Archive for January 29, 2019

Tuesday, January 29, 2019

Google Asks for API Copyright Case to Be Reviewed

Google (via Joshua Bloch):

Today we asked the Supreme Court of the United States to review our long-running copyright dispute with Oracle over the use of software interfaces. The outcome will have a far-reaching impact on innovation across the computer industry.

Standardized software interfaces have driven innovation in software development. They let computer programs interact with each other and let developers easily build technologies for different platforms. Unless the Supreme Court steps in here, the industry will be hamstrung by court decisions finding that the use of software interfaces in creating new programs is not allowed under copyright law.

Previously: AWS, MongoDB, and the Economic Realities of Open Source.

2018 Six Colors Apple Report Card

Jason Snell:

It’s time for our annual look back on Apple’s performance during the past year, as seen through the eyes of writers, editors, developers, podcasters, and other people who spend an awful lot of time thinking about Apple.

[…]

Since I used the same survey as in previous years, I was able to track the change in my panel’s consensus opinion compared to the previous year.

[…]

And did we mention the MacBook keyboards? Matt Deatherage said, “It defies reason for Apple [to offer] keyboards of inferior design and execution.” John Gruber said, “I may be biased as a writer and a keyboard aficionado, but it used to be the case that Apple’s notebook keyboards were widely hailed as the best in the world… that’s no longer the case and I think that’s a problem.” Shahid Kamal Ahmad said that the major failing of the keyboard was not its feel but “the inherent unreliability of the switches and their propensity to fail from the inevitable ingress of a subatomic particle.”

Most people were largely unmoved by the macOS Mojave update.

Nick Heer:

Overall, Apple’s new hardware — particularly the new Apple Watch — has generally shone in every area except reliability, software quality is up while service quality continues to be mixed, and Apple’s TV and home offerings continue to be, charitably, just getting started.

2013 Mac Pro Launch Postponed Due to Screws

Joe Rossignol:

The New York Times today published a story explaining why Apple is unlikely to manufacture more of its products in the United States.

The report reveals an interesting anecdote about the latest Mac Pro. In late 2012, Apple CEO Tim Cook touted that the computer would be “Made in the USA,” but sales were supposedly postponed by months in part because Apple could not secure enough custom screws for the computer from U.S.-based suppliers.

Josh Centers has highlighted some interesting quotes.

Greg Koenig:

The real indictment here is about Apple’s sourcing failing them, not US manufacturing. There are well over 100 shops in the US who could knock those screws out easily. And please, I hear the nightmare stories of China sourcing…

Paul Haddad:

Why is no one asking why Apple needs custom screws for a desktop machine?

Colin Cornaby:

While I’m sure Apple is a little more over the top than others, PC workstation vendors still use a lot of custom bits including screws. People everywhere get a bit more demanding about quality when they spend $5k-$10k on a computer.

I think the difference is I’m not sure any of those vendors would have wanted to use a major upgrade as an excuse to bet everything on an experiment with vendors.

Casey Johnston:

this is letting apple off incredibly easily, like letting a child not go to school because it “can’t find” its shoes

John Gruber:

This is a perfect example of how Apple’s China-centered supply chain, built over two decades, is going to be hard to replicate anywhere else in the world — and even if it happens, it’s going to take time.

Apple Still Charging Customers for iPhone 7 Microphone Defect

Joe Rossignol:

In May of 2018, Apple acknowledged a microphone issue affecting some iPhone 7 and iPhone 7 Plus models running iOS 11.3 or later in an internal document made available to Apple Stores and Apple Authorized Service Providers.

[…]

The exemptions abruptly ended in July of 2018, though, when Apple deleted its internal document related to the microphone issue and prevented free repairs from being processed through its service portal. Since then, many Apple retail and support employees have refused to acknowledge the policy ever existed.

