Wireless Networking

Tech Industry Quietly Patches FragAttacks Wi-Fi Flaws That Leak Data, Weaken Security (theregister.com) 37

An anonymous reader quotes a report from The Register: A dozen Wi-Fi design and implementation flaws make it possible for miscreants to steal transmitted data and bypass firewalls to attack devices on home networks, according to security researcher Mathy Vanhoef. On Tuesday, Vanhoef, a postdoctoral researcher in computer security at New York University Abu Dhabi, released a paper titled, "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation" [PDF]. Scheduled to be presented later this year at the Usenix Security conference, the paper describes a set of wireless networking vulnerabilities, including three Wi-Fi design flaws and nine implementation flaws. Vanhoef, who in 2017 along with co-author Frank Piessens identified key reinstallation attacks (KRACKs) on the WPA2 protocol (used to secure Wi-Fi communication), has dubbed his latest research project FragAttacks, which stands for fragmentation and aggregation attacks.

The dozen vulnerabilities affect all Wi-Fi security protocols since the wireless networking technology debuted in 1997, from WEP up through WPA3. [...] In total, 75 devices -- network card and operating system combinations (Windows, Linux, Android, macOS, and iOS) -- were tested and all were affected by one or more of the attacks. NetBSD and OpenBSD were not affected because they don't support the reception of A-MSDUs (aggregate MAC service data units). [...]

Patches for many affected devices and software have already been deployed, thanks to a nine-month-long coordinated responsible disclosure overseen by the Wi-Fi Alliance and the Industry Consortium for Advancement of Security on the Internet (ICASI). Linux patches have been applied and the kernel mailing list note mentions that Intel has addressed the flaws in a recent firmware update without mentioning it. Microsoft released its patches on March 9, 2021 when disclosure was delayed though Redmond had already committed to publication. Vanhoef advises checking with the vendor(s) of Wi-Fi devices about whether the FragAttacks have been addressed. "[F]or some devices the impact is minor, while for others it's disastrous," he said.

Privacy

Can Apple's AirTags Be Used to Track Another Person? (cnn.com) 38

As Mother's Day approached, CNN Business Editor Samantha Murphy Kelly clipped a keychain with one of Apple's tiny new "AirTag" Bluetooth trackers onto her son's book bag, in an experiment that "highlighted how easily these trackers could be used to track another person." Location trackers aren't new — there are similar products from Samsung, Sony and Tile — but AirTags' powerful Ultra Wideband technology chip allows it to more accurately determine the location and enables precise augmented reality directional arrows that populate on the iPhone or iPad's screen. While AirTags are explicitly intended for items only, Apple has added safeguards to cut down on unwanted tracking. For example, the company does not store location data, and it will send an alert to an iOS device user if an AirTag appears to be following them when its owner is not around. If the AirTag doesn't re-tether to the owner's iOS device after three days, the tracker will start to make a noise.

"We take customer safety very seriously and are committed to AirTag's privacy and security," the company said in a statement to CNN Business. "AirTag is designed with a set of proactive features to discourage unwanted tracking — a first in the industry — and the Find My network includes a smart, tunable system with deterrents...." The safeguards are a work in progress as the software rolls out and users begin interacting with the devices. When my babysitter recently took my son to an appointment, using my set of keys with an AirTag attached, she was not informed that she was carrying an AirTag — separated from my phone. (She hadn't yet updated her phone's software to iOS 14.5.) Non-iPhone users can hold their phones close to the AirTags and, via short-range wireless technology, information pops up on how to disable the tracker, but that's if the person knows they're being tracked and locates it. In addition, three days is a long time for an AirTag to keep quiet before making a noise....

Apple said one of the main reasons it spent so much time developing safeguards was the sheer size of its Find My app network. But it's the AirTags' reliance on that broader network that creates much of the need for the safeguards in the first place, said Albert Fox Cahn, founder and executive director of the Surveillance Technology Oversight Project and a fellow at the NYU School of Law. "That's because Apple is turning more than a billion iOS devices into a network for tracking AirTags, while Tile will only operate when in range of the small number of people using the Tile app.... The benefits of finding our keys a bit quicker isn't worth the danger of creating a new global tracking network."

