Upgrading Your Unsupported Mac to Mojave

macOS Mojave was released last night. As is often the case with major macOS updates, Mojave dropped support for a slew of older platforms. But just because Apple doesn’t support installing Mojave on older computers doesn’t mean that it can’t be installed. dosdude1 has a utility that allows you to install Mojave on a lot of officially unsupported Macs.

I’ve used his patch utility to get High Sierra on my unsupported 2010 MacBook Pro and haven’t had any issues. I attempted to upgrade my 2010 Mac Mini to Mojave last night but discovered that the utility currently has a problem decrypting encrypted APFS containers. dosdude1 is aware of this problem and will hopefully be able to figure out what is going on so it can be fixed. However, if your older Mac isn’t utilizing APFS or FileVault 2 (which it really should be utilizing), you should be good to go.

Cloudflare Makes Tor Use More Bearable

One of the biggest annoyances of using the Tor Browser is that so many sites that rely on Cloudflare services throw up CAPTCHA challenges before allowing you to view content. Yesterday Cloudflare announced a change to its service that should make life more bearable for Tor users:

Cloudflare launched today a new service named the “Cloudflare Onion Service” that can distinguish between bots and legitimate Tor traffic. The main advantage of this new service is that Tor users will see far less, or even no CAPTCHAs when accessing a Cloudflare-protected website via the Tor Browser.

The new Cloudflare Onion Service needed the Tor team to make “a small tweak in the Tor binary,” hence it will only work with recent versions of the Tor Browser – the Tor Browser 8.0 and the new Tor Browser for Android, both launched earlier this month.

Hallelujah!

Uncontrolled Release of Energy

Your smartphone has a rather sizable appetite for energy. To keep it running just for one day it needs a battery that is capable of storing a rather notable amount of energy. The same is true for your laptop, tablet, smartwatch, and any other sophisticated portable electronic device. For the most part we never think about the batteries that power our portable electronics until they degrade to such a point that we find ourselves recharging them more often than we’re comfortable with. But what happens when something besides the usual wear and tear goes wrong with our batteries? What happens if a battery decides to release its stored energy all at once? This is a problem plaguing companies that specialize in recycling electronics:

MADISON, Wis. — What happens to gadgets when you’re done with them? Too often, they explode.

As we enter new-gadget buying season, spare a moment to meet the people who end up handling your old stuff. Isauro Flores-Hernandez, who takes apart used smartphones and tablets for a living, keeps thick gloves, metal tongs and a red fireproof bin by his desk here at Cascade Asset Management, an electronics scrap processor. He uses them to whisk away devices with batteries that burst into flames when he opens them for recycling.

One corner of his desk is charred from an Apple iPhone that began smoking and then exploded after he opened it in 2016. Last year, his co-worker had to slide away an exploding iPad battery and evacuate the area while it burned out.

Due to their popularity, lithium-ion batteries are receiving a lot of attention at the moment but the problem of uncontrolled energy release isn’t unique to them. Anything capable of storing energy so that it can be released in a controlled manner can suffer a failure that causes the energy to be released in an uncontrolled manner. Consider the gas tank in your vehicle. Under normal operating conditions the energy stored in your gas tank is released in a controlled manner by your engine. But a crash can cause the energy to be released in an uncontrolled manner, which results in a fire or explosion.

Anything that can store a large quantity of energy should be treated with respect. If you’re repairing your smartphone or laptop, be careful around the battery. If you smell something odd coming from one of your battery-powered devices, put some distance between it and yourself (and anything that can catch fire and burn).

You Are Responsible for Your Own Security

One of the advertised advantages of Apple’s iOS platform is that all software loaded onto iOS devices has to be verified by Apple. This so-called walled garden is meant to keep the bad guys out. However, anybody who studies military history quickly learns that sitting behind a wall is usually a death sentence. Eventually the enemy breaches the wall. Enemies have breached Apple’s walls before and they continue to do so:

In a blog post entitled “Location Monetization in iOS Apps,” the Guardian team detailed 24 applications from the Apple iOS App Store that pushed data to 12 different “location-data monetization firms”—companies that collect precise location data from application users for profit. The 24 identified applications were found in a random sampling of the App Store’s top free applications, so there are likely many more apps for iOS surreptitiously selling user location data. Additionally, the Guardian team confirmed that one data-mining service was connected with apps from over 100 local broadcasters owned by companies such as Sinclair, Tribune Broadcasting, Fox, and Nexstar Media.

iOS has a good permission system and users can prevent apps from accessing location information but far too many people are willing to grant access to their location information to any application that asks. If a walled garden were perfectly secure, users wouldn’t have to worry about granting unnecessary permissions because the wall guards wouldn’t allow anything malicious inside. Unfortunately, the wall guards aren’t perfect and malicious stuff does get through, which brings me to my second point.