[…]

Apple’s out-of-warranty repair fee for this issue is over $300 in the United States, according to affected customers on the MacRumors forums and Twitter.

cfountain72:

This is absolute garbage. I recently brought my wife’s 7 to our local Apple Store (International Plaza Mall) showing these exact same microphone/speaker symptoms. After some diagnostics by the Genius, I was told that the repair would cost $300+...or they would take it in trade for $250 toward a new iPhone Xr. I assumed it was just the result of an older phone, and might be a warning sign of more issues down the road. She did mention it was related to a recent iOS upgrade, but that it only affected a small number of phones and that, since we were out of warranty, we’d have to pay for the repair if we wanted to keep using this model, or trade it in on a newer one. We chose to pay off the remaining balance and trade it in for the Xr. Had we known about this crap, we would’ve definitely lobbied to get the repair and keep the 7. Not sure how effective it would be, but I’d encourage anyone else with similar issues to push harder for the ‘free’ repair.

Joe Rossignol:

I keep receiving the occasional email from customers affected by this, asking for my help, but the only thing I can do is continue to bring awareness to it.

Apple has completely ignored all of my requests for comment.

It’s not right.

Major FaceTime Privacy Bug

MGT7:

My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport...waiting to hear back to provide details. Scary stuff!

Benjamin Mayo (Hacker News, MacRumors):

The bug lets you call anyone with FaceTime, and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call. Apple says the issue will be addressed in a software update “later this week”.

Naturally, this poses a pretty big privacy problem as you can essentially listen in on any iOS user, although it still rings like normal, so you can’t be 100% covert about it. Nevertheless, there is no indication on the recipient’s side that you could hear any of their audio.

Dieter Bohn:

The bug requires you have an OS that supports Group FaceTime to work, of course.

What’s more, if one of these “fake” conference calls is happening, if the recipient hits the power or volume button to ignore the call, it not only broadcasts audio to your phone but video as well.

Brian Tong:

This didn’t age well...Three weeks later.👿🍎

Federico Viticci:

This is one of the worst Apple bugs I’ve ever seen.

Please be aware of this and consider disabling FaceTime everywhere (including iPad and Mac) until a fix is out. I disabled mine everywhere.

Perhaps not as bad as the two in High Sierra, but it’s bad.

Wil Shipley:

The FaceTime vulnerability is def. bad but keep in mind you have a record of anyone who tries it on you and when they did so like it’s not a GREAT way to spy on people. (AFAIK you can’t #-spoof FaceTime.)

Marco Arment:

I don’t know how it’s implemented, but possible server-side fixes:

- disabling adding oneself to a group FaceTime
- disabling group FaceTime
- disabling FaceTime

Waiting for a client-side fix is too costly: spying en masse, or people disabling FaceTime and never re-enabling it.

Chance Miller:

Following the exposure of a major FaceTime security hole earlier today, Apple has now taken Group FaceTime completely offline.

Juli Clover:

Hopefully we’re getting more explanation than just a simple fix. How is it even possible for someone to access my camera/mic sans connection/permission? Exactly how long has this been going on?

Josh Centers:

Even after a lot of improvements, Group FaceTime was a hot mess. It works okay with just three people, but the more people you add, the more of a mess it is.

The worst part is the floating face tiles, which make even me, a seasoned FPS player, motion sick. Everyone on the test calls was getting motion sick.

Previously: Group FaceTime Delayed.

Update (2019-01-29): Joe Rossignol:

Once the bug started making headlines on Monday, the Twitter user then shared additional tweets claiming that they had also emailed Apple’s product security team over a week ago. A screenshot of the email was shared, and it appears the team did respond, but what they said is not visible in the screenshot.

The user acknowledges having wanted to receive a monetary reward under Apple’s bug bounty program, but she claims she still proceeded to alert Apple to the bug by phone, fax, and with an official bug report nonetheless. She also wanted to keep the bug private, but she did tweet Fox News about it.

All in all, there is evidence that Apple Support was tagged about an eavesdropping bug eight days before it made headlines, and if the rest of the tweets are truthful, the company was also alerted about the bug via several other avenues.

James Thompson:

I wonder, when they switch on the servers again, if they can block group calls based on OS version number? Otherwise people who don’t update will still be unprotected…

Put it this way, if it’s not part of the protocol already, maybe do that in the future :)

Rich Mogull:

The FaceTime vulnerability was bad. It was quickly blocked. You don’t need to turn FaceTime off. We should all wait to see what Apple says next about how they handled the initial bug report before rushing to judgement.