IOS

Analytics Suggest 96% of Users Leave App Tracking Disabled in iOS 14.5 (macrumors.com) 66

An early look at an ongoing analysis of Apple's App Tracking Transparency suggests that the vast majority of iPhone users are leaving app tracking disabled since the feature went live on April 26 with the release of iOS 14.5. MacRumors reports: According to the latest data from analytics firm Flurry, just 4% of iPhone users in the U.S. have actively chosen to opt into app tracking after updating their device to iOS 14.5. The data is based on a sampling of 2.5 million daily mobile active users. When looking at users worldwide who allow app tracking, the figure rises to 12% of users in a 5.3 million user sample size.

With the release of iOS 14.5, apps must now ask for and receive user permission before they can access a device's random advertising identifier, which is used to track user activity across apps and websites. Users can either enable or disable the ability for apps to ask to track them. Apple disables the setting by default. Since the update almost two weeks ago, Flurry's figures show a stable rate of app-tracking opt-outs, with the worldwide figure hovering between 11-13%, and 2-5% in the U.S. The challenge for the personalized ads market will be significant if the first two weeks end up reflecting a long-term trend.

China

How China Turned a Prize-Winning iPhone Hack Against the Uyghurs (technologyreview.com) 38

An attack that targeted Apple devices was used to spy on China's Muslim minority -- and US officials claim it was developed at the country's top hacking competition. An anonymous reader shares an excerpt from an MIT Technology Review article: The Tianfu Cup offered prizes that added up to over a million dollars. [It was held in November 2018, shortly after the Chinese banned cybersecurity researchers from attending overseas hacking competitions.] The $200,000 top prize went to Qihoo 360 researcher Qixun Zhao, who showed off a remarkable chain of exploits that allowed him to easily and reliably take control of even the newest and most up-to-date iPhones. From a starting point within the Safari web browser, he found a weakness in the core of the iPhone's operating system, its kernel. The result? A remote attacker could take over any iPhone that visited a web page containing Qixun's malicious code. It's the kind of hack that can potentially be sold for millions of dollars on the open market to give criminals or governments the ability to spy on large numbers of people. Qixun named it "Chaos."

Two months later, in January 2019, Apple issued an update that fixed the flaw. There was little fanfare—just a quick note of thanks to those who discovered it. But in August of that year, Google published an extraordinary analysis into a hacking campaign it said was "exploiting iPhones en masse." Researchers dissected five distinct exploit chains they'd spotted "in the wild." These included the exploit that won Qixun the top prize at Tianfu, which they said had also been discovered by an unnamed "attacker." The Google researchers pointed out similarities between the attacks they caught being used in the real world and Chaos. What their deep dive omitted, however, were the identities of the victims and the attackers: Uyghur Muslims and the Chinese government.

Shortly after Google's researchers noted the attacks, media reports connected the dots: the targets of the campaign that used the Chaos exploit were the Uyghur people, and the hackers were linked to the Chinese government. Apple published a rare blog post that confirmed the attack had taken place over two months: that is, the period beginning immediately after Qixun won the Tianfu Cup and stretching until Apple issued the fix. MIT Technology Review has learned that United States government surveillance independently spotted the Chaos exploit being used against Uyghurs, and informed Apple. (Both Apple and Google declined to comment on this story.) The Americans concluded that the Chinese essentially followed the "strategic value" plan laid out by Qihoo's Zhou Hongyi; that the Tianfu Cup had generated an important hack; and that the exploit had been quickly handed over to Chinese intelligence, which then used it to spy on Uyghurs. The US collected the full details of the exploit used to hack the Uyghurs, and it matched Tianfu's Chaos hack, MIT Technology Review has learned. (Google's in-depth examination later noted how structurally similar the exploits are.) The US quietly informed Apple, which had already been tracking the attack on its own and reached the same conclusion: the Tianfu hack and the Uyghur hack were one and the same. The company prioritized a difficult fix.

