 2018-003 for macOS Sierra and El Capitan.

Transportation

Ex-Apple Engineers Unveil a Next-Generation Sensor For Self-Driving Cars (theverge.com) 32

An anonymous reader quotes a report from The Verge: Aeva, a Mountain View, California-based startup founded only just last year, has built what its two co-founders claim is a next-generation version of LIDAR, the 3D mapping technology that has become instrumental for how self-driving cars measure the distance of objects and effectively see the road in front of them. And today, the company is officially unveiling its product, a tiny box that can more directly measure objects in a given scene and the distance and velocity of those objects relative to one another.

Aeva's technology is able to separate objects based on distance and whether the object is moving away from or toward it. It's also able to measure the velocity of the object, which enables the software to predict where cars and pedestrians are going. The company even says its sensing system is capable of completely shutting out interference from other, similar sensors -- including those from other companies -- and operating in all weather conditions and in the dark, thanks to a reflectivity sensor. Not only is Aeva's version of LIDAR superior to the variety found in most self-driving test vehicles on the road today, the company says, but the lightweight, low-power box it's housed in also contains all the other types of sensors and cameras necessary for an autonomous vehicle to see and make sense of every component within its field of vision.
Aeva's new system sounds a lot more promising when you consider the company's co-founders, Soroush Salehian and his business partner Mina Rezk, are former Apple engineers who both worked on Apple's "Special Projects" team. Although they will not say so, they likely helped progress the company's secretive autonomous car division. The Verge notes that Salehian also "worked on developing the first Apple Watch and the iPhone 6, while Rezk is a veteran of Nikon where he worked on optical hardware."
Programming

Former Students Say Steve Wozniak's $13,200 Coding Bootcamp Is 'Broken' and Sometimes Links To Wikipedia (9to5mac.com) 135

Last year, Apple co-founder Steve Wozniak announced a coding program called Woz U that's designed with the goal of offering an affordable education. "Our goal is to educate and train people in employable digital skills without putting them into years of debt," Wozniak said last fall. "People often are afraid to choose a technology-based career because they think they can't do it. I know they can, and I want to show them how."

Now that a round of students have been through the 33-week program, a number of problems have appeared. Former student Bill Duerr called the program "broken," saying that "lots of times there's just hyperlinks to Microsoft documents, to Wikipedia." 9to5Mac reports: "Duerr said typos in course content were one of many problems. So-called 'live lectures' were pre-recorded and out of date, student mentors were unqualified, and at one point, one of his courses didn't even have an instructor," reports CBS. CBS heard from over 24 current and former students and employees that reiterated Duerr's experiences. Instead of a quality program, Duerr said Woz U was comparable to an ultra expensive e-book: "'I feel like this is a $13,000 e-book,' Duerr said. While it was supposed to be a program written by one of the greatest tech minds of all time, 'it's broken, it's not working in places, lots of times there's just hyperlinks to Microsoft documents, to Wikipedia,' he said."

A former Woz U enrollment counselor said that at times he had to do things that didn't feel right: "Asked whether he regrets working for Woz U, Mionske said, 'I regret in the aspect to where they're spending this money for, it's like rolling the dice. [...] But on the reverse side, I have to support my family.'"
According to Business Insider, Steve Wozniak said that he's "not involved" in the "operational aspects" of Woz U and doesn't know anything about the report this morning.
Iphone

Some iPhone XS, XS Max Devices Are Experiencing Charging Issues (theverge.com) 50

Poor cellular reception doesn't appear to be the only issue affecting some new iPhone XS and XS Max owners. "Dozens of users have reported charging issues with their iPhone XS and XS Max devices, and shared their experiences on the MacRumors forums and Apple's support forums," reports The Verge. From the report: Specifically, users are experiencing issues where phones will not charge if the Lightning cable is plugged in while the device is asleep. The problem appears to be a software bug -- perhaps related to the phone's USB accessory settings -- and requires iPhones to be unlocked (or at least have the screen lit up) in order to begin charging. Tech vlogger Lewis Hilsenteger demonstrated the issues on nine different iPhone X, XS, and XS Max devices on his YouTube channel Unbox Therapy. Some iPhones respond immediately to being plugged into a charger, while others have to be tapped to awaken, and others freeze up. If you are experiencing this issue, you should find relief by upgrading to the iOS 12.1 beta, which apparently eliminates the problem entirely. "For now, others suggest going into Settings, FaceID and Passcode, scrolling down to 'Allow access when locked' and turning on USB Accessories," reports The Verge.
Programming

Apple Watch Apps Instantly Went 64-Bit Thanks To Obscure Bitcode Option (venturebeat.com) 149

Jeremy Horwitz, writing for VentureBeat: An obscure feature in Apple's Xcode development software enabled Apple Watch apps to make an instant transition from 32-bit to 64-bit last month, an unheralded win for Apple Watch developers inside and outside the company. The "Enable Bitcode" feature was introduced to developers three years ago, but the Accidental Tech Podcast suggests that it was quietly responsible for the smooth launch of software for the Apple Watch Series 4 last month.

