Windows

Microsoft Knew of Exchange Autodiscover Flaw Five Years Ago (theregister.com) 22

Thomas Claburn writes via The Register: Microsoft Exchange clients like Outlook have been supplying unprotected user credentials if you ask in a particular way since at least 2016. Though aware of this, Microsoft's advice continues to be that customers should communicate only with servers they trust. On August 10, 2016, Marco van Beek, managing director at UK-based IT consultancy Supporting Role, emailed the Microsoft Security Response Center to disclose an Autodiscover exploit that worked with multiple email clients, including Microsoft Outlook. "Basically, I have discovered that it is extremely easy to get access to Exchange (and therefore Active Directory) user passwords in plain text," he wrote. "It doesn't necessarily require any breach of corporate security, and at its most secure, is only as secure as file level access to the corporate website." His proof-of-concept exploit code, which affected Outlook (both Mac and PC), default email apps for Android and iOS, Apple Mail for Mac OS X, and others, consisted of 11 lines of PHP, though he insisted the exploit probably could have been reduced to three lines.

Microsoft acknowledged on August 11, 2016, that it had reproduced the issue in van Beek's report. Then on August 30, 2016, the Windows titan responded to van Beek by saying the report doesn't describe a genuine vulnerability: "Our security engineers and product team have reviewed this report and determined that it is not a security issue to be serviced as part of our monthly Patch Tuesday process. 'Never accept an SSL certificate without a matching host name' is already recommended for clients in the doc cited by your report: [link]. Before you send a request to a candidate, make sure it is trustworthy. Remember that you're sending the user's credentials, so it's important to make sure that you're only sharing them with a server you can trust. At a minimum, you should verify: That the endpoint is an HTTPS endpoint. Client applications should not authenticate or send data to a non-SSL endpoint. That the SSL certificate presented by the server is valid and from a trusted authority."

"This response casually forgets to consider that a hacked web server still retains a perfectly valid certificate -- it just happens to use that trusted tunnel to serve up problems," said van Beek. "Also, I have only found one Exchange client so far which actually checks the hostname against the certificate, which is Microsoft's own test tool." Van Beek said he thought it was incredible that Microsoft confirmed the behavior he reported within hours but does not consider it to be a problem. He suggested three mitigations: changing the order of operations so that DNS gets checked first; never accepting an SSL certificate without a matching host name; and reviewing why and when clients respond to authentication requests.
When asked if the company plans to take any steps to address credential exposure and whether it believes its guidance adequately addresses the problem, a Microsoft spokesperson said: "We are continuing to investigate the specific scenario shared by the researcher."
IOS

Researcher Dumps Three iOS Zero-days After Apple Failed To Fix Issues for Months (therecord.media) 64

A security researcher has published details about three iOS zero-day vulnerabilities, claiming that Apple has failed to patch the issues, which they first reported to the company earlier this year. From a report: Going by the pseudonym of Illusion of Chaos, the researcher has published their findings on Russian blogging platform Habr and has released proof-of-concept code for each vulnerability on GitHub. This includes:

1. A vulnerability in the Gamed daemon that can grant access to user data such as AppleID emails, names, auth token, and grant file system access.

2. A vulnerability in the nehelper daemon that can be used from within an app to learn what other apps are installed on a device.

3. An additional vulnerability in the nehelper daemon can also be used from within an app to gain access to a device's WiFi information.

Apple

Apple CEO Tim Cook in Leaked Memo: 'We Are Doing Everything in Our Power' To Identify Leakers (macrumors.com) 66

Apple CEO Tim Cook has warned employees about leaking company information. Cook's memo: Dear Team,

It was great to connect with you at the global employee meeting on Friday. There was much to celebrate, from our remarkable new product line-up to our values-driven work around climate change, racial equity, and privacy. It was a good opportunity to reflect on our many accomplishments and to have a discussion about what's been on your mind.

I'm writing today because I've heard from so many of you who were incredibly frustrated to see the contents of the meeting leak to reporters. This comes after a product launch in which most of the details of our announcements were also leaked to the press.

I want you to know that I share your frustration. These opportunities to connect as a team are really important. But they only work if we can trust that the content will stay within Apple. I want to reassure you that we are doing everything in our power to identify those who leaked. As you know, we do not tolerate disclosures of confidential information, whether it's product IP or the details of a confidential meeting. We know that the leakers constitute a small number of people. We also know that people who leak confidential information do not belong here.

As we look forward, I want to thank you for all you've done to make our products a reality and all you will do to get them into customers' hands. Yesterday we released iOS 15, iPadOS 15, and watchOS 8, and Friday marks the moment when we share some of our incredible new products with the world. There's nothing better than that. We'll continue to measure our contributions in the lives we change, the connections we foster, and the work we do to leave the world a better place.


IOS

iOS 15.1 Beta Lets Users Add COVID Vaccination Card To Wallet App (macrumors.com) 87

The iOS 15.1 beta that was introduced today allows iPhone users to upload their COVID-19 vaccination status to the Health app and then generate a vaccination card in Apple Wallet. MacRumors reports: The Apple Wallet vaccination card can be shown to businesses, venues, restaurants, and more that are requiring vaccines for entry. As outlined in an announcement to developers, verifiable health records are based on the SMART Health Cards specification. California is using SMART Health Cards, so users in California can add their vaccination records to the Wallet app after installing iOS 15.1. Other states and health organizations that use the SMART Health Cards will be able to use a button to let users know that they can download and store their vaccination information in the Health app and in the Wallet app.

California, Louisiana, New York, Virginia, Hawaii, and some Maryland counties support SMART Health Cards, as do Walmart, Sam's Club, and CVS Health. So those in the specific supported states should be able to look up their information in state databases, but those who were vaccinated through companies like Walmart and CVS will also be able to add their information to the Health and Wallet apps because it's the same system.

Iphone

Researcher Discloses iPhone Lock Screen Bypass on iOS 15 Launch Day (therecord.media) 25

On the day Apple released iOS 15, a Spanish security researcher disclosed an iPhone lock screen bypass that can be exploited to grant attackers access to a user's notes. From a report: In an interview with The Record, Jose Rodriguez said he published details about the lock screen bypass after Apple downplayed similar lock screen bypass issues he reported to the company earlier this year. "Apple values reports of issues like this with up to $25,000 but for reporting a more serious issue, I was awarded with $5,000," the researcher wrote on Twitter last week. [...] Because of the unprofessional way Apple handled his bug report, the researcher published today a variation of the same bypass, but this time one that uses the Apple Siri and VoiceOver services to access the Notes app from behind the screen lock. Further reading: Apple Pays Hackers Six Figures To Find Bugs in Its Software. Then It Sits On their Findings.
IOS

Apple Releases iOS 15 and iPadOS 15 (macrumors.com) 43

Apple today released iOS 15 and iPadOS 15, the newest operating system updates designed for the iPhone, iPad, and iPod touch. From a report: As with all of Apple's software updates, iOS and iPadOS 15 can be downloaded at no cost. iOS 15 is available on the iPhone 6s and later while iPadOS 15 is available on the iPad Air 2 and later. The new software can be downloaded on eligible devices over-the-air by going to Settings > General > Software Update. It may take a few minutes for the updates to propagate to all users due to high demand.

A new Focus mode cuts down on distractions by limiting what's accessible and who can contact you, and notifications can now be grouped up in daily summaries. There's an option for a new Safari design that moves the tab bar to the bottom of the interface, and Tab Groups keep all of your tabs organized. Maps has been overhauled with even more detail, a 3D view in major cities, a globe view, improved transit, a close-up driving view when navigating complicated routes, and AR walking directions. Across the operating system, there's a new Live Text feature that detects text in any image and lets you copy, paste, and translate it, plus there's a system-wide translation feature. In Photos, plants, pets, landmarks, and more can be identified, and there's a system-wide translation feature that goes well with Live Text. iCloud+ with iCloud Private Relay protects your IP address and obscures your location to prevent websites from tracking you, and a Hide My Email feature lets you create temporary email addresses. You can even use your personal domain with iCloud in iOS 15.
Further reading: 19 Things You Can Do in iOS 15 That You Couldn't Do Before.
Chrome

Is 2021 The Year of the Linux Desktop? (pcmag.com) 192

"2021 Is the Year of Linux on the Desktop," writes PC Magazine. "No, really..." Walk into any school now, and you'll see millions of Linux machines. They're called Chromebooks. For a free project launched 30 years ago today by one man in his spare time, it's an amazing feat.... Linux found its real niche — not as a political statement about "free software," but as a practical way to enable capable, low-cost machines for millions...

