Archive for December 24, 2025

How to Recognize a Genuine Mac Password Request

Howard Oakley:

One of the primary aims of most malware is to trick you into giving it your password. Armed with that, there’s little to stop it gathering up your secrets and sending them off to your attacker’s servers. One of your key defences against that is to know when a password request is genuine, and when it’s bogus. By far the best way to authenticate now is using Touch ID, but many Macs don’t support it, either because they can’t, or because their keyboard doesn’t, and there are still occasions when a genuine request may not offer it. This article looks at the anatomy of a range of genuine password requests. Note that these dialogs aren’t generated by the app, but come from the macOS security system, hence their consistency.

It’s kind of scary that there isn’t really anything about the standard Mac password dialogs that malware couldn’t duplicate. I don’t know why Apple hasn’t figured out a way to modify the rest of the screen in a way that only they could do. But, in practice, the fake dialogs seem to be very sloppily designed, so it’s good to review Oakley’s catalog.

I use a USB keyboard that doesn’t support Touch ID 99% of the time. Even when using my MacBook Pro’s internal keyboard, I tend not to use Touch ID because it rarely works. (It doesn’t work well on my iPad Air, either, though it was very reliable back before iPhones switched to Face ID.)

More App Store Ad Spots

Apple:

When a user searches on the App Store, your ad can appear at the top of their search results. And starting in 2026, we’ll be introducing more ads to increase opportunity in search results.

[…]

Your ad will run in either the existing position — at the top of search results — or further down in search results. If you have a search results campaign running, your ad will be automatically eligible for all available positions, but you can’t select or bid for a particular one.

James Thomson:

Me: I really hate the advert when you search on the App Store, I wish Apple would change that.

Apple: Wish granted!

John Gruber (Mastodon):

I have a bad feeling about this.

Marco Arment:

App Store search is ineffective and primitive, and doesn’t reliably show high-quality, relevant results for queries.

How can it be improved?

More advanced search algorithms, like the last two decades? Nope!

AI-assisted relevance and ranking, like this decade? Nope!

When all you have is an insatiable desire for more “services revenue”, you can only see one solution…

Greg Pierce:

Why should Apple just take 30% of the lifetime value of your customers in perpetuity when they can charge you 90% of that just to acquire them!

Jeff Johnson:

Do additional ad positions in App Store search mean that if someone searches for your app by name, Apple can bury your app even lower than its current (hopefully) #2 position in the results?

Google Sues SerpApi

Halimah DeLaine Prado (Reddit):

We filed a suit today against the scraping company SerpApi for circumventing security measures protecting others’ copyrighted content that appears in Google search results. We did this to ask a court to stop SerpApi’s bots and their malicious scraping, which violates the choices of websites and rightsholders about who should have access to their content. This lawsuit follows legal action that other websites have taken against SerpApi and similar scraping companies, and is part of our long track record of affirmative litigation to fight scammers and bad actors on the web.

Google follows industry-standard crawling protocols, and honors websites’ directives over crawling of their content. Stealthy scrapers like SerpApi override those directives and give sites no choice at all. SerpApi uses shady back doors — like cloaking themselves, bombarding websites with massive networks of bots and giving their crawlers fake and constantly changing names — circumventing our security measures to take websites’ content wholesale.

Barry Schwartz:

Google claims SerpApi uses hundreds of millions of fake search requests to mimic human behavior. This allows them to bypass CAPTCHAs and other automated defenses that Google uses to prevent bots from overwhelming its systems.

SerpApi sells a “Google Search API” to third parties. Google argues this is deceptive because Google does not offer a public search API for this type of data. SerpApi is essentially selling a back door to Google’s proprietary search engine.

Google argues that its security systems (like SearchGuard) are “technological measures” that control access to copyrighted work. By bypassing them, SerpApi is allegedly violating Section 1201 of the DMCA. Google claims SerpApi is violating Google’s Terms of Service, which strictly prohibit automated scraping and the use of proxies to hide one’s identity. Google alleges that SerpApi is profiting from Google’s massive investment in organizing the world’s information without contributing to the ecosystem or respecting the rules.

“Google estimates that SerpApi sends hundreds of millions of artificial search requests each day to Google. Over the last two years, that volume has increased by as much as 25,000%,” Google said.

Danny Goodwin:

What SerpApi has said previously.

SerpApi argued that “public search data should be accessible,” framing its work as protected by the First Amendment and warning that lawsuits like Reddit’s threaten the “free and open web.”

Nick Heer:

Recent actions taken by U.S. courts, for example, have found Google illegally maintained its search monopoly. In issuing proposed remedies earlier this year, the judge noted the rapidly shifting world of search thanks to the growth of generative artificial intelligence products. “OpenAI” is mentioned (PDF) thirty times as an example of a potential disruptor. However, the judge does not mention that OpenAI’s live search data is at least partially powered by SerpApi.

TikTok Spin Off Deal

Clare Duffy (Reddit):

TikTok has signed the deal backed by President Donald Trump to spin off its US assets to create a new entity with a group of mostly American investors, CEO Shou Chew told employees in a memo Thursday.

Although the transaction is not yet complete, the move brings TikTok one step closer to securing its long-term future in the United States. It comes after a law passed last year required that the US version of the app be spun off from its parent company, ByteDance, or be banned in the United States.

[…]

Under the agreement, the US TikTok app will be controlled by a new joint venture, 50% of which will be owned by a consortium of investors comprised of tech company Oracle, private equity firm Silver Lake and Emirati-backed investment firm MGX. Just over 30% of the joint venture will be held by “affiliates of certain existing investors in ByteDance” and 19.9% will be retained by ByteDance, according to Chew’s memo.

John Gruber (Mastodon):

The craziest aspect of this whole saga is that TikTok has been operating illegally since Trump took office.

Nick Heer:

Oracle is among the companies illegally supporting TikTok for the past year, along with Apple and Google. Instead of facing stiff legal penalties, Oracle will get to own a 15% piece of TikTok.

Karl Bode (Hacker News):

The deal purportedly involves “retraining the content recommendation algorithm on U.S. user data to ensure the content feed is free from outside manipulation,” but given you can’t trust any of the companies involved, the Trump administration, or what’s left of U.S. regulators, that means absolutely nothing. Oracle will be “overseeing data protection,” but that means nothing as well given Oracle is run by an authoritarian-enabling billionaire with a long history of his own privacy abuses.

Also, this seems to ignore that three years ago, during the Biden administration, it was already announced that Oracle was overseeing TikTok’s algorithms and data protection. It’s kinda weird that everyone seems to have forgotten that. This is all, more or less, what was already agreed to years ago.

Nick Heer:

There is a kind of implied “for now” which should be tacked onto the end of its impact on Canadians. This U.S.-specific version lays the groundwork for a political wedge issue in Canada and elsewhere: should people use the version of the app run by a company headquartered in Beijing and mostly owned by a mix of American, Chinese, and Emirati investors, or should they use the app run by a company based in the U.S. and mostly owned by a mix of American, Chinese, and Emirati investors? Or, to frame it in more politically expedient terms, should people be allowed to use the “Chinese” app or should they be pushed into the “American” app? Under that framing, I would not be surprised to see the U.S. version become the dominant client for TikTok worldwide.