Support for Bitcode was originally added to Xcode 7 in November 2015, subsequently becoming optional for iOS apps but mandatory for watchOS and tvOS apps. Bitcode is an "intermediate representation" halfway between human-written app code and machine code. Rather than the developer sending a completely compiled app to the App Store, enabling Bitcode provides Apple with a partially compiled app that it can then finish compiling for whatever processors it wants to support.
The report suggests that this change allowed Apple to avoid the great "appocalypse" which occurred when it decided to kill support for 32-bit apps on iOS.
Iphone

FBI Forced Suspect To Unlock His iPhone X Through Face ID (engadget.com) 238

In what may be a world first, the FBI has forced a suspect to unlock his iPhone X using Apple's Face ID feature. From a report: Agents in Columbus, Ohio entered the home of 28-year-old Grant Michalski, who was suspected of child abuse, according to court documents spotted by Forbes. With a search warrant in hand, they forced him to put his face in front of the device to unlock it. They were then able to freely search for his photos, chats and any other potential evidence. The FBI started investigating Michalski after discovering his ad on Craigslist titled "taboo." Later, they discovered emails in which he discussed incest and sex with minors with another defendant, William Weekly.
Desktops (Apple)

FBI Solves Mystery Surrounding 15-Year-Old Fruitfly Mac Malware Which Was Used By a Man To Watch Victims Via their Webcams, and Listen in On Conversations (zdnet.com) 111

The FBI has solved the final mystery surrounding a strain of Mac malware that was used by an Ohio man to spy on people for 14 years. From a report: The man, 28-year-old Phillip Durachinsky, was arrested in January 2017, and charged a year later, in January 2018. US authorities say he created the Fruitfly Mac malware (Quimitchin by some AV vendors) back in 2003 and used it until 2017 to infect victims and take control of their Mac computers to steal files, keyboard strokes, watch victims via the webcam, and listen in on conversations via the microphone. Court documents reveal Durachinsky wasn't particularly interested in financial crime but was primarily focused on watching victims, having collected millions of images on his computer, including many of underage children. Durachinsky created the malware when he was only 14, and used it for the next 14 years without Mac antivirus programs ever detecting it on victims' computers. [...]

Describing the Fruitfly/Quimitchin malware, the FBI said the following: "The attack vector included the scanning and identification of externally facing services, to include the Apple Filing Protocol (AFP, port 548), RDP or other VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from third party data breaches." In other words, Durachinsky had used a technique known as port scanning to identify internet or network-connected Macs that were exposing remote access ports with weak or no passwords.

Apple

Apple Went Rotten After Steve Jobs' Death, Former Engineer Claims (siliconvalley.com) 182

An anonymous reader quotes the Bay Area News Group: Apple turned against customers and its own employees after the death of co-founder and CEO Steve Jobs, a fired Apple engineer claims in a lawsuit. "No corporate responsibility exists at Apple since Mr. Jobs' death," Darren Eastman alleged in a lawsuit over his termination and patents related to his work at the Cupertino tech giant... Eastman, who is representing himself in court, started working as an engineer for Apple in 2006, largely because Jobs was interested in his idea for a low-cost Mac for education, and wanted him hired straight out of graduate school, Eastman said in the filing. Eastman claims to have invented the "Find my iPhone" function. When Jobs headed Apple, he told Eastman to notify him of any unresolved problems with the company's products, and employees in general were expected to raise such concerns, Eastman said in a lawsuit filed Thursday in Santa Clara County Superior Court.

That changed after Jobs died in 2011, he claimed. "Many talented employees who've given part of their life for Apple were now regularly being disciplined and terminated for reporting issues they were expected to (report) during Mr. Jobs tenure," Eastman alleged in the filing. "Cronyism and a dedicated effort to ignore quality issues in current and future products became the most important projects to perpetuate the goal of ignoring the law and minimizing tax. Complying with the law and paying what's honestly required is taboo at Apple, with judicial orders and paying tax (of any kind) representing the principal frustration of Apple's executives... Notifying Mr. Cook about issues (previously welcomed by Mr. Jobs) produces either no response, or, a threatening one later by your direct manager," Eastman claimed.... "There's no accountability, with attempts at doing the right thing met with swift retaliation."

Eastman even claims one Apple employee was fired for reporting toxic mold in the building, and alleges that employees were intentionally fired just before their stock options were vesting. In fact, his entire lawsuit is over just $165,000 worth of Apple common stock, plus $326,400 in damages, $32,640 in interest -- and resolution of an alleged patent-ownership issue.

