Archive for July 24, 2023

Monday, July 24, 2023

macOS 13.5

Juli Clover (release notes, security, enterprise, developer, full installer, IPSW):

According to Apple’s release notes, macOS Ventura 13.5 introduces important bug fixes and security updates. Apple recommends that all users install the software.

There are no notable feature changes or standout bug fixes in macOS Ventura 13.5, and work on the operating system is wrapping up.

After several updates that worked automatically, I’m back to having to apply the update manually using sudo softwareupdate -irR because it kept failing from System Settings.

See also: Mr. Macintosh and Howard Oakley.


Update (2023-07-28): Howard Oakley (tweet):

Thanks to Maurizio for pointing out a serious bug in 13.5: in System Settings > Privacy & Security > Location Services, all third-party apps have been omitted from the list of services you can control.

Update (2023-07-31): Howard Oakley:

Ever since its introduction in the first betas of Ventura, System Settings has been dogged by inattention to detail. Its most significant omission from the first release of 13.0 was support for network locations, which was belatedly added back in 13.1, camouflaged in a popup menu under an ellipsis so obscure that most don’t even notice its existence, and assume it’s still missing.

Loss of control over Location Services in apps is the more serious because there’s no command tool to act as substitute.


If experience is anything to go by, Apple now seems to delegate most pre-release testing and checks on macOS to third-party beta-testers, and depends on their reporting of issues using Feedback. When we fly, we expect the pilots and engineers to perform thorough checks on the aircraft and its essential functions before declaring that flight ready for takeoff. If they instead walked through the main cabin asking some of their passengers whether they thought everything seemed OK, would you fly with that airline?

Since updating to macOS 13.5, I get at least one crash of transparencyd per day.

Update (2023-08-11): Juli Clover:

Since July, there have been complaints from macOS Ventura users who updated to the new software and then were unable to access and control location permissions for first and third-party apps.

Update (2023-08-23): Howard Oakley:

This was just the wrong time for the bug introduced in macOS Ventura 13.5 that effectively paralysed access to Location Services until it was fixed in last week’s update to 13.5.1. Although not a crashing bug, memory leak or kernel panic, its effect was disastrous. For over three weeks, every Mac that was kept up to date with Ventura lost all user control over access given by macOS to location and related data.

Those who installed some software like Little Snitch were unable to authorise its access to Location Services, while other apps, notably those already installed, were automatically given access without the user having any say in the matter. For a corporation that places privacy and its protection at the heart of its products, this was surely catastrophic: in the latest release of its current computer operating system, the user had absolutely no control over which apps were given access to their location data.


No, the root cause was an intentional design choice that makes all privacy protection vulnerable to a single point of failure. […] Yet the only tool that works with those privacy settings controlled by TCC, tccutil, is deliberately stunted so that all it can do is reset them, and there isn’t any tool to work with Location Services.


macOS 12.6.8 and macOS 11.7.9

Apple (full installer):

This document describes the security content of macOS Monterey 12.6.8.

Apple (full installer):

This document describes the security content of macOS Big Sur 11.7.9.

See also: Howard Oakley.


iOS 16.6 and iPadOS 16.6

Juli Clover (release notes, security):

According to Apple’s release notes for the update, it includes unspecified bug fixes and security improvements. No new features were found during the beta testing period, and Apple’s notes on the software provide no insight into what’s included.

Apple has since published information about the security issues.


Update (2023-07-27): Pierre Igot:

I just had to update a really old iPhone to iOS 12.5.7 (latest available) and a newer iPhone to 16.6. I started both processes simultaneously, side by side.

I really don’t care what the technological reasons/excuses are. It simply does not seem right that the far newer (and far more powerful) phone is taking FOUR TIMES LONGER (at least) to install the 16.6 update than the older phone took to install the 12.5.7 update.

Update (2023-07-31): Joe Rossignol:

Apple has acknowledged a bug with its parental controls feature Screen Time on the iPhone and iPad, and promises it will take additional steps to remedy the situation, according to a report this weekend from The Wall Street Journal.


