Iphone

Inside a Phishing Gang That Targets Victims of iPhone Theft (krebsonsecurity.com) 15

tsu doh nimh writes: Brian Krebs has a readable and ironic story about a phishing-as-a-service product that iPhone thieves can use to phish the Apple iCloud credentials from people who have recently had an iPhone lost or stolen. The phishing service -- which charged as much as $120 for successful phishing attempts targeting iPhone 6s users -- was poorly secured, and a security professional that Krebs worked with managed to guess several passwords for users on the service. From there, the story looks at how this phishing service works, how it tracks victims, and ultimately how one of its core resellers phished his own iCloud account and inadvertently gave his exact location as a result. An excerpt from the report via Krebs On Security: "Victims of iPhone theft can use the Find My iPhone feature to remotely locate, lock or erase their iPhone -- just by visiting Apple's site and entering their iCloud username and password. Likewise, an iPhone thief can use those iCloud credentials to remotely unlock the victim's stolen iPhone, wipe the device, and resell it. As a result, iPhone thieves often subcontract the theft of those credentials to third-party iCloud phishing services. This story is about one of those services..."
The Almighty Buck

Apple Found Guilty of Russian Price-Fixing (bbc.com) 49

An anonymous reader shares a BBC report: Russia's competition watchdog has found that Apple fixed the prices of certain iPhone models sold in the country. The Federal Anti-Monopoly Service (Fas) said that Apple's local subsidiary told 16 retailers to maintain the recommended prices of phones in the iPhone 5 and iPhone 6 families. Non-compliance with the pricing guidelines may have led to the termination of contracts, it found. At the time of the investigation, Apple denied that it controlled its products' pricing, telling Reuters that resellers "set their own prices for the Apple products they sell in Russia and around the world." The regulator said Apple had now ended its price-fixing practices but has not said whether the company faces a fine. The FAS claimed that Apple Rus monitored the retail prices for the iPhone 5c, 5s, 6, 6 Plus, 6s and 6s Plus.
Android

Kickstarter Campaign Aims To Add a Full Android Device To the Back of Your iPhone (macrumors.com) 158

A new Kickstarter campaign aims to expand the iPhone's functionality with its "Eye Smart iPhone Case," which features a fully functional Android device built into the case itself. The campaign was launched on March 1 and has already raised over $100,000. Mac Rumors reports: An always-on 5-inch AMOLED display is built into the case, which runs the Android 7.1 Nougat operating system. The case connects to the iPhone using its Lightning port to enable file transfers, power delivery, and more. A microSD card slot provides up to 256GB of storage for holding photos, videos, and other media, all of which is accessible using the Android file explorer. A built-in 2,800 mAh battery provides additional charge to the iPhone, and the Eye case itself supports Qi wireless charging. Two SIM card slots are included, and higher-end models support 4G LTE connectivity, so up to three phone numbers can be used with an iPhone. Android exclusive features, like native call recording, the file explorer, customization, file transfers, and Android apps are all made available to iPhone users via the Eye case. A 3.5mm headphone jack lets iPhone owners with an iPhone 7 or an iPhone 7 Plus use wired headphones with the device, and the Eye case includes NFC, an IR blaster and receiver for controlling TVs and other devices, and a car mount. It's available for the iPhone 6 and later, and will allegedly be available for the new wave of iPhones coming in 2017 within a month of their release. The Smart iPhone Case is available for a Super early bird pledge of $95, with prices going up for 4G connectivity. The estimated retail price is between $189 and $229.
Government

Apple, Amazon, and Microsoft Are Helping Google Fight an Order To Hand Over Foreign Emails (businessinsider.com) 67

Apple, Microsoft, Amazon, and Cisco have filed an amicus brief in support of Google, after a Pennsylvania court ruled that the company had to hand over emails stored overseas in response to an FBI warrant. From a report: An amicus brief is filed by people or companies who have an interest in the case, but aren't directly involved. In this case, it's in Silicon Valley's interest to keep US law enforcement from accessing customer data stored outside the US. It isn't clear what data Google might have to hand over and, last month, the company said it would fight the order. In the brief, the companies argue: "When a warrant seeks email content from a foreign data center, that invasion of privacy occurs outside the United States -- in the place where the customers' private communications are stored, and where they are accessed, and copied for the benefit of law enforcement, without the customer's consent."
Intel