Apple "declined to comment on the claims made in the lawsuit."
Apple

Apple Watch's Fall Detection Could Get Users Into Legal Trouble (arstechnica.com) 125

AmiMoJo writes: Apple has released more details about how the Watch 4 will contact emergency services if the watch detects that you've had a hard fall. If the watch detects that the wearer is "immobile for about a minute," it begins a 15-second countdown. After that, the Watch will contact emergency services.

Elizabeth Joh, a law professor at the University of California, Davis, was quick to point out that, by inviting the police into your home, Apple Watch wearers may be opening themselves up to criminal liability. If police are alerted by an Apple Watch of a possible injury, they do not need a warrant to enter a home under the "community caretaking" exception to the Fourth Amendment.

Any evidence of a crime in plain view (e.g. a joint) could land the owner in trouble.

The article notes the "(mostly) opt-in nature" of the service, though one New York-based criminal defense attorney had an even better idea.

He said he "would much prefer a feature that can automatically dial a user-determined contact."
Google

Apple Demands $9 Billion From Google For Default Search On iOS (neowin.net) 122

A new report from Goldman Sachs analyst Rod Hall suggests that Apple may be demanding $9 billion from Google to have its search engine as the default in Safari on iOS. This is a steep increase from last year's estimated $3 billion licensing costs and $1 billion licensing costs in 2014. Hall suggests that Apple may even increase the costs to $12 billion in 2019. Neowin reports: It's unclear if Google's supplanting Microsoft as the default search provider for Siri and Spotlight last year is responsible for the purported price hike from Apple, though it may, at least partially, explain the sudden jump. The other explanation could be that previous estimates of the value of the agreement between the two tech giants were undervalued, given that apart from the $1 billion figure from 2014, we don't really have any hard evidence pertaining to the actual sum of these payments. Hall does indicate that "Apple is one of the biggest channels of traffic acquisition for Google" and despite the high cost, it is quite likely that Google will agree to pay the increased sum.
Desktops (Apple)

An Ex-NSA Hacker Who Has Organized the First-Ever Mac Security Conference (vice.com) 46

Motherboard's Lorenzo Franceschi-Bicchierai spoke with Patrick Wardle, the ex-NSA hacker who's organizing a security conference exclusively dedicated to Macs. Despite what Apple famously promoted in the mid-2000s, that Macs don't get "PC viruses," Mac computers do in fact have bugs, vulnerabilities, and even malware targeted at them. From the report: "People are peeking behind the curtain and realizing that the facade of Mac security is not always what it's cracked to be," Wardle told Motherboard in a phone interview. "Any company that designs software is going to have issues -- but Apple has perfected the art of a flawless public facade that masks many security issues." Wardle would know. After hacking primarily Windows computers at Fort Meade, for the last few years Wardle has been finding several issues in MacOS, so many that he considers himself a "thorn" on Apple's side. But his conference is not an exercise in shaming or finger pointing, Wardle said he hopes to educate and teach people about Mac security, especially now that so many companies are using Macs as their corporate computers.

The conference is called Objective By the Sea, a wordplay on Objective-See, the name of Wardle's suite of free Mac security products (which is itself a wordplay on Apple's main programming language called Objective-C.) It will be held in Maui, Hawaii on November 3 and 4. The conference will be free for residents of Hawaii, and for patrons of Objective-See. That's why Wardle said he can't afford to pay for all speakers to attend, but he had no trouble finding people who wanted to participate. One group that doesn't want to come to Maui, at least for now, is Apple. Wardle said he reached out to the company, essentially offering it carte blanche to talk about whatever it wanted. But the company, so far, has not responded, according to him.

Iphone

iPhone XS Passcode Bypass Hack Exposes Contacts, Photos (threatpost.com) 23

secwatcher shares a report from Threatpost: A passcode bypass vulnerability in Apple's new iOS version 12 could allow an attacker to access photos and contacts (including phone numbers and emails) on a locked iPhone. The hack allows someone with physical access to a vulnerable iPhone to sidestep the passcode authorization screen on iPhones running Apple's latest iOS 12 beta and iOS 12 operating systems. Threatpost was tipped off to the bypass by Jose Rodriguez, who describes himself as an Apple enthusiast and "office clerk" based in Spain who has also found previous iPhone hacks.

Rodriguez posted a video of the bypass on his YouTube channel under the YouTube account Videosdebarraquito, where he walks viewers through a complicated 37-step bypass process in Spanish. Threatpost has independently confirmed that the bypass works on a number of different iPhone models including Apple's newest model iPhone XS. The process involves tricking Siri and Apple's accessibility feature in iOS called VoiceOver to sidestep the device's passcode. The attack works provided the attacker has physical access to a device that has Siri enabled and Face ID either turned off or physically covered (by tape, for instance).