Education

American Schools' Phone Apps Send Children's Info To Ad Networks, Analytics Firms (theregister.com) 43

LeeLynx shares a report from The Register: The majority of Android and iOS apps created for US public and private schools send student data to assorted third parties, researchers have found, calling into question privacy commitments from Apple and Google as app store stewards. The Me2B Alliance, a non-profit technology policy group, examined a random sample of 73 mobile applications used in 38 different schools across 14 US states and found 60 percent were transmitting student data. The apps in question send data using software development kits or SDKs, which consist of modular code libraries that can be used to implement utility functions, analytics, or advertising without the hassle of creating these capabilities from scratch. Examples include: Google's AdMob, Firebase, and Sign-in SDKs, Square's OK HTTP and Okio SDKs, and Facebook's Bolts SDK, among others.

The data that concerns Me2B includes: identifiers (IDFA, MAID, etc), Calendar, Contacts, Photos/Media Files, Location, Network Data (IP address), permissions related to Camera, Microphone, Device ID, and Calls. About 49 percent of the apps reviewed sent student data to Google and about 14 percent communicated with Facebook, with the balance routing info to advertising and analytics firms, many among them characterized as high risk by the Me2B researchers. Among the public school apps, 67 per cent sent data to third parties; private school apps proved less likely to send data to third parties (57 percent).

Interestingly, the research group found a significant difference across mobile platforms. According to The Register, "91 percent of student Android apps sent data to high-risk third parties while only 26 percent of iOS apps did so, and 20 percent of Android apps piped data to very high-risk third parties while only 2.6 percent of iOS did so."

The report adds: "Nonetheless, the researchers expressed concern that 95 percent of third-party data channels in the surveyed student apps are active even when the user is not signed in and that these apps send data as soon as the app is loaded."

Advertising

Apple Puts More Advertisements In App Store After Ad-Tracking Ban (bbc.com) 24

Apple has added extra paid-for advertisements to its App Store, a week after its new operating system limited tracking for ads from other companies. The BBC reports: The new ad space lets app-makers advertise on the App Store search tab, rather than just in the search results. Previously, Apple sold adverts to appear at the top of search results only. The new slot effectively doubles the advertising space for sale. Enders Analysis senior media analyst Jamie MacEwan said: "The timing makes sense. Apple probably anticipates increased demand for exposure on the App Store. That's because Apple's iOS privacy changes have made other options less attractive."

Ad campaigns on other sites had less reliable measurements of success, he said. And app developers ran ads only if they were sure the cost of winning new customers was lower than the amount they would spend on the app. "As its ads business grows, Apple will have to make sure its execution on consent and privacy is impeccable" to avoid accusations of putting itself first, Mr MacEwan added. Some reports suggest Apple's ad sales could be worth more than $2 billion and are growing.

IOS

Apple is Holding the Web Back with 'Uniquely Underpowered' iOS Browser, Says Google Engineer (wccftech.com) 150

On iOS, Apple wants all the browsers to run WebKit. Even Google Chrome is forced to use WebKit on iOS devices. Alex Russell, Google's engineer, in a blog post outlines his case: Apple's iOS browser (Safari) and engine (WebKit) are uniquely under-powered. Consistent delays in the delivery of important features ensure the web can never be a credible alternative to its proprietary tools and App Store. Alex has cited an example of this by mentioning Stadia and other cloud gaming services. Apple did not allow those services to be available on the App Store and pushed them to use the web instead, which requires Apple to allow gamepad APIs so controllers can be used with these new web apps. That is a function that other browsers have offered for a long time except on iOS.

He writes: Suppose Apple had implemented WebRTC and the Gamepad API in a timely way. Who can say if the game streaming revolution now taking place might have happened sooner? It's possible that Amazon Luna, NVIDIA GeForce NOW, Google Stadia, and Microsoft xCloud could have been built years earlier. It's also possible that APIs delivered on every other platform, but not yet available on any iOS browser (because Apple), may hold the key to unlocking whole categories of experiences on the web.