Intel Security Releases Detection Tool For EFI Rootkits After CIA Leak (pcworld.com) 159

After WikiLeaks revealed data exposing information about the CIA's arsenal of hacking tools, Intel Security has released a tool that allows users to check if their computer's low-level system firmware has been modified and contains unauthorized code. PCWorld reports: The release comes after CIA documents leaked Tuesday revealed that the agency has developed EFI (Extensible Firmware Interface) rootkits for Apple's Macbooks. The documents from CIA's Embedded Development Branch (EDB) mention an OS X "implant" called DerStarke that includes a kernel code injection module dubbed Bokor and an EFI persistence module called DarkMatter. In addition to DarkMatter, there is a second project in the CIA EDB documents called QuarkMatter that is also described as a "Mac OS X EFI implant which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant." The Advanced Threat Research team at Intel Security has created a new module for its existing CHIPSEC open-source framework to detect rogue EFI binaries. CHIPSEC consists of a set of command-line tools that use low-level interfaces to analyze a system's hardware, firmware, and platform components. It can be run from Windows, Linux, macOS, and even from an EFI shell. The new CHIPSEC module allows the user to take a clean EFI image from the computer manufacturer, extract its contents and build a whitelist of the binary files inside. It can then compare that list against the system's current EFI or against an EFI image previously extracted from a system.
Desktops (Apple)

MAC Address Randomization Flaws Leave Android and iOS Phones Open To Tracking (theregister.co.uk) 56

New submitter cryptizard writes: Modern Android and iOS versions include a technology called MAC address randomization to prevent passive tracking of users as they move from location to location. Unfortunately, researchers have revealed that this technology is implemented sporadically by device manufacturers and is often deployed with significant flaws that allow it to be easily defeated. A research paper [published by U.S. Naval Academy researchers] highlights a number of flaws in both Android and iOS that allow an adversary to track users even when their phones are using randomized MAC addresses. Most significantly, they demonstrate that a flaw in the way wireless chipsets handle low-level control messages can be exploited to track 100% of devices, regardless of manufacturer or operating system.
Operating Systems

Apple Says It's Already Fixed Many WikiLeaks Security Issues (usatoday.com) 109

An anonymous reader quotes a report from USA Today: Apple says many of the vulnerabilities to its devices and software that came to light in WikiLeaks' revelations of CIA cyber weapons were already fixed in its latest updates. Late Tuesday, Apple emailed the following statement to USA TODAY: "Apple is deeply committed to safeguarding our customers' privacy and security. The technology built into today's iPhone represents the best data security available to consumers, and we're constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest OS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates." For its part, Samsung emailed its own statement Wednesday: "Protecting consumers' privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter."
Businesses

Tech's Ruling Class Casts a Big Shadow (theverge.com) 74

Veteran technology columnist Walt Mossberg believes that Google, Apple, Microsoft, Amazon, and Facebook -- or the Gang of Five, as he likes to call them -- are casting a big shadow over how today's startups are fostered, a phenomenon he believes will continue to happen over the years to come. From his column for The Verge: What we have now in consumer tech, in 2017, is an oligopoly, at least superficially similar to the old industrial-era American corporate groups that once dominated key industries. I think that their enduring and growing power casts a shadow over the Silicon Valley legend that there are lots of great new consumer tech innovations being incubated right now in garages or dorm rooms somewhere that will be taken all the way to becoming great companies, the way each of the Gang of Five was. What I fear is more likely to happen to any such startup is that, if they're good, they get acquired by a member of the Gang, or that their idea is turned into a feature for one of the Gang's products. And, even if that never happens and a startup thrives, too often it can only thrive by being successful on a platform controlled by one or more Gang members, with the big guy maybe taking a cut. For instance, Snap, the parent company of Snapchat, which went public last week, famously spurned a $3 billion takeover offer from Gang member Facebook in 2013. But it depends for its very operation on the cloud services of Google and on the mobile app platforms of Apple and Google. And plenty of other companies which either presented threats or opportunities to the Gang have been snapped up by them. Each of the five companies actively scoops up numerous smaller companies every year, in many cases just for their talent and / or patents. In fact, I'd be amazed if there weren't plenty of startups whose main goal is to be purchased by the Gang.
Businesses

