(Sub)Urban boyscout. Tech-whisperer. Tech-skeptic.

13-inch iPad Pro review: hardware of the future running software of the past

Apple's 13-inch iPad Pro is a testament to the power and efficiency of Apple Silicon, but WWDC has to address at least some of the shortcomings of iPadOS for those hardware upgrades to mean anything.

Image: An iPad Pro with Nano Texture in direct sunlight outdoors with a blue sky.

As Apple shaves away every millimeter from the iPad, it gets closer to realizing the dream of offering information on a sheet of glass. At 5.1 millimeters, there's not much else Apple can do to the hardware without physics getting in the way.

However, the only thing in the way of improving iPad software is Apple and its philosophy surrounding the tablet. While iPad is the perfect work device for some, there are obvious limitations and shortcomings that need to be addressed.


chrisrosa
11 days ago

Researcher: Windows 11 Recall a ‘Disaster’


Windows 11’s Recall feature has garnered a lot of attention since being announced, and much of that has focused on the potential privacy implications of software that basically tracks everything you do on your PC.

Cybersecurity expert Kevin Beaumont has taken a look at the feature, and uhhhhhh:

Microsoft told media outlets a hacker cannot exfiltrate Copilot+ Recall activity remotely.

Reality: how do you think hackers will exfiltrate this plain text database of everything the user has ever viewed on their PC? Very easily, I have it automated.

He explains more in a post on Medium:

Every few seconds, screenshots are taken. These are automatically OCR’d by Azure AI, running on your device, and written into an SQLite database in the user’s folder. This database file has a record of everything you’ve ever viewed on your PC in plain text.

Tom Warren at The Verge:

Microsoft maintains Recall is an optional experience and that it has built privacy controls into the feature. You can disable certain URLs and apps, and Recall won’t store any material that’s protected with digital rights management tools. “Recall also does not take snapshots of certain kinds of content, including InPrivate web browsing sessions in Microsoft Edge, Firefox, Opera, Google Chrome, or other Chromium-based browsers,” says Microsoft on its explainer FAQ page.

However, Recall doesn’t perform content moderation, so it won’t hide information like passwords or financial account numbers in its screenshots. “That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry,” warns Microsoft.

Warren also notes:

Microsoft is currently planning to enable Recall by default on Copilot Plus PCs. In my own testing on a prerelease version of Recall, the feature is enabled by default when you set up a new Copilot Plus PC, and there is no option to disable it during the setup process unless you tick an option that then opens the Settings panel. Microsoft is reportedly discussing whether to change this setup process, though.

Gulp.
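The content-moderation step the Verge excerpt says Recall lacks, as an added example: this is not Microsoft's code and assumes nothing about Recall's real database path or schema (the `snapshots` table and the OCR text are constructed here). OCR'd text is screened for card numbers that pass the Luhn check and for password fields rendered in clear before it is written to SQLite.

```python
import re
import sqlite3
from typing import List, Tuple

# 13-19 digits, optionally separated by spaces or hyphens (typical card layout).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# A password rendered in clear on screen, the case Microsoft's FAQ warns about
# (sites that do not mask password entry).
PASSWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*(\S+)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str) -> Tuple[str, List[str]]:
    """Mask Luhn-valid card numbers and visible password values in OCR text."""
    findings: List[str] = []

    def card_sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number; leave it alone
        findings.append("card")
        return "[REDACTED-CARD-" + digits[-4:] + "]"

    def pw_sub(m):
        findings.append("password")
        return m.group(1) + ": [REDACTED]"

    text = CARD_RE.sub(card_sub, text)
    text = PASSWORD_RE.sub(pw_sub, text)
    return text, findings


def store_snapshot(conn: sqlite3.Connection, app: str, ts: int, ocr_text: str) -> List[str]:
    """Redact first, then write the row; returns what was masked, for auditing."""
    clean, findings = redact(ocr_text)
    conn.execute("INSERT INTO snapshots(app, ts, text) VALUES (?, ?, ?)", (app, ts, clean))
    return findings


def demo() -> List[str]:
    """Run three constructed OCR samples through the filter; returns stored text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE snapshots(app TEXT, ts INTEGER, text TEXT)")
    # Constructed OCR output standing in for snapshot text; 4111 1111 1111 1111
    # is a well-known test card number.
    samples = [
        ("Edge", 1, "Checkout: 4111 1111 1111 1111 exp 12/27"),
        ("Notepad", 2, "Order 1234567890123 shipped"),
        ("Edge", 3, "Username: alice Password: hunter2"),
    ]
    for app, ts, text in samples:
        store_snapshot(conn, app, ts, text)
    return [row[0] for row in conn.execute("SELECT text FROM snapshots ORDER BY ts")]


if __name__ == "__main__":
    for line in demo():
        print(line)
```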

chrisrosa
12 days ago

British traveler's exotic fruit tasting leaves face blistered and burning

Image: cashew apple.

When Thomas Watson, a 28-year-old construction worker from Bedfordshire, decided to sample an exotic fruit during his travels in Mexico, he had no idea it would lead to a painful lesson in botany. Watson, an avid Instagram travel chronicler, was exploring a market in Campeche on the Yucatán Peninsula when he encountered a cashew apple.

The post British traveler's exotic fruit tasting leaves face blistered and burning appeared first on Boing Boing.

chrisrosa
17 days ago
The truly sad part is that his reproductive organs are nowhere near where his mouth is.
freeAgent
16 days ago
I don't necessarily blame him, though I'm sure if he'd asked ANYONE around, they would have told him that was a stupid thing to do. Cashews are from the same family as poison ivy.
chrisrosa
15 days ago
Oh man! Had no idea! Just seems pretty idiotic to assume something is edible.

Nomad Unveils New Find My 'Tracking Card' With MagSafe Charging



Nomad has announced the release of a new 'Tracking Card' with support for Apple Find My and MagSafe charging.

Tracking Card is remarkably slim and seamlessly integrates with Apple's native Find My app for effortless wallet tracking. Plus, it's fully rechargeable on any Qi or MagSafe charger.

To charge Tracking Card, simply place it on any Qi or MagSafe charger. The small circular light on the top right corner will turn green once the card is fully charged. To check your Tracking Card's percentage, navigate to the device in your Find My app.


chrisrosa
18 days ago
I got my Chipolo CARD back in March of 2022, and the battery is still going strong. I'm kind of amazed. It doesn't have the fine detailed tracking of a regular AirTag, but it's been good enough. And it's very loud too.
So this MagSafe charging feature is odd to me.

Why Your Wi-Fi Router Doubles as an Apple AirTag


Image: Shutterstock.

Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally — including non-Apple devices like Starlink systems — and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.

At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.

Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-Fi access point uses, known as a Basic Service Set Identifier or BSSID.

Periodically, Apple and Google mobile devices will forward their locations — by querying GPS and/or by using cellular towers as landmarks — along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it’s what allows your mobile phone to continue displaying your planned route even when the device can’t get a fix on GPS.

With Google’s WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths — via an application programming interface (API) request to Google — whose WPS responds with the device’s computed position. Google’s WPS requires at least two BSSIDs to calculate a device’s approximate position.

Apple’s WPS also accepts a list of nearby BSSIDs, but instead of computing the device’s location based on the set of observed access points and their received signal strengths and then reporting that result to the user, Apple’s API will return the geolocations of up to 400 more BSSIDs that are nearby the one requested. It then uses approximately eight of those BSSIDs to work out the user’s location based on known landmarks.

In essence, Google’s WPS computes the user’s location and shares it with the device. Apple’s WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own.

That’s according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple’s API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random.

They learned that while only about three million of those randomly generated BSSIDs were known to Apple’s Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups.

UMD Associate Professor David Levin and Ph.D student Erik Rye found they could mostly avoid requesting unallocated BSSIDs by consulting the list of BSSID ranges assigned to specific device manufacturers. That list is maintained by the Institute of Electrical and Electronics Engineers (IEEE), which is also sponsoring the privacy and security conference where Rye is slated to present the UMD research later today.

Plotting the locations returned by Apple’s WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points. The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America.

A “heatmap” of BSSIDs the UMD team said they discovered by guessing randomly at BSSIDs.

The researchers said that by zeroing in on or “geofencing” other smaller regions indexed by Apple’s location API, they could monitor how Wi-Fi access points moved over time. Why might that be a big deal? They found that by geofencing active conflict zones in Ukraine, they were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces.

The reason they were able to do that is that each Starlink terminal — the dish and associated hardware that allows a Starlink customer to receive Internet service from a constellation of orbiting Starlink satellites — includes its own Wi-Fi access point, whose location is going to be automatically indexed by any nearby Apple devices that have location services enabled.

A heatmap of Starlink routers in Ukraine. Image: UMD.

The University of Maryland team geo-fenced various conflict zones in Ukraine, and identified at least 3,722 Starlink terminals geolocated in Ukraine.

“We find what appear to be personal devices being brought by military personnel into war zones, exposing pre-deployment sites and military positions,” the researchers wrote. “Our results also show individuals who have left Ukraine to a wide range of countries, validating public reports of where Ukrainian refugees have resettled.”

In an interview with KrebsOnSecurity, the UMD team said they found that in addition to exposing Russian troop pre-deployment sites, the location data made it easy to see where devices in contested regions originated from.

“This includes residential addresses throughout the world,” Levin said. “We even believe we can identify people who have joined the Ukraine Foreign Legion.”

A simplified map of where BSSIDs that enter the Donbas and Crimea regions of Ukraine originate. Image: UMD.

Levin and Rye said they shared their findings with Starlink in March 2024, and that Starlink told them the company began shipping software updates in 2023 that force Starlink access points to randomize their BSSIDs.

Starlink’s parent SpaceX did not respond to requests for comment. But the researchers shared a graphic they said was created from their Starlink BSSID monitoring data, which shows that just in the past month there was a substantial drop in the number of Starlink devices that were geo-locatable using Apple’s API.

UMD researchers shared this graphic, which shows their ability to monitor the location and movement of Starlink devices by BSSID dropped precipitously in the past month.

They also shared a written statement they received from Starlink, which acknowledged that Starlink User Terminal routers originally used a static BSSID/MAC:

“In early 2023 a software update was released that randomized the main router BSSID. Subsequent software releases have included randomization of the BSSID of WiFi repeaters associated with the main router. Software updates that include the repeater randomization functionality are currently being deployed fleet-wide on a region-by-region basis. We believe the data outlined in your paper is based on Starlink main routers and or repeaters that were queried prior to receiving these randomization updates.”

The researchers also focused their geofencing on the Israel-Hamas war in Gaza, and were able to track the migration and disappearance of devices throughout the Gaza Strip as Israeli forces cut power to the country and bombing campaigns knocked out key infrastructure.

“As time progressed, the number of Gazan BSSIDs that are geolocatable continued to decline,” they wrote. “By the end of the month, only 28% of the original BSSIDs were still found in the Apple WPS.”

In late March 2024, Apple quietly updated its website to note that anyone can opt out of having the location of their wireless access points collected and shared by Apple — by appending “_nomap” to the end of the Wi-Fi access point’s name (SSID). Adding “_nomap” to your Wi-Fi network name also blocks Google from indexing its location.

Apple updated its privacy and location services policy in March 2024 to allow people to opt out of having their Wi-Fi access point indexed by its service, by appending “_nomap” to the network’s name.

Asked about the changes, Apple said they have respected the “_nomap” flag on SSIDs for some time, but that this was only called out in a support article earlier this year.

Rye said Apple’s response addressed the most depressing aspect of their research: That there was previously no way for anyone to opt out of this data collection.

“You may not have Apple products, but if you have an access point and someone near you owns an Apple device, your BSSID will be in [Apple’s] database,” he said. “What’s important to note here is that every access point is being tracked, without opting in, whether they run an Apple device or not. Only after we disclosed this to Apple have they added the ability for people to opt out.”

The researchers said they hope Apple will consider additional safeguards, such as proactive ways to limit abuses of its location API.

“It’s a good first step,” Levin said of Apple’s privacy update in March. “But this data represents a really serious privacy vulnerability. I would hope Apple would put further restrictions on the use of its API, like rate-limiting these queries to keep people from accumulating massive amounts of data like we did.”

The UMD researchers said they omitted certain details from their study to protect the users they were able to track, noting that the methods they used could present risks for those fleeing abusive relationships or stalkers.

“We observe routers move between cities and countries, potentially representing their owner’s relocation or a business transaction between an old and new owner,” they wrote. “While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location.”

The researchers said Wi-Fi access points that can be created using a mobile device’s built-in cellular modem do not create a location privacy risk for their users because mobile phone hotspots will choose a random BSSID when activated.

“Modern Android and iOS devices will choose a random BSSID when you go into hotspot mode,” he said. “Hotspots are already implementing the strongest recommendations for privacy protections. It’s other types of devices that don’t do that.”
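Two checks a defender can run on their own access points against the opt-outs this article describes: the “_nomap” SSID suffix, and the randomized BSSID that hotspots use, as Rye explains. This is an added example, not code from the article or the UMD paper; the inventory is constructed, and the randomization test is the IEEE 802 convention that a locally administered (non-manufacturer) address sets bit 1 of its first octet.

```python
import re
from typing import Dict, List, Tuple


def parse_bssid(bssid: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into six octets."""
    parts = re.split(r"[:-]", bssid.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError("not a BSSID: " + repr(bssid))
    return bytes(int(p, 16) for p in parts)


def is_locally_administered(bssid: str) -> bool:
    """IEEE 802 U/L bit (bit 1 of the first octet). A randomized address, such as
    the one a phone hotspot picks, sets it; a manufacturer-assigned one clears it."""
    return bool(parse_bssid(bssid)[0] & 0x02)


def oui(bssid: str) -> str:
    """24-bit manufacturer prefix, the key into the IEEE assignment list."""
    return parse_bssid(bssid)[:3].hex(":").upper()


def is_opted_out(ssid: str) -> bool:
    """The '_nomap' suffix that both Apple and Google honour."""
    return ssid.endswith("_nomap")


def audit(ssid: str, bssid: str) -> Dict[str, object]:
    """Summarise whether one access point can still be indexed by a WPS."""
    randomized = is_locally_administered(bssid)
    opted_out = is_opted_out(ssid)
    return {
        "ssid": ssid,
        "bssid": bssid.lower(),
        "opted_out": opted_out,
        "randomized_bssid": randomized,
        "oui": None if randomized else oui(bssid),
        # A fixed, manufacturer-assigned BSSID with no opt-out is what a passing
        # phone reports to a WPS; that is how the routers in the article became trackable.
        "indexable": not randomized and not opted_out,
    }


def still_indexable(inventory: List[Tuple[str, str]]) -> List[str]:
    """Names of the access points in an inventory that remain indexable."""
    return [a["ssid"] for a in (audit(s, b) for s, b in inventory) if a["indexable"]]


# Constructed inventory; none of these are real devices.
SAMPLE_INVENTORY = [
    ("HomeNet", "00:11:22:33:44:55"),
    ("HomeNet_nomap", "00:11:22:33:44:66"),
    ("alice's iPhone", "da:a1:19:00:00:01"),
    ("CamperRouter", "a4-b1-c2-d3-e4-f5"),
]

if __name__ == "__main__":
    for ssid, bssid in SAMPLE_INVENTORY:
        print(audit(ssid, bssid))
    print("still indexable:", still_indexable(SAMPLE_INVENTORY))
```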

For example, they discovered that certain commonly used travel routers compound the potential privacy risks.

“Because travel routers are frequently used on campers or boats, we see a significant number of them move between campgrounds, RV parks, and marinas,” the UMD duo wrote. “They are used by vacationers who move between residential dwellings and hotels. We have evidence of their use by military members as they deploy from their homes and bases to war zones.”

A copy of the UMD research is available here (PDF).

Update, May 22, 4:54 p.m. ET: Added response from Apple.

freeAgent
24 days ago
_why do I have to ruin my cool SSID to opt-out, Apple?
chrisrosa
23 days ago

How secure is Secure Erase (EACAS)?


This week has brought worrying reports that securely erased devices have seemingly ‘recovered’ old images stored on them before their erasure, a bug addressed by the iOS/iPadOS 17.5.1 update. Although this doesn’t appear to affect Macs, it has led some to claim that securely erasing your Mac or device may not remove all old data from it. This article explains why that’s incorrect, and how those reports are false.

Structure of internal storage

Since macOS Catalina, Macs have started up not from a single system volume, but from a group of volumes. This is simpler on the internal storage of an Intel Mac, which now has five volumes, of which the relevant ones are the System and Data volumes.

Image: boot disk structure of an Intel Mac.

The internal SSD in an Apple silicon Mac consists of three APFS containers, and lacks the legacy EFI partition. Only the Apple_APFS container is normally mounted, and that has a similar structure to the boot container of an Intel Mac.

Since Big Sur, the System volume remains unmounted, and the boot system is a read-only snapshot stored on that volume. Outside macOS installation and updating, nothing can write to either of those, so the only volume capable of storing user data is the Data volume. If old images were to be stored anywhere, they could only be on the Data volume.

Data volume encryption

Intel Macs without T2 chips only encrypt the Data volume when FileVault is turned on. However, Data volumes on the internal SSD in T2 and Apple silicon Macs are invariably encrypted; the SSD is connected directly to the Secure Enclave, which performs its encryption and decryption using keys generated and stored within it. Keys and processes involved are shown in the diagram below.

Image: FileVault keys and passwords.

All volumes on the internal SSD that are encrypted have a Volume Encryption Key (VEK), protected by two internal keys, one the unique hardware UID from the Secure Enclave, the other from xART and intended to protect from replay attacks. The VEK isn’t exposed outside the Secure Enclave, nor is it handled by CPU cores. When FileVault is enabled, the same encryption is applied to the Data volume, but its VEK is additionally protected by a Key Encryption Key (KEK) requiring entry of the user password for that to be unwrapped, and give access to the VEK.

Data volume encryption is all-or-none, and can’t be partial. It applies to the volume’s file system, its data, metadata, even its snapshots. macOS can’t forget to encrypt some parts of the volume, indeed it’s not possible for any of the Data volume to be stored unencrypted, nor can its contents be ‘cached’ somehow to the System volume, which isn’t even mounted. Decryption can only succeed when the whole VEK is used; you can’t provide part of the VEK or KEK to decrypt part of the volume.

EACAS

Intel Macs with a T2 chip and Apple silicon Macs can take advantage of this scheme of encryption when they need to be securely erased. This is offered by Erase All Content and Settings (EACAS), or Erase Assistant, and Erase Manager. This is initiated from System Settings > General > Transfer or Reset > Erase All Content and Settings…. In older versions of macOS still using System Preferences, open them and this is available as a command in the app menu there.

Image: Erase All Content and Settings.

EACAS handles all the signing out that’s required before disposing of a Mac, and disables Find My Mac and Activation Lock. But most importantly it ensures that no one can access the contents of its Data volume, by destroying the encryption keys (both KEK and VEK) used to encrypt that volume. Without those keys, it’s practically impossible for anyone to break that encryption and recover any of the protected data.

This has the effect of destroying the Data volume, as it can’t be mounted or accessed in any way without being decrypted. When that Mac is started up after EACAS has been used, it has to create a new Data volume using a fresh VEK before that can be mounted and macOS goes through its configuration and personalisation sequence. Once complete, that Mac uses the new Data volume and the storage used by the previous Data volume is freed for reuse.
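A toy model of the key hierarchy and crypto-erase described in the two sections above, as an added example that is not Apple's code: the VEK is wrapped by a password-derived KEK and then by a key built from the Secure Enclave's UID and xART secrets, and EACAS destroys the wrapped key while the ciphertext stays put. AES in the Secure Enclave is replaced by an HMAC-SHA256 keystream so that it runs on the standard library alone; the key-check value and the PBKDF2 iteration count are illustrative, not Apple's.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

BLOCK = 32


def prf_stream(key: bytes, data: bytes) -> bytes:
    """CTR-style keystream from HMAC-SHA256 XORed over data (same call decrypts).
    Stand-in for the AES the Secure Enclave uses; not Apple's construction."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        ks = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
    return bytes(out)


def derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> Key Encryption Key. Iteration count is illustrative only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def hardware_key(enclave: Dict[str, bytes]) -> bytes:
    """Wrapping key from the two Secure Enclave secrets the article names:
    the hardware UID and the xART anti-replay key. Neither leaves the enclave."""
    return hashlib.sha256(enclave["uid"] + enclave["xart"]).digest()


def make_volume(enclave, password: str, plaintext: bytes, vek=None) -> Dict[str, bytes]:
    """Create an encrypted Data volume. The VEK is wrapped by the password KEK and
    that result by the hardware key, so it is never stored in clear."""
    vek = vek if vek is not None else secrets.token_bytes(32)  # vek arg: test hook only
    salt = secrets.token_bytes(16)
    inner = prf_stream(derive_kek(password, salt), vek)
    return {
        "salt": salt,
        "wrapped_vek": prf_stream(hardware_key(enclave), inner),
        "check": hmac.new(vek, b"vek-check", hashlib.sha256).digest(),  # rejects wrong VEKs
        "ciphertext": prf_stream(vek, plaintext),
    }


def decrypt_with_vek(volume, vek: bytes) -> Optional[bytes]:
    """All-or-none: any VEK other than the exact one fails the check."""
    expect = hmac.new(vek, b"vek-check", hashlib.sha256).digest()
    if not hmac.compare_digest(expect, volume["check"]):
        return None
    return prf_stream(vek, volume["ciphertext"])


def unlock(enclave, volume, password: str) -> Optional[bytes]:
    """Unwrap the VEK with the hardware key and the password KEK, then decrypt."""
    inner = prf_stream(hardware_key(enclave), volume["wrapped_vek"])
    vek = prf_stream(derive_kek(password, volume["salt"]), inner)
    return decrypt_with_vek(volume, vek)


def erase_all_content(volume) -> None:
    """Crypto-erase as EACAS does it: destroy the wrapped key material. The
    ciphertext stays on flash unchanged but can no longer be decrypted."""
    volume["wrapped_vek"] = bytes(len(volume["wrapped_vek"]))
```

A restart after `erase_all_content` corresponds to calling `make_volume` again with a fresh VEK; nothing from the old volume can be read back, even with the right password on the same hardware.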

Potential problems

For the great majority of users, secure erase using EACAS is quick, simple, and completely reliable. Unfortunately, there can’t be an equivalent for older Intel Macs without T2 chips, but many of them don’t have internal SSDs, so can be erased conventionally using Disk Utility. Neither does EACAS work with external storage, as that can’t use hardware encryption and the Secure Enclave, so must also be erased conventionally if required.

If your Mac has more than one boot volume group installed on its internal SSD, you might wonder whether you have to run EACAS from each of those systems in turn. Although Apple’s description isn’t accurate, it appears that running EACAS will destroy all encryption keys for internal storage, including other boot volume groups, even Boot Camp. However, as explained above, it doesn’t erase the System volume, which isn’t encrypted anyway.

Claims

As far as I can tell, claims made about securely erased devices recovering old images originate from a single post on Reddit, since deleted by the person who posted it. Although that brought a series of cogent responses pointing out how that isn’t possible, it was picked up and amplified elsewhere, under the title iOS 17.5 Bug May Also Resurface Deleted Photos on Wiped, Sold Devices, which is manifestly incorrect. Sadly, even those who should know better have piled in and reported that single, retracted claim as established fact.

No doubt that will soon be making its way into AI, where we’ll be told that EACAS isn’t reliable, and we should revert to traditional secure erase tools that attempt to overwrite the entire contents of the internal SSD of a Mac we’re going to dispose of.

Summary

  • Use Erase Assistant (EACAS) to securely erase your Mac’s internal storage before disposing of it, when it’s available.
  • When someone makes an outlandish claim, verify before you amplify. If you do get it wrong, retract promptly.


chrisrosa
23 days ago