By John Gruber
Jeff Bezos:
Something unusual happened to me yesterday. Actually, for me it wasn’t just unusual — it was a first. I was made an offer I couldn’t refuse. Or at least that’s what the top people at the National Enquirer thought. I’m glad they thought that, because it emboldened them to put it all in writing. Rather than capitulate to extortion and blackmail, I’ve decided to publish exactly what they sent me, despite the personal cost and embarrassment they threaten. […]
Well, that got my attention. But not in the way they likely hoped. Any personal embarrassment AMI could cause me takes a back seat because there’s a much more important matter involved here. If in my position I can’t stand up to this kind of extortion, how many people can? (On that point, numerous people have contacted our investigation team about their similar experiences with AMI, and how they needed to capitulate because, for example, their livelihoods were at stake.)
Reminiscent of when David Letterman exposed an extortion attempt regarding extramarital affairs in 2009.
Thomas Brewster, Forbes:
Just last week it emerged that a 14-year-old uncovered a bug that allowed snooping on iPhone and Mac users thanks to a problem in FaceTime. Now German 18-year-old Linus Henze has uncovered a vulnerability affecting the latest Apple macOS that leaves stored passwords open to malicious apps. That could include logins for your bank website, Amazon, Netflix, Slack and many more apps. And even though this is a Mac-only bug, if you’re using the iCloud keychain, passwords synced across iPhones and Macs may also be in danger.
To make matters worse, it’s likely that no fix is in the works. Henze isn’t disclosing his findings to Apple, telling Forbes the lack of payment for such research was behind his decision to keep the hack’s details secret from the Cupertino giant.
Henze hasn’t released code (thankfully), only a video purporting to show his exploit in action. I’d be skeptical except that Patrick Wardle has tested the exploit and vouches for it, telling Sergiu Gatlan at the website Bleeping Computer:
Yes, I was able to test it on a fully patched system and it worked lovely… It’s a really nice bug inspiringly so… If I’m a hacker or piece of malware this would be the first thing I do once I gain access to the system… Dump various keychains to extract passwords, private keys, signing certificates and sensitive tokens. It’s unfortunate that there is yet another bug in the keychain access… One would hope something like a keychain which is supposed to be secure would, in fact, be secure but unfortunately, that’s not the case.
This looks like a really bad vulnerability — especially so since Henze isn’t sharing details with Apple.
Why in the world Apple only offers security bounties for iOS is beyond my comprehension. Of course iOS has the most users, but the potential for truly critical bugs exists on all of Apple’s platforms.
Tom Warren, reporting for The Verge:
Apple released iOS 12.1.4 today to fix a major security flaw in FaceTime that allowed people to eavesdrop on iPhone users. The bug was originally reported to Apple by Michele Thompson after her 14-year-old son, Grant, discovered that you could add yourself to a Group FaceTime call and force recipients to answer immediately. Apple was initially slow to respond, but the company has now credited the discovery to Grant Thompson of Catalina Foothills High School.
Apple also tells The Verge that it’s compensating the Thompson family for discovering the vulnerability, and providing an additional gift to fund Grant Thompson’s tuition. Apple hasn’t revealed exactly how much it’s paying the Thompson family.
Joseph Cox, reporting for Motherboard:
Around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data, with one bail bond firm using the phone location service more than 18,000 times, and others using it thousands or tens of thousands of times, according to internal documents obtained by Motherboard from a company called CerCareOne, a now-defunct location data seller that operated until 2017. The documents list not only the companies that had access to the data, but specific phone numbers that were pinged by those companies.
In some cases, the data sold is more sensitive than that offered by the service used by Motherboard last month, which estimated a location based on the cell phone towers that a phone connected to. CerCareOne sold cell phone tower data, but also sold highly sensitive and accurate GPS data to bounty hunters; an unprecedented move that means users could locate someone so accurately as to see where they are inside a building. This company operated in near-total secrecy for over 5 years by making its customers agree to “keep the existence of CerCareOne.com confidential,” according to a terms of use document obtained by Motherboard.
This story from January — also broken by Cox — just got a whole lot worse.
Stephen Nellis, reporting for Reuters:
Apple Inc has moved its modem chip engineering effort into its in-house hardware technology group from its supply chain unit, two people familiar with the move told Reuters, a sign the tech company is looking to develop a key component of its iPhones after years of buying it from outside suppliers.
Modems are an indispensable part of phones and other mobile devices, connecting them to wireless data networks. Apple once used Qualcomm Inc chips exclusively but began phasing in Intel Corp chips in 2016 and dropped Qualcomm from iPhones released last year.
Johny Srouji, Apple’s senior vice president of hardware technologies, took over the company’s modem design efforts in January, the sources said. The organizational move has not been previously reported.
Recall the Cook Doctrine:
We believe that we need to own and control the primary technologies behind the products we make, and participate only in markets where we can make a significant contribution.
Right now Apple only has two choices for modems: Qualcomm and Intel. Qualcomm’s modems have historically been superior, and probably still are, but Apple’s relationship with Qualcomm is contentious, to say the least. At Qualcomm’s FTC trial last month, Jeff Williams said “We had a gun to our head” when it came to negotiating with Qualcomm for iPhone modems, and that it cost Apple $1 billion a year in licensing fees Apple considers unfair. Considering that Apple’s only alternative is Intel, who’ve always played second fiddle to Qualcomm in modems, yeah, I’d say this qualifies as a “primary technology” Apple needs to “own and control”.
Imagine what a spot Apple would be in if they relied on Qualcomm for CPUs.
Michael Zhang, writing for PetaPixel:
In September 2018, the Chinese smartphone maker OnePlus announced the winners of a #ShotonOnePlus photo contest in India to celebrate the best photos captured by its phone cameras. One of the winning shots was a shock to photographer Aman Bhargava: it looked strangely similar to a photo he had captured two years earlier on his Canon DSLR.
Submitted by photographer Pratyush Yadav, the photo looked like a slightly cropped version of a photo Bhargava captured in 2016 and posted to Instagram on May 22, 2017.
(The link to the contest winners has since been taken down by OnePlus.)
So there are two levels of fraud here. First, Yadav clearly stole the photo from Bhargava. There’s no question they’re identical, not merely very similar. Second, OnePlus selected it as a winner even though it was shot with a Canon DSLR, not one of their own phones.
Yadav was so bad at covering his tracks that he submitted the image with EXIF data (which is easily forged) that indicated the photo was shot in April 2017 using a OnePlus A6000 — a model that didn’t come out until May 2018.
Amidst the hubbub over Apple’s current Shot on iPhone contest, it occurred to me that Apple surely goes to extraordinary lengths to verify that the photos it advertises as having been “shot on iPhone” really were shot on an iPhone — and that they were shot by the photographer claiming to have shot them. This guy Yadav is the fraudster here, but it’s OnePlus that had the most to lose. Can you even imagine the bad publicity that would result if something like this — either a stolen photograph or a photo shot with an SLR (let alone both) — was named a winner in Apple’s contest?
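The EXIF slip described above (a capture date earlier than the claimed camera model existed) is exactly the kind of thing a contest organizer can catch with a mechanical plausibility check before a human ever looks at the image. The following is an added example, not code from the post or from OnePlus or Apple: it builds a small TIFF/EXIF blob in memory (constructed sample data, standing in for the APP1 payload of a JPEG), parses IFD0 and the Exif sub-IFD with a minimal reader, and cross-checks the Model and DateTimeOriginal tags against a release-date table. The table and the May 2018 date for the OnePlus A6000 are assumptions taken from the post; a real deployment would use a maintained list. Because EXIF is trivially forged, an empty finding list means only "no contradiction found", never "genuine".

```python
import struct
from datetime import date, datetime

# EXIF/TIFF tag numbers and field types used below.
TAG_MAKE, TAG_MODEL, TAG_EXIF_IFD, TAG_DATETIME_ORIGINAL = 0x010F, 0x0110, 0x8769, 0x9003
TYPE_ASCII, TYPE_LONG = 2, 4

# Assumed release-date table (illustrative). The A6000 entry follows the post's
# statement that the model did not ship until May 2018; first of month is used.
RELEASE_DATES = {"ONEPLUS A6000": date(2018, 5, 1)}


def build_exif(make, model, datetime_original):
    """Construct a minimal little-endian TIFF/EXIF blob (sample data for this example):
    IFD0 holds Make, Model and a pointer to an Exif IFD holding DateTimeOriginal.
    All three strings are assumed to be longer than 4 bytes (stored out of line)."""
    header = b"II" + struct.pack("<HI", 42, 8)       # byte order, magic 42, IFD0 at offset 8
    exif_off = 8 + 2 + 3 * 12 + 4                    # IFD0: count + 3 entries + next-IFD link
    data_off = exif_off + 2 + 1 * 12 + 4             # Exif IFD: count + 1 entry + link
    data, entries0 = b"", []
    for tag, text in ((TAG_MAKE, make), (TAG_MODEL, model)):
        payload = text.encode("ascii") + b"\x00"
        entries0.append(struct.pack("<HHII", tag, TYPE_ASCII, len(payload), data_off + len(data)))
        data += payload
    entries0.append(struct.pack("<HHII", TAG_EXIF_IFD, TYPE_LONG, 1, exif_off))
    payload = datetime_original.encode("ascii") + b"\x00"
    exif_entry = struct.pack("<HHII", TAG_DATETIME_ORIGINAL, TYPE_ASCII, len(payload), data_off + len(data))
    data += payload
    ifd0 = struct.pack("<H", 3) + b"".join(entries0) + struct.pack("<I", 0)
    exif_ifd = struct.pack("<H", 1) + exif_entry + struct.pack("<I", 0)
    return header + ifd0 + exif_ifd + data


def _read_ifd(blob, offset, endian):
    """Read one IFD and return {tag: value} for ASCII and single LONG entries."""
    count = struct.unpack_from(endian + "H", blob, offset)[0]
    tags = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(endian + "HHI4s", blob, offset + 2 + 12 * i)
        if typ == TYPE_ASCII:
            # Values of 4 bytes or fewer are stored inline; longer ones via offset.
            value = raw[:n] if n <= 4 else blob[struct.unpack(endian + "I", raw)[0]:][:n]
            tags[tag] = value.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == TYPE_LONG and n == 1:
            tags[tag] = struct.unpack(endian + "I", raw)[0]
    return tags


def parse_exif(blob):
    """Parse a TIFF/EXIF blob: IFD0 plus the Exif sub-IFF it points to, merged into one dict."""
    endian = {b"II": "<", b"MM": ">"}[blob[:2]]
    magic, ifd0_off = struct.unpack_from(endian + "HI", blob, 2)
    if magic != 42:
        raise ValueError("not a TIFF/EXIF header")
    tags = _read_ifd(blob, ifd0_off, endian)
    if TAG_EXIF_IFD in tags:
        tags.update(_read_ifd(blob, tags[TAG_EXIF_IFD], endian))
    return tags


def check_capture_plausibility(blob, submitted=None, release_dates=RELEASE_DATES):
    """Return a list of contradictions between the claimed model and the claimed capture time.
    An empty list means no contradiction was found, not that the metadata is genuine."""
    tags = parse_exif(blob)
    findings = []
    model = tags.get(TAG_MODEL, "").strip().upper()
    stamp = tags.get(TAG_DATETIME_ORIGINAL)
    if not model or not stamp:
        return ["missing Model or DateTimeOriginal"]
    try:
        captured = datetime.strptime(stamp, "%Y:%m:%d %H:%M:%S").date()
    except ValueError:
        return [f"malformed DateTimeOriginal {stamp!r}"]
    released = release_dates.get(model)
    if released is None:
        findings.append(f"unknown model {model!r}; cannot cross-check release date")
    elif captured < released:
        findings.append(f"{model} claims capture on {captured} but was not released until {released}")
    if submitted is not None and captured > submitted:
        findings.append(f"capture date {captured} is after submission date {submitted}")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the post: April 2017 capture claimed on a May 2018 model.
    forged = build_exif("OnePlus", "ONEPLUS A6000", "2017:04:10 09:30:00")
    for line in check_capture_plausibility(forged, submitted=date(2018, 9, 1)):
        print("FLAG:", line)
```

The parser deliberately handles only what the check needs (ASCII strings and a single LONG pointer); anything else in the IFD is ignored rather than trusted. Feeding it bytes from a real JPEG means locating the APP1 segment, skipping the six-byte `Exif\0\0` prefix, and passing the remainder, which begins with the `II`/`MM` byte-order mark.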