Archive for July 1, 2020

Person Who Discovered A macOS Security Bug Goes Public After Months Of Apple Not Fixing It

Posted in Commentary on July 1, 2020 by itnerd

Software developer Jeff Johnson discovered, and reported to Apple, a privacy bypass vulnerability that opens up access to protected files in macOS Mojave, macOS Catalina, and the upcoming macOS Big Sur. He thought reporting it privately was the responsible thing to do. But that was over six months ago, and the best Apple could come up with was that it was “investigating” what he reported. So, after concluding that the folks at 1 Apple Park weren’t taking this security issue seriously, he decided to go public via this blog post that went online yesterday. In it he lays out the timeline of when the issue was reported and what happened next. Then he says this:

For technical reasons, I don’t believe that the issue will be fixed by Apple before Big Sur is released to the public in the Fall. I’ve seen no evidence that Big Sur makes any effort in this direction, and Apple’s email to me shows no evidence of that either. Therefore, I’m disclosing the issue now. It’s been over 6 months since I reported the issue to Apple. This is well beyond the bounds of “responsible disclosure”, which is typically 90 days after reporting an issue to a vendor. It’s also becoming obvious that I will never get paid a bounty by Apple for anything I’ve reported to them, or at least not within a reasonable amount of time. I’m not interested in waiting years for a bounty. I can’t speak for anyone else, but my personal experience is that the Apple Security Bounty Program has been a disappointment, and I don’t plan to participate again in the future. 

Well, that’s a pretty damning statement when it comes to Apple’s Security Bounty program. If people don’t have confidence that Apple will act on the things that they report, then they won’t use it. And what is really bad is that he revealed a similar issue last October, after reporting it in February of that year and waiting eight months for Apple to fix it, without success.

Besides that, he gives readers this to think about:

Should you be worried about this issue? That depends on how you feel in general about macOS privacy protections. Prior to Mojave, the privacy protections feature did not exist at all on the Mac, so you’re not any worse off now than you were on High Sierra and earlier. My personal opinion is that macOS privacy protections are mainly security theater and only harm legitimate Mac developers while allowing malware apps to bypass them through many existing holes such as the one I’m disclosing, and that other security researchers have also found. I feel that if you already have a hostile non-sandboxed app running on your Mac, then you’re in big trouble regardless, so these privacy protections won’t save you. The best security is to be selective about which software you install, to be careful to avoid ever installing malware on your Mac in the first place. There’s a reason that my security research has focused on macOS privacy protections: my goal is to show that Apple’s debilitating lockdown of the Mac is not justified by alleged privacy and security benefits. In that respect, I think I’ve proved my point, over and over again. In any case, you have the right to know that the systems you rely on for protection are not actually protecting you.

Here’s my $0.02 worth. Apple makes a lot of noise about privacy and security. But reading the above statement makes it appear that Apple is only paying lip service to privacy and security. If Apple were actually serious about this, they would not only respond to this developer and address his claims in public, but also make a statement about why users of their products should trust those products to keep them secure, and what they are going to do to walk the walk as opposed to just talking the talk. But I am not naive. That won’t happen, because Apple isn’t that sort of company. They never have been. And clearly they never will be. And that will come back to haunt them sooner or later.

The Belkin NetCam Is Dead… And This Will Haunt Belkin For A Very Long Time

Posted in Commentary on July 1, 2020 by itnerd

I have been reporting for a while now about Belkin’s plans to end-of-life the back-end services that run their NetCam products. By killing the back-end services, Belkin has in effect taken perfectly working cameras and made them useless. While there was a bit of a reprieve, the back-end services finally went dark overnight. Much to the dismay of users like this one:

Now if Belkin was hoping that the blowback from this decision would eventually go away, they might want to reconsider that belief.

For starters, they did this in the middle of a pandemic. And there are many who bought these cameras to keep an eye on cottages, second homes, and the like. Now these people are left high and dry. And if their location is still in the middle of some sort of lockdown related to the pandemic where traveling is heavily restricted or outright illegal, they can’t easily drive out to these properties to install new cameras. At least not without potentially breaking the law. That’s #Fail number one.