Then judge away, but at least wait a few days for info.

Jeff Rogers:

I would still turn it off so you can wait for feedback and evaluate when it’s ready to be turned back on, rather than letting Apple decide when to turn yours back on.

Josh Centers:

I questioned this in editing and apparently some people have replicated the exploit even after Apple disabled Group FaceTime.

Update (2019-01-31): Bruce Schneier:

This is definitely an embarrassment, and Apple was right to disable Group FaceTime until it’s fixed. But it’s hard to imagine how an adversary can operationalize this in any useful way.

Lloyd Chambers:

You can’t keep making all this stuff up—no one would believe you.

Thomas Reed:

The bug relied entirely on a feature of iOS 12.1 and macOS 10.14.1 called Group FaceTime. If you are using an older version of iOS or macOS, you have nothing to fear.

[…]

There will be some who cite this as a reason to delay installing system updates. They will say that you should wait and let others work out the bugs. However, this is questionable advice. If you stay on an old version of iOS or macOS, you are using a system that has known security issues. That’s a far riskier proposition than updating to a newer version of the system where there aren’t (yet) any known security issues. From a security perspective, you should always install updates in a timely fashion.

In a way, it’s a shame that Apple is now adding big features in point updates throughout the year. This means that it’s not always possible to update in order to get one bug fix without also getting a new feature that potentially adds additional bugs.

John H. Meyer:

Here is a video, recorded & sent to Apple by a 14 yr old & his mom, on JAN 23rd, alerting them to the dangerous #FaceTime bug, that has threatened the privacy of millions.

Ryan Jones:

She demo’ed the entire bug for Apple on Jan 23rd → aka she wasn’t demanding money first.

John H. Meyer:

A quote from the mother of the 14 yr old who discovered the FaceTime bug on 1/19/19…

John H. Meyer:

Here is the mom’s official bug report to Apple. Note that the mom self-describes as “not at all techy” and was baffled that Apple Support asked her, an average citizen, to sign up for an Apple developer account to then submit an official bug report, in order to be taken seriously.

josh avant:

Apparently the person who discovered the FaceTime bug was literally told by Apple to ‘File A Radar’ (they’re not devs). Everyone jokes about ‘File A Radar’ but, honestly, Apple’s approach to this is annoyingly tone deaf and needs to be improved already.

Dan Masters:

This perfectly sums Apple up.

And even after she did file it, it was marked as duplicate.

See also: Chris Welch (Hacker News).

Meek Geek:

Reproduced the FaceTime privacy hole with a friend.

Went home hours later to find my iPad burning hot. The bug turned on the iPad screen, even though a Smart Cover was over it, perpetually showing the incoming FaceTime call overlay with video from the front camera.

Michael Love:

Actually, now that we know that Facebook pulled this in response to Apple revoking their certificate last night, the timing on Apple’s part does seem at least a little bit suspicious. (awfully “convenient”, at any rate)

it’s amazing that for once, Apple had an enormous embarrassing privacy bug and FB could take some cover from press

less than 24 hours later….back to the latest Facebook thing

If Apple a) knew about this bug for a few weeks, b) has been scrambling to fix it, c) didn’t want to disable Group FaceTime in the meantime because that would reveal it, but d) feared getting caught anyway, it would be logical to have a distraction like this FB story ready to go.

It would also explain their failure to respond to the woman filing all of those desperate bug reports - they knew about the bug already, but if they’d written back to her it would have instantly blown up into a major story, and they thought they might get a fix in under the wire.

Is there another explanation for the bug being a duplicate besides Apple already knowing about the issue? Why didn’t Apple disable Group FaceTime as soon as they learned of the issue, rather than after it hit the press? Wouldn’t it be much worse for someone to exploit it than for people to wonder why (only Group) FaceTime was down for a while? Waiting to disable Group FaceTime makes it look as though Apple was hoping to silently fix the bug without anyone knowing about it. But I don’t really understand that, because I thought they were supposed to disclose all security bugs anyway.