Chrome OS and Android are both based on the Linux kernel. They don't have the extra GNU software that distributions like Ubuntu have, but they're descended from Linus Torvalds' original work. Chromebooks are the fastest growing segment of the traditional PC market, according to Canalys. IDC points out that Canalys' estimates of 12 million Chromebooks shipped in Q1 2021 are only a fraction of the 63 million notebooks sold that quarter, but once again, they're where the growth is. Much of that is driven by schools, where Chromebooks dominate now. Schoolkids don't generally need a million apps' worth of generic computing power. They need inexpensive, rugged ways to log into Google Classroom. Linux came to the rescue, enabling cheap, light, easy-to-manage PCs that don't have the Swiss Army Knife cruft of Windows or the premium price of Macs...

One great thing about open-source hacker projects is that they can be taken in unexpected directions. Linux isn't controlled, so it can adapt, Darwinian-style. It was a little scurrying mammal in the time of the dinosaurs, and then the mobile-computing asteroid hit. Linux could evolve. Windows couldn't. When you're building something that fits in your hand and has to sip battery, you can't just keep throwing processors and storage at it. Microsoft had a tough time adapting its monstrous megakernel OS to the new, tiny world. But *nix platforms thrive there: Android (based on Linux) and iOS.

"Android and Chrome water down the Linux philosophy," the article argues, "but they are Linux..."

Does this make any long-time geeks feel vindicated? In the original submission wiredog (Slashdot reader #43,288) looks back to 1995, remembering that "my first Linux was RedHat 2.0 in the beige box, running the 0.95(?) kernel and the F Virtual Window Manager...

"It came with 2 books, a CD, and a boot floppy disk."
Iphone

iPhone 13 Pro and Pro Max Announced With High Refresh Rate 120Hz Displays (theverge.com) 124

Apple has officially announced the high-end part of the iPhone 13 lineup: the iPhone 13 Pro and 13 Pro Max. It's got a faster A15 Bionic chip, three all-new cameras, and an improved display with up to a 120Hz ProMotion high refresh rate display that can go as bright as 1,000 nits. The iPhone 13 Pro will start at $999, while the iPhone 13 Pro Max will start at $1,099. Both will be available to order on Friday, shipping on September 24th. From a report: The OLED screens on both models are the same sizes as last year at 6.1 and 6.7 inches but with slightly smaller notches that should allow for more space in the iOS status bar. Apple says the phones have an all-new three-camera system. The ultrawide should offer better low-light photography, and the telephoto now goes up to 3x zoom, enabling 6x optical zoom across the three cameras. All three cameras now have night mode, and there's a new macro mode for photographing subjects at just 2cm.
Google

South Korea's Antitrust Regulator Fines Google $177 Million for Abusing Mobile Market Dominance (cnbc.com) 27

South Korea's competition regulator on Tuesday announced it will fine Google 207.4 billion Korean won ($176.9 million) for allegedly using its dominant market position in the mobile operating system space to stifle competition. From a report: Google's Android operating system currently holds the lion's share of the smartphone market, ahead of Apple's iOS platform. The U.S. tech giant allegedly used its market position to block smartphone makers like Samsung from using operating systems developed by rivals, according to the Korea Fair Trade Commission. Yonhap News added that the regulator, which published its decision in Korean, said the tech giant required smartphone makers to agree to an "anti-fragmentation agreement (AFA)" when signing key contracts with Google over app store licenses and early access to the operating system. That agreement prevented device makers from installing modified versions of the Android operating system, known as "Android forks," on their handsets, Yonhap reported. The regulator alleged that Google's practice stifled innovation in the development of new operating systems for smartphones, the news site added. The KFTC has asked the tech giant to stop forcing companies to sign AFAs and ordered it to take corrective steps, according to Yonhap.
Security