Big Tech Lobbying Is On the Verge of Killing Right To Repair Legislation In Minnesota (vice.com) 136

Jason Koebler, writing for Motherboard: Statehouse employees in Minnesota say that lobbying efforts by big tech companies and John Deere are on the verge of killing right to repair legislation in the state that would have made it easier for consumers and small businesses to fix their electronics. According to two of the bill's sponsors, the bill, which would have introduced "fair repair" requirements for manufacturers in the state, will not get a hearing that's necessary to move the legislation forward. Minnesota Senate rules automatically kill any bills that do not have a hearing scheduled by a certain date (this year, it's March 10). Last year, tech industry lobbying killed a similar bill in New York. "Unfortunately, it's not going to make deadline this session," Republican Sen. David Osmek, one of the sponsors, told me in an email. Osmek would not give additional specifics about his colleagues' concerns with the bill, but a legislative assistant for the bill's other sponsor told me that electronic manufacturer lobbying is likely to blame, while another source close to the legislature told me that tractor manufacturer John Deere -- a long time enemy of fair repair -- helped kill the bill as well.
Apple

Apple Begins Rejecting Apps With 'Hot Code Push' Feature (apple.com) 149

Apple has long permitted "hot code push", a feature that allows developers to continuously deploy changes to their mobile apps and have those changes reflect in their apps instantly. This allowed developers to make quick changes to their apps without having to resubmit the new iteration and get approval from the Apple Store review team. But that's changing now. In response to a developer's query, Apple confirmed that it no longer permits "hot code push." The company told the developer: Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app's behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app's behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.
Spam

Exploit that Caused iPhones To Repeatedly Dial 911 Reveals Grave Cybersecurity Threat, Say Experts (9to5mac.com) 71

Ben Lovejoy, writing for 9to5Mac: We reported back in October on an iOS exploit that caused iPhones to repeatedly dial 911 without user intervention. It was said then that the volume of calls meant one 911 center was in 'immediate danger' of losing service, while two other centers had been at risk -- but a full investigation has now concluded that the incident was much more serious than it appeared at the time. It was initially thought that a few hundred calls were generated in a short time, but investigators now believe that one tweeted link that activated the exploit was clicked on 117,502 times, each click triggering a 911 call. The WSJ reports that law-enforcement officials and 911 experts fear that a targeted attack using the same technique could prove devastating. Of the 6,500 911 call centers nationwide, just 420 are believed to have implemented a cybersecurity program designed to protect them from this kind of attack.
Businesses

Apple Cracks Down Further On Cobalt Supplier in Congo as Child Labor Persists (washingtonpost.com) 86

Last year, a Washington Post investigation found several instances of miners -- including children -- laboring in hazardous, even deadly, conditions at Congo's artisanal cobalt supply chain. Amnesty International and other human rights groups also have alleged problems. Earlier this week, British broadcaster Sky News published an investigation that alleged continued problems in the cobalt supply chain. The Washington Post now reports: Apple said it has temporarily stopped buying cobalt mined by hand in Congo while it continues to deal with problems with child labor and harsh work conditions. The Post connected this troubling trade to Zhejiang Huayou Cobalt Company, a Chinese firm that is the largest buyer of artisanal cobalt in Congo and whose minerals are used in Apple products. Last year, Apple pledged to clean up its cobalt supply chain, but the tech giant said it wanted to avoid hurting the Congolese miners by cutting them off. Mining provides vital income for hundreds of thousands of people in one of the poorest countries in the world. Now, Apple says it has stopped -- for now -- buying cobalt from artisanal mines (Editor's note: the link could be paywalled; alternate source). "We have been working with Huayou on a program that will verify individual artisanal mines, according to our standards," Apple said in a statement, "and these mines will re-enter our supply chain when we are confident that the appropriate protections are in place."
Businesses