Blog WCCFTech adds: Alex has also talked about how iOS browsers are underpowered in several other places compared to the competition. For starters, iOS browsers lack push notifications, standardized Progressive Web App (PWA) install buttons, background sync, and numerous other tools that make it easier for developers to make fully functional web apps. Access to hardware such as Bluetooth, USB, and NFC is also not easily available. Last but not least, the royalty-free AV1 standard is also not available.

Facebook

New Emails Show Steve Jobs Referred To Facebook As 'Fecebook' Amid App Store Conflict (9to5mac.com) 59

The Apple vs. Epic legal battle has brought new documents to light, revealing the strained relationship between Apple and Facebook that dates as far back as 2011. 9to5Mac reports: Around this time, Facebook had not yet released a dedicated app for the iPad, which debuted in 2010. Apple's Scott Forstall, then serving as the company's software chief, sent an email to Phil Schiller and Steve Jobs regarding a meeting he had with Mark Zuckerberg about bringing Facebook to the iPad. At the heart of Facebook's concerns was that Apple would not allow the Facebook for iPad application to include "embedded apps." Forstall wrote: "I just discussed with Mark how they should not include embedded apps in the Facebook iPad app -- neither in an embedded web view or as a directory of links that would redirect to Safari. Not surprisingly, he wasn't happy with this as he considers these apps part of the 'whole Facebook experience' and isn't sure they should do an iPad app without them. Everything works in Safari, so he is hesitant to push people to a native app with less functionality, even if the native app is better for non-third party app features."

Zuckerberg suggested a few compromises to Forstall: Do not include a directory of apps in the Facebook app, links, or otherwise; Do not have third-party apps run in the embedded web view; Allow user posts in the news feed related to apps; and Tapping on one of these app-related links would (1) fast switch to a native app if one exists and the user has it installed, (2) take the user to the App Store if a native app exists and the user has not installed it, (3) link out to Safari otherwise.

"I think this is all reasonable, with the possible exception of #3," Forstall wrote in the email. Steve Jobs responded and wrote, "I agree -- if we eliminate Fecebooks third proposal it sounds reasonable." Note Jobs's spelling of Facebook there. A few days later, Forstall followed up and said that Zuckerberg did not like Apple's counterproposal. [...] CNBC adds: "When Facebook's iPad app eventually launched, it said that it would not support its own Credits currency on iOS for apps like Farmville -- a compromise along the lines of what Apple's executives discussed."

Hardware

iFixit Tears Down Apple's AirTag, Finds a Great Spot For a Keychain Hole (arstechnica.com) 76

iFixit has ripped apart Apple's recently-released AirTag, a small battery-powered tag that will allow you to track your items within Apple's "Find My" app on iOS. An anonymous reader shares an excerpt from an Ars Technica article: Like with most Apple products, it looks like some serious engineering went into the $29 tracker. The device is barely larger than the user-replaceable CR2032 battery that powers it, putting competing devices like the Tile and Samsung Galaxy SmartTags to shame with their comparative bulk. Inside, a single circuit board uses a unique donut-shaped design that crams all the components into a ring under the battery. The hole in the middle of the circuit board lets Apple pack in a surprisingly huge voice coil speaker. The speaker is just for playing ringtones so you can find your AirTagged thing when you lose it, but apparently, the ringtones will be super high quality.

The other very Apple-like quality of the AirTag is that it almost seems designed to sell accessories. The most popular use for these trackers is to help find your car keys, but out of the box, there is no way to attach a keychain to an AirTag. Instead, Apple has enabled a wide ecosystem of AirTag cases ranging from a $13 keyring holder to a $449 (yes, that's four hundred forty-nine dollars) Hermes' luggage tag. iFixit's solution to the much-demanded keyring hole is -- what else -- a power drill! The teardown experts found some suitable dead space inside the AirTag that somehow isn't blocked by either the battery, speaker, or circuit board, and after some careful drilling, iFixit's AirTag now has a keychain hole with the least possible bulk. "The AirTag survived the operation like a champ and works as if nothing happened," the site says. iFixit went on to note that the sound profile "didn't seem to change much," but the IP67 dust and water resistance rating is now greatly compromised.

