The Security-Audit Edition Friday, February 8, 2019

Apple Releases iOS 12.1.4 To Fix Group FaceTime Security Flaw, by Tom Warren, The Verge

Apple is releasing iOS 12.1.4 today to fix a security flaw in the company’s Group FaceTime feature. Discovered last week, the bug allowed anyone to call a phone or Mac and listen in before the other person picked up. Apple has now fixed the flaw that let you add yourself to a FaceTime call before the recipient picked up, tricking FaceTime into thinking it was an active call.

Apple To Compensate Teenager Who Found Group FaceTime Eavesdrop Bug, by Zack Whittaker, TechCrunch

“In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security,” an Apple spokesperson told TechCrunch. “This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime.”

“To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS,” said Apple.
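The server-side block Apple describes is a general mitigation pattern: gate a feature on the client's reported OS version so unpatched clients cannot reach it, without waiting for every device to update. The snippet below is an added illustration of that pattern, not Apple's code or anything from TechCrunch; the request shape, platform names and function names are assumptions, and the only threshold taken from the page is iOS 12.1.4. It shows the two places such a gate typically goes wrong: comparing version strings lexicographically (so 12.1.10 is judged older than 12.1.4) and failing open when the version is missing, malformed, or from a platform the table does not cover.

```python
"""Server-side feature gating keyed on the caller's reported OS version.

Added illustration of the mitigation pattern quoted above (blocking a feature
for clients that have not yet updated). This is NOT Apple's code; the request
format, platform names and helper names are assumptions. The only threshold
taken from the page is iOS 12.1.4.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Minimum OS version that carries the fix, per platform. Only the iOS number
# is given on the page; platforms missing from this table are treated as not
# fixed (fail closed) rather than guessed.
FIXED_IN: Dict[str, Version] = {"iOS": (12, 1, 4)}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> Optional[Version]:
    """Turn '12.1.4' into (12, 1, 4); return None for anything malformed."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def version_at_least(actual: Version, minimum: Version) -> bool:
    """Numeric, component-wise comparison: 12.1.10 >= 12.1.4 and 12.2 >= 12.1.4.

    Shorter tuples are padded with zeros so '12.2' compares as (12, 2, 0).
    """
    width = max(len(actual), len(minimum))
    padded_actual = actual + (0,) * (width - len(actual))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_actual >= padded_minimum


def feature_allowed(platform: str, reported_version: str) -> bool:
    """Allow the gated feature only for clients at or above the fixed version.

    Unknown platforms and unparseable versions are refused: a client the
    server cannot positively identify as patched is treated as unpatched.
    """
    minimum = FIXED_IN.get(platform)
    if minimum is None:
        return False
    actual = parse_version(reported_version)
    if actual is None:
        return False
    return version_at_least(actual, minimum)


def gate_requests(requests):
    """Decide each request; returns a list of (client_id, allowed)."""
    return [(cid, feature_allowed(platform, ver)) for cid, platform, ver in requests]


# Constructed sample requests (client id, platform, OS version); not real traffic.
SAMPLE_REQUESTS = [
    ("c1", "iOS", "12.1.4"),        # exactly the fixed version -> allowed
    ("c2", "iOS", "12.1.3"),        # one patch behind -> blocked
    ("c3", "iOS", "12.1.10"),       # a string compare would wrongly block this
    ("c4", "iOS", "12.2"),          # shorter string, numerically newer -> allowed
    ("c5", "iOS", "12.1.4-beta"),   # malformed -> blocked (fail closed)
    ("c6", "macOS", "10.14"),       # no macOS threshold in the table -> blocked
]

if __name__ == "__main__":
    for cid, allowed in gate_requests(SAMPLE_REQUESTS):
        print(cid, "allow" if allowed else "block")
```

The fail-closed choice for unknown platforms is deliberate: a kill switch that silently allows traffic it cannot classify is no protection for exactly the clients it was written for.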

Google Warns About Two iOS Zero-days 'Exploited In The Wild', by Catalin Cimpanu, ZDNet

A Google top security engineer has revealed today that hackers have been launching attacks against iPhone users using two iOS vulnerabilities. The attacks have happened before Apple had a chance to release iOS 12.1.4 today -- meaning the two vulnerabilities are what security experts call "zero-days."

The revelation came in a tweet from Ben Hawkes, team leader at Project Zero -- Google's elite security team. Hawkes did not reveal under what circumstances the two zero-days have been used.

Texas Software Engineer Daven Morris Also Reported FaceTime Bug To Apple One Day Before It Made Headlines, by Joe Rossignol, MacRumors

The Wall Street Journal today shared a few details about Morris, noting he is a 27-year-old software engineer who reported the bug to Apple on January 27, several days after the Thompsons but one day before it made headlines. He apparently discovered the bug a week earlier while planning a group trip with friends.

Privacy Matters

Apple Tells App Developers To Disclose Or Remove Screen Recording Code, by Zack Whittaker, TechCrunch

TechCrunch began hearing on Thursday that app developers had already been notified that their apps had fallen afoul of Apple’s rules. One app developer was told by Apple to remove code that recorded app activities, citing the company’s app store guidelines.


Apple gave the developer less than a day to remove the code and resubmit their app or the app would be removed from the app store, the email said.

Apple People

Apple Recently Hired A Prominent Obstetrician, Signaling Interest In Women's Health, by Christina Farr, CNBC

Apple's health team has hired an obstetrician, Dr. Christine Curry, to look into how the company can bolster its efforts in women's health, among other projects, according to three people familiar with the hire.

Angela Ahrendts’ Post-Apple Plans, by Lisa Lockwood, WWD

“I plan to take the summer off,” said Ahrendts, who declined to disclose what type of job she’d be interested in next. She said she plans to enjoy some traveling before making any new commitments. On her agenda are a Rwanda mission and visiting two of her children in London. Ahrendts said that throughout her marriage, her husband has constantly been moving with her to London and then San Francisco, and now it’s time for him to get a turn.

Apple Puts Modem Engineering Unit Into Chip Design Group, by Stephen Nellis, Reuters

Apple Inc has moved its modem chip engineering effort into its in-house hardware technology group from its supply chain unit, two people familiar with the move told Reuters, a sign the tech company is looking to develop a key component of its iPhones after years of buying it from outside suppliers.


Apple’s effort to make its own modem chips could take years, and it is impossible to know when, or in what devices, such chips might appear.

Disruptive Force In Film

Steven Soderbergh’s ‘High Flying Bird’ And The Rise Of iPhone Films, by Ben Lindbergh, The Ringer

High Flying Bird is a product of what Soderbergh believes to be a similar upheaval in the Hollywood system. Shot entirely on an iPhone 8, High Flying Bird is Soderbergh’s second smartphone film, following last year’s psychological thriller Unsane, which he shot in two weeks on an iPhone Seven Plus. Soderbergh, who has habitually sought to upend the economics of movies, remove impediments to production, and concentrate control in filmmakers’ hands, is a predictable proselytizer for a relatively unproven method of moviemaking. In January 2018, just prior to the release of Unsane, Soderbergh declared phones “the future” of filmmaking and, when asked whether he’d use smartphones exclusively for subsequent projects, added, “I’d have to have a pretty good reason not to be thinking about that first.”

The case for smartphones as a disruptive force in film—both as a democratizing implement for low-budget directors and as a budget-slashing or artistically liberating tool for higher-profile projects—is growing stronger as smartphone-camera hardware and the software supporting it improves, and as the list of past precedents lengthens. In addition to helping smartphone manufacturers jockey for market share, each incremental camera upgrade shrinks the visual gap between pocket-containable cameras and the big rigs endemic to studio sets. Even so, it’s not just inertia that’s making iPhone-filmed movies outliers among major projects; some technological limitations are still relegating releases like High Flying Bird to the realm of curiosity. Despite Soderbergh’s unreserved endorsement, taking the smartphone plunge remains a complicated balance of benefits and tradeoffs for most mainstream moviemakers.


Apple's T2 Proving Troublesome For Some Professional Audio Interface Users, by Roger Fingas, AppleInsider

Those affected by the issue are encountering dropouts, pops, and other similar issues with gear brands like Apogee, Focusrite, Native Instruments, Yamaha, RME, and MOTU, according to complaints on Reddit, Logic Pro Help, Apple's support forums, and elsewhere. USB interfaces have been the most commonly impacted, but trouble may manifest to a lesser extent with Thunderbolt hardware.

iPad Diaries: Using A Mac From iOS, Part 1 – Finder Folders, Siri Shortcuts, And App Windows With Keyboard Maestro, by Federico Viticci, MacStories

Aside from recording podcasts using Mac apps, I rely on the Mac mini as a server that performs tasks or provides media in the background. Any server requires a front-end interface to access and manage it; in my case, that meant finding apps, creating shortcuts, and setting up workflows on my iPad Pro to access, manage, and use the Mac mini from iOS without having to physically sit down in front of it.

In this multi-part series, I'm going to cover how I'm using the 2018 iPad Pro to access my Mac mini both locally and remotely, the apps I employ for file management, the custom shortcuts I set up to execute macOS commands from iOS and the HomePod, various automations I created via AppleScript and Keyboard Maestro, and more. Let's dive in.

Netflix iPhone, iPad Apps Get Smart Download Feature, by Janko Roettgers, Variety

Netflix is bringing smart downloads to its iOS app: The streaming service’s iPhone and iPad apps will now automatically download the next episode of a show when users have finished watching a downloaded episode.


Reflecting On My Failure To Build A Billion-Dollar Company, by Sahil Lavingia, Medium

For years, my only metric of success was building a billion dollar company. Now, I realize that was a terrible goal. It’s completely arbitrary, and doesn’t accurately reflect impact.

I’m not making an excuse or pretending that I didn’t fail. I’m not pretending that it feels good. Even though everyone knows that the failure rate in startups, especially venture-funded ones, is super high, it still sucks when you do.

I failed, but I also succeeded at many other things. We turned $10 million of investor capital into $178 million and counting for creators. And without a fundraising goal coming up, we are just focused on building the best product we can for them. On top of all that, I’m happy creating value beyond our revenue-generating product, like these words you’re reading!

I consider myself “successful” now. Not exactly in the way I intended, though I think it counts. Where did my binary focus on building a billion-dollar company come from in the first place?


How NYT Cooking Became The Best Comment Section On The Internet, by Alison Herman, The Ringer

In a satirical post for the now-defunct website The Toast, writer Daniel Mallory Ortberg once cataloged “All the Comments on Every Recipe Blog.” The results are funny, but also an accurate taxonomy of the species that populate the internet’s open spaces, food-related or not: the user error attributed to the original author (“I didn’t have any eggs, so I replaced them with a banana-chia-flaxseed pulse. It turned out terrible; this recipe is terrible”). The total non sequitur (“[600-word description of what they ate today] so this will make a great addition!”). The public shaming (“If you use olive oil for any recipe that’s cooked over 450°F, the oil will denature and you will get cancer. This post is irresponsible”). Small wonder, then, that comment sections—designated areas for free-flowing discussion and principled debate—have become notorious for being anything but. Whether the topic at hand is border walls or beef bourguignonne, the tragedy of the commons is the same.

There is, however, at least one exception to this otherwise ironclad rule. While I generally go out of my way to avoid comments (including and especially on my own work) like the plague, one form of crowdsourced feedback has become an attraction rather than a repellent—as much of an attraction, even, as the original content it’s attached to. The posts attached to the recipes on The New York Times’ stand-alone Cooking site are everything the archetypal internet comment is not. Held up against Ortberg’s fictional-but-also-too-real responses, Cooking’s are genuinely additive, have a ready-made takeaway, and best of all, inspire downright bonhomie toward my fellow man.

From Selfie Taker To Lifesaver: The Smartphone Grows Up, by Matthew Wall, BBC

As the smartphone falls in price while its capabilities improve, it is becoming a valuable tool in the diagnosis of a growing number of diseases and ailments around the world.

Jeff Bezos Accuses National Enquirer Of ‘Extortion And Blackmail’, by Jim Rutenberg, New York Times

The richest man on earth accused the nation’s leading supermarket tabloid publisher of “extortion and blackmail” on Thursday, laying out a theory that brought together international intrigue, White House politics, nude photos and amorous text messages.

Jeff Bezos, the founder of Amazon and the owner of The Washington Post, made his accusations against American Media Inc., the company behind The National Enquirer, in a lengthy post on the online platform Medium. Last month, The Enquirer published an exposé of Mr. Bezos’ extramarital affair with Lauren Sanchez, a former host of the Fox show “So You Think You Can Dance.”

Bottom of the Page

There are too many things to watch on Netflix, and there are too many shows to listen to in my podcast queue.


Thanks for reading.