Apple Is Expanding Its War With Qualcomm (fortune.com) 21

Apple has opened a new front in its global patent war with Qualcomm. From a report: The Cupertino, Calif.-based company has sued Qualcomm in a U.K. court, accusing the chipmaker of violating patents and design concepts Apple owns. Details on exactly which patents Qualcomm has violated and why Apple believes Qualcomm has violated the patents were not disclosed in the public court records, according to Bloomberg, which earlier reported on the lawsuit. The lawsuit is the latest in a string of disputes Apple and Qualcomm have engaged in around the world. The main dispute resides in the U.S., where Apple has accused Qualcomm of using its position as a prominent chipmaker to hurt competition in the mobile marketplace. Apple, which has used Qualcomm chips for its iPhone's wireless connectivity, claims Qualcomm owes the company $1 billion in rebates the chip maker allegedly held back after Apple spoke to South Korean regulators about Qualcomm's business practices.
Iphone

An 81-Year-Old Woman Just Created Her Own iPhone App (cnn.com) 60

After 43 years working in one of Japan's leading banks, 81-year-old Masako Wakamiya has launched an iPhone app called "Hinadan" that shows users how to stage traditional dolls for the Hinamatsuri festival. From a report on CNN Money: She says she felt compelled to do something after noticing a shortage of fun apps aimed at people her age. "We easily lose games when playing against young people, since our finger movements can't match their speed," Wakamiya told CNN. The retired banker asked a bunch of people to create games for seniors, but no one was interested. So she took matters into her own hands and achieved something many people half her age haven't done. "I wanted to create a fun app to get elderly people interested in smartphones," she said. "It took about half a year to develop." Wakamiya started using computers at age 60 when she was caring for her elderly mother and finding it difficult to get out and socialize with friends.
Businesses

Apple Losing Out To Microsoft and Google in US Classrooms (macrumors.com) 130

Apple is losing its grip on American classrooms, which technology companies have long used to hook students on their brands for life. From a report on MacRumors: According to research company Futuresource Consulting, in 2016 the number of devices in American classrooms that run iOS and macOS fell to third place behind both Google-powered laptops and Windows devices. Out of 12.6 million mobile devices shipped to primary and secondary schools in the U.S., Chromebooks accounted for 58 percent of the market, up from 50 percent in 2015. Meanwhile, school shipments of iPads and Mac laptops fell to 19 percent, from about 25 percent, over the same period, while Microsoft Windows laptops and tablets stayed relatively stable at about 22 percent.
Android

Sorry, Apple, the Headphone Jack Isn't Going Anywhere (yahoo.com) 332

An anonymous reader quotes a report from Rob Pegoraro via Yahoo Finance: Two things unite almost every phone on display here at Mobile World Congress 2017: Android and a headphone jack. Apple doesn't exhibit its wares at this trade show, so the domination of Google's operating system is predictable. But the headphone jack's persistence did not look so inevitable when Apple cut it from the iPhone 7 and iPhone 7 Plus last September. Lenovo's Motorola subsidiary had already shipped a phone without a headphone jack, the Moto Z, and Apple's influence over the rest of the smartphone industry remains formidable -- indeed, within months, the Chinese firm LeEco had debuted a lineup of Android phones devoid of headphone jacks. As my colleague David Pogue predicted in a post approving Apple's move: "Other brands worldwide will be following suit." The hardware on display here at the world's largest mobile tech conference, though, suggests otherwise. Two days of walking around the show floor showed companies expressing a consistent unwillingness to abandon the humble headphone jack, even on models as thin as, or thinner than, the iPhone 7. The MWC floor revealed only one company willing to do away with the headphone jack: HTC. The Taiwan-based firm, which has struggled financially for years despite shipping such well-reviewed models as the HTC 10, used its exhibit to showcase the U Ultra and the U Play, which rely on their USB-C ports for audio output. Unlike Apple, though, the company didn't make the move to save space, but rather to incorporate its "USonic" feature, which lets the phones' headphones calibrate themselves to your ears and provide noise cancellation.
Chrome

