Archive for December 5, 2018

Wednesday, December 5, 2018

@rpath What?

Marcin Krzyżanowski:

@rpath stands for Runpath Search Path.

  • In Xcode, it’s set with the LD_RUNPATH_SEARCH_PATH setting.
  • In the ld command-line tool, it’s set with the -rpath parameter when linking. So it’s a search path for the linker. Runtime Search Path instructs the dynamic linker to search a list of paths in order, to locate the dynamic library.

The value of the parameter may be an absolute path (or multiple paths) to a directory, e.g.: /usr/private/lib or @executable_path/Frameworks.

[…]

However, if we need to modify the @rpath manually, e.g., as part of the installation phase - there’s an app for that: install_name_tool.
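The post describes the mechanism in one sentence: dyld walks the LC_RPATH list in order and takes the first match. The script below, an added example that is not code from Marcin’s post, spells that search out and adds the check a reviewer wants before shipping a binary: which entries resolve where, and whether any of them points at a relative, missing or world-writable directory that would let someone other than the app’s owner decide which library is found first. The bundle paths, the LC_RPATH list and the stand-in filesystem are all constructed; on a real binary the inputs come from `otool -l <binary>` (its LC_RPATH and LC_LOAD_DYLIB load commands).

```python
"""Resolve an '@rpath/...' install name the way dyld walks LC_RPATH entries
in order, and flag entries a reviewer would not want in a shipped binary.

Added example, not code from Marcin's post.  The LC_RPATH list and the
bundle paths below are constructed; for a real binary they come from
`otool -l <binary>` (LC_RPATH and LC_LOAD_DYLIB load commands).
"""
import os
import stat


def expand_rpath_entry(entry, executable_path, loader_path):
    """Substitute the dyld placeholders at the start of an LC_RPATH entry:
    @executable_path -> directory holding the main executable,
    @loader_path     -> directory holding the Mach-O that issued the load."""
    if entry.startswith("@executable_path"):
        return os.path.normpath(executable_path + entry[len("@executable_path"):])
    if entry.startswith("@loader_path"):
        return os.path.normpath(loader_path + entry[len("@loader_path"):])
    return entry


def resolve_rpath_dylib(install_name, rpaths, executable_path, loader_path):
    """Ordered candidate paths for an '@rpath/...' install name.  dyld tries
    them in LC_RPATH order and loads the first one that exists, so the order
    of the list is part of the security boundary."""
    prefix = "@rpath/"
    if not install_name.startswith(prefix):
        return [install_name]  # absolute install name: no search at all
    suffix = install_name[len(prefix):]
    return [os.path.join(expand_rpath_entry(r, executable_path, loader_path), suffix)
            for r in rpaths]


def audit_rpaths(rpaths, executable_path, loader_path, is_world_writable=None):
    """Report LC_RPATH entries that let someone other than the app owner
    decide which library is found first: relative entries (resolved against
    the process's working directory), directories that do not exist, and
    directories any local user can write to.  `is_world_writable` is
    injectable so the audit can run offline against constructed data."""
    if is_world_writable is None:
        def is_world_writable(path):
            try:
                return bool(os.stat(path).st_mode & stat.S_IWOTH)
            except FileNotFoundError:
                return None
    findings = []
    for idx, entry in enumerate(rpaths):
        expanded = expand_rpath_entry(entry, executable_path, loader_path)
        if not os.path.isabs(expanded):
            findings.append((idx, entry, "relative rpath, resolved against cwd"))
            continue
        writable = is_world_writable(expanded)
        if writable is None:
            findings.append((idx, entry, "directory does not exist"))
        elif writable:
            findings.append((idx, entry, "directory is world-writable"))
    return findings


if __name__ == "__main__":
    # Constructed app layout: main executable plus a plug-in that loads a dylib.
    exe_dir = "/Applications/Demo.app/Contents/MacOS"
    plugin_dir = "/Applications/Demo.app/Contents/PlugIns/Filter.bundle/Contents/MacOS"
    rpaths = ["@executable_path/../Frameworks", "/tmp/build-cache", "lib", "/opt/missing"]
    for p in resolve_rpath_dylib("@rpath/libfoo.dylib", rpaths, exe_dir, plugin_dir):
        print("candidate:", p)
    # Offline stand-in for os.stat(): which constructed directories are writable.
    fake_fs = {"/Applications/Demo.app/Contents/Frameworks": False, "/tmp/build-cache": True}
    for finding in audit_rpaths(rpaths, exe_dir, plugin_dir, fake_fs.get):
        print("finding:", finding)
```

Once a bad entry is found, the fix is the tool the post names: `install_name_tool -delete_rpath <entry> <binary>` removes it and `install_name_tool -add_rpath <entry> <binary>` adds a replacement, after which the binary needs to be re-signed.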

Apple Music Analyser

Mitchel Broussard:

Following Apple’s recently launched Data and Privacy portal, which lets customers download a copy of their Apple-related data, developer Pat Murray has built a browser-based app aimed at visualizing your Apple Music activity. With the download of one file on Apple’s Data and Privacy portal, Murray’s app organizes your complete Apple Music listening history since you first started using the service.

The developer promises that none of your data ever leaves your computer in the process, and explained to me that once it’s loaded, the web app will even work offline and still be able to run all computations and present users with their data. The full source of the app is available to read on GitHub, and it’s worth pointing out that Murray’s app is only asking for access to a single CSV file related to your Apple Music activity, and nothing else.

Previously: Requesting Your Personal Data From Apple.

Amazon Offering Apple Products

Amazon:

Apple Music subscribers will be able to enjoy Apple Music’s 50 million songs on Echo devices. Customers will be able to ask Alexa to play their favorite songs, artists, and albums—or any of the playlists made by Apple Music’s editors from around the world, covering many activities and moods. Customers will also be able to ask Alexa to stream expert-made radio stations centered on popular genres like Hip-Hop, decades like the 80s, and even music from around the world, like K-Pop. Just ask Alexa to play Beats 1 to hear Apple Music’s global livestream including in-depth artist interviews—all completely ad-free. Simply enable the Apple Music skill in the Alexa app and link your account to start listening.

John Gruber:

It’s still an open question whether Apple sees subscription content (mostly music now, with more original shows and movies coming soon) as something for its own devices, or cross-platform. Making Apple Music available to Echo devices sure sounds more like the latter.

Joe Rossignol:

Nearly two weeks after Amazon reached an agreement with Apple to sell more of its products, a selection of Apple products are available on Amazon in the United States, including the latest iPad Pro, Apple Watch Series 4, MacBook, MacBook Air, MacBook Pro, iMac, iMac Pro, Mac Pro, and Mac mini models.

[…]

Amazon has yet to begin selling any new iPhones directly from Apple or its network of Apple Authorized Resellers, but the iPhone XS, iPhone XS Max, and iPhone XR are expected to be available soon as part of the deal. One product that won’t be available is the HomePod since it is an Amazon Echo competitor.

Jason Snell:

Apple has often used exclusivity to drive hardware sales, which is one reason why you can’t watch iTunes purchases on Amazon Fire TV or Roku devices. Now the HomePod needs to compete as a high-end premium speaker, rather than as literally the only option if you want to give voice commands to an Apple Music-enabled smart speaker.

This is a move that could have huge ramifications for Apple’s forthcoming TV service, which has left the Apple TV caught between Apple’s current desire to grow services revenue and its classic focus on hardware profit margins. In fact, it brings to mind a similar move from back in 2002 and 2003, when Apple made the iPod compatible with Windows PCs.

Joe Rosensteel:

Apple’s desire to grow services revenue stands in direct opposition to whatever passes for a TV hardware strategy in Cupertino. To grow subscribers they need to lower the cost of the devices required to view video service content, subsidize their sale, or make the service available on the platforms they compete with. If they don’t, then this is over a billion that they wouldn’t be able to make back as a niche, premium content provider.

Previously: Amazon Kicks Off Unauthorized Apple Refurbishers, Amazon Will Stop Selling Nest Smart Home Devices, YouTube Drops Echo Show, Amazon Adds Apple TV, Amazon Prime Video Finally Available for Apple TV, Apple TV 4K, Still a Hobby, Cultural Insularity and Apple TV, The Apple Music and HomePod Strategy.

Update (2018-12-19): JJ:

Alexa works on Sonos One
Apple Music works on Sonos One
Apple Music works with Alexa
Alexa doesn’t work with Apple Music on Sonos One

Update (2018-12-28): Upgrade:

John Siracusa joins Jason to discuss the future of Apple’s ARM processors and how they might change the Mac, Apple Music coming to the Amazon Echo and what that might mean about the future of Apple’s forthcoming TV service, whether they’re using their TiVos as much as they used to, and the prospects for an Apple-built external touchscreen display.

Finding New Ways to Spy on iPhones

Lorenzo Franceschi-Bicchierai:

Governments around the world have been willing to spend a fortune on iOS malware. Saudi Arabia paid $55 million to purchase iPhone malware made by NSO Group, according to a recent report by Israeli newspaper Haaretz. There are several companies specializing in iOS malware, such as Azimuth, NSO Group, and some more. But despite the appearances, iOS malware isn’t only in the hands of big companies and their government customers.

[…]

Mobile Device Management or MDM is a feature in iOS that allows companies to manage and monitor devices given to their employees. By installing an MDM profile or certificate on an iPhone, a user gives the MDM owner some control over the device. This mechanism can be used by malware creators. In July, security firm Talos found that a hacking group used MDM to target a few iPhones in India (Mobile Device Management can be turned on for every iPhone.)

[…]

It’s unclear how government hackers get the malware on target’s iPhones. Kaspersky Lab researchers speculated it may be via social engineering “using fake mobile operators sites.” In other words, this malware does not leverage any bugs or exploits in iOS, but instead takes advantage of MDM, which is a specific design feature in the operating system. In this way, it relies on a tried-and-tested social hacking technique—tricking users into installing something. For many years, the average user could essentially click on any link, download any app, and otherwise use their iPhone without worrying about targeted surveillance. That may soon no longer be the case.
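The article’s point is that this campaign needed no iOS bug: an MDM profile is a documented feature, and whatever control it grants is written into the profile itself. The script below is an added example, not code from the article or from Talos or Kaspersky. It parses a configuration profile (a `.mobileconfig` file, which is an XML property list) and reports any MDM enrollment payload, its server, and the rights the `AccessRights` mask grants, which is the check worth making before installing a profile someone sent you. The profile is constructed, the hostnames use the reserved `example.invalid` domain, and the `AccessRights` bit names are the subset of Apple’s MDM protocol reference the author of this example is sure of; bits outside that subset are reported numerically.

```python
"""Inspect a configuration profile (.mobileconfig, an XML plist) before
trusting it, and report any MDM enrollment payload it carries.

Added example, not from the article.  CONSTRUCTED_PROFILE is made up for
this demonstration; the 'example.invalid' URLs and the Topic are placeholders.
"""
import plistlib

MDM_PAYLOAD_TYPE = "com.apple.mdm"

# Bits of the MDM payload's AccessRights mask, a subset taken from Apple's
# MDM protocol reference.  Bits not listed here are reported as a number.
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "lock device and remove passcode",
    8: "erase device",
    16: "query device information",
    32: "query network information",
    256: "inspect installed applications",
    4096: "manage apps",
}

CONSTRUCTED_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Carrier Settings Update</string>
  <key>PayloadIdentifier</key><string>example.invalid.profile</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>example.invalid.mdm</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm.example.invalid/server</string>
      <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.placeholder</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def decode_access_rights(mask):
    """Turn the AccessRights bitmask into readable rights, in bit order."""
    names = [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(ACCESS_RIGHTS)
    if unknown:
        names.append("unknown bits 0x%x" % unknown)
    return names


def find_mdm_payloads(profile_bytes):
    """Return one record per MDM payload in the profile: who the device
    would check in with, and what the server could then do."""
    profile = plistlib.loads(profile_bytes)
    results = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != MDM_PAYLOAD_TYPE:
            continue
        rights = payload.get("AccessRights", 0)
        results.append({
            "display_name": profile.get("PayloadDisplayName", ""),
            "server_url": payload.get("ServerURL", ""),
            "checkin_url": payload.get("CheckInURL", ""),
            "access_rights": rights,
            "rights": decode_access_rights(rights),
        })
    return results


if __name__ == "__main__":
    for rec in find_mdm_payloads(CONSTRUCTED_PROFILE):
        print("profile %r enrolls with %s" % (rec["display_name"], rec["server_url"]))
        for r in rec["rights"]:
            print("  grants:", r)
```

The mismatch the script makes visible is the one the article relies on: a profile titled like a carrier update that carries a full MDM payload. On the device itself, an already-installed profile shows up under Settings > General > Profiles & Device Management, which is the place to look when there is no other way to tell what has been installed.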

Thomas Reed:

Sad truth: malware for iOS exists, but there’s absolutely no way to detect that it’s installed due to sandboxing restrictions in iOS.

Patrick Wardle:

^^this 💯

I have no idea how to check if my iPhone is hacked 😰

Nation States actually ♥️ hacking iPhones - largely because once they’re in (and yes, they can get in even remotely), the chance of detection is essentially 0%🤭

Custom ARM Processor for Amazon Web Services

Tom Krazit:

After years of waiting for someone to design an Arm server processor that could work at scale on the cloud, Amazon Web Services just went ahead and designed its own.

Vice president of infrastructure Peter DeSantis introduced the AWS Graviton Processor Monday night, adding a third chip option for cloud customers alongside instances that use processors from Intel and AMD. The company did not provide a lot of details about the processor itself, but DeSantis said that it was designed for scale-out workloads that benefit from a lot of servers chipping away at a problem.

The new instances will be known as EC2 A1, and they can run applications written for Amazon Linux, Red Hat Enterprise Linux, and Ubuntu.

Chris Williams:

Up until 2015, Amazon and AMD were working together on a 64-bit Arm server-grade processor to deploy in the internet titan’s data centers. However, the project fell apart when, according to one well-placed source today, “AMD failed at meeting all the performance milestones Amazon set out.”

In the end, Amazon went out and bought Arm licensee and system-on-chip designer Annapurna Labs, putting the acquired team to work designing Internet-of-Things gateways and its Nitro chipset, which handles networking and storage tasks for Amazon servers hosting EC2 virtual machines.

Update (2018-12-11): See also: Hacker News.

Starwood/Marriott and Quora Breaches

Nicole Perlroth et al. (Hacker News):

The hotel chain asked guests checking in for a treasure trove of personal information: credit cards, addresses and sometimes passport numbers. On Friday, consumers learned the risk. Marriott International revealed that hackers had breached its Starwood reservation system and had stolen the personal data of up to 500 million guests.

The assault started as far back as 2014, and was one of the largest known thefts of personal records, second only to a 2013 breach of Yahoo that affected three billion user accounts and larger than a 2017 episode involving the credit bureau Equifax.

Marriott (via Dave Kennedy):

For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.

Bob Burrough:

Generally, business executives don’t know what questions to ask to make sure this doesn’t happen. But worse, most professional software developers don’t either.

The best way to prevent data from being leaked is to not store it.

Nick Heer:

Think about it: a breach of tens- or hundreds-of-millions of individuals’ extremely private information — including, in this case, passport numbers and hashes of credit card numbers — couldn’t happen if the system were designed to purge this information at the earliest possible chance.

Perry E. Metzger:

Today’s news about the Marriott breach should finally drive home a lesson that has been missed for years now: “we’ve been doing what every other big company does” means you are insecure and have to change your ways, because the median large company has terrible security.

Brian Krebs:

The hotel chain did not say precisely when in 2014 the breach was thought to have begun, but it’s worth noting that Starwood disclosed its own breach involving more than 50 properties in November 2015, just days after being acquired by Marriott. According to Starwood’s disclosure at the time, that earlier breach stretched back at least one year — to November 2014.

Back in 2015, Starwood said the intrusion involved malicious software installed on cash registers at some of its resort restaurants, gift shops and other payment systems that were not part of its guest reservations or membership systems.

However, this would hardly be the first time a breach at a major hotel chain ballooned from one limited to restaurants and gift shops into a full-blown intrusion involving guest reservation data.

Brian Krebs:

But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.

[…]

This involves not only focusing on breach prevention, but at least equally on intrusion detection and response. It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly.

The companies with the most clueful leaders are paying threat hunters to look for signs of new intrusions. They’re reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer.

Adam D’Angelo (via Troy Hunt):

For approximately 100 million Quora users, the following information may have been compromised:

  • Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
  • Public content and actions, e.g. questions, answers, comments, upvotes
  • Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.

Nick Heer:

However, I want to give kudos to Quora on three fronts.

Update (2018-12-19): Bruce Schneier:

The New York Times and Reuters are reporting that China was behind the recent hack of Marriott Hotels. Note that this is still unconfirmed, but interesting if it is true.

See also: Hacker News.

Update (2019-03-12): Catalin Cimpanu (via Hacker News):

Marriott International CEO Arne Sorenson testified in front of a US Senate subcommittee yesterday, revealing new details about a security breach the hotel chain disclosed last year.

Speaking in front of the Senate Committee on Homeland Security & Governmental Affairs Permanent Subcommittee on Investigations, Sorenson apologized to the company’s customers but also shot down rumors that China was behind the hack.

Update (2024-05-03): See also: Bruce Schneier (2020).

Evan Schuman (2024, via Hacker News):

For more than five years, Marriott has defended a massive 2018 data breach by arguing that its encryption level (AES-128) was so strong that the case against it should be dismissed. But attorneys for the hotel chain admitted in an April 10 hearing that it had never used AES-128 during the time of the breach.

In fact, it hadn’t been using any encryption at all at the time but rather had been using secure hash algorithm 1 (SHA-1), which is a hashing mechanism and not encryption.
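Marriott’s original statement (above) leaned on the fact that decrypting AES-128 ciphertext needs a second component, the key; the 2024 admission is that the card numbers were SHA-1 hashed instead, and a hash has no second component. The script below is an added example, not from any of the quoted articles, and it makes that difference concrete with standard-library code: a keyless digest of a card number can be recomputed by anyone holding the stored value, and the number of candidates it has to be compared against is small once the issuer prefix is known, whereas a keyed digest (HMAC here, standing in for the keyed protection Marriott had claimed) cannot be reproduced without the key. The card numbers are the standard Luhn-valid test values, not real accounts, and the keys are placeholders.

```python
"""Hashing versus keyed protection for stored card numbers.

Added example, not from any of the quoted articles.  The card numbers are
standard Luhn-valid test values, not real accounts; the keys are placeholders.
"""
import hashlib
import hmac


def luhn_ok(pan):
    """Luhn check-digit validation: double every second digit from the
    right, subtract 9 from any result above 9, and the sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def sha1_token(pan):
    """Keyless digest, as Marriott's 2024 admission describes: anyone who
    holds the stored value can recompute it for each candidate PAN and
    compare, so it obscures the number but does not protect it."""
    return hashlib.sha1(pan.encode()).hexdigest()


def hmac_token(pan, key):
    """Keyed digest: reproducing it requires the key, so a stolen table is
    useless without that second component."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def verify_token(pan, key, stored):
    """Constant-time comparison so a lookup does not leak through timing."""
    return hmac.compare_digest(hmac_token(pan, key), stored)


def hash_search_space(pan_length=16, known_prefix_digits=6):
    """How many PANs a keyless digest must be compared against once the
    issuer prefix (BIN) is known: every remaining digit is free except the
    last, which the Luhn rule determines."""
    free_digits = pan_length - known_prefix_digits - 1
    return 10 ** free_digits


if __name__ == "__main__":
    pan = "4111111111111111"            # well-known test number, Luhn-valid
    key = b"placeholder-key-kept-outside-the-database"
    print("luhn valid:", luhn_ok(pan))
    print("sha1 (keyless):", sha1_token(pan))
    print("hmac (keyed):  ", hmac_token(pan, key))
    print("candidates per BIN for a keyless hash:", hash_search_space())
```

The `hash_search_space` figure is the reason Burrough’s and Heer’s advice above is the stronger one: a keyed digest or encryption only helps while the key stays out of the same breach, and a number that was never stored needs neither.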