Opera

Opera Integrates Blockchain-Powered Domains, Providing Access to the Decentralized Web (businessinsider.com) 50

"Chromium-based web browser Opera is all set to fully integrate with blockchain domain name provider Unstoppable Domains," reports TechRadar, "in a bid to provide millions of its users with decentralized web access." Opera users will now be able to access decentralized websites hosted via the InterPlanetary File System (IPFS) using Unstoppable Domains' popular .crypto NFT addresses from the Opera browser. This will include platforms such as iOS, Android, Windows, Mac or Linux. Right now, Opera has over 320 million monthly active users across its offerings, following the addition of a crypto wallet to its browsers in 2019.

Unstoppable Domains was launched in 2018 and provides domain names to users with no renewal fees. Users of Unstoppable Domains are granted full ownership and control when they claim a domain because it is minted as an NFT on the Ethereum blockchain. Domain names such as .crypto replace complex wallet addresses for payments across over 40 cryptocurrency wallets and exchanges in addition to accessing the decentralized web through Opera.

Maciej Kocemba, Product Director at Opera said that the company believes in giving all people the ability to access the full web, regardless of the technology behind it.

The Opera product director was further quoted by Business Insider: "We have always supported web innovation, and the decentralized web or Web3 is the natural next wave. Making Unstoppable Domains accessible in the Opera browsers means our users can try blockchain technologies for themselves. Registering your .crypto domain, which is forever yours, is a great first step into Web3," the company's product director Maciej Kocemba said.

Opera is quickly becoming a leader in pushing for the adoption of Web 3.0, also often described as the decentralized web.

Businesses

Basecamp Sees Mass Employee Exodus After CEO Bans Political Discussions (techcrunch.com) 251

An anonymous reader quotes a report from TechCrunch: Following a controversial ban on political discussions earlier this week, Basecamp employees are heading for the exits. The company employs around 60 people, and roughly a third of the company appears to have accepted buyouts to leave, many citing new company policies. On Monday, Basecamp CEO Jason Fried announced in a blog post that employees would no longer be allowed to openly share their "societal and political discussions" at work. "Every discussion remotely related to politics, advocacy or society at large quickly spins away from pleasant," Fried wrote. "You shouldn't have to wonder if staying out of it means you're complicit, or wading into it means you're a target."

Basecamp's departures are significant. According to Twitter posts, Basecamp's head of design, head of marketing and head of customer support will all depart. The company's iOS team also appears to have quit en masse and many departing employees have been with the company for years. [...] According to Platformer, Fried's missive didn't tell the whole story. Basecamp employees instead said the tension arose from internal conversations about the company itself and its commitment to DEI work, not free-floating arguments about political candidates. Fried's blog post does mention one particular source of tension in a roundabout way, referencing an employee-led DEI initiative that would be disbanded. "We make project management, team communication, and email software," Fried wrote. "We are not a social impact company."

Android

Eddy Cue Wanted To Bring iMessage To Android In 2013 (theverge.com) 102

According to The Verge, citing a new deposition made public as part of the Epic case, Apple's senior VP of software and services, Eddy Cue, pushed to bring iMessage to Android as early as 2013. "[...] Cue wanted to devote a full team to iMessage support on Android, only to be overruled by other executives," adds The Verge. From the report: The latest deposition cites a specific email exchange between Cue and Craig Federighi, currently Apple's SVP of software engineering, beginning on April 7th and 8th, 2013. The exchange came after news circulated that Google had attempted to purchase WhatsApp for $1 billion. According to the exchange, Cue took the rumors as a sign that iMessage should expand to Android to cement Apple's hold on messaging apps:

Cue: We really need to bring iMessage to Android. I have had a couple of people investigating this but we should go full speed and make this an official project.... Do we want to lose one of the most important apps in a mobile environment to Google? They have search, mail, free video, and growing quickly in browsers. We have the best messaging app and we should make it the industry standard. I don't know what ways we can monetize it but it doesn't cost us a lot to run.