Second, this whole experience was badly handled by Belkin on multiple fronts. They gave users very little notice and only extended the kill date when the blowback became epic. Most companies tend to announce this sort of thing many months or years in advance so that users don’t react the way that NetCam users have. That’s #Fail number two.

Then there’s their plan to refund people who might have recently bought these cameras. From what I see, that didn’t work so well:

That’s #Fail number three. But the major #Fail is the fact that Belkin really didn’t give users any other option in terms of using their cameras. It clearly is possible to use these cameras without Belkin’s back-end service, since there is a GitHub project, published by Vladimir Sobolev in 2018, that does so. And if Belkin really wanted to avoid the level of blowback that is seen here, they might have considered it:

But clearly Belkin went the route of not even considering any way to let users keep using their cameras. And as a result, I’m here talking about it. And I am going to go out on a limb and say that Belkin isn’t going to get a whole lot of angry NetCam camera owners buying Belkin products in the future.

Now, there is a bit of a lesson to be learned here: if you buy any sort of IoT gear, you have to be aware that this scenario can be the result. But even with that, the way this was handled was craptastic. Based on the fact that the two stories that I did on this got thousands upon thousands of page views, I am certain that this is going to haunt Belkin for a very long time. The NetCam may be dead, but in the process Belkin may have harmed their reputation for a very long time.

Apple Rumored To Be Dropping Earphones And Chargers From The Packaging Of The iPhone 12

Posted in Commentary on July 1, 2020 by itnerd

Rumors have been circulating for a week or so that Apple is about to make some radical changes to what comes in the box with the iPhone 12. The rumors come from a couple of reliable sources. The first is Ming-Chi Kuo, who is a reliable source for this sort of information. The second is a Twitter user who goes by the handle L0vetodream, a recent entrant into the Apple rumor game with an excellent track record in terms of accuracy. His latest tweet is below:

Now, Apple dropping the earphones makes sense on a number of fronts. First of all, I am going to go out on a limb and suggest that only a handful of people use the earphones that come in the box. Most users will use their own earphones because they have better sound quality and/or they are wireless. Thus the supplied earphones that come with iPhones are wasted a lot of the time. Plus, if people really wanted them, they could easily buy them as an add-on when they get their iPhone. Or they could buy AirPods or Beats headphones when they get their iPhone. Regardless, I don’t see this as being a big deal.

Now, not including a charger in the box is a big deal. Apple has taken flak for not including a fast charger in the box in the past. This despite the fact that modern iPhones are fast-charge capable if you use a Lightning to USB-C cable and a USB-C fast charger. They sort of fixed that when the iPhone 11 Pro and Pro Max came out by including those items in the box. But I guess that because the iPhone 11 wasn’t a “Pro” device, they left it out there. Still, there was a charger in the box.

I have to assume that Apple either has a reason related to the environment, or a reason related to cost (as in they want to use this as a vehicle to lower the cost of the iPhone) as to why they would ever consider going this route. In terms of the former, I am guessing that they would argue that people charge wirelessly using third party wireless chargers, or they buy third party fast chargers. So there’s no need for a charger to be put into the box. Now there is some truth in that. But not enough truth in my opinion to omit a charger from the box. The latter reason is simply cynical on Apple’s part if they are actually thinking that.

Here’s why this is a big deal. It is handy to have a wired charger for traveling, or for emergencies. Plus, with all of us working from home because of the pandemic, it is simply faster to use a wired charger to give your phone a quick jolt of energy before your next conference call. And that doesn’t include first-time iPhone users who get a phone and are shocked to find that there’s no charger in the box. Imagine how they would feel and how they would perceive Apple. Thus including one in the box is, in my mind, something that Apple should do as a matter of course.

Potentially not including a charger in the box of future iPhones is a step too far for Apple as far as I am concerned. They are a company that will take bold moves like this and try to convince us that it’s for our own good. But this isn’t bold. It’s stupid. And hopefully Apple will reconsider this move before it’s too late.