An anonymous reader writes: Swedish hardware hacker Ulf Frisk has created a device that can extract Mac FileVault2 (Apple's disk encryption utility) passwords from a device's memory before macOS boots and anti-DMA protections kick in. The extracted passwords are in cleartext, and they also double as the macOS logon passwords. The attack requires physical access, but it takes less than 30 seconds to carry out. A special device is needed, which runs custom software (available on GitHub), and uses hardware parts that cost around $300. Apple fixed the attack in macOS 10.12.2. The device is similar to what Samy Kamkar created with PoisonTap.
Apple has launched Single Sign-on, a service designed to make logging into TV apps much less annoying. It "allows cable subscribers to sign in once with their cable credentials to gain access to all cable-restricted content in iOS and tvOS apps," writes Juli Clover via MacRumors: Single Sign-on is limited to the United States, and according to a support document, is available for the following providers: CenturyLink Prism, DirecTV, Dish, GVTC, GTA, Hawaiian Telecom, Hotwire, MetroCast, and Sling. While Single Sign-on was introduced and tested in the tvOS 10.1 and iOS 10.2 betas, the feature was remotely released today to all iOS 10 and tvOS 10 devices. Using Single Sign-on does not require one of the betas, and is instead immediately available to all iPhone and Apple TV users running iOS 10 or tvOS 10. With Single Sign-on, customers with a supported provider will use the Settings options in iOS or tvOS to sign in with their cable credentials. From then on, when accessing a supported app that requires a cable subscription, the app will ask to use the saved sign-on credentials. Most cable channels and content providers offer individual apps on the Apple TV and iOS devices, but still require cable authentication before users can access content. Prior to Single Sign-on, customers were required to enter their credentials in each individual app, a frustrating and time-consuming process.
An anonymous reader writes: Apple has released the open source Darwin code for macOS 10.12 Sierra. The code, located on Apple's open source website, can be accessed via direct link now, although it doesn't yet appear on the site's home page. The release builds on a long-standing library of open source code that dates all the way back to OS X 10.0. There, you'll also find the Open Source Reference Library, developer tools, along with iOS and OS X Server resources. The lowest layers of macOS, including the kernel, BSD portions, and drivers are based mainly on open source technologies, collectively called Darwin. As such, Apple provides download links to the latest versions of these technologies for the open source community to learn and to use.
As if we don't already have enough devices that can listen in on our conversations, security researchers at Israel's Ben Gurion University have created malware that will turn your headphones into microphones that can slyly record your conversations. TechCrunch reports: The proof-of-concept, called "Speake(a)r," first turned headphones connected to a PC into microphones and then tested the quality of sound recorded by a microphone vs. headphones on a target PC. In short, the headphones were nearly as good as an unpowered microphone at picking up audio in a room. It essentially "retasks" the RealTek audio codec chip output found in many desktop computers into an input channel. This means you can plug your headphones into a seemingly output-only jack and hackers can still listen in. This isn't a driver fix, either. The embedded chip does not allow users to properly prevent this hack which means your earbuds or nice cans could start picking up conversations instantly. In fact, even if you disable your microphone, a computer with a RealTek chip could still be hacked and exploited without your knowledge. The sound quality, as shown by this chart, is pretty much the same for a dedicated microphone and headphones. The researchers have published a video on YouTube demonstrating how this malware works.
An anonymous reader quotes a report from Network World: As Phil Schiller explained during today's event, Apple's new MacBook Pros feature four Thunderbolt 3 USB Type-C ports, and conveniently, each of these can be used to charge the machine. Now, USB-C is incredibly versatile, and Apple will use the advanced port for power charging, HDMI and much more. However, with USB-C the only game in town, you might reasonably be wondering: How in the world do I connect my iPhone to my sleek new MacBook Pro? The frustrating answer is that you won't be able to do so out of the box. Instead, you'll have to buy a dongle. This is especially frustrating because many people use their notebooks for a) charging purposes when an outlet isn't necessarily handy and b) for transferring photos and other data. Now, you might reasonably state that you can just rely upon the cloud for items like data transfer, but there's no getting around the fact that Apple's efforts in the cloud still leave much to be desired. How much will it cost to connect your iPhone to your brand new MacBook Pro? Well, Apple sells a USB-C to Lightning cable on its website for $25. While this is undoubtedly frustrating, we can't say that it's entirely unexpected given Apple gave us a preview of its preference for USB-C when it released its 12-in. MacBook last year. Still, it's a funky design choice for a decidedly Pro-oriented device where the last thing a prospective consumer would want to do is spend some extra cash for a dongle after spending upwards of $2,399. Lastly, while we're on the topic of ports, it's worth noting that the new MacBook Pros also do away with the beloved MagSafe connector.