Federighi: Do you have any thoughts on how we would make switching to iMessage (from WhatsApp) compelling to masses of Android users who don't have a bunch of iOS friends? iMessage is a nice app/service, but to get users to switch social networks we'd need more than a marginally better app. (This is why Google is willing to pay $1 billion -- for the network, not for the app.)...In the absence of a strategy to become the primary messaging service for [the] bulk of cell phone users, I am concerned [that] iMessage on Android would simply serve to remove an obstacle to iPhone families giving their kids Android phones.

Elsewhere in the deposition, Cue says, "I remember the time of wanting to do an iMessage app on Android ourselves." "Would there have been cross-compatibility with the iOS platform so that users of both platforms would have been able to exchange messages?" the questioner responds. "That was certainly the discussion and the view that I had," Cue says. [...] The line of questioning is likely to play a significant role in Epic's antitrust lawsuit, which argues that iOS app store exclusivity represents an illegal use of market power. Epic has made clear in previous filings that it plans to make iMessage exclusivity part of that argument, citing a 2016 email from Phil Schiller that argues iMessage expansion "will hurt us more than help us."

IOS

Apple Releases iOS 14.5 With Much-Talked About App Tracking Transparency Feature (apple.com) 19

Apple on Monday released iOS 14.5, which brings a range of new features to iPhone, including the ability to unlock iPhone with Apple Watch while wearing a face mask, more diverse Siri voices, new privacy controls, skin tone options to better represent couples in emoji, and much more. iOS 14.5 builds on the reimagined iPhone experience introduced in iOS 14, and is available today as a free software update. Regarding the new privacy controls, Apple has described it as: App Tracking Transparency requires apps to get the user's permission before tracking their data across apps or websites owned by other companies for advertising, or sharing their data with data brokers. Apps can prompt users for permission, and in Settings, users will be able to see which apps have requested permission to track so they can make changes to their choice at any time.

Television

Mystery Science Theatre 3000 Is Crowdfunding Another Comeback - and Also Apps (kickstarter.com) 22

destinyland writes: Mystery Science Theater 3000 will be coming back — with a new home online. Though Netflix didn't pick them up for another season after 2019, "We still want to keep making new episodes," series creator Joel Hodgson explains in an online video on Kickstarter. (Also available through the URL MakeMoreMST3K.com.)

And with 12 days left to go, 18,969 online fans have already pledged $3,348,705, funding six new episodes...

But in addition the first $2 million funded the creation of the Gizmoplex, "our very own virtual online theatre," while the first stretch goal was also funded — the creation of MST3K apps for Android, iOS, and streaming services like AppleTV and Roku. "I'm tired of other people deciding if our show lives or dies," explains Crow T. Robot in the Kickstarter video. "I wanna do that." New host Jonah Heston adds, "If we want MST3K to keep going long-term, maybe networks aren't the most reliable option. Maybe it should be up to the fans to decide how long we keep going..."

Their next stretch goal of $4.4 million would fund three more episodes, but will also allow them to invite backers to the Gizmoplex for live monthly events, "for at least a year." And if they reach their goal of $5.5 million, they'll fund three more episodes — so an entire 12-episode season — as well as 12 short-subject films.

The ultimate hope is to host frequent live screenings, premieres, and community events in the Gizmoplex — while fans can even host their own MST3K watch parties whenever they want. And their Kickstarter page even suggests they might someday extend the Gizmoplex into virtual reality (accessible on computer and headsets).

I still remember how back in 2008 Joel Hodgson answered questions from Slashdot readers. "I've been a fan so long, I can't even remember when," posted CmdrTaco.

