Reader samleecole writes: Recently I was looking around at the state of modern image editors and discovered something really disappointing. The issue? Well, even with the rise of modern Photoshop alternatives such as Affinity Photo and Pixelmator, these image editors are not designed to handle animated GIFs. Which means that, despite the fact that I'd certainly love to see what life is like outside of the world of Adobe, it looks like I'm stuck in that ecosystem for a little while longer. Don't get me wrong: Adobe's software is great, if a bit expensive. But I do think that its business model highlights just how consolidated its power actually is -- and it's not talked about nearly enough in the creative space.

[...] Adobe is too powerful and can ignore things it doesn't want to do -- whether in the form of cutting prices or ignoring usability concerns -- in part because it carries itself like it's the only game in town. Here's a case in point that matters a lot to me, actually: Apple has supported a native fullscreen mode in Mac OS since 10.7, better known as Lion. It's a fundamental feature, and helps keep windows well-sorted on laptops in particular. It works pretty well in every major Mac application -- except Adobe's. Worse, if you drag a picture from a web browser into Photoshop, the window moves and doesn't stay in the middle of the screen, creating a constant frustration that could be remedied if, again, Adobe bothered to support the native fullscreen mode that has come in Mac OS for the past seven and a half years.

An anonymous reader quotes a report from VentureBeat: Google today launched Chrome 73 for Windows, Mac, and Linux. The release includes support for hardware media keys, PWAs and dark mode on Mac, and the usual slew of developer features. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome. Chrome 73 supports Progressive Web Apps (PWAs) on macOS. These apps install and behave like native apps (they don't show the address bar or tabs). Google killed off Chrome apps last year and has been focusing on PWAs ever since. Adding Mac support means Chrome now supports PWAs on all desktop and mobile platforms: Windows, Mac, Linux, Chrome OS, Android, and iOS. Chrome now also supports dark mode on Apple's macOS; dark mode for Windows is on the way, the team promises.

The VentureBeat report includes a long list of developer features included in this release, as well as all the security fixes found by external researchers. Chrome 73 implements a total of 60 security fixes.

Apple is already running on 100% green energy, according to Fast Company. But Apple is still "keen to show it's a good corporate citizen," reports the Australian Financial Review: Apple's annual supplier responsibility report released on Thursday revealed 20 manufacturing supplier facilities had been removed from the company's supply chain for breaches of environmental permits or workplace rules. "Smelters and refiners deeper in our supply chain are held to similar standards and if they exhibit a lack of commitment to meet our supplier code of conduct, they risk losing Apple's business," the report said...

In 2018, Apple completed 770 audits of its supplier manufacturing facilities, logistics and repair centres and contact centre facilities. There were also 279 third-party mineral smelter and refiner audits conducted... Apple's 13th annual supplier responsibility progress report said all final assembly points for iPhone, iPad, Mac, Apple Watch, AirPods and HomePod, were now certified zero waste to landfill, while conserving billions of litres of water and reducing greenhouse gas emissions.

Apple's suppliers in 45 countries have diverted 1 million tonnes of garbage in three years, saved 28.7 gigalitres of water and reduced greenhouse gas emissions by more than 466,000 annualised metric tons, which is the equivalent to taking 100,000 cars off the road for one year.

Jason Snell, writing for Six Colors: This week on the Accidental Tech Podcast (ATP), John Siracusa floated the concept of a MacBook Hierarchy of Needs, a priority list of features for the next time Apple redesigns the MacBook line, as is rumored to happen later this year. It's a fun thought experiment, because it requires you to rank your wish list of laptop features. That's important, because if I've learned anything in this wacky world of ours, it's that you can never get everything you ask for, so you've got to prioritize.

The ATP hosts all made a "good keyboard" their top priority, an idea that would've been surprising a few years ago but now is almost a given. Yes, of course, Apple laptops need to be fast and reliable and have great displays and good battery life, but the past few years' worth of MacBooks have made a lot of people realize the truth: a bad/unreliable laptop keyboard isn't something you can really work around if you're a laptop user. This is why a lot of nice-to-have-features, like SD card slots, have to fall way down the hierarchy of needs. Any feature that can be rectified with an add-on adapter falls immediately to the bottom of the list. You're stuck with a laptop keyboard forever, and if you're committed to the Mac and every single Mac laptop that's sold uses the exact same keyboard, there's nowhere to run.