An anonymous reader writes: "A team of scientists from two U.S. universities has devised a method of bypassing ASLR (Address Space Layout Randomization) protection by taking advantage of the BTB (Branch Target Buffer), a component included in many modern CPU architectures, including Intel Haswell CPUs, the processor they used for tests in their research," reports Softpedia. The researchers discovered that by blasting the BTB with random data, they could run a successful collision attack that reveals the memory locations where apps execute code in the computer's memory -- the very thing that ASLR protection was meant to hide. While during their tests they used a Linux PC with an Intel Haswell CPU, researchers said the attack can be ported to other CPU architectures and operating systems where ASLR is deployed, such as Android, iOS, macOS, and Windows. From start to finish, the collision attack only takes 60 milliseconds, meaning it can be embedded with malware or any other digital forensics tool and run without needing hours of intense CPU processing. You can read the research paper, titled "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR," here.
An anonymous reader quotes a report from Motherboard: First the headphone jack, now the USB port? Rumor has it that Apple may get rid of the USB 3.0 port and the MagSafe port (where the charger plugs in) on the next generation of MacBooks. Japanese tech site Macotakara, which accurately predicted that Apple would kill the headphone jack on the iPhone 7, now also claims that the USB port is on the way out. The move would be similar to Apple's latest 12-inch MacBook and its streamlined profile. There's also word that Apple may discontinue the 11-inch MacBook Air to focus instead on the 13-inch laptop. Discontinuing the 11-inch MacBook Air would also potentially boost sales on the 12-inch MacBook. If these rumors are in fact true, then the new MacBooks will have only USB-C and Thunderbolt 3 ports. Both of these ports are about the size of the part of an iPhone charger that plugs into the phone. But since most laptop accessories still plug in via the USB port, Apple owners might have to use an adaptor, or upgrade their technology. Meanwhile, the new MacBooks would likely be charged through the USB-C port or Thunderbolt 3 port. Currently, Apple already sells a USB-C dock with other USB and HDMI ports for $79. The USB-C port uses USB 3.1 Standard, according to PCWorld, which will connect to a wide variety of accessories, such as external hard drives, cameras, and printers. The USB 3.1 can also transfer data between the host computer and the peripheral accessories at a speed of 10 gigabits per second, which is twice as fast as the USB 3.0. Apple is expected to reveal the new Macs at an October 27th event in Cupertino, California.
Evernote has sent an email to users warning of a serious bug "in some versions of Evernote for Mac that can cause images and other attachments to be deleted from a note under specific conditions." The company claims only "a small number of people" are affected, but those who have received the email will need to update their Mac app as soon as possible. The glitch occurs in the September version of the software, and less frequently in the versions released since June. TechCrunch reports: In these applications, certain sequences of events can cause an image or other attachments to be deleted from notes without warning, but text is not affected. For example, the bug can be triggered by skimming quickly through a large number of notes, Evernote says. The email explains that once the company identified the problem, it worked quickly to implement a solution and attempted to restore all lost data. The issue was under discussion in Evernote's forums earlier this month. For heavy Evernote users, the bug could have a major impact. One user in the forums posted that they had 20,000 notes in their Evernote account, as part of their PhD research. Hundreds (or maybe even thousands) of their notes may have now become corrupted, according to their post. Unfortunately for some affected users, data recovery was not possible through automated means, the company's email stated. Instead, Evernote is advising those users who are missing attachments to use Evernote's note history feature in Evernote Premium to try to recover the missing data.
An anonymous reader quotes a report from Ars Technica: Yesterday, software developer John Brooks released what is clearly a work of pure love: the first update to an operating system for the Apple II computer family since 1993. ProDOS 2.4, released on the 30th anniversary of the introduction of the Apple II GS, brings the enhanced operating system to even older Apple II systems, including the original Apple ][ and ][+. Which is pretty remarkable, considering the Apple ][ and ][+ don't even support lower-case characters. You can test-drive ProDOS 2.4 in a Web-based emulator set up by computer historian Jason Scott on the Internet Archive. The release includes Bitsy Bye, a menu-driven program launcher that allows for navigation through files on multiple floppy (or hacked USB) drives. Bitsy Bye is an example of highly efficient code: it runs in less than 1 kilobyte of RAM. There's also a boot utility that is under 400 bytes -- taking up a single block of storage on a disk. The report adds: "In addition to the Bitsy Boot boot utility, the ProDOS 2.4 'floppy' includes a collection of utilities, including a MiniBas tiny BASIC interpreter, disk imaging programs to move files from physical floppies to USB and other disk storage, file utilities, and the 'Unshrink' expander for uncompressing files archived with Shrinkit."
