WikiLeaks said on Thursday morning it will release new documents it claims are from the Central Intelligence Agency which show the CIA had the capability to bug iPhones and Macs even if their operating systems have been deleted and replaced. From a report on Motherboard: "These documents explain the techniques used by CIA to gain 'persistenc'' on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware," WikiLeaks stated in a press release. EFI and UEFI is the core firmware for Macs, the Mac equivalent to the Bios for PCs. By targeting the UEFI, hackers can compromise Macs and the infection persists even after the operating system is re-installed. The documents are mostly from last decade, except a couple that are dated 2012 and 2013. While the documents are somewhat dated at this point, they show how the CIA was perhaps ahead of the curve in finding new ways to hacking and compromising Macs, according to Pedro Vilaca, a security researcher who's been studying Apple computers for years. Judging from the documents, Vilaca told Motherboard in an online chat, it "looks like CIA were very early adopters of attacks on EFI."

A hacker or group of hackers calling themselves the "Turkish Crime Family" claim they have access to at least 300 million iCloud accounts, and will delete the alleged cache of data if Apple pays a ransom by early next month. Motherboard is reporting that the hackers are demanding "$75,000 in Bitcoin or Ethereum, another increasingly popular crypto-currency, or $100,000 worth of iTunes gift cards in exchange for deleting the alleged cache of data." From the report: The hackers provided screenshots of alleged emails between the group and members of Apple's security team. One also gave Motherboard access to an email account allegedly used to communicate with Apple. "Are you willing to share a sample of the data set?" an unnamed member of Apple's security team wrote to the hackers a week ago, according to one of the emails stored in the account. (According to the email headers, the return-path of the email is to an address with the @apple.com domain). The hackers also uploaded a YouTube video of them allegedly logging into some of the stolen accounts. The hacker appears to access an elderly woman's iCloud account, which includes backed-up photos, and the ability to remotely wipe the device. Now, the hackers are threatening to reset a number of the iCloud accounts and remotely wipe victim's Apple devices on April 7, unless Apple pays the requested amount. According to one of the emails in the accessed account, the hackers claim to have access to over 300 million Apple email accounts, including those use @icloud and @me domains. However, the hackers appear to be inconsistent in their story; one of the hackers then claimed they had 559 million accounts in all. The hackers did not provide Motherboard with any of the supposedly stolen iCloud accounts to verify this claim, except those shown in the video.

Say good-bye to the iPad Air, it's just the iPad now. From a report on CNET: Apple announced on Tuesday morning that it will be dropping the price of the 9.7-inch iPad by $70. The tablet's A8X processor will be getting an upgrade too, jumping over to the A9 chip used in the iPad Pro. The upgrade will replace the iPad Air 2, but the iPad Mini 4 will live on, starting at $399. The updated pricing will start on Friday, at $329 for the 32GB model and $459 for the 32GB WiFi with cellular service model. It's Apple's cheapest iPad, after the company decided to replace the iPad Mini 2, which started at $269. Although Apple's iPad is leading the tablet market, it's still a tumbling one as demand takes a decline thanks to people holding onto their tablets longer.

Google Maps has received a neat feature that will help users remember where they parked. "This appears as a new menu option when you tap the blue dot, and will place a 'P' icon on the map so you can find your way back to your spot," reports Ars Technica. From the report: Google had already introduced its own proactive parking saving feature via Google Now, but it had worked by tapping into your phone's sensors and making a determination that you had most likely parked at a given spot. Sometimes, you might see this information appear when it was unwarranted, however -- like if you got off a bus or exited a taxi, Google says. The new feature in Google Maps requires a manual entry, but this is actually a bit of an advantage over the guessing done by Google Now, because it allows you to input more information about your spot. Like Apple Maps, you can add notes about where you parked -- something that's helpful for jotting down cross streets or which floor of a garage you're on, for example. But Google Maps also supports adding multiple photos of your parking location -- a common way people often note the parking space number in the garage, and then, via a separate shot, the floor, row, aisle and/or color code for the garage level itself. In addition, Google's parking location saver will let you enter in how much time you have left at the spot. This is handy if you're in a temporary parking area (e.g. "two hour parking"), or at metered space. The time left is displayed on the map, and when it's due to expire, Google Maps will alert you via push notification.