Microsoft this week revamped Skype's browser-based client with a slew of new features. From a report: The Seattle company this week announced the rollout of a major Skype for Web update, which introduces high-definition video calling, a redesigned notifications panels, a revamped media gallery, and more. It's available on any PC running Windows 10 and Mac OS X 10.12 or higher with the latest versions of Google Chrome or Microsoft Edge. The bulk of the new capabilities debuted in preview last October, but they're available widely starting this week. Skype for Web does not support Safari, Firefox, and Opera browsers, Microsoft has confirmed.

Version 6.50 of the PlayStation 4's firmware now allows you to remotely play your PS4 games from an iPhone or iPad. "To access it, you'll need to download the Remote Play app for your iOS device, and then pair it with your console," reports The Verge. "Compatible games can then be played over Wi-Fi using the on-screen buttons." From the report: Announced back in 2013, Remote Play originally let you stream games from a PS4 console to the handheld PlayStation Vita, but later in 2016, Sony released Remote Play apps for both Windows and Mac. Although Sony has yet to announce a broader Android version of the service, the existence of an Android version of the app that's exclusive to Sony Xperia phones suggests there aren't any technical barriers. Bringing the functionality to iOS is a huge expansion for Remote Play, although it's a shame that you're not officially able to pair a DualShock 4 controller with the app via Bluetooth for a more authentic experience (although some users have reported being able to get the controller working via a sneaky workaround). If you're prepared to use a non-Sony controller, then you'll be happy to know that MacStories is reporting that other MFi gamepads (such as the SteelSeries Nimbus) work just fine with the iOS app. Other limitations with the functionality are that you'll need an iPhone 7 or 6th-generation iPad or later to use it, and it's also only available over Wi-Fi. You can't use Remote Play from another location over a mobile network.

PS4 version 6.50 also adds the ability for you to remap the X and O buttons on the controller.

Google's bug-hunting researchers known as Project Zero have revealed a fresh zero-day vulnerability in macOS called "BuggyCow." "The attack takes advantage of an obscure oversight in Apple's protections on its machines' memory to enable so-called privilege escalation, allowing a piece of malware with limited privileges to, in some cases, pierce into deeper, far more trusted parts of a victim's Mac," reports Wired. "The trick's name is based on a loophole the hackers found in the so-called copy-on-write, or CoW, protection built into how MacOS manages a computer's memory." From the report: Some programs, when dealing with large quantities of data, use an efficiency trick that leaves data on a computer's hard drive rather than potentially clog up resources by pulling it into memory. That data, like any data in a computer's memory, can sometimes be used by multiple processes at once. The MacOS memory manager keeps a map of its physical location to help coordinate, but if one of those processes tries to change the data, the memory manager's copy-on-write safeguard requires it to make its own copy. Which is to say, a program can't simply change the data shared by all the other processes -- some of which could be more highly privileged, sensitive programs than the one requesting the change.

Google's BuggyCow trick, however, takes advantage of the fact that when a program mounts a new file system on a hard drive -- basically loading a whole collection of files rather than altering just one -- the memory manager isn't warned. So a hacker can unmount a file system, remount it with new data, and in doing so silently replace the information that some sensitive, highly privileged code is using. Technically, as a zero-day vulnerability with no patch in sight, BuggyCow applies to anyone with an Apple laptop or desktop. But given the technical skill and access needed to pull it off, you shouldn't lose much sleep over it. To even start carrying out this Rube Goldberg -- style attack, a hacker would need a victim to already have some form of malware running on their computer. And while BuggyCow would allow that malware to potentially mess with the inner workings of higher-privileged parts of the computer, it could do so only if it found a highly privileged program that kept its sensitive data on the hard drive rather than memory. Project Zero says it warned Apple about BuggyCow back in November, but Apple hadn't acted to patch it ahead of last week's public reveal.

Jessica Roy, writing for LA Times: Thirty years ago, Maxis released "SimCity" for Mac and Amiga. It was succeeded by "SimCity 2000" in 1993, "SimCity 3000" in 1999, "SimCity 4" in 2003, a version for the Nintendo DS in 2007, "SimCity: BuildIt" in 2013 and an app launched in 2014. Along the way, the games have introduced millions of players to the joys and frustrations of zoning, street grids and infrastructure funding -- and influenced a generation of people who plan cities for a living.

For many urban and transit planners, architects, government officials and activists, "SimCity" was their first taste of running a city. It was the first time they realized that neighborhoods, towns and cities were things that were planned, and that it was someone's job to decide where streets, schools, bus stops and stores were supposed to go.

Last December, Microsoft announced that it has embraced Google's Chromium open source project for Edge development on the desktop, a move that shocked many. We now have some leaked screenshots of the browser in its current state, and they appear to show a browser resembling Google Chrome. Neowin reports: A lot of the design language and icons have remained similar to what they were like before, but there are definitely many changes that will be familiar to Chrome users. For one, the options to see all your tabs and to set aside the currently open tabs have been removed compared to the current version of Edge. To the right of the address bar, you'll be able to find your extensions, as well as your profile picture similar to what Chrome looks like. Bing is integrated into the browser -- as you'd expect of a Microsoft-made browser -- and the New Tab background can be set to rotate based on Bing's image of the day. Scrolling down will reveal a personalized news feed powered by Microsoft News, similar to the old Edge. The layout of the feed can be customised based on your preference from among a number of options.

The settings options for the browser have also changed. While Edge settings are currently available via a slide-out menu from the right, the new Edge's settings are accessible through a new tab similar to Chrome. It'll show the Microsoft account you're logged into, as well as the usual array of toggles and tidbits you'd expect. Ominously, the about page for the browser now acknowledges the contributions of the Chromium project, as well as other open source software, a stark reminder that this isn't the Microsoft of yesteryear. This is a new browser, and a new Microsoft.

An anonymous reader writes: A security researcher has uncovered a ring of malicious GitHub accounts promoting over 300 backdoored Windows, Mac, and Linux applications and software libraries. The malicious apps contained code to gain boot persistence on infected systems and later download other malicious code -- which appeared to be a "sneaker bot," a piece of malware that would add infected systems to a botnet that would later participate in online auctions for limited edition sneakers.

All the GitHub accounts that were hosting these files -- backdoored versions of legitimate apps -- have now been taken down. One account, in particular, registered in the name of Andrew Dunkins, hosted 305 backdoored ELF binaries. Another 73 apps were hosted across 88 other accounts.

An anonymous reader quotes BGR: Sales from individual song downloads have unsurprisingly been falling with no end in sight, thanks to the convenience of streaming options like Spotify and Apple Music. A new report, though, makes clear just how few people there are these days who will buy individual digital songs -- there are so few of them, in fact, that they were outnumbered in 2018 by people who went old-school and bought actual compact discs and vinyl records.

According to the Recording Industry Association of America, total download sales in 2018 -- for which iTunes led the pack -- dropped almost 30%, to a little more than $1 billion. Purchases of full album downloads likewise fell, by 25%. To put that in context, download sales represented more than 40% of the music industry's revenue back in 2013. Last year? About 11%.

Meanwhile, that drop in sales has resulted in a lop-sided reality that harkens back to the pre-iTunes days. Sales of physical media including CDs and vinyl, according to the RIAA's new report, were down 23 percent but totaled $1.15 billion, thus edging out digital download sales. Another interesting takeaway from the new report: Music fans bought almost $420 million worth of vinyl in 2018, which Cult of Mac notes in a piece today is almost as much as people spent buying album downloads from iTunes last year.
The RIAA reports that "virtually all the revenue growth" for 2018 came from streaming music platforms like Spotify, Apple Music, Amazon Music, and Tidal, which last year collectively added 1 million new subscribers every single month, and now have a record number of more than 50 million subscribers.

"By the way, don't be fooled into reading something positive about CDs from the title of this post," adds BGR. "While physical media sales were down 23%, CD sales themselves slipped 34% for the year to $698 million. That's the first time CD yearly revenue has come in below $1 billion since 1986."

An anonymous reader shares a report: Coinomi wallet app sends user passwords to Google's spellchecking service in clear text, exposing users' accounts and their funds to man-in-the-middle (MitM) attacks during which attackers can log passwords and later empty accounts. The issue came to light yesterday after an angry write-up by Oman-based programmer Warith Al Maawali who discovered it while investigating the mysterious theft of 90 percent of his funds. Al Maawali says that during the Coinomi wallet setup, when users select a password (passphrase), Coinomi app grabs the user's input inside the passphrase textbox and silently sends it to Google's Spellcheck API service. [...] Coinomi, which offers a multi-cryptocurrency wallet app for Android, iOS, Linux, Mac, and Windows, did not respond to a request for comment.

Bismillah writes: Researchers have published the results of exploring how vulnerable Thunderbolt is to DMA attacks, and the answer is "very." Be careful what you plug into that USB-C port. Yes, the set of vulnerabilities has a name: "Thunderclap." "Thunderbolt, which is available through USB-C ports on modern laptops, provides low-level direct memory access (DMA) at much higher privilege levels than regular universal serial bus peripherals," reports ITNews, citing a paper published from a team of researchers from the University of Cambridge, Rice University and SRI International. "This opens up laptops, desktops and servers with Thunderbolt input/output ports and PCI-Express connectors to attacks using malicious DMA-enabled peripherals. The main defense against the above attacks is the input-output memory management unit (IOMMU) that allows devices to access only the memory needed for the job to be done. Enabling the IOMMU to protect against DMA attacks comes at a high performance cost however. Most operating systems trade off security for performance gains, and disable the IOMMU by default."

"Apple's macOS uses the IOMMU, but even with the hardware defense enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it," the report adds. "The network card was also able to run arbitrary programs at system administrator level on macOS and could read display contents from other Macs and keystrokes from a USB keyboard. Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant."

Developers and Intel officials have told Axios that Apple is expected to move its Mac line to custom ARM-based chips as soon as next year. "Bloomberg offered a bit more specificity on things in a report on Wednesday, saying that the first ARM-based Macs could come in 2020, with plans to offer developers a way to write a single app that can run across iPhones, iPads and Macs by 2021," reports Axios. "The first hints of the effort came last year when Apple offered a sneak peek at its plan to make it easier for developers to bring iPad apps to the Mac." From the report: If anything, the Bloomberg timeline suggests that Intel might actually have more Mac business in 2020 than some had been expecting. The key question is not the timeline but just how smoothly Apple is able to make the shift. For developers, it will likely mean an awkward period of time supporting new and classic Macs as well as new and old-style Mac apps. The move could give developers a way to reach a bigger market with a single app, although the transition could be bumpy. For Intel, of course, it would mean the loss of a significant customer, albeit probably not a huge hit to its bottom line.

Mark Gurman, reporting for Bloomberg: Apple wants to make it easier for software coders to create tools, games and other applications for its main devices in one fell swoop -- an overhaul designed to encourage app development and, ultimately, boost revenue. The ultimate goal of the multistep initiative, code-named "Marzipan," is by 2021 to help developers build an app once and have it work on the iPhone, iPad and Mac computers, said people familiar with the effort. That should spur the creation of new software, increasing the utility of the company's gadgets.

Later this year, Apple plans to let developers port their iPad apps to Mac computers via a new software development kit that the company will release as early as June at its annual developer conference. Developers will still need to submit separate versions of the app to Apple's iOS and Mac App Stores, but the new kit will mean they don't have to write the underlying software code twice, said the people familiar with the plan. In 2020, Apple plans to expand the kit so iPhone applications can be converted into Mac apps in the same way. Further reading: Tim Cook, in April 2018: Users Don't Want iOS To Merge With MacOS.

An anonymous reader writes: Apple's new Mac products might have a serious audio glitch for professional users. The company's newest Mac products with its T2 security chip suffer from a software-related bug that leads to issues with audio performance. The issue seemingly affects devices with the T2 chip -- that includes the iMac Pro, Mac Mini 2018, MacBook Air 2018, and MacBook Pro 2018. Although Apple's T2 chip is designed to offer improved security, it's affecting users in the pro audio industry.

As CDM reports, there is a bug in macOS that leads to dropouts and glitches in audio whenever a Mac automatically updates its system clock through the system time daemon. Users have been reporting the issue across a bunch of different pro audio forums for months, and it seems like the issue has never been acknowledged by Cupertino. The issue here is pretty simple to understand, as explained by a DJ software developer on Reddit: whenever the system time daemon automatically updates the system time, it somehow sends a 'pause-audio-engine' message to the kernel, leading to dropouts and glitches in audio.

Apple is planning an "all-new" MacBook Pro design for this year, well-connected analyst Ming-Chi Kuo has said. From a report: The lineup is reportedly led by a model with a screen of between 16 and 16.5 inches, which would make it the biggest screen in a Mac notebook since the 17-inch models stopped being sold in 2012. Kuo says the lineup may also include a 13-inch model with support for 32GB of RAM; right now only the 15-inch MacBook Pro can be configured with that amount of memory.

[...] More interestingly, Kuo has the first credible details of the external monitor that will mark Apple's return to the pro display market. It's said to be a 31.6-inch 6K display with a "Mini LED-like backlight design." Apple discontinued its last monitor, the Thunderbolt Display, back in 2016; right now the best option for owners of more modern Macs is the Apple-sanctioned but imperfect 27-inch LG UltraFine 5K.

18,000 Android apps with tens or hundreds of millions of installs on the Google Play Store have been found to violate Google's Play Store Advertising ID policy guidance by collecting persistent device identifiers such as serial numbers, IMEI, WiFi MAC addresses, SIM card serial numbers, and sending them to mobile advertising related domains alongside ad IDs. Bleeping Computer reports: AppCensus is an organization based in Berkeley, California, and created by researchers from all over the world with expertise in a wide range of fields, ranging from networking and privacy to security and usability. The project is supported by "grants from the National Science Foundation, the Department of Homeland Security, and the Data Transparency Lab." By highlighting this behavior, AppCensus shows that while users are being offered the option to reset the advertising ID, doing so will not immediately translate into getting a new "identity" because app developers can also use a multitude of other identifiers to keep their tracking and targeting going.

Google did not yet respond to a report sent by AppCensus in September 2018 containing a list of 17,000 Android apps that send persistent identifiers together with ad IDs to various advertising networks, also attaching a list of 30 recipient mobile advertising related domains where the various IDs were being sent. While looking at the network packets sent between the apps and these 30 domains, AppCensus observed that "they are either being used to place ads in apps, or track user engagement with ads." In a statement to CNET, a Google spokesperson said: "We take these issues very seriously. Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We're constantly reviewing apps -- including those listed in the researcher's report -- and will take action when they do not comply with our policies."

Some of the most popular applications found to be violating Google's Usage of Android Adverting ID policies include Clean Master, Subway Surfers, Flipboard, My Talking Tom, Temple Run 2, and Angry Birds Classic. The list goes on and on, and the last app in the "Top 20" list still has over 100 million installations.

A new variant of the multi-stage Shlayer malware known to target macOS users has been observed in the wild, now being capable to escalate privileges using a two-year-old technique and to disable the Gatekeeper protection mechanism to run unsigned second stage payloads. Bleeping Computer reports: This new Shlayer variant unearthed by Carbon Black's Threat Analysis Unit (TAU) targets all macOS releases up to the latest 10.14.3 Mojave, and will arrive on the targets' machines as a DMG, PKG, ISO, or ZIP files, some of them also signed with a valid Apple developer ID to make them look legitimate. Shlayer samples found by TAU also use malicious shell scripts to download additional payloads just like older installments did, and, in the case of samples distributed as DMG images, will surreptitiously launch a .command script in the background after the user launches the fake Flash installer. The malicious script included in the DMG is encoded using base64 and will decrypt a second AES encrypted script which will be executed automatically after being decrypted.

One it successfully downloads the second stage malware payload, Shlayer will "to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline," presented by Patrick Wardle in his Death by 1000 Installers talk at DEFCON 2017. The next step is to download extra payloads which all contain adware according to TAU and it makes sure they'll be able to run on the compromised Mac by disabling the Gatekeeper protection mechanism. After this is accomplished, all extra payloads downloaded and launched by Shlayer will be seen as whitelisted software because the OS will no longer check if they are signed with an Apple developer ID. Also, just in case the malware is not able to disable Gatekeeper on the infected Mac, some of the second stage payloads are also signed with valid developer IDs.

For those hoping the next iPhone would ditch the Lightning port in favor of the more versatile USB-C port, you'll surely be disappointed by the latest rumor. "Japanese site Macotakara says that not only will the 2019 iPhone use Lightning, Apple will also continue to bundle the same 5W charger and USB-A to Lightning cable in the box," reports 9to5Mac. "This is seen as a cost saving measure. It seems that customers wanting faster iPhone charge times will still have to buy accessories, like the 12W iPad charger." From the report: The site explains that Lightning port is not going anywhere and Apple is resistant to changing the included accessories to maintain production costs. Apple can benefit from huge economies of scale by selling the same accessories for many generation. As such, Apple apparently will keep bundling Lightning EarPods, Lightning to USB-A cable, and the 5W USB power adaptor, with the 2019 iPhone lineup. This is disappointing as Apple began shipping an 18W USB-C charger with its iPad Pro line last fall, and many expected that accessory to become an iPhone standard too. Even if the iPhone keeps the Lightning port, Lightning can support fast-charging over the USB Type-C protocol. It's not clear if the cost savings of this decision would be passed on to consumers with lower cost 2019 iPhone pricing.