Archive for October 5, 2018

Friday, October 5, 2018 [Tweets] [Favorites]

T2 Macs Require Apple-Authorized Repair

Jordan Kahn:

Apple has recently documented a new data recovery process internally for Macs that utilize its T2 chip introduced with the iMac Pro and the 2018 MacBook Pro. The new process for repair staff is being introduced due to the T2 chip’s advanced security features including hardware encryption for SSD storage that isn’t compatible with Apple’s previous data recovery methods used on older machines.

Joe Rossignol:

Due to advanced security features of the Apple T2 chip, iMac Pro and 2018 MacBook Pro models must pass Apple diagnostics for certain repairs to be completed, according to an internal document from Apple obtained by MacRumors.

[…]

If any of these parts are repaired in an iMac Pro or 2018 MacBook Pro, and the Apple diagnostics are not run, this will result in an inoperative system and an incomplete repair, according to Apple’s directive to service providers.

Jason Koebler (Hacker News):

The software lock will kick in for any repair which involves replacing a MacBook Pro’s display assembly, logic board, top case (the keyboard, touchpad, and internal housing), and Touch ID board. On iMac Pros, it will kick in if the Logic Board or flash storage are replaced. The computer will only begin functioning again after Apple or a member of one of Apple’s Authorized Service Provider repair program runs diagnostic software called Apple Service Toolkit 2.

A separate internal training presentation obtained by Motherboard about how to use the diagnostics states that the “Apple Service Toolkit and Apple Service Toolkit 2 are available only to persons working at Apple-authorized service facilities.” This means that it will become impossible for you to repair your new MacBook Pro at home, or for an independent repair provider to repair it for you.

Dave Mark:

I can’t imagine, if true, that this is an effort from Apple to keep all those sweet, sweet repair dollars all to themselves. I’d expect this has something to do with protecting the chain of security, preventing malware from somehow gaining a foothold.

Previously: Apple Fighting New “Right to Repair” Legislation.

Update (2018-10-09): Adam O’Camb (Hacker News):

This service document certainly paints a grim picture, but ever the optimists, we headed down to our friendly local Apple Store and bought a brand new 2018 13” MacBook Pro Touch Bar unit. Then we disassembled it and traded displays with our teardown unit from this summer. To our surprise, the displays and MacBooks functioned normally in every combination we tried. We also updated to Mojave and swapped logic boards with the same results.

That’s a promising sign, and it means the sky isn’t quite falling—yet. But as we’ve learned, nothing is certain.

Update (2018-10-10): Nick Heer:

Rather than compromising the security and privacy of their products, I’d like to see more progress made on certifying independent technicians and making Apple’s official tools more accessible. The security threat model isn’t the same as it once was; your phone probably has a lot more information on it than your computer of ten years ago. Yes, it’s more complicated to replace parts now, but it’s not entirely because companies like Apple want to lock out independent repair shops. Apple’s diagnostic tools could play a great role in this: imagine if you could take a printed report of a successful repair and type in a serial number on Apple’s website to verify that your device was serviced with genuine parts and passed Apple’s testing.

SMS Text Message Login Codes Autofill But Remain Insecure

Glenn Fleishman:

Sites originally chose to use SMS-based code validation for 2FA to lower the barriers to  2FA—more people understand SMS than authentication apps. And, regardless of the vulnerabilities of SMS, it’s far better to use a second factor than not, because it deters wholesale attacks against accounts. Even if an attacker gained access to all the decrypted passwords for a service, every account with 2FA enabled would still be able to resist unauthorized logins. But SMS-based 2FA is vulnerable to targeted attacks and identity theft.

Apple’s proprietary 2FA system for macOS and iOS remains extremely robust, but it still allows the use of SMS and voice calls as a backup when trusted devices aren’t available.

[…]

While it’s admirable Apple has streamlined SMS code entry, it would be even more so if the company would kickstart the move away from SMS.

Finding and Exploiting Safari Bugs Using Publicly Available Tools

Ivan Fratric (Hacker News):

The original advisories most likely didn’t include all the issues because Apple wanted to wait for the issues to also be fixed on MacOS before adding them. However, this practice is misleading because customers interested in the Apple security advisories would most likely read them only once, when they are first released and the impression they would to get is that the product updates fix far less vulnerabilities and less severe vulnerabilities than is actually the case.

Furthermore, the practice of not publishing fixes for mobile or desktop operating systems at the same time can put the desktop customers at unnecessary risk, because attackers could reverse-engineer the patches from the mobile updates and develop exploits against desktop products, while the desktop customers would have no way to update and protect themselves.

Why Matthew Green Is Done With Chrome

Matthew Green (Hacker News):

In this setting, Chrome was a beautiful solution. Even if the browser never produced a scrap of revenue for Google, it served its purpose just by keeping the Internet open to Google’s other products. As a benefit, the Internet community would receive a terrific open source browser with the best development team money could buy. This might be kind of sad for Mozilla (who have paid a high price due to Chrome) but overall it would be a good thing for Internet standards.

[…]

A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you.

[…]

Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they’ve given don’t make any sense.

This change has enormous implications for user privacy and trust, and Google seems unable to grapple with this.

Chris Siebenmann:

In theory, I’m not affected by this behavior. I almost never log into any Google site in the first place and I’m basically always doing so in incognito mode, where this doesn’t (currently) apply. In practice, this has pushed me to deciding that this is a bridge too far and I no longer want to use Chrome if I can avoid it, and fortunately I can these days.

Paul Frazee:

There’s a reason people are reacting to Chrome like this. This isn’t an overreaction over one single event. It’s a delayed reaction to a pattern of bad behavior.

It’s contextualized by the very messed-up power dynamic between Google and the open Web.

Matthew Green (Hacker News):

The tech backlash even caused Google to back down, sort of. It announced a forthcoming update last Wednesday: Chrome’s auto-sign-in feature will still be the default behavior of Chrome. But you’ll be able to turn it off through an optional switch buried in Chrome’s settings.

This pattern of behavior by tech companies is so routine that we take it for granted. Let’s call it “pulling a Facebook” in honor of the many times that Facebook has “accidentally” relaxed the privacy settings for user profile data, and then—following a bout of bad press coverage—apologized and quietly reversed course. A key feature of these episodes is that management rarely takes the blame: It’s usually laid at the feet of some anonymous engineer moving fast and breaking things.

Update (2018-10-18): Renaud Lienhart:

WTH: Chrome is now forcing you to “Hold ⌘Q to quit”, breaking one of the most sacrosanct macOS convention.

It’s not as though it will forget the open tabs when you quit.

Facebook Access Tokens Stolen

Guy Rosen (Hacker News, MacRumors):

On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.

Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As” a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

Will Oremus:

Facebook’s Guy Rosen just confirmed that the breach would have allowed hackers to access not only your Facebook account, but your accounts on other sites where you used Facebook as your login.

Also—separate from the question of third-party apps—Facebook says users affected by the breach who have Instagram or Oculus accounts linked to their Facebook account will have to un-link and re-link them.

See also: Mike Isaac and Sheera Frenkel, Nick Heer.

Update (2018-10-16): Glenn Chapman:

Facebook said Friday that hackers accessed personal data of 29 million users in a breach at the world’s leading social network disclosed late last month.

The company had originally said up to 50 million accounts were affected in a cyberattack that exploited a trio of software flaws to steal “access tokens” that enable people to automatically log back onto the platform.

“We now know that fewer people were impacted than we originally thought,” Facebook vice president of product management Guy Rosen said in an online post.

See also: Facebook, Ryan Mac (tweet).