Archive for December 8, 2017

Friday, December 8, 2017 [Tweets] [Favorites]

SuperDuper 3.1 Supports APFS Snapshots for Both Source and Destination

Dave Nanian (tweet):

This means you don’t just have to copy from the drive as it is “now” (the default choice). You can select from any existing snapshot, and we’ll copy the state of the files as they were at that time.

[…]

That means there’s not just one available backup on the drive—if you’ve been using Smart Update, there are many! Start up from your backup drive, click the triangle, and you’ll be presented with a list of available snapshots. Pick one, “Copy Now”, and you’ve restored a day ago’s backup, or a week ago’s.

[…]

In fact, not only can you use SuperDuper to copy from these snapshots, you can even open Time Machine, select your backup volume, and see older versions of files, deleted files - they’re all being saved, automatically, every time you Smart Update. Even though you’re not backing up your backup to Time Machine.

[…]

Snapshots are managed by the system, and at present they have some lightly-to-not documented constraints. You need to have about 20% free in a container to create a snapshot, and the system consolidates and removes snapshots according to its own logic.

This may be the best reason to update to macOS 10.13 High Sierra. And I would consider backup drives to be an exception to the general rule of not using APFS with spinning hard drives.

Mailsploit

Sabri Haddouche:

Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters.

Bugs were found in over 30 applications, including prominent ones like Apple Mail (macOS, iOS and watchOS), Mozilla Thunderbird, various Microsoft email clients, Yahoo! Mail, ProtonMail and others.

Via Benny Kjær Nielsen:

In short, it tricks some email clients into finding the wrong email address within an email address header like “From”. The email client would then display the wrong sender. The definition of “wrong” here is based on RFC5322.

It is important to understand that spoofing a “From” header has always been easy and, in my opinion, it is still easy.

[…]

In the most recent test release of MailMate I’ve added the following improvement: Whenever the name part of an address header contains a @ then it’s replaced with a skull (💀). That should at least make the user aware of simple attempts to spoof an address header.

SpamSieve 2.9.29 is vulnerable to the spoofing problem, which could manifest as a whitelist rule matching a message that was not actually “from” that address. This is fixed in the public beta.

EagleFiler 1.8.1 is not affected by the spoofing.

Neither is affected by the code injection attacks.

Null characters can cause all sorts of problems outside of e-mail. For example, testing my fix for this bug crashed Xcode’s SourceKitService.

Update (2017-12-08): Here’s the Thunderbird tracking bug.

HomeKit Vulnerability Allowed Remote Access to Smart Accessories Including Locks

Zac Hall:

A HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated to 9to5Mac that allows unauthorized control of accessories including smart locks and garage door openers. Our understanding is Apple has rolled out a server-side fix that now prevent unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality.

[…]

The issue was not with smart home products individually but instead with the HomeKit framework itself that connects products from various companies.

[…]

I would also like to know — just like with the root security issue that affected the Mac last week — that the development process that led to this vulnerability shipping and the issue remaining live for weeks without users knowing is audited and changes are made if possible.

Update (2017-12-13): Lily Hay Newman:

And while Apple has earned a strong reputation for security, a string of significant vulnerabilities in macOS and iOS have strained Apple’s safety net—and led some security researchers and developers to question whether the issues are systemic.

[…]

“In my opinion, Apple’s desire to get all of its platforms—iOS, macOS, watchOS, and tvOS—on the same public relations, product management, and marketing-friendly annual release cycle is starting to take a toll,” says Pepijn Bruienne, a research and development engineer at Duo Security who focuses on Apple products.

Juli Clover:

The iOS 11.2.1 update addresses bugs and issues that have been discovered since the release of iOS 11.2.

According to Apple’s release notes, the update re-enables remote access for shared users of the Home app. Apple broke remote access for shared users when implementing a fix for a major HomeKit vulnerability last week.

Update (2017-12-18): Phil Schiller:

We just had a bad week. A couple of things happened, that’s all. The team is going to audit the systems and look carefully at the process and do some soul-searching, and do everything that they can to keep this from happening again.

ProtonMail Introduces IMAP/SMTP Bridge

Tim Hardwick:

Basically, the downloadable Bridge app enables ProtonMail users to access their encrypted email accounts using their favorite email client, without compromising on the security provided by the end-to-end encrypted service, and without needing to modify their email application. At the same time, local copies of the emails are stored on the user’s computer, allowing them to use the search features of their email client as normal.

To achieve this, the Bridge app functions like a local IMAP/SMTP email server capable of communicating with the remote ProtonMail server to encrypt and decrypt incoming/outgoing messages locally. In this way, it translates end-to-end encrypted email data into a language that any email client can understand, thus “bridging” the gap between ProtonMail’s end-to-end encryption and a user’s standard email client.

How Brands Secretly Buy Their Way Into Stories

Jon Christian:

Interviews with more than two dozen marketers, journalists, and others familiar with similar pay-for-play offers revealed a dubious corner of online publishing in which publicists, ranging from individuals like Satyam to medium-sized “digital marketing firms” that blur traditional lines between advertising and public relations, quietly pay off journalists to promote their clients in articles that make no mention of the financial arrangement.

People involved with the payoffs are extremely reluctant to discuss them, but four contributing writers to prominent publications including Mashable, Inc, Business Insider, and Entrepreneur told me they have personally accepted payments in exchange for weaving promotional references to brands into their work on those sites. Two of the writers acknowledged they have taken part in the scheme for years, on behalf of many brands.

[…]

One of them, a contributor to Fast Company and other outlets who asked not to be identified by name, described how he had inserted references to a well-known startup that offers email marketing software into multiple online articles, in Fast Company and elsewhere, on behalf of a marketing agency he declined to name. To make the references seem natural, he said, he often links to case studies and how-to guides published by the startup on its own site. Other times, he’ll just praise a certain aspect of the company’s business to support a point in an otherwise unrelated story.

I get requests like these from time to time and have always declined them.

Nick Heer:

An important update to a story I linked to two weeks ago about an Android system service that was collecting location data even when location services were switched off — according to Tony Romm of Recode, Oracle seeded that story to Quartz as part of a PR campaign against Google[…]

[…]

But I don’t necessarily think this reflects poorly on Oracle; if anything, it shakes my confidence in Quartz’s reporting. I don’t know what Quartz’s sourcing attribution guidelines are, but the New York Times’ style guide indicates that a source’s interest in the story should be communicated to readers as candidly as possible. In their story, Quartz did not indicate how they were tipped-off to Android’s behaviour.