Archive for May 21, 2020

Thursday, May 21, 2020

Apple Purchasing Podcasts

Lucas Shaw and Mark Gurman:

Apple Inc. is ramping up its push into original podcasts by seeking an executive to lead the initiative and buying shows that would be exclusive to its services.

The technology giant has begun acquiring two types of original podcasts, according to people familiar with the matter: one category is audio spinoffs of existing movies and programs on its Apple TV+ service, and the other is original programs that could eventually be adapted into future TV+ video content.


Separate from its work on originals, Apple has asked some producers working on podcasts to provide versions of their offerings without advertisements, which fits into TV+’s ad-free approach.


HEIC and the College Board

Monica Chin (via Nilay Patel):

Nick Bryner, a high school senior in Los Angeles, had just completed his AP English Literature and Composition test last week. But when he snapped a photo of a written answer with his iPhone and attempted to upload it to the testing portal, it stopped responding.

The website got stuck on the loading screen until Bryner’s time ran out. Bryner failed the test.


[The] testing portal doesn’t support the default format on iOS devices and some newer Android phones, HEIC files. HEIC files are smaller than JPEGs and other formats, thus allowing you to store a lot more photos on an iPhone.

I like HEIC because overall it saves me lots of storage space on my iPhone and Mac. But it’s a shame it isn’t more widely supported.

Even Lightroom seems to only partially support it. It treats HEIC files like RAW images and maintains a huge Adobe Camera Raw 2 cache folder of the ones that it has recently converted so that it can work with them.


Update (2020-05-22): Josh Centers:

The College Board says that 1 percent of students experienced problems, which means that, if they are representing the failure rate accurately, only tens of thousands will have to retake their tests.


Nonetheless, it would behoove Apple to contribute resources to upgrading open-source image-processing libraries so HEIC could be supported as easily as other, more common image formats.

Remote Code Execution in qmail

Qualys (via Marcel Weiher, Matthew Garrett, Hacker News):

Surprisingly, we re-discovered these vulnerabilities during a recent qmail audit; they have never been fixed because, as stated by qmail’s author Daniel J. Bernstein:

This claim is denied. Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail’s assumption that allocated array lengths fit comfortably into 32 bits.

Indeed, the memory consumption of each qmail-smtpd process is severely limited by default (by qmail-smtpd’s startup script); for example, on Debian 10 (the latest stable release), it is limited to roughly 7MB.

Unfortunately, we discovered that these vulnerabilities also affect qmail-local, which is reachable remotely and is not memory-limited by default[…]

See also: Some thoughts on security after ten years of qmail 1.0 (PDF).
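The Qualys excerpt above turns on one assumption: that an allocated array length always fits in 32 bits, so it is safe to compute it in a 32-bit integer, and that a per-process memory limit (the roughly 7MB cap qmail-smtpd's startup script imposes on Debian 10) keeps a process from ever reaching the inputs where that assumption fails. The following C is an added illustration of that bug class and its usual fix, written for this page; it is not qmail's code, and the 64 MiB cap, the function names and the sample counts are constructed values, not anything taken from the advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed policy value for this example: a hard ceiling on any single
 * allocation, standing in for the role the startup script's memory limit plays
 * in the advisory. qmail's real limits are not reproduced here. */
#define MAX_ALLOC_BYTES ((size_t)64u << 20)   /* 64 MiB */

/* The fragile pattern: element count times element size computed in a 32-bit
 * type. Once the true product exceeds 2^32 - 1 the result wraps modulo 2^32,
 * so a huge request silently becomes a tiny allocation while the caller still
 * believes it holds `count` elements. */
uint32_t unchecked_len32(uint32_t count, uint32_t elem_size) {
    return count * elem_size;                  /* wraps; no error is reported */
}

/* The hardened form: detect multiplication overflow in size_t before it
 * happens, then enforce an explicit ceiling so the process never depends on
 * an external memory limit to stay safe. Returns false on rejection. */
bool checked_alloc_size(size_t count, size_t elem_size, size_t cap, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;                          /* count * elem_size would wrap */
    size_t total = count * elem_size;
    if (total > cap)
        return false;                          /* legal arithmetic, but over policy */
    *out = total;
    return true;
}

/* Convenience wrapper for tests: byte count under MAX_ALLOC_BYTES, or 0 if the
 * request is rejected (a real request of 0 elements is also 0, so callers that
 * need to distinguish the two use checked_alloc_size directly). */
size_t checked_bytes(size_t count, size_t elem_size) {
    size_t total;
    return checked_alloc_size(count, elem_size, MAX_ALLOC_BYTES, &total) ? total : 0;
}

/* Array allocation that refuses wrapped or oversized requests instead of
 * handing back an undersized buffer. */
void *alloc_array(size_t count, size_t elem_size) {
    size_t total;
    if (!checked_alloc_size(count, elem_size, MAX_ALLOC_BYTES, &total))
        return NULL;
    return malloc(total ? total : 1);          /* avoid malloc(0) portability quirks */
}

int main(void) {
    /* Constructed sample: 2^31 + 1 elements of 2 bytes each, 4 GiB + 2 bytes. */
    uint32_t wrapped = unchecked_len32(0x80000001u, 2);
    printf("32-bit product for 0x80000001 * 2 wraps to %u bytes\n", wrapped);

    void *p = alloc_array((size_t)0x80000001u, 2);
    printf("checked allocation of the same request: %s\n", p ? "allowed" : "rejected");
    free(p);

    void *q = alloc_array(1000, 4);
    printf("checked allocation of 1000 * 4 bytes: %s\n", q ? "allowed" : "rejected");
    free(q);
    return 0;
}
```

The two checks in `checked_alloc_size` are deliberately separate: the division test catches arithmetic that has no correct answer in the type, while the cap expresses a policy decision that belongs in the program rather than in whatever resource limit the invoking script happens to set, which is exactly the gap the excerpt describes for qmail-local.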

“Lack of Action” on Siri Recordings

Alex Hern (via Julian Mair):

A former Apple contractor who helped blow the whistle on the company’s programme to listen to users’ Siri recordings has decided to go public, in protest at the lack of action taken as a result of the disclosures.

In a letter announcing his decision, sent to all European data protection regulators, Thomas le Bonniec said: “It is worrying that Apple (and undoubtedly not just Apple) keeps ignoring and violating fundamental rights and continues their massive collection of data.

I don’t understand what more he wants Apple to do.

Juli Clover:

Apple resumed Siri quality control practices in the fall with the release of the opt-out option. Siri quality control is no longer handled by third-party contractors and is done in-house, and Apple has made changes to minimize the amount of data that reviewers have access to.


iOS 13.5

Juli Clover:

Apple today released iOS and iPadOS 13.5, major updates that come more than a month after the launch of iOS and iPadOS 13.4.1. iOS 13.5 is a major health-related update that brings many features related to the ongoing public health crisis.


Apple has tweaked Group FaceTime, adding a new toggle to disable the feature that automatically enlarges the tile of the person who is speaking.


Hide UI

Olivia Solon (via John Gruber):

Software called Hide UI, created by Grayshift, a company that makes iPhone-cracking devices for law enforcement, can track a suspect’s passcode when it’s entered into a phone, according to two people in law enforcement, who asked not to be named out of fear of violating non-disclosure agreements.


In order for this feature to work, law enforcement officials must install the covert software and then set up a scenario to put a seized device back into the hands of the suspect[…] For example, a law enforcement official could tell the suspect they can call their lawyer or take some phone numbers off the device. Once the suspect has done this, even if they lock their phone again, Hide UI will have stored the passcode in a text file that can be extracted the next time the phone is plugged into the GrayKey device.

See also: USB Restricted Mode in iOS 13: Apple vs. GrayKey, Round Two.