Apple already fixed an issue with Screen Time settings failing to stick with iOS 16.5, released in May, but the report claims that some parents have continued to experience the issue on devices updated to iOS 16.6 and the iOS 17 public beta.


Why You Can No Longer Roll Back a macOS Update

Howard Oakley:

As some of us learned in the last week, it’s easy to uninstall a troublesome Rapid Security Response (RSR). Several naturally asked why that isn’t possible with a macOS update, pointing out that it was available and worryingly popular between High Sierra and Catalina 10.15.2, since when the ability has been lost.


To be able to roll back to the previous SSV, all the firmlinks between the updated SSV and the Data volume would have to be broken, and remade between the old SSV and the same Data volume. All the evidence is that wouldn’t be easy, could be unreliable, and may not even be feasible. Without that, roll back couldn’t work.

This pretty disappointing, as it negates a major benefit of APFS snapshots. It’s not clear to me that the SSV is more useful than being able to roll back a bad update. And rolling back manually, e.g. using a backup utility to make or restore bootable backups, is harder than before. I don’t really understand why firmlinks are so difficult to work with—is there an intrinsic limitation or was this just not prioritized? If the two pieces can’t be made to fit together, I wonder why Apple designed the SSV this way. There must have been other ways the content could be verified.

Howard Oakley:

Although traditional Unix architectures bring some separation, there are many directories that contain mixtures of files, some that are part of the system, and others that the user installs. The solution Apple’s engineers came up with is the firmlink, an essential part of the structure and function of macOS since Catalina.


Apple has never documented firmlinks in any detail, and doesn’t provide the user with any tools for working with them. They don’t appear to be easy to create, though, and rejoining existing volumes using firmlinks may not be possible. During the early days with Big Sur, it was all too easy to end up with orphaned Data volumes that had lost their firmlinks to the System volume. At that time, it appeared that firmlinks had to be created early in the life of a volume, probably before its file system had been populated with files. Currently, there doesn’t appear to be any method for the user to join together any given pair of System and Data files using their firmlinks.

Howard Oakley:

Without wishing to deepen the conundrum, all these answers are correct: the System volume isn’t itself encrypted, but it can only be mounted when FileVault has been unlocked, because of the firmlinks that splice the Data volume into it.


Update (2023-08-04): I got a volume hash mismatch.

Apple Opposes Updated UK Investigatory Powers Act

Benjamin Mayo (Hacker News, MacRumors):

Facing possible legislation that would require messaging services to offer backdoors in end-to-end encryption, Apple is saying it would rather remove apps like iMessage and FaceTime entirely from the UK market (via BBC News).


The UK government wants the ability to scan end-to-end encrypted messages, for child-abuse material and other illegal content. They argue the existing law accommodates this but is technically outdated by the security provisions of modern technology.

Apple has submitted a nine-page opposition to the planned bill.

Nick Heer:

While Kleinman broke this news, it was Jonny Evans at Apple Must who obtained and posted the full letter:

The threat was presented to the UK within Apple’s response to the government in relation to these proposals. You can read the nine-page criticism here (PDF).

Suzanne Smalley (via Hacker News):

A bill requiring social media companies, encrypted communications providers and other online services to report drug activity on their platforms to the U.S. Drug Enforcement Administration (DEA) advanced to the Senate floor Thursday, alarming privacy advocates who say the legislation turns the companies into de facto drug enforcement agents and exposes many of them to liability for providing end-to-end encryption.

The bipartisan Cooper Davis Act — named for a Kansas teenager who died after unknowingly taking a fentanyl-laced pill he bought on Snapchat — requires social media companies and other web communication providers to give the DEA users’ names and other information when the companies have “actual knowledge” that illicit drugs are being distributed on their platforms.


Vox Media Stops Using Chorus

Sara Fischer and Kerry Flynn (Hacker News):

CMS licensing was once seen as a lucrative opportunity for publishers looking to grow revenue beyond ad dollars. But WordPress’ continued dominance in the space has made it harder to compete.


