Ashley Carman (via Hacker News):
[The] company has achieved its goals to recruit more creators to the platform with 44% of all podcasts being hosted on Anchor as of July 2022. At the same time, though, not all the podcasters fit the classic show mold. In particular, one segment of users found massive success through Spotify’s tools: white noise creators.
As I wrote last year , these podcasters, whose shows entail playing various noises like crashing waves or bird sounds on repeat, could make at least $18,000 a month through advertisements that Spotify placed in the programming. I posited in that story that some algorithmic magic seemed to be pushing people to this content, and now, over a year later, documentation from Spotify confirms as much.
[…]
Once Spotify realized how much attention was going to white noise podcasts, the company considered removing these shows from the talk feed and prohibiting future uploads while redirecting the audience towards comparable programming that was more economical for Spotify — doing so, according to the document, would boost Spotify’s annual gross profit by €35 million, or $38 million.
Spotify didn’t actually do that, but some podcasters have reported that their episodes mysteriously went missing.
Previously:
Advertising Audio Business iOS iOS 16 iOS App Music Podcasts Spotify
Aaron Trickey:
I’ve been building the iPad version of TimeStory for some time now, and it’s going well. I want to start journaling interesting or useful aspects of the project, and a logical place to start is with the choice of UI toolkit and the basic design for sharing code with the Mac app.
[…]
The main editor layout and chrome are all set up in SwiftUI: the container for the timeline view, the toolbar, the Inspector, the filter bar, and all sheets and popovers. It’s proven very effective and pleasant to use. SwiftUI has arrived at a very good place for these things.
[…]
I tried the SwiftUI document-based app lifecycle, and found it too limiting.
[…]
I use zero SwiftUI in the Mac app.
Previously:
Cocoa iOS iOS 16 iOS App iPadOS iPadOS 16 Mac Mac App macOS 13 Ventura Programming SwiftUI TimeStory
Zack Whittaker (Hacker News):
Microsoft still doesn’t know — or want to share — how China-backed hackers stole a key that allowed them to stealthily break into dozens of email inboxes, including those belonging to several federal government agencies.
In a blog post Friday, Microsoft said it was a matter of “ongoing investigation” how the hackers obtained a Microsoft signing key that was abused to forge authentication tokens that allowed the hackers’ access to inboxes as if they were the rightful owners. Reports say targets include U.S. Commerce Secretary Gina Raimondo, U.S. State Department officials and other organizations not yet publicly revealed.
Dan Goodin (via Hacker News):
In standard parlance among security professionals, this means that Storm-0558 exploited zero-days in the Microsoft cloud services.
[…]
While both conditions are clearly met in the Storm-0558 intrusion, Friday’s post and twoothers Microsoft published Tuesday, bend over backward to avoid the words “vulnerability” or “zero-day.” Instead, the company uses considerably more amorphous terms such as “issue,” “error,” and “flaw” when attempting to explain how nation-state hackers tracked the email accounts of some of the company’s biggest customers.
[…]
A plain-English summary of the event would seem to be: Microsoft has patched three vulnerabilities in its cloud service that were discovered after Storm-0558 exploited them to gain access to customer accounts. It would also be helpful if Microsoft provided a tracking designation under the CVE (Common Vulnerabilities and Exposures) system the way other cloud companies do. So why doesn’t Microsoft do the same?
[…]
Besides being opaque about the root cause of the breach and its own role in it, Microsoft is under fire for withholding details that some of the victims could have used to detect the intrusion, something critics have called “pay-to-play security.”
Shir Tamari (via Hacker News):
Microsoft have said that Outlook.com and Exchange Online were the only applications known to have been affected via the token forging technique, but Wiz Research has found that the compromised signing key was more powerful than it may have seemed, and was not limited to just those two services. Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the “login with Microsoft” functionality, and multi-tenant applications in certain conditions.
Dan Goodin (via Hacker News):
The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were “negligent cybersecurity practices“ that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure’s role in the mass breach.
[…]
Monday’s disclosure said that the firm notified Microsoft of the problem in March and that Microsoft reported 16 weeks later that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft set the date for providing a complete fix to September 28.
“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Yoran wrote.
Bruce Schneier (Hacker News):
A bunch of networks, including US Government networks, have been hacked by the Chinese. The hackers used forged authentication tokens to access user email, using a stolen Microsoft Azure account consumer signing key. Congress wants answers. The phrase “negligent security practices” is being tossed about—and with good reason. Master signing keys are not supposed to be left around, waiting to be stolen.
Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tell me that the details are really bad.
I believe this all traces back to SolarWinds.
Previously:
Update (2023-09-08): Microsoft (via Michael Love, Hacker News):
Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).
We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).
After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key.
Dan Goodin (Hacker News):
Microsoft has said that roughly 25 organizations had one or more of their accounts breached in the campaign, which began on May 15 and lasted until June 16. Microsoft wasn’t aware of the mass hack until a customer tipped it off.
Breach China Microsoft Microsoft Azure Security