An anonymous reader writes from a report via Softpedia: An attacker can use a modified USB Ethernet adapter to fool Windows and Mac computers into giving away their login credentials. The attack relies on using a modified USB Ethernet adapter that runs special software, which tricks the attacked computer into accepting the Ethernet adapter as the network gateway, DNS, and WPAD server. The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device. Even worse, when installing the new (rogue) USB Ethernet adapter, the computer will give out the local credentials needed to install the device. The custom software installed on the USB intercepts these credentials and logs them to an SQLite database. This attack can take around 13 seconds to carry out, and the USB Ethernet adapter can be equipped with an LED that tells the attacker when the login credentials have been stolen.
New reader puenktli writes: Just five months after Transmission was infected with the first 'ransomware' ever found on the Mac, the popular BitTorrent client is again at the center of newly uncovered OS X malware. Researchers at security website We Live Security have discovered the malware, called OSX/Keydnap, was spread through a recompiled version of Transmission temporarily distributed through the client's official website. OSX/Keydnap executes itself in a similar manner as the previous Transmission ransomware KeRanger, by adding a malicious block of code to the main function of the app, according to the researchers. Likewise, they said a legitimate code signing key was used to sign the malicious Transmission app, different from the legitimate Transmission certificate, but still signed by Apple and thereby able to bypass Gatekeeper on OS X.
prisoninmate writes from a report via Softpedia: LibreOffice 5.2 is finally here, after it has been in development for the past four months, during which the development team behind one of the best free office suites have managed to implement dozens of new features and improvements to most of the application's components. Key features include more UI refinements to make it flexible for anyone, standards-based document classification, forecasting functions in Calc, the spreadsheet editor, as well as lots of Writer and Impress enhancements. A series of videos are provided to see what landed in the LibreOffice 5.2 office suite, which is now available for download for GNU/Linux, Mac OS X, and Microsoft Windows operating systems.
An anonymous reader writes from a report via The Next Web: The Safari browser included in Apple's iOS 10 and macOS Sierra software is testing WebP, technology from Google that allows developers to create smaller, richer images that make the web faster. Basically, it's a way for webpages to load more quickly. The Next Web reports: "WebP was built into Chrome back at build 32 (2013!), so it's not unproven. It's also used by Facebook due to its image compression underpinnings, and is in use across many Google properties, including YouTube." Microsoft is one of the only major players to not use WebP, according to CNET. It's not included in Internet Explorer and the company has "no plans" to integrate it into Edge. Even though iOS 10 and macOS Sierra are in beta, it's promising that we will see WebP make its debut in Safari latest this year. "It's hard to imagine Apple turning away tried and true technology that's found in a more popular browser -- one that's favored by many over Safari due to its speed, where WebP plays a huge part," reports The Next Web. "Safari is currently the second most popular browser to Chrome." What's also interesting is how WebP isn't mentioned at all in the logs for Apple's Safari Technology Preview.
theodp writes: The Verge reports Apple is making good on an earlier threat to create a reality TV show about app developers. An open casting call has been issued for "Planet of the Apps," with the goal of finding "100 of the world's most talented app creators" -- news which VentureBeat suggests must be making Steve Jobs' ghost weep. Apple has teamed up with Propagate, a new production company created by the producer of "The Biggest Loser." The description of the show says: "Join us on the search for the next great app in a new original series. Those selected will have the chance to receive hands-on guidance from some of the most influential experts in the tech community, featured placement on the App Store, and funding from top-tier VCs." The show is expected to be released in 2017.
Reader itwbennett writes: Researchers from Cisco Systems' Talos group have found three memory corruption errors in the widely used open-source library libarchive that can result in arbitrary code execution and can be exploited by passing specially crafted files to applications that contain the vulnerable code. "The library is used by file and package managers included in many Linux and BSD systems, as well as by components and tools in OS X and Chrome OS," writes Lucian Constantin. "Developers can also include the library's code in their own projects, so it's hard to know how many other applications or firmware packages contain it." (Original blog post) So, while the libarchive maintainers have released patches for the flaws, it will likely take a long time for them to trickle down through all the affected projects.
