Archive for October 25, 2018

Thursday, October 25, 2018 [Tweets] [Favorites]

Arq Cloud Backup 1.0

Haystack Software:

Arq Cloud Backup is now available! It comes with its own cloud storage, for folks who don’t want to manage the storage separately from the app. Plus it’s super fast!

I like and use regular Arq, but it’s too hard for less technical users to set up. Arq Cloud Backup is a completely separate app that uses its own cloud service, like CrashPlan or Backblaze. And, like those services, you can restore files from a Web interface, which is not possible with regular Arq.

The price is $5.99/month per computer or 1 TB. I did not see any information about the cloud storage provider.

Update (2018-10-26): The cloud provider is Wasabi.

Previously: Arq 5.9 Adds Backblaze B2 and Wasabi Support.

Update (2018-10-31): Haystack Software:

Just changed Arq Cloud Backup pricing to unlimited computers. Just pay $5.99/month per TB of total backups across all your computers

Mojave Fixes QuickLook Cache Vulnerability With a DataVault

Howard Oakley:

I’m delighted to report that Apple has responded to this issue in macOS 10.14 Mojave, and made the QuickLook cache altogether inaccessible, although I wait for news from Wojciech and/or Patrick that they’ve managed to wheedle their way around the new defences! So you can now trash those two apps, which have also been deprived of any access to the QuickLook cache.

What has Apple done? It has locked the QuickLook cache folder away from apps using sandboxing.

[…]

“/var/folders/t9/[long ID]/C/com.apple.QuickLook.thumbnailcache” is a DataVault, which is a new type of privacy container that Apple introduced sometime around 10.13.4. These files/folders are identified by the “UF_DATAVAULT” file flag. These are implemented via SIP (not technically sandboxing, but the same gist). Applications need an entitlement to make or access specific data vaults, or even to stat() a DataVault folder.

These devices are worth some deeper investigation. Apple doesn’t (and apparently has no plans to) issue these entitlements to third-parties. Consider the implications of that – Apple is creating a platform where only data created in Apple applications gets the highest level of security.

Also consider that you (the user) can’t see what’s in these DataVaults without turning off SIP. It’s hard to tell what Apple is keeping in these, but some of them are a bit alarming.

It seems like this fix can still leak private data. If you use Quick Look to view files on an encrypted volume, they could be cached in the DataVault on the boot volume. They could then be exposed by turning off SIP, which only requires the password to the Mac, not the password to the encrypted volume.

Note that DataVaults are not accessible to the user or regular apps, even if you give them Full Disk Access. So their contents are not backed up and can’t be cloned.

Howard Oakley:

macOS Mojave is Apple’s most complex Mac operating system in terms of the controls which it places over access to files and folders. If you still think that this is all done by regular POSIX permissions, you may find this article illuminating, if not downright scary.

Previously: Quick Look Cache Reveals Sensitive Data From Encrypted Drives, Mojave’s New Security and Privacy Protections Face Usability Challenges.

Update (2018-11-05): My guess is that Core Spotlight, whose index is stored in the user’s home folder (and not in a data vault), may also leak private data.

Android App Ad Fraud

Craig Silverman:

But an investigation by BuzzFeed News reveals that these seemingly separate apps and companies are today part of a massive, sophisticated digital advertising fraud scheme involving more than 125 Android apps and websites connected to a network of front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, Bulgaria, and elsewhere. More than a dozen of the affected apps are targeted at kids or teens, and a person involved in the scheme estimates it has stolen hundreds of millions of dollars from brands whose ads were shown to bots instead of actual humans. (A full list of the apps, the websites, and their associated companies connected to the scheme can be found in this spreadsheet.)

One way the fraudsters find apps for their scheme is to acquire legitimate apps through We Purchase Apps and transfer them to shell companies. They then capture the behavior of the app’s human users and program a vast network of bots to mimic it, according to analysis from Protected Media, a cybersecurity and fraud detection firm that analyzed the apps and websites at BuzzFeed News’ request.

Robin Kurzer:

In its response to the BuzzFeed report, Google explained how the botnet — dubbed TechSnab — works to inflate ad revenue by creating botnets to visit web pages.

[…]

Ad fraud hits marketers directly in the wallet. BuzzFeed reports that the potential for stolen ad revenue related to this scheme could be as high as $750 million. One app connected to the scheme has been installed more than 20 million times.

John Gruber:

The bottom line: if the metric used for charging for advertising can be faked, it will be faked. Ad tracking is both an invasion of privacy and an open invitation to fraud.

Tim Cook Calls for Strong US Privacy Law

Jon Brodkin:

Apple CEO Tim Cook today called on the US government to pass “a comprehensive federal privacy law,” saying that tech companies that collect wide swaths of user data are engaging in surveillance.

Speaking at the International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Brussels, Cook said that businesses are creating “an enduring digital profile” of each user and that the trade of such data “has exploded into a data-industrial complex.”

[…]

Former Facebook security chief Alex Stamos responded to Cook on Twitter today, questioning Apple’s commitment to privacy in China. “Apple needs to document how they protect data stored by a PRC-owned cloud provider,” Stamos wrote. “In particular, Apple should explain under what circumstances [the Chinese state-owned company] can access iCloud backups. iMessage is the only E2E [end-to-end] encrypted app allowed by the Great Firewall; what was required to get this concession from the Ministry of State Security?”

Update (2018-10-26): Alex Stamos:

The missing context? Apple uses hardware-rooted DRM to deny Chinese users the ability to install the VPN and E2E messaging apps that would allow them to avoid pervasive censorship and surveillance. Apple moved iCloud data into a PRC-controlled joint venture with unclear impacts.

Ole Begemann:

Tim Cook on iCloud encryption: “We can decrypt iCloud data because some users expect us to help them when they lose or forget their password. It’s hard to say when, but I believe we will change this practice in the future, and we won’t have a key for user data in iCloud anymore.”

Deep-dive Into the AirPower Charging Animation

Guilherme Rambo:

ChargingViewService is the process responsible for showing the cool animation. When the device is connected to power, a daemon called sharingd detects the presence of a power source for the device, it then checks to see if the power source is a wireless charger manufactured by Apple and then triggers the presentation of the charging UI.

[…]

The most important asset for the animation is a video file, usually called Charging.mov (AirPods have other video files for Left-only, Right-only and Right+Left). This video file consists of two videos side-by-side: one of them is the color video of the 3D device animating into the screen and then rotating and the other one is the same content, but represented as an alpha mask.

Another asset is a SceneKit scene file that contains a plane matching the position of the device’s screen throughout the animation (it lines up with the video). When the engagement animation is presented, the video is sliced in half and is used as a texture in a SceneKit scene, with the color part being used as the diffuse texture and the alpha part being used as the transparency texture, resulting in a video with a transparent background. The wallpaper is composed on top of the video with the plane provided by the scene.

[…]

That “flying back” animation is configured through a series of plist files which are also a part of the assets downloaded from mesu. There are different permutations of the files for each iPhone screen size and also variants for right-to-left languages.