Archive for April 5, 2022

Tuesday, April 5, 2022

Using shellcheck With BBEdit

Armin Briegel:

Once you have the shellcheck command installed, you can also invoke from within BBEdit: When you have a script open in BBEdit, verify that the script is recognized as a ‘Unix shell script.’ Then you can select ‘Check Syntax…’ from the ‘#!’ menu (keyboard shortcut ⌘-K). This will open a second window with all the issues shellcheck has found.

Unfortunately, given that Apple is phasing out bash, it doesn’t work with zsh.

Previously:

Update (2022-04-13): Matt Sephton:

zsh -n $FILENAME and/or zsh -x $FILENAME (non_exec and debug mode respectively) are a reasonable workaround. Not shellcheck good but workable.

Forged Emergency Data Requests

William Turton:

Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests.”

[…]

Cybersecurity researchers suspect that some of the hackers sending the forged requests are minors located in the U.K. and the U.S. One of the minors is also believed to be the mastermind behind the cybercrime group Lapsus$, which hacked Microsoft Corp., Samsung Electronics Co. and Nvidia Corp., among others, the people said.

[…]

The guidelines referenced by Apple say that a supervisor for the government or law enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate,” the Apple guideline states.

Juli Clover:

Typically, Apple provides this information with a search warrant or subpoena from a judge, but that does not apply with emergency requests because they are used in cases of imminent danger.

Brian Krebs:

There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

[…]

It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.

[…]

“The only way to clean it up would be to have the FBI act as the sole identity provider for all state and local law enforcement,” Weaver said. “But even that won’t necessarily work because how does the FBI vet in real time that some request is really from some podunk police department?”

Bruce Schneier:

The “credentials” are even more insecure than we could have imagined: access to an email address. And the data, of course, isn’t very secure. But imagine how this kind of thing could be abused with a law enforcement encryption backdoor.

Nick Heer:

Yet again, the most effective techniques for illicitly obtaining information are confidence tricks, not technical expertise.

Brian Krebs:

The current scourge of fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for privileged subscriber data. In July 2021, Sen. Wyden and others introduced new legislation to combat the growing use of counterfeit court orders by scammers and criminals. The bill calls for funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.

“Forged court orders, usually involving copy-and-pasted signatures of judges, have been used to authorize illegal wiretaps and fraudulently take down legitimate reviews and websites by those seeking to conceal negative information and past crimes,” the lawmakers said in a statement introducing their bill.

However, hackers could still get unauthorized access to the digital signing key instead of the e-mail account.

Thomas Clement:

This is exactly why end-to-end encryption exists, which iCloud is still not doing.

Previously:

Audio Hijack 4

Paul Kafasis (tweet):

In Audio Hijack, individual blocks that capture, record, and manipulate audio are combined into powerful pipelines. For version 4, we made improving blocks a major focus. We’ve created brand-new blocks, added new features to the way blocks work, and improved nearly every existing block.

[…]

We also optimized many parts of the layout based on real-world usage. The powerful new session sidebar lets you search the Block Library to more quickly find the block you need, particularly great if you have dozens of Audio Units. Recordings and Timers are now grouped logically with their individual sessions, and previews for recordings feature a helpful waveform. The Info sidebar tab even offers a new Notes field, perfect for storing information about your sessions.

[…]

For power users with complex setups, we’ve implemented the ability to manually connect your audio pipeline. Most users will still want to rely on Audio Hijack’s automatic connections, but you now have the option to turn them off. You can then draw wires between blocks to achieve tricky pipeline setups, independent of layout.

[…]

With an all-new JavaScript engine and API, building programmatically-driven workflows in Audio Hijack is now a reality. Scripts can run automatically when sessions start and stop, and process recordings as they’re created.

It’s $64 for new licenses (up from $49 for version 3) or $29 to upgrade—no subscriptions.

See also:

Previously:

Apple Sitting on Applications and Requests

Chris Lacy:

An overlooked point regarding Apple’s stranglehold over iOS developers & their apps is Apple’s one-sided power in approving developers.

My company submitted a developer application in Nov ’21. 140+ days later & the enrollment is still “being processed”, with no updates provided.

Phone calls were not helpful, but a few days after tweeting his application was accepted.

Russell Ivanovic:

I submitted an application for their small business program for my personal account. 3 times. Zero response. It’s been a year now and they still charge me 30% instead of 15%

Matt Cox:

Yep. I’m in this boat as well. Literally zero idea what’s going on.

Previously:

Charging More for Black Products

Stephen Hackett:

The black MacBook was sold alongside the more popular — and less expensive — white MacBook.

[…]

The two machines always shared the same specs when it came to the CPU, RAM and optical drive. However, the black MacBook always came with a larger hard drive for that $200.

However, the Magic Keyboard, Magic Mouse, and Magic Trackpad cost $20 extra for black, without any additional features for capacity.