An anonymous reader quotes a report from Network World: Ahead of Apple's WWDC keynote this year, one of the more bizarre and sketchy rumors we saw take shape claimed that Apple was planning to deliver iMessage to Android. As is typically the case, the rumor mill took this somewhat ridiculous rumor and ran with it. The only problem is that some people were so busy trying to figure out the ramifications of iMessage hitting Android that they didn't take a step back and try and figure out if this is something Apple would even contemplate in the first place. Remember, every move Apple makes is strategic and geared towards making more money, either via device sales or software. That being the case, iMessage on Android would not only be a free app, but it would also eliminate a user-experience advantage of iOS. Interestingly enough, Walt Mossberg of The Verge asked a senior Apple executive about the rumor whereupon the nameless executive all but indicated that iMessage will never be coming to Android. Walt Mossberg writes: "First, he said, Apple considers its own user base of 1 billion active devices to provide a large enough data set for any possible AI learning the company is working on. And, second, having a superior messaging platform that only worked on Apple devices would help sales of those devices -- the company's classic (and successful) rationale for years."
An anonymous reader writes: At their Worldwide Developers Conference in San Francisco today, Apple CEO Tim Cook said, "We believe coding should be a required language in all schools." To help achieve this goal, Apple introduced Swift Playgrounds, a new app that is meant to teach kids basic coding skills in Apple's chosen language. It teaches concepts like loops and conditionals, and uses an animated character tasked with performing simple challenges in a digital maze to help make learning fun. The app also offers suggested coding languages and will be completely free. Tim Cook described it as "a powerful new way for kids to learn to code," and went on to compare writing code to basic literacy. "I wish Swift Playgrounds was around when I was first learning to code," said Apple's senior vice president of Software Engineering Craig Federighi. "Swift Playgrounds is the only app of its kind that is both easy enough for students and beginners, yet powerful enough to write real code. It's an innovative way to bring real coding concepts to life and empower the next generation with the skills they need to express their creativity." Apple announced a host of new features and improvements made to iOS and Mac OS X. Not only did they announce that OS X will now be called macOS, but the first version update will be called macOS Sierra. One of the biggest new features of the new OS is support for Siri.
An anonymous reader quotes a report from Mac Rumors: A large number of MacBook Pro owners running OS X El Capitan are reporting widespread system freezes since installing the 10.11.4 update to Apple's Mac OS. The problem appears to be concentrated on 13-inch Retina MacBook Pros (Early 2015) running 10.11.4. Users report that their system becomes totally unresponsive at seemingly random times, with no way to regain access to their Mac other than to force a hard reboot. The issue was initially reported by MacRumors forum member Antonnn on March 25, four days after Apple released what is the third update to the Mac OS. In Antonnn's case, the freezes have been occurring "about once a week," first when browsing in Safari, but then also during the use of other Mac apps, including Adobe Photoshop and several third-party browsers. The freeze seems to affect not only the screen and mouse cursor but also the Mac's Force Touch trackpad, which completely loses feedback. Apple Support is apparently aware of the issue but has so far offered no concrete solution. Meanwhile, some users have resorted to downgrading their system to 10.11.3 by restoring from a Time Machine backup or performing a clean install. Hundreds of others have posted to a dedicated thread discussing the issue. Bill Mattheis posted a video on YouTube of the freezing he has experienced on his MacBook Pro.
An anonymous reader writes: Recent Mac versions come bundled with a very old version of Git (2.6.4) that is vulnerable to two security flaws that allow attackers to execute code on the device when the user forks a Git repo holding "malicious" code. The problem is that users can't upgrade this Git repo, they can't change its runtime permissions, nor can they remove it because Apple blocks even root users from twiddling with some system-level programs. "If you rely on machines like this, I am truly sorry. I feel for you," the researcher wrote on her blog. "I wrote this post in an attempt to goad them [Apple] into action because this is affecting lots of people who are important to me. They are basically screwed until Apple deigns to deliver a patched git unto them."
Opera co-founder and former CEO Jon von Tetzchner on Wednesday launched v1.0 of the Vivaldi browser. Vivaldi v1.0, which is aimed at "power users", is available to download from the company's website for Windows, OS X, and Linux platforms. The Oslo, Norway company has been working on it since 2013. Vivaldi offers a range of features such as support for Chrome extensions, Tab Stacks, Rewind and Fast Forward, and built-in support for custom keyboard shortcuts and mouse gestures. There are plenty of other handy tools, including the ability to check how much data a Web page has consumed in real time.