What happens when a malicious app manages to breach Apple’s walled garden? Ideally it should be immediately removed but the universe isn’t ideal:

Adware Doctor is a top app in Apple’s Mac App Store, sitting at number five in the list of top paid apps and leading the list of top utilities apps, as of writing. It says it’s meant to prevent “malware and malicious files from infecting your Mac” and claims to be one of the best apps to do so, but unbeknownst to its users, it’s also stealing their browser history and downloading it to servers in China.

In fairness to Apple, the company did eventually remove Adware Doctor from its app store. Eventually is the keyword though. How many other malicious apps have breached Apple’s walled garden? How long do they manage to hide inside of the garden until they are discovered and how quickly do the guards remove them once they are discovered? Apparently Apple’s guards can be a bit slow to react.

Even in a walled garden you are responsible for your own security. You need to know how to defend yourself in case a bad guy manages to get inside of the defensive walls.

Why Connecting Things to the Internet Doesn’t Give Me Warm Fuzzies

The trend in seemingly every market is to take features that function perfectly well without an Internet connection and make them dependent on an Internet connection. Let’s consider two old automobile features: remote door unlocking and engine starting. Most modern vehicles have the former and many now come equipped with the latter. These features are usually activated by a remote control that is attached to your key chain and have a decent range (the remote for my very basic vehicle can reliably start the engine through several walls). Tesla decided that such a basic feature wasn’t good enough for its high-tech cars and instead tied those features to the Internet. Needless to say, the inevitable happened:

Tesla’s fleet network connection is currently down, which means that owners of the EV brand of cars aren’t able to sign into the mobile app. Unfortunately, this means that they can’t remote start or remote unlock their cars, and they’re also unable to monitor their car’s charging status.

In all fairness, this isn’t an issue unique to Tesla. Any product that makes features dependent on an Internet connection will run into service outages at one point or another. Your “smart” coffee maker’s service will eventually go down, which will force you to walk over and press the brew button like a goddamn barbarian instead of kicking off the brew cycle from an app as you continue lying in bed.

When these Internet-dependent features really bite you in the ass though is when the service provider goes out of business, especially if the product itself cannot operate without the Internet service. There are a lot of current “smart” devices that will soon end up in a landfill not because they mechanically failed but because their service provider went bankrupt. While the features that became unavailable when Tesla’s service went down weren’t critical for the functionality of the vehicle, no longer being able to remotely unlock doors, start the engine, or check the charging status would really degrade the overall user experience of the company’s vehicles.

Going the Way of Cable

Cable companies have been feeling pressure from Internet streaming services. Every day more people appear to be waking up to the fact that paying money to watch a bit of interesting content between commercials isn’t a great proposition. The glory days of ad-free subscription streaming services may be coming to an end though. Last week Netflix began experimenting with displaying ads to customers:

Now Netflix users might start to see ads for other shows during those countdown seconds, as the streaming giant has said it is testing out recommendations.

“We are testing whether surfacing recommendations between episodes helps members discover stories they will enjoy faster,” it said in a statement given to the website Cord Cutters.

Following in Netflix’s footsteps is Twitch, which announced that it will soon be stripping paying subscribers of their ad-free experience:

As we have continued to add value to Twitch Prime, we have also re-evaluated some of the existing Twitch Prime benefits. As a result, universal ad-free viewing will no longer be part of Twitch Prime for new members, starting on September 14.

Twitch Prime members with monthly subscriptions will continue to get ad-free viewing until October 15. If you already have an annual subscription, or if you upgrade to an annual subscription before September 14, you will continue with ad-free viewing until your next renewal date.

I’m always amused by how marketing departments try to spin the fact that their customers will be paying the same amount and receiving less. Netflix’s department has the easier task because at the moment the ads are house ads, not for third-party products. But if the company’s subscribers don’t revolt over this those house ads will begin to feature “favored partners” and if subscribers don’t revolt after that, anybody with some money in hand will be able to buy ads.

Twitch Prime’s marketing department had to justify its company’s actions by claiming that its move is good for streamers, err, creators (goddamn I love marketing speak) and then pointing out that all of the other benefits will remain as they were… until they’re eventually stripped or watered down as well.

The only solace to the cablefication of Internet streaming services is that a competitor will likely arise that will provide content without ads to paying customers, at least long enough to steal a bunch of disgruntled Netflix and Twitch customers. Then, of course, the cycle will begin anew.

Another Day, Another Exploit Discovered in Intel Processors

The last couple of years have not been kind to processor manufacturers. Ever since the Meltdown and Spectre attacks were discovered, the speculative execution feature that is present on most modern processors has opened the door to a world of new exploits. However, Intel has been hit especially hard. The latest attack, given the fancy name Foreshadow, exploits the speculative execution feature on Intel processors to bypass security features meant to keep sensitive data out of the hands of unauthorized processes:

Foreshadow is a speculative execution attack on Intel processors which allows an attacker to steal sensitive information stored inside personal computers or third party clouds. Foreshadow has two versions, the original attack designed to extract data from SGX enclaves and a Next-Generation version which affects Virtual Machines (VMs), hypervisors (VMM), operating system (OS) kernel memory, and System Management Mode (SMM) memory.

It should be noted that, as the site says, this exploit is not known to work against ARM or AMD processors. However, it would be wise to keep an eye on this site. The researchers are still performing research on other processors and it may turn out that this attack works on processors not made by Intel as well.

As annoying as these hardware attacks are, I’m glad that the security industry is focusing more heavily on hardware. Software exploits can be devastating but if you can’t trust the hardware that the software is running on, no amount of effort to secure the software matters.

Nothing But the Best

What’s the worst that could happen if the programmer for your pacemaker accepts software updates that aren’t digitally signed or delivered via a secure connection? It could accept a malicious software update that when pushed to your pacemaker could literally kill you. With stakes so high you might expect the manufacturer of such a device to have a vested interest in fixing it. After all, people keeling over dead because you didn’t implement basic security features on your product isn’t going to make for good headlines. But it turns out that that isn’t the case:

At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they’re implanted in patients.

Because updates for the programmer aren’t delivered over an encrypted HTTPS connection and firmware isn’t digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.

Killing people through computer hacks has been a mainstay of Hollywood for a long time. When Hollywood first used that plot point, it was unlikely. Today software is integrated into so many critical systems that that plot point is feasible. Security needs to be taken far more seriously, especially by manufacturers that develop such critical products.

Optimism

The American Civil Liberties Union (ACLU), which finds its spine from time to time, is pointing out what it believes are limitations of Amazon’s facial recognition system:

The American Civil Liberties Union of Northern California said Thursday that in its new test of Amazon’s facial recognition system known as Rekognition, the software erroneously identified 28 members of Congress as people who have been arrested for a crime.

Emphasis mine.

The only flaw I see in Amazon’s facial recognition system is that it’s too optimistic. As the identified members of Congress are members of Congress they deserve to be arrested.

Don’t Be Evil

There seems to be a rule that startups appeal to and play by standards while those at the top disregard standards in order to toss wrenches into their competitors’ machinery. In Google’s early days it was a fan of standards. Now that it’s at the top of the pyramid, it seems less enthusiastic about them and has demonstrated a willingness to disregard them, usually when doing so appears to cause some issues for its competitors:

YouTube page load is 5x slower in Firefox and Edge than in Chrome because YouTube’s Polymer redesign relies on the deprecated Shadow DOM v0 API only implemented in Chrome.

Now that Google’s browser owns the market, it appears to be pulling the same stunt Microsoft pulled when Internet Explorer was the dominant browser. By redesigning YouTube and having it rely on a deprecated API that is only currently supported in Chrome, Google has effectively made its browser appear faster than Firefox or Edge. End users who know nothing about such matters will only see that Chrome appears to load YouTube faster and use that criterion to declare it the best browser.

This is just the latest move in a series of moves that Google has taken that demonstrates that its old slogan, “Don’t be evil,” was meant only to develop goodwill with the community long enough to become the top dog. Now that it’s the top dog it’s more than happy to be evil.