Google Chrome Users On Apple MacOS Get Enhanced Safe Browsing Protection (betanews.com) 55

BrianFagioli quotes a report from BetaNews: As more and more consumers buy Mac computers, evildoers will have increased incentive to write malware for macOS. Luckily, users of Apple's operating system that choose to use Google Chrome for web surfing will soon be safer. You see, the search giant is improving its Safe Browsing initiative to better warn macOS users of malicious websites and attempts to alter browser settings. "As part of this next step towards reducing macOS-specific malware and unwanted software, Safe Browsing is focusing on two common abuses of browsing experiences: unwanted ad injection, and manipulation of Chrome user settings, specifically the start page, home page, and default search engine. Users deserve full control of their browsing experience and Unwanted Software Policy violations hurt that experience," says Google. The search giant further explains, "The recently released Chrome Settings API for Mac gives developers the tools to make sure users stay in control of their Chrome settings. From here on, the Settings Overrides API will be the only approved path for making changes to Chrome settings on Mac OSX, like it currently is on Windows. Also, developers should know that only extensions hosted in the Chrome Web Store are allowed to make changes to Chrome settings. Starting March 31 2017, Chrome and Safe Browsing will warn users about software that attempts to modify Chrome settings without using the API."
Patents

Court Throws Out $533 Million Verdict Against Apple Over Data Storage Patent (9to5mac.com) 47

An anonymous reader quotes a report from 9to5Mac: The U.S. Court of Appeals for the Federal Circuit made a decision today to throw out the verdict of a two-year-old legal case against Apple based on data storage patents. The original verdict reached by a Texas jury stuck Apple with $533 million in damages. Smartflash LLC targeted game developers who largely all settled out of court in 2014, but Apple defended its use of data storage management and payment processing technology in court. Reuters has more on the new developments: "The trial judge vacated the large damages award a few months after a Texas federal jury imposed it in February 2015, but the U.S. Court of Appeals for the Federal Circuit said on Wednesday the judge should have ruled Smartflash's patents invalid and set aside the verdict entirely. A unanimous three-judge appeals panel said Smartflash's patents were too 'abstract' and did not go far enough in describing an actual invention to warrant protection."
Businesses

Nobody Likes Uber Anymore, Recent Reviews and Ratings On App Store Suggest (qz.com) 179

Alison Griswold, writing for Quartz: The public is not happy with Uber. Incensed by allegations of sexism and harassment in the company's corporate halls, people are once again #deleting Uber, while one-star ratings and withering critiques of its service are piling up in Apple's iOS App Store. From Jan. 1 through Feb. 22, Uber accumulated 4,479 one-star reviews from US users in the iOS App Store, according to data from analytics firm App Annie (the highest possible rating is five stars). Several of the most recent reviews cite the horrifying and explosive account of sexual harassment published by former Uber engineer Susan Fowler over the weekend. "Was harassed and scammed by an Uber driver for two hours in the car," reviewer "Jorwl" wrote on Feb. 20. But far more reviewers have another gripe: Uber's apparent disregard for user privacy. The monthly volume of one-star ratings for Uber in the App Store first spiked last November, after the company redesigned its app and infringed on user privacy by eliminating an iOS setting that let users grant Uber access to their location only "while using" the app. Users are now forced to choose between letting Uber track their location "always" and "never".
America Online

AOL Is Cutting Off Third-Party App Access To AIM (9to5mac.com) 118

An anonymous reader quotes a report from 9to5Mac: AOL announced today that it is starting to cut off third-party app access to its Instant Messenger service. As first noticed by ArsTechnica, AOL began notifying users of at least one third-party app, Adium, that it would become obsolete starting on March 28th. At this point, it's unclear whether or not all third-party applications will be rendered useless come March 28th, but the message presented to Adium users seemed to strongly imply that: "Hello. Effective 3/28, we will no longer support connections to the AIM network via this method. If you wish to use the free consumer AIM product, we invite you to visit http://www.aim.com/ for more information." What this likely means is that AOL is shutting down the OSCAR chat protocol that is used to handle AIM messages. The service will, however, continue to be available via AOL's own chat app that is supported on macOS, Windows, iOS, and Android.