Thomas Claburn, reporting for The Register: The US Third Circuit Court of Appeals today upheld a lower court ruling of contempt against a chap who claimed he couldn't remember the password to decrypt his computer's hard drives. In so doing, the appeals court opted not to address a lower court's rejection of the defendant's argument that being forced to reveal his password violated his Fifth Amendment protection against self-incrimination. In the case under review, the US District Court for the Eastern District of Pennsylvania held the defendant (referred to in court documents as "John Doe" because his case is partially under seal) in contempt of court for willfully disobeying and resisting an order to decrypt external hard drives that had been attached to his Mac Pro computer. The defendant's computer, two external hard drives, an iPhone 5S, and an iPhone 6 Plus had been seized as part of a child pornography investigation.

Earlier this year, we learned that Andy Rubin, creator of the Android operating system, has built a new company called Essential. The company was reportedly working on a "high-end smartphone with a large edge-to-edge screen that lacks a surrounding bezel." It appears things aren't chugging along so smoothly. From a report: Andy Rubin, a co-creator of Android, lost out on a $100 million investment from SoftBank as Apple deepened ties with the Japanese investor, people familiar with the matter told The Wall Street Journal. Rubin's company, Essential Products, is reportedly planning to release a new high-end smartphone this spring, and SoftBank planned to market the phone in Japan, the Journal said. But Apple subsequently agreed to commit $1 billion to SoftBank's Vision Fund, a move that "complicated" SoftBank's investment in Essential Products, the Journal reported Monday. Apple did not directly block the deal, the Journal said, though Rubin's premium phone would be released ahead of the highly anticipated 10th anniversary iPhone. The deal was "nearly complete," sources told the Journal.

Audacity, a popular open-source and cross-platform audio editor, has received a "maintenance" update that brings several improvements. Dubbed v2.1.3, the biggest new addition appears to be support for Windows 10 OS. For Mac users, Audacity now works in tandem with the Magic Mouse. "We now support Trackpad and Magic Mouse horizontal scroll without SHIFT key and Trackpad pinch and expand to zoom at the pointer," the release note says. We also have new "Scrub Ruler" and "Scrub Toolbar" scrubbing options in the application now. Read the full changelog here.

Apple is beefing up its staff with acquisitions and some big hires to help design augmented reality glasses and iPhone features, according to Bloomberg. From a report: Apple is working on "digital spectacles" that could connect to an iPhone and beam content like movies and maps, Bloomberg's Mark Gurman reported on Monday. The Cupertino, Calif.- based company is also working on augmented reality features for the iPhone that are similar to Snapchat, Bloomberg said. To make its augmented reality push, Apple has acquired augmented reality start-ups FlyBy Media and Metaio, and hired major players from Amazon, Facebook's Oculus, Microsoft's HoloLens, and Dolby.

Apple paid no income tax to New Zealand's Inland Revenue Department for the last 10 years, according to an article shared by sit1963nz, prompting calls for the company to "do the right thing" even from some American-based Apple users. From the New Zealand Herald: Bryan Chaffin of The Mac Observer, an Apple community blog site founded in 1998...wrote that Apple was the largest taxpayer in the United States, but 'pays next to nothing in most parts of the world... [L]ocal taxes matter. Roads matter. Schools matter. Housing authorities matter. Health care matters. Regulation enforcement matters. All of the things that support civil society matter. Apple's profits are made possible by that civil society, and the company should contribute its fair share.'"
Apple's accounts "show apparent income tax payments of $37 million," according to an earlier article, "but a close reading shows this sum was actually sent abroad to the Australian Tax Office, an arrangement that has been in place since at least 2007. Had Apple reported the same healthy profit margin in New Zealand as it did for its operations globally it would have paid $356 million in taxes over the period."

"It is absolutely extraordinary that they are able to get away with paying zero tax in this country," said Green Party co-leader James Shaw. "I really like Apple products -- they're incredibly innovative -- but it looks like their tax department is even more innovative than their product designers."