See also: Facebook Pays Teens to Install VPN That Spies on Them.

Update (2019-02-01): Joe Rossignol:

Apple issued the following statement to MacRumors today in which it apologized for a major FaceTime eavesdropping bug:

We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.

We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.

This is a bit strange. It implies that the bug was only on the servers, but that is hard to believe given what we know about it and that a client software update will be needed. Earlier this week, Apple said that the bug would be fixed this week, but now the update is not coming until next week. Is Apple claiming it’s a server bug in order to not miss its self-imposed deadline?

The second paragraph at first sounds like Apple acted quickly, but it’s actually a roundabout way of saying that it took a long time for the bug to get routed to the proper team.

John Gruber:

Good on Apple for thanking the Thompson family, and for acknowledging that something is wrong with their process for escalating critical bugs reported by regular customers.

Joe Rossignol:

For absolute clarity, we’ve since confirmed that this means Group FaceTime will remain permanently disabled on iOS 12.1 through iOS 12.1.3. To access Group FaceTime, users will need to update their iPhone, iPad, or iPod touch to a software update coming next week that is likely to be iOS 12.1.4.

Peter Cao:

While we originally reported on the bug, a 14-year-old actually discovered it nearly a week beforehand. High school freshman, Grant Thompson, said in an interview with MarketWatch, that he was surprised that “this glitch happened in the first place” and shared “I found it by accident.”

Update (2019-02-04): Benjamin Mayo:

CNBC reports that an unnamed “high-level Apple executive” met with the Thompsons at their home in Tucson, Arizona on Friday. They apparently discussed how Apple could improve its bug reporting process and indicated that Grant would be eligible for the Apple bug bounty program.

[…]

Apple’s bug bounty system is typically invite-only and limited to specific categories of security flaws, like accessing iCloud account data or demonstrating ways for iPhone apps to escape the security sandbox of iOS. Monetary rewards are not given out to any random individual who happens to find a bug in Apple software.

Update (2019-02-07): Juli Clover:

The U.S. Committee on Energy & Commerce is now seeking answers from Apple over the Group FaceTime flaw that allowed people to eavesdrop on conversations.

Juli Clover:

Apple is today releasing an updated version of iOS 12.1.4, which is designed to address a major FaceTime bug that was widely publicized last Monday.

Juli Clover:

Apple today released a new version of macOS 10.14.3, which is designed to address a major Group FaceTime bug affecting both iOS and macOS.

See also Natalie Silvanovich:

Using this setup, I was able to fuzz FaceTime calls and reproduce the crashes. I reported three bugs in FaceTime based on this work. All these issues have been fixed in recent updates.

Update (2019-02-11): Nick Heer:

The way this bug presented itself caused me to think that video and microphone data was being transmitted from the device before the recipient answered the call. Apple’s phrasing in the “Impact” section here means that I misinterpreted how this bug behaved.

Reuters (Hacker News):

The technology giant said it would compensate the Thompson family and make an additional gift toward 14-year-old Grant’s education.

Joe Rossignol:

The Wall Street Journal today shared a few details about Morris, noting he is a 27-year-old software engineer who reported the bug to Apple on January 27, several days after the Thompsons but one day before it made headlines. He apparently discovered the bug a week earlier while planning a group trip with friends.

Update (2019-02-13): See also: Accidental Tech Podcast.

Update (2019-02-18): MacRumors:

Unfortunately, Group FaceTime even under iOS 12.1.4 hasn’t quite been restored to its former functionality. A MacRumors forum thread started the day after 12.1.4’s release revealed users who found themselves unable to add more users to a FaceTime call. As it turns out, it appears that users are no longer able to add a person to a one-on-one FaceTime call. The “Add Person” button remains greyed out and inactive in this situation. The only way to add another person to a Group FaceTime call at this time is to start the call with at least two other people. This slight distinction appears to be the source of confusion for many users.

MacRumors forum user Bob-K persisted in his support calls with Apple, and was finally told that the “Add Person” button not working in that situation was a known issue and that they didn’t know when it would be fixed.