Apple

Tile Bashes Apple's New AirTag as Unfair Competition (techcrunch.com) 87

Now that Apple's lost item finder AirTag has officially been introduced, competitor Tile is going on record ahead of its testimony in front of Congress tomorrow about how it perceives Apple's latest product. In a statement, Tile CEO CJ Prober said today: "Our mission is to solve the everyday pain point of finding lost and misplaced things and we are flattered to see Apple, one of the most valuable companies in the world, enter and validate the category Tile pioneered. The reason so many people turn to Tile to locate their lost or misplaced items is because of the differentiated value we offer our consumers. In addition to providing an industry leading set of features via our app that works with iOS and Android devices, our service is seamlessly integrated with all major voice assistants, including Alexa and Google. And with form factors for every use case and many different styles at affordable prices, there is a Tile for everyone.

Tile has also successfully partnered with top brands like HP, Intel, Skullcandy and fitbit to enable our finding technology in mass market consumer categories like laptops, earbuds and wearables. With over 30 partners, we look forward to extending the benefits of Tile to millions of customers and enabling an experience that helps you keep track of all your important belongings. We welcome competition, as long as it is fair competition. Unfortunately, given Apple's well-documented history of using its platform advantage to unfairly limit competition for its products, we're skeptical. And given our prior history with Apple, we think it is entirely appropriate for Congress to take a closer look at Apple's business practices specific to its entry into this category. We welcome the opportunity to discuss these issues further in front of Congress tomorrow."

Apple

Apple Announces $29 AirTag, a New Tile-like Item Tracker (theverge.com) 45

Apple has launched a Tile-like item tracker that will work with the company's software and services. From a report: Dubbed AirTag, the small circular tag will allow you to track items within Apple's "Find My" app on iOS. Much like Tile, Apple's AirTags will be useful for tracking items like keys or wallets, and you'll be provided with notifications when you're separated from your item. The AirTag itself is a small puck-like device that includes a built-in speaker, accelerometer, Bluetooth LE, and a user-replaceable battery. Apple says the tracker should last for a year of battery life, and you can use an NFC tap to activate a lost mode. AirTag will be available for $29 on April 30th, or $99 for a four-pack of the devices. Apple is also working with accessory makers to create luggage tag and keyring enclosures for the AirTag itself.

Social Networks

Reddit Talk Is a Clubhouse Competitor For Subreddits (theverge.com) 23

Reddit unveiled its take on a Clubhouse-like social audio product on Monday, called Reddit Talk. The Verge reports: The company is billing Monday's announcement as a "sneak preview," since the feature isn't widely available yet. Moderators that want to try the feature out in their subreddit can add themselves to a waitlist for access. Based on Reddit's description and images shared by the company, Reddit Talk appears to look a lot like Clubhouse, Twitter Spaces, and other social audio products. Talks will "live" within subreddits, according to Reddit.

During the initial tests, only subreddit moderators will be able to initiate a Talk, and Talk hosts will have the ability to invite, mute, and remove speakers. While only mods can kick off Talks in the beginning, anyone on iOS and Android can listen to one. Moderation has been an issue for Clubhouse, so it's notable that Reddit is starting small and giving access only to moderators first. At some point in the future, mods will be able to bring on trusted community members as co-hosts. The company says it is "testing ways" for hosts to customize how Talks look with emojis and different background colors, and users will be able to change their avatar, too.
Earlier today, Facebook also announced that the company is working on a Clubhouse clone.

United States

Apple Will Let Parler Back on the App Store (cnn.com) 123

Apple has approved Parler's return to the iOS app store following improvements the social media company made to better detect and moderate hate speech and incitement, according to a letter the iPhone maker sent to Congress on Monday. From a report: The decision clears the way for Parler, an app popular with conservatives including some members of the far right, to be downloaded once again on Apple devices. The letter -- addressed to Sen. Mike Lee and Rep. Ken Buck and obtained by CNN -- explained that since the app was removed from Apple's platform in January for violations of its policies, Parler "has proposed updates to its app and the app's content moderation practices." On April 14, Apple's app review team told Parler that its proposed changes were sufficient, the letter continued. Now, all Parler needs to do is to flip the switch. "Apple anticipates that the updated Parler app will become available immediately upon Parler releasing it," Apple's letter said. Parler, an alternative to Facebook and Twitter that bills itself as a haven for free speech, was removed from major tech platforms in early January following the US Capitol riots of Jan. 6.