"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokesperson told Motherboard -- but then things apparently stalled. An anonymous reader quotes Fortune: Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security "zero days" and other surveillance methods in the possession of the Central Intelligence Agency... Wikileaks' demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard's sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.
Julian Assange announced Friday that Mozilla had already received information after agreeing to their "industry standard responsible disclosure plan," then added that "most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA." Assange suggested users "may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decided for themselves."

tsu doh nimh writes: Brian Krebs has a readable and ironic story about a phishing-as-a-service product that iPhone thieves can use to phish the Apple iCloud credentials from people who have recently had an iPhone lost or stolen. The phishing service -- which charged as much as $120 for successful phishing attempts targeting iPhone 6s users -- was poorly secured, and a security professional that Krebs worked with managed to guess several passwords for users on the service. From there, the story looks at how this phishing service works, how it tracks victims, and ultimately how one of its core resellers phished his own iCloud account and inadvertently gave his exact location as a result. An excerpt from the report via Krebs On Security: "Victims of iPhone theft can use the Find My iPhone feature to remotely locate, lock or erase their iPhone -- just by visiting Apple's site and entering their iCloud username and password. Likewise, an iPhone thief can use those iCloud credentials to remotely unlock the victim's stolen iPhone, wipe the device, and resell it. As a result, iPhone thieves often subcontract the theft of those credentials to third-party iCloud phishing services. This story is about one of those services..."

An anonymous reader shares a BBC report: Russia's competition watchdog has found that Apple fixed the prices of certain iPhone models sold in the country. The Federal Anti-Monopoly Service (Fas) said that Apple's local subsidiary told 16 retailers to maintain the recommended prices of phones in the iPhone 5 and iPhone 6 families. Non-compliance with the pricing guidelines may have led to the termination of contracts, it found. At the time of the investigation, Apple denied that it controlled its products' pricing, telling Reuters that resellers "set their own prices for the Apple products they sell in Russia and around the world." The regulator said Apple had now ended its price-fixing practices but has not said whether the company faces a fine. The FAS claimed that Apple Rus monitored the retail prices for the iPhone 5c, 5s, 6, 6 Plus, 6s and 6s Plus.

A new Kickstarter campaign aims to expand the iPhone's functionality with its "Eye Smart iPhone Case," which features a fully functional Android device built into the case itself. The campaign was launched on March 1 and has already raised over $100,000. Mac Rumors reports: An always-on 5-inch AMOLED display is built into the case, which runs the Android 7.1 Nougat operating system. The case connects to the iPhone using its Lightning port to enable file transfers, power delivery, and more. A microSD card slot provides up to 256GB of storage for holding photos, videos, and other media, all of which is accessible using the Android file explorer. A built-in 2,800 mAh battery provides additional charge to the iPhone, and the Eye case itself supports Qi wireless charging. Two SIM card slots are included, and higher-end models support 4G LTE connectivity, so up to three phone numbers can be used with an iPhone. Android exclusive features, like native call recording, the file explorer, customization, file transfers, and Android apps are all made available to iPhone users via the Eye case. A 3.5mm headphone jack lets iPhone owners with an iPhone 7 or an iPhone 7 Plus to use wired headphones with the device, and the Eye case includes NFC, an IR blaster and receiver for controlling TVs and other devices, and a car mount. It's available for the iPhone 6 and later, and will allegedly be available for the new wave of iPhones coming in 2017 within a month of their release. The Smart iPhone Case is available for a Super early bird pledge of $95, with prices going up for 4G connectivity. The estimated retail price is between $189 and $229.

Apple, Microsoft, Amazon, and Cisco have filed an amicus brief in support of Google, after a Pennsylvania court ruled that the company had to hand over emails stored overseas in response to an FBI warrant. From a report: An amicus brief is filed by people or companies who have an interest in the case, but aren't directly involved. In this case, it's in Silicon Valley's interest to keep US law enforcement from accessing customer data stored outside the US. It isn't clear what data Google might have to hand over and, last month, the company said it would fight to the order. In the brief, the companies argue: "When a warrant seeks email content from a foreign data center, that invasion of privacy occurs outside the United States -- in the place where the customers' private communications are stored, and where they are accessed, and copied for the benefit of law enforcement, without the customer's consent."

After WikiLeaks revealed data exposing information about the CIA's arsenal of hacking tools, Intel Security has released a tool that allows users to check if their computer's low-level system firmware has been modified and contains unauthorized code. PCWorld reports: The release comes after CIA documents leaked Tuesday revealed that the agency has developed EFI (Extensible Firmware Interface) rootkits for Apple's Macbooks. The documents from CIA's Embedded Development Branch (EDB) mention an OS X "implant" called DerStarke that includes a kernel code injection module dubbed Bokor and an EFI persistence module called DarkMatter. In addition to DarkMatter, there is a second project in the CIA EDB documents called QuarkMatter that is also described as a "Mac OS X EFI implant which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant." The Advanced Threat Research team at Intel Security has created a new module for its existing CHIPSEC open-source framework to detect rogue EFI binaries. CHIPSEC consists of a set of command-line tools that use low-level interfaces to analyze a system's hardware, firmware, and platform components. It can be run from Windows, Linux, macOS, and even from an EFI shell. The new CHIPSEC module allows the user to take a clean EFI image from the computer manufacturer, extract its contents and build a whitelist of the binary files inside. It can then compare that list against the system's current EFI or against an EFI image previously extracted from a system.