Vox Media will move its own websites off of Chorus and into WordPress VIP, the enterprise arm of the 20-year-old CMS company.

The migration is part of a broader strategic partnership that will allow Vox Media to extend the reach of Concert and Coral, while focusing on its core revenue streams, like advertising and subscriptions.


“If you’re not a tech company, it’s really hard to do this,” Brown told Axios. “It’s really hard to service it. It’s really hard to maintain it.”

I was not aware of WordPress VIP, but apparently it’s used by Meta, Salesforce, CNN, and News Corp. Plans start at $25,000/year, a bargain compared with maintaining an internal development team after going down from six external clients to zero.

Nick Heer:

Last year, Vox stopped licensing Chorus to third parties, but some sites are still using the platform, including the Ringer and the Chicago Sun-Times. Incredibly, Vox Media also operates two other proprietary CMSes: Clay and Pinnacle. In a press release from September, Vox said it planned to move everything to a new “publishing platform” called Duet, which Axios says will continue to be used on the front-end.


Kevin Mitnick, RIP

Kelly Kasulis Cho (via ednl):

Mr. Mitnick branded himself the “world’s most famous hacker,” as KnowBe4 called him in a Thursday statement. As the World Wide Web was slowly being adopted across the globe, he broke into the computer systems of companies such as Motorola, Nokia and Sun Microsystems, causing what prosecutors alleged was millions of dollars in damage.


In 1999, Mr. Mitnick pleaded guilty to several counts of wire fraud and other cybercrimes. He was sentenced to five years in prison. Upon his release in 2000, taking into account time already served in detention, he was prohibited from using the internet without government authorization, a right he won back only after a lengthy tussle with authorities.


It was not clear if Mr. Mitnick made significant financial gains from cybercrime, though he had the opportunity to do so. “My motivation was a quest for knowledge, the intellectual challenge, the thrill and the escape from reality,” he told a Senate committee hearing several months after he was freed from incarceration.

Alex Traub:

Ultimately, he was caught and spent five years in prison. Yet no evidence emerged that Mr. Mitnick used the files he had stolen for financial gain. He would later defend his activities as a high stakes but, in the end, harmless form of play.


Mr. Mitnick’s most spectacular crimes were his attempts to evade capture by the authorities. In 1993, he gained control of phone systems in California that enabled him to wiretap the F.B.I. agents pursuing him and confuse their efforts to track him. At one point they raided what they thought was Mr. Mitnick’s home, only to find there a Middle Eastern immigrant watching TV.


Mr. Mitnick ran into trouble on Christmas Day 1994, when he stole emails from a fellow hacker named Tsutomu Shimomura and taunted him. When he learned of the attack, Mr. Shimomura suspended a cross-country ski trip he was on and volunteered to help track down Mr. Mitnick.

Obituary (Hacker News):

Kevin emerged from his final prison term, which he deemed a ‘vacation,’ in January 2000. He was a changed individual, and began constructing a new career, as a White Hat hacker and security consultant.


The bus driver who saw young Kevin memorize the bus schedules, punch cards and punch tool systems so he could ride the buses all day for free testified as a character witness for Kevin during his federal trial. The federal prosecutor offered his testimony that Kevin never tried to take one dime from any of his “victims.” The probation officer assigned to monitor Kevin after prison gave Kevin permission to write his first book on a laptop when he was not yet supposed to have access to computers. Shawn Nunley, the star witness in the FBI’s case against Kevin, became so disillusioned with the government’s treatment of Kevin that he contacted Kevin’s defense team, helped garner Kevin’s release, and became one of Kevin’s dearest friends.

Jason Koebler:

We made this video with him a few years back, about how he convinced Motorola to send him their source code[…] and here’s how he hacked a McDonald’s drivethru when he was 16[…]

John Gruber:

Mitnick was technically gifted, but his greatest hacking skill was social engineering.

Nick Heer:

Mitnick’s exploits are legendary, and his first book [The Art of Deception] remains an essential read for anyone curious about security, hacking, manipulation, or human behaviour.