The Almighty Buck

Apple's App Store Hosted Kiddie Games With Secret Gambling Dens Inside (theverge.com) 11

According to app developer Kosta Eleftheriou, Apple's App Store hosted a kid's game that's actually a front for gambling websites. "The secret password isn't one you'd be likely to guess: you have to be in the right country -- or pretend to be in the right country using a VPN," writes Sean Hollister via The Verge. "But then, instead of launching an ugly monkey-flipping endless runner game filled with typos and bugs, the very same app launches a casino experience." From the report: The app, "Jungle Runner 2k21," has already disappeared from the App Store, presumably thanks to publicity from Gizmodo and Daring Fireball, who each wrote about Eleftheriou's finding earlier today. It's not the only one, though: the same developer, "Colin Malachi," had another incredibly basic game on the App Store called "Magical Forest - Puzzle" that was also a front for gambling. [...] I accessed them from a VPN server in Turkey; while Daring Fireball notes that users in other non-US countries like Italy also seem to have been able to access the gambling sites, I tried them with a number of other locations including Italy without success.

Unlike the multi-million dollar App Store scams that Eleftheriou uncovered earlier this year, it's not hard to see why Apple's App Store review program might have missed these -- they largely look like your typical shovelware if you don't know the trick, with only a handful of tells... like the fact that Jungle Runner uses a Pastebin for its privacy policies. It's not necessarily clear to me that they'd be violating very many of Apple's App Store policies, either. Gambling apps are permitted by Apple, as long as they're geo-restricted to regions where that gambling is permitted by law, and you could maybe argue that's exactly what this developer did by checking your IP address.

Iphone

How the FBI Managed To Get Into the San Bernardino Shooter's iPhone (theverge.com) 94

A new report from The Washington Post reveals how the FBI gained access to an iPhone linked to the 2015 San Bernardino shooting. Apple refused to build a backdoor into the phone, citing the potential to undermine the security of hundreds of millions of Apple users, which kicked off a legal battle that only ended after the FBI successfully hacked the phone. Thanks to the Washington Post's report, we now know the methods the FBI used to get into the iPhone. Mitchell Clark summarizes the key findings via The Verge: The phone at the center of the fight was seized after its owner, Syed Rizwan Farook, perpetrated an attack that killed 14 people. The FBI attempted to get into the phone but was unable to due to the iOS 9 feature that would erase the phone after a certain number of failed password attempts. Apple attempted to help the FBI in other ways but refused to build a passcode bypass system for the bureau, saying that such a backdoor would permanently decrease the security of its phones. After the FBI announced that it had gained access to the phone, there were concerns that Apple's security could have been deeply compromised. But according to The Washington Post, the exploit was simple: [An Australian security firm called Azimuth Security] basically found a way to guess the passcode as many times as it wanted without erasing the phone, allowing the bureau to get into the phone in a matter of hours.

The technical details of how the auto-erase feature was bypassed are fascinating. The actual hacking was reportedly done by two Azimuth employees who gained access to the phone by exploiting a vulnerability in an upstream software module written by Mozilla. That code was reportedly used by Apple in iPhones to enable the use of accessories with the Lightning port. Once the hackers gained initial access, they were able to chain together two more exploits, which gave them full control over the main processor, allowing them to run their own code. After they had this power, they were able to write and test software that guessed every passcode combination, ignoring any other systems that would lock out or erase the phone. The exploit chain, from Lightning port to processor control, was named Condor. As with many exploits, though, it didn't last long. Mozilla reportedly fixed the Lightning port exploit a month or two later as part of a standard update, which was then adopted by the companies using the code, including Apple.