New submitter cryptizard writes: Modern Android and iOS versions include a technology called MAC address randomization to prevent passive tracking of users as they move from location to location. Unfortunately, researchers have revealed that this technology is implemented sporadically by device manufacturers and is often deployed with significant flaws that allow it to be easily defeated. A research paper [published by U.S. Naval Academy researchers] highlights a number of flaws in both Android and iOS that allow an adversary to track users even when their phones are using randomized MAC addresses. Most significantly, they demonstrate that a flaw in the way wireless chipsets handle low-level control messages can be exploited to track 100% of devices, regardless of manufacturer or operating system.

An anonymous reader quotes a report from USA Today: Apple says many of the vulnerabilities to its devices and software that came to light in WikiLeaks' revelations of CIA cyber weapons were already fixed in its latest updates. Late Tuesday, Apple emailed the following statement to USA TODAY: "Apple is deeply committed to safeguarding our customers' privacy and security. The technology built into today's iPhone represents the best data security available to consumers, and we're constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest OS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates." For its part, Samsung emailed its own statement Wednesday: "Protecting consumers' privacy and the security of our devices is a top priority at Samsung. We are aware of the report in question and are urgently looking into the matter."

Veteran technology columnist Walt Mossberg believes that Google, Apple, Microsoft, Amazon, and Facebook, or Gang of Five -- as he likes to call them, are casting a big shadow over how today's startups foster, a phenomenon he believes will continue to happen over the years to come. From his column for The Verge: What we have now in consumer tech, in 2017, is an oligopoly, at least superficially similar to the old industrial-era American corporate groups that once dominated key industries. I think that their enduring and growing power casts a shadow over the Silicon Valley legend that there are lots of great new consumer tech innovations being incubated right now in garages or dorm rooms somewhere that will be taken all the way to becoming great companies, the way each of the Gang of Five was. What I fear is more likely to happen to any such startup is that, if they're good, they get acquired by a member of the Gang, or that their idea is turned into a feature for one of the Gang's products. And, even if that never happens and a startup thrives, too often it can only thrive by being successful on a platform controlled by one or more Gang members, with the big guy maybe taking a cut. For instance, Snap, the parent company of Snapchat, which went public last week, famously spurned a $3 billion takeover offer from Gang member Facebook in 2013. But it depends for its very operation on the cloud services of Google and on the mobile app platforms of Apple and Google. And plenty of other companies which either presented threats or opportunities to the Gang have been snapped up by them. Each of the five companies actively scoops up numerous smaller companies every year, in many cases just for their talent and / or patents. In fact, I'd be amazed if there weren't plenty of startups whose main goal is to be purchased by the Gang.

Jason Koebler, writing for Motherboard: Statehouse employees in Minnesota say that lobbying efforts by big tech companies and John Deere are on the verge of killing right to repair legislation in the state that would have made it easier for consumers and small businesses to fix their electronics. According to two of the bill's sponsors, the bill, which would have introduced "fair repair" requirements for manufacturers in the state, will not get a hearing that's necessary to move the legislation forward. Minnesota Senate rules automatically kills any bills that do not have a hearing scheduled by a certain date (this year, it's March 10). Last year, tech industry lobbying killed a similar bill in New York. "Unfortunately, it's not going to make deadline this session," Republican Sen. David Osmek, one of the sponsors, told me in an email. Osmek would not give additional specifics about his colleagues' concerns with the bill, but a legislative assistant for the bill's other sponsor told me that electronic manufacturer lobbying is likely to blame, while another source close to the legislature told me that tractor manufacturer John Deere -- a long time enemy of fair repair -- helped kill the bill as well.

Apple has long permitted "hot code push", a feature that allows developers to continuously deploy changes to their mobile apps and have those changes reflect in their apps instantly. This allowed developers to make quick changes to their apps without having to resubmit the new iteration and get approval from the Apple Store review team. But that's changing now. In response to a developer's query, Apple confirmed that it no longer permits "hot code push." The company told the developer: Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app's behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app's behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.