Archive for February 1, 2021

Monday, February 1, 2021

Old SuperDuper for Big Sur

Dave Nanian (Hacker News, tweet):

To accomplish this, use an old version of SuperDuper—specifically, v3.2.5—to copy the Data volume, which is shown in the older version!

v3.2.5 is well tested, having been on the market for quite some time, and is reliable. So we don’t have to worry about doing a broad beta test of a partially complete new release. It’s already tested, and I’ve been busy doing the additional testing necessary to prove it works on Big Sur.

Again, this will make a copy of the data that you need to preserve your stuff, both Applications and Data, while leaving the Sealed System Volume alone.

And it’s a valid source for “restore” during a clean install or migration! So restoration is easy and fast should it become necessary.

[…]

M1 Macs can’t be copied in a way that makes them bootable. Bare metal recovery on an M1 Mac isn’t possible, since they depend on the contents of their internal drive even when booting externally. And the tools required to make bootable copies of Intel Macs are limited, often fail, and produce inscrutable and undocumented diagnostics when they do.

Previously:

CDC’s Vaccine Data System

Cat Ferguson (via Hacker News, Reddit):

Unless you’re in one of the few states using it, you may not have heard of VAMS. But it was supposed to be a one-stop shop where employers, state officials, clinics, and individuals could manage scheduling, inventory, and reporting for covid shots—and free for anyone to use.

Instead, “VAMS has become a cuss word,” Marshall Taylor, head of South Carolina’s health department, told state lawmakers in January. He went on to describe how the system has badly hurt their immunization efforts so far. Faced with a string of problems and bugs, several states, including South Carolina, are choosing to hack together their own solutions, or pay for private systems instead.

[…]

In May, it gave the task to consulting company Deloitte, a huge federal contractor, with a $16 million no-bid contract to manage “covid-19 vaccine distribution and administration tracking.” In December, Deloitte snagged another $28 million for the project, again with no competition. The contract specifies that the award could go as high as $32 million, leaving taxpayers with a bill between $44 and $48 million.

Why was Deloitte awarded the project on a no-bid basis? The contracts claim the company was the only “responsible source” to build the tool.

Previously:

Misleading and Inaccurate iOS Privacy Labels

Geoffrey A. Fowler (Hacker News, MacRumors):

I downloaded a de-stressing app called the Satisfying Slime Simulator that gets the App Store’s highest-level label for privacy. It turned out to be the wrong kind of slimy, covertly sending information — including a way to track my iPhone — to Facebook, Google and other companies. Behind the scenes, apps can be data vampires, probing our phones to help target ads or sell information about us to data firms and even governments.

As I write this column, Apple still has an inaccurate label for Satisfying Slime. And it’s not the only deception. When I spot-checked what a couple dozen apps claim about privacy in the App Store, I found more than a dozen that were either misleading or flat-out inaccurate. They included the popular game Match 3D, social network Rumble and even the PBS Kids Video app.

[…]

Apple’s big privacy product is built on a shaky foundation: the honor system. In tiny print on the detail page of each app label, Apple says, “This information has not been verified by Apple.”

[…]

Irony alert, there’s a tech giant that is more transparent: Facebook. With a setting called “off-Facebook activity” that it launched in 2020, you can actually see all the different apps and websites that are feeding your data to Facebook and ask the social network to stop using the data to target you with ads.

Previously:

Update (2021-02-19): Michael Potuck:

Now the US House Committee on Energy & Commerce is urging Apple to “improve the validity of its App Privacy labels” along with asking for more specifics on the system.

US House Energy and Commerce Committee chairman Frank Pallone Jr. (D-NJ) and Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) penned the letter to Apple CEO Tim Cook this week about concerns over the App Store privacy labels (first spotted by MacRumors).

Update (2021-03-11): John Gruber:

Effectively PBS submitted a privacy nutrition label based on changes to their app that weren’t yet — but soon were — live in the App Store. The rest of the inaccurate nutrition labels Fowler found are rather obscure apps.

[…]

And if Apple’s new privacy labels are useless, why are so many apps making changes to their actual privacy policies? Would PBS have removed the tracking identifier from its PBS Kids app in the first place? I’m guessing not.

iMessage’s BlastDoor Sandbox

Samuel Groß (via Hacker News, MacRumors):

One of the major changes in iOS 14 is the introduction of a new, tightly sandboxed “BlastDoor” service which is now responsible for almost all parsing of untrusted data in iMessages (for example, NSKeyedArchiver payloads). Furthermore, this service is written in Swift, a (mostly) memory safe language which makes it significantly harder to introduce classic memory corruption vulnerabilities into the code base.

[…]

As can be seen, the majority of the processing of complex, untrusted data has been moved into the new BlastDoor service. Furthermore, this design with its 7+ involved services allows fine-grained sandboxing rules to be applied, for example, only the

[…]

To limit an attacker’s ability to retry exploits or brute force ASLR, the BlastDoor and imagent services are now subject to a newly introduced exponential throttling mechanism enforced by launchd, causing the interval between restarts after a crash to double with every subsequent crash (up to an apparent maximum of 20 minutes). With this change, an exploit that relied on repeatedly crashing the attacked service would now likely require in the order of multiple hours to roughly half a day to complete instead of a few minutes.

John Gruber (tweet):

This is a big deal, and from what I understand, a major multi-year undertaking by the iMessage team. Cimpanu’s report makes it sound like it’s an iOS 14 feature, but it’s on MacOS 11, too — it’s an iMessage feature.

Previously: