PayPal has announced today that passkeys are being added as a new, password-less login method to secure PayPal accounts for iPhone, iPad, and Mac users on PayPal.com, with plans to expand passkeys to other platforms as they add support. From a report: PayPal passkeys are rolling out to US customers today and will be available to "additional countries" in early 2023. Passkeys are a new type of login credential that replaces passwords with cryptographic key pairs. They are resistant to phishing attempts and are designed to avoid sharing passkey data between platforms, addressing the weakness of current password-based authentication.

Passkeys are supported by Apple, Google, and Microsoft, who have pledged to bring the FIDO Alliance standard to their respective OSes. Reusing passwords across online accounts leaves users open to hacking and other vulnerabilities, but remembering individual login details is no easy task without a secure password manager. A study from Verizon shows that over 2.6 billion records were hacked in 2017, with 81 percent estimated to have been caused by password stealing and guessing.

It's a major Apple update day, as the company is rolling out new versions of its iPhone, iPad and Mac operating systems. While iPhone users at large have already had a taste of iOS 16, this will be the first time that most folks will get their hands on iPadOS 16 and macOS Ventura. From a report: Apple delayed the release of iPadOS 16 amid reports suggesting it needed more time to polish up the Stage Manager multitasking feature (which we felt was unrefined in an early iPadOS 16 beta). In fact, Apple said it was skipping a public release of iPadOS 16 and going straight to version 16.1 -- just in time for the company's latest iPad Pro and entry-level iPad shipping this week.

The latest version of the iPad operating system will include many of the same updates as iOS 16, including significant changes to Mail, Safari, Messages and other key apps. There are more collaboration-centric features, while the Weather and Clock apps are finally coming to iPad. External display support for Stage Manager will arrive within the next couple of months. Also later this year, Apple will release a collaborative productivity iPad app called Freeform. It seems like a souped-up whiteboard where users can sketch out ideas with Apple Pencil. The company says you'll be able to attach just about any kind of file to the canvas, including images, videos, audio, PDFs, documents and URLs, and preview the content inline.

A leaker has claimed that Apple is working on a version of macOS exclusive for the M2 iPad Pro, with it expected at some point in 2023. Apple Insider reports: Leaker Majin Bu's sources have shared that Apple is working on a "smaller" version of macOS exclusively for the M2 iPad Pro. It is said to be codenamed Mendocino and will be released as macOS 14 in 2023. Testing is being done with a 25% larger macOS UI so it is suitable for touch. However, apps run on the product would still be iPad-optimized versions, not macOS ones.

It isn't clear why Apple would move the iPad to a macOS interface in a half-step like this. Those clamoring for macOS on iPad do so for the software more than the interface. [...] The other possible explanation is this wasn't macOS at all. Apple could be working to bring iPadOS even closer to macOS by adding a Menu Bar and other Mac-like interactions. It already introduced a Mac windowing feature in iPadOS 16 called Stage Manager, this could be the next iteration. Majin Bu also suggests that the exclusivity to M2 iPad Pro could be a marketing push. If the feature is only available on that iPad, more people would buy it.

An anonymous reader quotes a report from BetaNews: Slack developer Felix Rieseberg released Windows 95 as an Electron app four years ago, updating it shortly afterwards to allow it to run gaming classics like Doom. Now he rolls out a new version which can run on any Windows, Mac or Linux system. Based on the Electron framework, Rieseberg's Windows 95 is written entirely in JavaScript, so it doesn't run as smoothly as it would if it was a native app, but you shouldn't let that put you off.

This is the second update of the year, which brings it up to version 3.1.1 and includes two important changes:

- Upgraded from Electron v18 to Electron v21 (and with it, Chrome and Node.js)
- Upgraded v86 (sound is back!)

The earlier update (in June) brought the software up to 3.0.0 and introduced the following changes:

- Upgraded from Electron v11 Electron v18 (and with it, Chrome and Node.js)
- Upgraded v86 (now using WASM)
- Upgraded various smaller dependencies
- Much better scaling on all platforms
- On Windows, the link to OSFMount was broken and is now fixed.
- On Windows, you can now see a prettier installation animation.
- On Windows, windows95 will have a proper icon in the Programs & Features menu. You can download the latest version of the Windows 95 app for Windows, macOS, and Linux at their respective links.

The next versions of macOS and iPadOS will be released to the general public on October 24, Apple announced today. From a report: The iPadOS 16 update runs on all iPad Pros, the 5th-generation iPad and later, the fifth-generation iPad mini and later, and the 3rd-generation iPad Air and later, dropping support for the venerable iPad Air 2 and a handful of other models (it will also ship on all the new iPads Apple announced today). The macOS Ventura update generally requires a Mac released in 2017 or later, dropping support for various models released between 2013 and 2016. Both updates will enable some iOS 16 features on iPads and Macs, including editing and deletion of iMessages, better search in Mail, passkey support in Safari, and a new large-screened Weather app and redesigned Home app, improved gamepad support, and more. Both also include a version of the Stage Manager window management feature, and Ventura includes a redesigned System Settings app.

DuckDuckGo is rolling out its web browsing app for Mac users as an open beta test. Designed for privacy, the app was announced back in April as a closed beta, but is now available for all Mac users to try before its official public launch. From a report: The desktop browser includes the same built-in protections we've seen already featured in DuckDuckGo's mobile apps, combining DuckDuckGo's search engine, defenses against third-party tracking, cookie pop-up protection, and its popular one-click data clearing 'Fire Button.' Some additional features have been added to the browser (version 0.30) since its original announcement.

Now users can try Duck Player, a feature that protects users from targeted ads and cookies while watching YouTube content. Ads viewed within the Duck Player will not be personalized, which DuckDuckGo claims actually removed most YouTube ads as a result during testing. YouTube will still register your views, but content watched through Duck Player won't contribute to your YouTube advertising profile. Pinned tabs and a new bookmarks bar have been included to address feedback from early beta testing, as well as a way to view your locally stored browsing history. DuckDuckGo's Cookie Consent Pop-Up Manager is also available which works on about 50 percent of sites (with more to come) to automatically choose the most private option and spare users from the annoying pop-up messages. The app also lets you activate DuckDuckGo Email Protection on the desktop to better protect your inbox with email tracker blocking.

Nearly four years after its last major release, VirtualBox 7.0 arrives with a... host of new features. Chief among them are Windows 11 support via TPM, EFI Secure Boot support, full encryption for virtual machines, and a few Linux niceties. From a report: The big news is support for Secure Boot and TPM 1.2 and 2.0, which makes it easier to install Windows 11 without registry hacks (the kind Oracle recommended for 6.1 users). It's strange to think about people unable to satisfy Windows 11's security requirements on their physical hardware, but doing so with a couple clicks in VirtualBox, but here we are. VirtualBox 7.0 also allows virtual machines to run with full encryption, not just inside the guest OSâ"but logs, saved states, and other files connected to the VM. At the moment, this support only works through the command line, "for now," Oracle notes in the changelog.

This is the first official VirtualBox release with a Developer Preview for ARM-based Macs. Having loaded it on an M2 MacBook Air, I can report that the VirtualBox client informs you, extensively and consistently, about the non-production nature of your client. The changelog notes that it's an "unsupported work in progress" that is "known to have very modest performance." A "Beta Warning" shows up in the (new and unified) message center, and in the upper-right corner, a "BETA" warning on the window frame is stacked on top of a construction-style "Dev Preview" warning sign. It's still true that ARM-based Macs don't allow for running operating systems written for Intel or AMD-based processors inside virtual machines. You will, however, be able to run ARM-based Linux installations in macOS Venture that can themselves run x86 processors using Rosetta, Apple's own translation layer.

An anonymous reader quotes a report from The Register: Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place. Greg Linares, a security researcher, recently recounted an incident that he said occurred over the summer at a US East Coast financial firm focused on private investment. He told The Register that he was not involved directly with the investigation but interacted with those involved as part of his work in the finance sector. In a Twitter thread, Linares said the hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page that originated from within the company's network.

The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device. "This led the team to the roof, where a 'modified DJI Matrice 600' and a 'modified DJI Phantom' series were discovered," Linares explained. The Phantom drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing, according to Linares. The Matrice drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable. "During their investigation, they determined that the DJI Phantom drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi," Linares said. "This data was later hard coded into the tools that were deployed with the Matrice."

According to Linares, the tools on the drones were used to target the company's internal Confluence page in order to reach other internal devices using the credentials stored there. The attack, he said, had limited success and is the third cyberattack involving a drone he's seen over the past two years. "The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios)," Linares told The Register. "This is the reason why this temporary network unfortunately had limited access in order to login (credentials + MAC security). The attackers were using the attack in order to access an internal IT confluence server that contained other credentials for accessing other resources and storing IT procedures." [...] While the identity of the attacker has not been disclosed, Linares believes those responsible did their homework. "This was definitely a threat actor who likely did internal reconnaissance for several weeks, had physical proximity to the target environment, had a proper budget and knew their physical security limitations," he said.

Android Developers Blog: Passkeys are a significantly safer replacement for passwords and other phishable authentication factors. They cannot be reused, don't leak in server breaches, and protect users from phishing attacks. Passkeys are built on industry standards and work across different operating systems and browser ecosystems, and can be used for both websites and apps. Passkeys follow already familiar UX patterns, and build on the existing experience of password autofill. For end-users, using one is similar to using a saved password today, where they simply confirm with their existing device screen lock such as their fingerprint. Passkeys on users' phones and computers are backed up and synced through the cloud to prevent lockouts in the case of device loss. Additionally, users can use passkeys stored on their phone to sign in to apps and websites on other nearby devices.

Today's announcement is a major milestone in our work with passkeys, and enables two key capabilities: Users can create and use passkeys on Android devices, which are securely synced through the Google Password Manager. Developers can build passkey support on their sites for end-users using Chrome via the WebAuthn API, on Android and other supported platforms. To try this today, developers can enroll in the Google Play Services beta and use Chrome Canary. Both features will be generally available on stable channels later this year. Our next milestone in 2022 will be an API for native Android apps. Passkeys created through the web API will work seamlessly with apps affiliated with the same domain, and vice versa. The native API will give apps a unified way to let the user pick either a passkey or a saved password. Seamless, familiar UX for both passwords and passkeys helps users and developers gradually transition to passkeys.

For the end-user, creating a passkey requires just two steps: (1) confirm the passkey account information, and (2) present their fingerprint, face, or screen lock when prompted. Signing in is just as simple: (1) The user selects the account they want to sign in to, and (2) presents their fingerprint, face, or screen lock when prompted. A passkey on a phone can also be used to sign in on a nearby device. For example, an Android user can now sign in to a passkey-enabled website using Safari on a Mac. Similarly, passkey support in Chrome means that a Chrome user, for example on Windows, can do the same using a passkey stored on their iOS device. Since passkeys are built on industry standards, this works across different platforms and browsers - including Windows, macOS and iOS, and ChromeOS, with a uniform user experience.

"Apple won a massive reduction in a 1.1 billion euro ($1.1 billion) antitrust fine from French competition regulators," reports CNBC, "in a blow to the ambitions of European authorities to crack down on the dominance of Big Tech companies." The Paris appeals court on Thursday lowered the fine to 371.6 million euros, roughly a third of the value of the original penalty and a reduction of 728.4 million euros, an Apple spokesperson confirmed.According to Reuters, the amount was slashed because the court decided to drop one of the charges related to price fixing, and lower the rate originally used to calculate the fine....

In 2020, the French competition watchdog fined Apple 1.1 billion euros for allegedly pressuring premium resellers into fixing prices of non-iPhone products, such as its Mac and iPad computers, and abusing the economic dependence of its outside resellers. Tech Data and Ingram Micro, two global electronics wholesalers, were also fined 76.1 million euros and 62.9 million euros, respectively. The regulator accused Apple, Tech Data and Ingram Micro of agreeing not to compete and preventing independent resellers from competing with each other, "thereby sterilizing the wholesale market for Apple products."
Apple response, according to Reuters: "While the court correctly reversed part of the French Competition Authority's decision, we believe it should be overturned in full and plan to appeal.

"The decision relates to practices from more than a decade ago that even the (French authority) recognised are no longer in use."

Apple's vice president of procurement, Tony Blevins, has left the company after a TikTok video showed him making a vulgar comment about women at a car show. CNBC reports: An Apple representative confirmed the departure to CNBC, saying, "Tony is leaving Apple." The departure was spurred by a TikTok video posted Sept. 5, according to Bloomberg, which first reported the news. In the video, reviewed by CNBC, Blevins is getting out of an expensive Mercedes-Benz sports car and is asked what he does for a living by Daniel Mac, who has a channel centered around asking people in expensive cars questions. In the video, Blevins responds, "I race cars, play golf and fondle big-breasted women. But I take weekends and major holidays off." The remark appears to be a reference to a similar quote in the movie "Arthur." It was viewed 1.3 million times, according to the TikTok page. "Blevins was a VP at Apple," notes CNBC. "His main role was to negotiate with suppliers to keep the price Apple pays for computer parts down, according to a Wall Street Journal profile of Blevins from 2020."

Apple is bringing Stage Manager, a new multitasking system exclusive to iPads with the M1 chip, to a number of older devices. Engadget reports: Probably the biggest change Apple announced with iPadOS 16 earlier this year is Stage Manager, a totally new multitasking system that adds overlapping, resizable windows to the iPad. That feature also works on an external display, the first time that iPads could do anything besides mirror their screen on a monitor. Unfortunately, the feature was limited to iPads with the M1 chip -- that includes the 11- and 12.9-inch iPad Pro released in May of 2021 as well as the M1-powered iPad Air which Apple released earlier this year. All other older iPads were left out.

That changes with the latest iPadOS 16 developer beta, which was just released. Now, Apple is making Stage Manager work with a number of older devices: it'll work on the 11-inch iPad Pro (first generation and later) and the 12.9-inch iPad Pro (third generation and later). Specifically, it'll be available on the 2018 and 2020 models that use the A12X and A12Z chips rather than just the M1. However, there is one notable missing feature for the older iPad Pro models -- Stage Manager will only work on the iPad's build-in display. You won't be able to extend your display to an external monitor. Apple also says that developer beta 5 of iPadOS 16. is removing external display support for Stage Manager on M1 iPads, something that has been present since the first iPadOS 16 beta was released a few months ago. It'll be re-introduced in a software update coming later this year.

Apple could decide to release its remaining products for 2022, which includes an updated iPad Pro, Mac mini, and 14-inch and 16-inch MacBook Pros, through a press release on its website rather than a digital event, according to Bloomberg's Mark Gurman. MacRumors reports: In his latest Power On newsletter, Gurman said that Apple is currently "likely to release its remaining 2022 products via press releases, updates to its website and briefings with select members of the press" rather than a digital event. Rumors had suggested that Apple was planning a second fall event in October that would focus on the Mac and iPad, but that may no longer be the case. Apple has three things on the roster for the remainder of 2022: an 11-inch and 12.9-inch iPad Pro with the M2 chip, an updated Mac mini with the M2 and yet announced "M2 Pro" chip, and updated 14-inch and 16-inch MacBook Pros.

Apple announced the M2 chip in June for the redesigned MacBook Air and 13-inch MacBook Pro earlier this June at WWDC. Other than the new chip, the updates to the Mac and iPad will be relatively incremental upgrades with no major design changes rumored for the products. Apple has released products via press release in the past, such as the AirPods Max and the original AirPods Pro.

The Document Foundation, the organization that tends the open source productivity suite LibreOffice, has decided to start charging for one version of the software. The Register reports: LibreOffice is a fork of OpenOffice and is offered under the free/open source Mozilla Public License Version 2.0. A Monday missive from the Document Foundation reveals the org will begin charging 8.99 euros for the software -- but only when sold via Apple's Mac App Store. That sum has been styled a "convenience fee ... which will be invested to support development of the LibreOffice project."

The foundation suggests paying up in the Mac App Store is ideal for "end users who want to get all of their desktop software from Apple's proprietary sales channel." Free downloads of LibreOffice for macOS from the foundation's site will remain available and arguably be superior to the App Store offering, because that version will include Java. The foundation argued that Apple does not permit dependencies in its store, so it cannot include Java in the 8.99 euro offering. The version now sold in the App Store supersedes a previous offering provided by open source support outfit Collabora, which charged $10 for a "Vanilla" version of the suite and threw in three years of support. The foundation's marketing officer Italo Vignoli said the change was part of a "new marketing strategy."

"The Document Foundation is focused on the release of the Community version, while ecosystem companies are focused on a value-added long-term supported versions targeted at enterprises," Vignoli explained. "The distinction has the objective of educating organizations to support the FOSS project by choosing the LibreOffice version which has been optimized for deployments in production and is backed by professional services, and not the Community version generously supported by volunteers."

"The objective is to fulfil the needs of individual and enterprise users in a better way," Vignoli added, before admitting "we know that the positive effects of the change will not be visible for some time. Educating enterprises about FOSS is not a trivial task and we have just started our journey in this direction."

Logitech makes some of the most popular webcams in the world, but using them on some of the most popular computers, like the M2 MacBook Air or M1 Pro MacBook Pro, is a less than stellar experience. From a report: Plugging one into any M1 or M2 Mac for a video call isn't an issue, but if you want to tweak in-depth settings or use some of these webcams' highlight features, doing that right now ranges from clumsy to impossible. That's because its most capable webcam software, Logitech Capture, isn't available on computers with Apple silicon. Logitech switched up its software plan for people who use newer Mac laptops and desktops without making much effort to tell anyone. Instead of offering Logitech Capture, its de facto software focused squarely on webcam settings and content creation features, it has two distinct and lesser Mac applications to choose from: Logi Tune and Logitech G Hub.

Tune is a confusing app that lets you toggle settings for Logitech gadgets, with calendar integration added in, for some reason. G Hub was built for gamers who want to tweak RGB lighting and sensitivity settings for gaming-focused products and, now, webcams. Each app's interface looks different and lets you switch different settings, so you've got a choice with which app you use -- too much choice, if you ask me, given how limited the functionality is within each one. But neither offers as many options as Logitech Capture. You can access basic settings, like the ability to zoom in for a tighter crop or make a host of adjustments to the picture settings (or set them to auto settings), but you can't adjust the frame rate or the resolution. What that means is people who own an M1 or M2 Mac cannot utilize its face-tracking feature or switch between horizontal or vertical orientations on a nice, relatively high-end webcam like the $160 Logi StreamCam.

Google has released Chrome 105.0.5195.102 for Windows, Mac, and Linux users to address a single high-severity security flaw, the sixth Chrome zero-day exploited in attacks patched this year. From a report: "Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild," the company said in a security advisory published on Friday. This new version is rolling out in the Stable Desktop channel, with Google saying that it will reach the entire user base within a matter of days or weeks. It was available immediately when BleepingComputer checked for new updates by going into the Chrome menu > Help > About Google Chrome. The web browser will also auto-check for new updates and automatically install them after the next launch.

What's the deal with that supposed 30TB external SSD being sold for just $31.40 on China-based online shopping site AliExpress? It's also listed on Walmart's website for just $39 — but first, listen to cybersecurity researcher calling himself "Ray [REDACTED]". Scammer gets two 512MB Flash drives. Or 1 gigabyte, or whatever. They then add hacked firmware that makes it misreport its size... when you go to WRITE a big file, hacked firmware simply writes all new data on top of old data, while keeping directory (with false info) intact.
Ars Technica goes over the details: On the inside, this "SSD" looks like two small-capacity microSD cards hot glued to a USB 2.0-capable board. This board's firmware has been modified so that each of these cards reports its capacity as "15.0TB" to the operating system, for a total of 30TB, even though the actual capacity of the cards is much lower.... It preserves the directory structure of whatever you're copying, but when it's "copying" your data, it just keeps writing and rewriting over the tiny microSD cards.

Everything will look fine until you go to access a file, only to find that the data isn't there.

Replies to Ray Redacted's thread are full of alternate versions of this scam, including multiple iterations of the hot-glued microSD version and at least one that hid a USB thumb drive inside a larger enclosure. Fake USB storage devices are neither new nor rare, though this one makes spectacularly egregious claims about its price-per-gigabyte. When it comes to buying storage online, common-sense advice is best: stick to name brands, buy from trustworthy sellers.... and know that if a deal seems too good to be true, it almost certainly is.

Polygon reports that during a streaming event, the publisher of the Magic: the Gathering card game promised a new themed set of cards commemorating Doctor Who's 60th anniversary. But that's not their only new set: The Lord of the Rings: Tales from Middle-earth is also releasing in Q3 of 2023, but it will be a fully draftable booster set and legal in modern format of competitive play....

Individual cards portray familiar heroes and villains including Frodo, Gandalf and the Balrog. In order to capture the scale of J.R.R. Tolkien's fantasy battles, the set will also feature new borderless scene cards. Each has a piece of art that can stand alone, but 18 of them will come together to produce a particularly epic scene from the trilogy — such as the Battle of the Pelennor Fields from The Return of the King. The art from Tyler Jacobson, who's provided illustrations for more than 100 Magic cards and for Dungeons & Dragons books including The Wild Beyond the Witchlight, is full of small details including the Dark Tower Barad-dûr in the background.
The article points out that the game publisher has previously published crossover decks for The Walking Dead and Fortnite.

This story is for long-time Slashdot reader tezbobobo, who argued earlier this week that Slashdot's been remiss in its coverage of Magic: the Gathering news: For years I've seen Dungeons & Dragons, Sony Playstation and Nethack show up occassionally on the front page of Slashdot. So where are the rest of the nerd games?

Magic: the Gathering has one of the most loyal and active fanbases, and the creators have been churning out new and interesting cards for decades. Even as it tops the trading card pile, it's made inroads into the digital sphere, with online version in Arena and Magic Online. It's available on PC, Mac, Ipad.

An anonymous reader quotes a report from Ars Technica: Skirting the official macOS system requirements to run new versions of the software on old, unsupported Macs has a rich history. Tools like XPostFacto and LeopardAssist could help old PowerPC Macs run newer versions of Mac OS X, a tradition kept alive in the modern era by dosdude1's patchers for Sierra, High Sierra, Mojave, and Catalina. For Big Sur and Monterey, the OpenCore Legacy Patcher (OCLP for short) is the best way to get new macOS versions running on old Macs. It's an offshoot of the OpenCore Hackintosh bootloader, and it's updated fairly frequently with new features and fixes and compatibility for newer macOS versions. The OCLP developers have admitted that macOS Ventura support will be tough, but they've made progress in some crucial areas that should keep some older Macs kicking for a little bit longer.

[...] First, while macOS doesn't technically include system files for pre-AVX2 Intel CPUs, Apple's Rosetta 2 software does still include those files, since Rosetta 2 emulates the capabilities of a pre-AVX2 x86 CPU. By extracting and installing those files in Ventura, you can re-enable support on Ivy Bridge and older CPUs without AVX2 instructions. And this week, Grymalyuk showed off another breakthrough: working graphics support on old Metal-capable Macs, including machines as old as the 2014 5K iMac, the 2012 Mac mini, and even the 2008 cheese grater-style Mac Pro tower. The OCLP team still has other challenges to surmount, not least of which will involve automating all of these hacks so that users without a deep technical understanding of macOS's underpinnings can continue to set up and use the bootloader. Grymalyuk still won't speculate about a timeframe for official Ventura support in OCLP. But given the progress that has been made so far, it seems likely that people with 2012-and-newer Macs should still be able to run Ventura on their Macs without giving up graphics acceleration or other important features.

The USB Rubber Ducky "has a new incarnation, released to coincide with the Def Con hacking conference this year," reports The Verge. From the report: To the human eye, the USB Rubber Ducky looks like an unremarkable USB flash drive. Plug it into a computer, though, and the machine sees it as a USB keyboard -- which means it accepts keystroke commands from the device just as if a person was typing them in. The original Rubber Ducky was released over 10 years ago and became a fan favorite among hackers (it was even featured in a Mr. Robot scene). There have been a number of incremental updates since then, but the newest Rubber Ducky makes a leap forward with a set of new features that make it far more flexible and powerful than before.

With the right approach, the possibilities are almost endless. Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user's login credentials or causing Chrome to send all saved passwords to an attacker's webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms. The newest Rubber Ducky aims to overcome these limitations.

It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this... then that). That means, for example, the new Ducky can run a test to see if it's plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect. Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, "Sorry, I guess that USB drive is broken," and take it back with all their passwords saved.