Apple Patches an NSO Zero-Day Flaw Affecting All Devices (techcrunch.com) 29

Apple has released security updates for a newly discovered zero-day vulnerability that affects every iPhone, iPad, Mac and Apple Watch. Citizen Lab, which discovered the vulnerability and was credited with the find, urges users to immediately update their devices. From a report: The technology giant said iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS, will fix at least one vulnerability that it said "may have been actively exploited." Citizen Lab said it has now discovered new artifacts of the ForcedEntry vulnerability, details it first revealed in August as part of an investigation into the use of a zero-day vulnerability that was used to silently hack into iPhones belonging to at least one Bahraini activist.

Last month, Citizen Lab said the zero-day flaw -- named as such since it gives companies zero days to roll out a fix -- took advantage of a flaw in Apple's iMessage, which was exploited to push the Pegasus spyware, developed by Israeli firm NSO Group, to the activist's phone. Pegasus gives its government customers near-complete access to a target's device, including their personal data, photos, messages and location.

Encryption

WhatsApp Will Finally Let Users Encrypt Their Chat Backups in the Cloud (techcrunch.com) 12

WhatsApp said on Friday it will give its two billion users the option to encrypt their chat backups to the cloud, taking a significant step to put a lid on one of the tricky ways private communication between individuals on the app can be compromised. From a report: The Facebook-owned service has end-to-end encrypted chats between users for more than a decade. But users have had no option but to store their chat backup to their cloud -- iCloud on iPhones and Google Drive on Android -- in an unencrypted format. [...] Now WhatsApp says it is patching this weak link in the system.

The company said it has devised a system to enable WhatsApp users on Android and iOS to lock their chat backups with encryption keys. WhatsApp says it will offer users two ways to encrypt their cloud backups, and the feature is optional. In the "coming weeks," users on WhatsApp will see an option to generate a 64-digit encryption key to lock their chat backups in the cloud. Users can store the encryption key offline or in a password manager of their choice, or they can create a password that backs up their encryption key in a cloud-based "backup key vault" that WhatsApp has developed.

Facebook

Facebook Debuts Its Ray-Ban Stories Smart Sunglasses (techcrunch.com) 118

Facebook announced their long-awaited foray into the smart glasses space Thursday morning, launching the Ray-Ban Stories smart glasses in partnership with eyewear giant EssilorLuxottica. From a report: The svelte frames are some of the most low-profile yet available to consumers and will allow users to snap photos and videos with the two onboard 5 MP cameras, listen to music with in-frame speakers and take phone calls. The glasses need to be connected to an iOS or Android device for full functionality, though users can take and store hundreds of photos or dozens of videos on the glasses before transferring media to their phones via Facebook's new View app. The twin cameras will allow users to add 3D effects to their photos and videos once they upload them to the app.

The lightweight glasses weigh less than 50 grams and come with a leather hardshell charging case. The battery life is advertised as "all-day," which TechCrunch found to be accurate during our review of the frames. Users will be able to control the glasses with a couple of physical buttons, including a "capture" button to record media and an on-off switch. A touch pad on the right arm of the glasses will allow users to perform functions like swiping to adjust the volume or answering a phone call. An onboard white LED will glow to indicate to the people around the wearer that a video is being recorded.
The glasses will start at $299, with polarized and transition lens options coming in at a higher price point.
Privacy

After Chiding Apple On Privacy, Germany Says It Uses Pegasus Spyware (appleinsider.com) 38

"Germany's Federal Criminal Police Office (BKA) purchased access to NSO Group's Pegasus spyware in 2019 after internal efforts to create similar iOS and Android surveillance tools failed," reports AppleInsider. The news comes less than a month after the Digital Agenda committee chairman of Germany's federal parliament, Manuel Höferlin, declared Apple to be on a "dangerous path" with plans to enact on-device child sexual abuse material monitoring. He said the system undermines "secure and confidential communication" and represents the "biggest breach of the dam for the confidentiality of communication that we have seen since the invention of the Internet." From the report: The federal government revealed the agreement with NSO in a closed-door session with the German parliament's Interior Committee on Tuesday, reports Die Zeit. When the BKA began to use Pegasus is unclear. While Die Zeit says the tool was purchased in 2019 and is currently used in concert with a less effective state-developed Trojan, a separate report from Süddeutsche Zeitung, via DW.com, cites BKA Vice President Martina Link as confirming an acquisition in late 2020 followed by deployment against terrorism and organized crime suspects in March.

Officials made the decision to adopt Pegasus in spite of concerns regarding the legality of deploying software that can grant near-unfettered access to iPhone and Android handsets. As noted in the report, NSO's spyware exploits zero-day vulnerabilities to gain access to smartphones, including the latest iPhones, to record conversations, gather location data, access chat transcripts and more. Germany's laws state that authorities can only infiltrate suspects' cellphone and computers under special circumstances, while surveillance operations are governed by similarly strict rules.

BKA officials stipulated that only certain functions of Pegasus be activated in an attempt to bring the powerful tool in line with the country's privacy laws, sources told Die Zeit. It is unclear how the restrictions are implemented and whether they have been effective. Also unknown is how often and against whom Pegasus was deployed. According to Die Zeit, Germany first approached NSO about a potential licensing arrangement in 2017, but the plan was nixed due to concerns about the software's capabilities. Talks were renewed after the BKA's attempts to create its own spyware fell short.

Microsoft

Microsoft Start is a Personalized News Feed Designed for Windows 11, Mobile, and More (theverge.com) 57

Microsoft is launching Microsoft Start today, a personalized news feed that integrates into Windows 11 and is accessible online and on iOS and Android. Microsoft Start is very similar to the MSN feed that exists today and to Microsoft News. Microsoft is rebranding these into Microsoft Start and integrating the feed into the Windows 11 widgets section and the Windows 10 taskbar. From a report: Much like Microsoft News, Microsoft Start includes news and media channels from more than 1,000 publishers. Microsoft uses AI and machine learning algorithms to sort through which news is presented to users and to personalize content based on interests and how you engage with content. There's also some "human moderation" involved, but Microsoft did lay off dozens of journalists and editorial workers at its Microsoft News and MSN organizations last year, so it's not clear how involved editors will be. Microsoft Start will surface top stories, personalized recommendations, and sports scores or the weather in its feed.
IOS

Apple Delays Plans To Roll Out CSAM Detection in iOS 15 (techcrunch.com) 61

Apple has delayed plans to roll out its child sexual abuse material (CSAM) detection technology that it chaotically announced last month, citing feedback from customers and policy groups. From a report: That feedback, if you recall, has been largely negative. The Electronic Frontier Foundation said this week it had amassed more than 25,000 signatures from consumers. On top of that, close to 100 policy and rights groups, including the American Civil Liberties Union, also called on Apple to abandon plans to roll out the technology. In a statement on Friday morning, Apple told TechCrunch: "Last month we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them, and limit the spread of Child Sexual Abuse Material. Based on feedback from customers, advocacy groups, researchers and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features."
Privacy

Apple Will Ask Before it Targets You With Its Ads in iOS 15 (theverge.com) 29

Apple will start asking for permission to enable Personalized Ads in iOS 15, the company's method of serving relevant ads in the App Store and Apple News by analyzing what you read, purchase, and search for on your device. From a report: The company used to collect that information by default, but now it plans to ask for permission. Apple required other developers to seek users' permission with the debut of App Tracking Transparency, so it seems like it's showing that it will hold itself to a similar standard. The Personalized Ads pop-up should show up when you open the App Store if you're running the most recent iOS 15 beta. In the pop-up, Apple writes that the ads will help you discover relevant apps, products, and services while protecting your privacy by using "device-generated identifiers and not linking advertising information to your Apple ID."
Bitcoin

Twitter For iOS Beta Lays Groundwork For Bitcoin Tips (macrumors.com) 29

Twitter's latest beta update introduces support for providing content creators with Bitcoin tips using the "Tip Jar" feature that Twitter introduced earlier this year. MacRumors reports: Bitcoin isn't yet available to select as a tip option for beta users, but code in the beta suggests that Twitter is in the process of rolling it out. When the Tip Jar was first introduced, Twitter allowed users to add Bandcamp, Cash App, Patreon, PayPal and Venmo links to their Twitter profile, but soon, there will be a Bitcoin option.

Details in the latest Twitter beta indicate that users will be directed through a Bitcoin tutorial that includes details on the Bitcoin Lightning Network and custodial and non-custodial Bitcoin wallets. Twitter gives Strike, Blue Wallet and Wallet of Satoshi as examples of custodial wallets and Muun, Breez, Phoenix and Zap as examples of non-custodial wallets. Twitter also informs users that a Strike account is required. "We use Strike to generate Bitcoin Lightning invoices so you'll need to connect your account to accept Bitcoin tips" reads the text.

Privacy

Apple Secures First States To Support Digital Driver's Licenses, But Privacy Questions Linger (techcrunch.com) 100

Apple's plan to digitize your wallet is slowly taking shape. What started with boarding passes and venue tickets later became credit cards, subway tickets, and student IDs. Next on Apple's list to digitize are driver's licenses and state IDs, which it plans to support in its iOS 15 update expected out later this year. From a report: But to get there it needs help from state governments, since it's the states that issue driver's licenses and other forms of state identification, and every state issues IDs differently. Apple said today it has so far secured two states, Arizona and Georgia, to bring digital driver's license and state IDs. Connecticut, Iowa, Kentucky, Maryland, Oklahoma, and Utah are expected to follow, but a timeline for rolling out wasn't given.

Apple said in June that it would begin supporting digital licenses and IDs, and that the TSA would be the first agency to begin accepting a digital license from an iPhone at several airports, since only a state ID is required for traveling by air domestically within the United States. The TSA will allow you to present your digital wallet by tapping it on an identity reader. Apple says the feature is secure and doesn't require handing over or unlocking your phone. The digital license and ID data is stored on your iPhone but a driver's license must be verified by the participating state. That has to happen at scale and speed to support millions of drivers and travelers while preventing fake IDs from making it through. The goal of digitizing licenses and IDs is convenience, rather than fixing a problem. But the move hasn't exactly drawn confidence from privacy experts, who bemoan Apple's lack of transparency about how it built this technology and what it ultimately gets out of it.

Chrome

Chrome 94 Beta Adds WebGPU API With Support For Apple's Metal (9to5mac.com) 36

An anonymous reader quotes a report from 9to5Mac, written by Filipe Esposito: Google this week announced the beta release of Chrome 94, the next update to Google's desktop web browser. In addition to general improvements, the update also adds support for the new WebGPU API, which is set to replace WebGL and can even access Apple's Metal API. As described by Google in a blog post, WebGPU is a new, more advanced graphics API for the web that is able to access GPU hardware, resulting in better performance for rendering interfaces in websites and web apps.

For those unfamiliar, Metal is an API introduced by Apple in 2014 that provides low-level access to GPU hardware for iOS, macOS, and tvOS apps. In other words, apps can access the GPU without overloading the CPU, which is one of the limitations of old APIs like OpenGL. Google says WebGPU is not expected to come enabled by default for all Chrome users until early 2022. The final release of Chrome 94 should enable WebCodecs for everyone, which is another API designed to improve the encoding and decoding of streaming videos.

Businesses

Apple Will Now let App Store Developers Talk To Their Customers About Buying Direct (techcrunch.com) 19

Apple announced today it has reached a proposed settlement in a lawsuit filed against it by developers in the United States. The agreement, which is still pending court approval, includes a few changes, the biggest one being that developers will be able to share information on how to pay for purchases outside of their iOS app or the App Store -- which means they can tell customers about payment options that aren't subject to Apple commissions. The settlement also includes more pricing tiers and a new transparency report about the app review process. From a report: The class-action lawsuit was filed against Apple in 2019 by app developers Donald Cameron and Illinois Pure Sweat Basketball, who said the company engaged in anticompetitive practices by only allowing the downloading of iPhone apps through its App Store. In today's announcement, Apple said it is "clarifying that developers can use communications, such as emails, to share information about payment methods outside of their iOS app. As always, developers will not pay Apple a commission on any purchases taking place outside of their app or the App Stores."
