recentpopularlog in

apple

« earlier   
Another Bloomberg Story about Supply-Chain Hardware Attacks from China - Schneier on Security
Bloomberg has another story about hardware surveillance implants in equipment made in China. This implant is different from the one Bloomberg reported on last week. That story has been denied by pretty much everyone else, but Bloomberg is sticking by its story and its sources. (I linked to other commentary and analysis here.)
Again, I have no idea what's true. The story is plausible. The denials are about what you'd expect. My lone hesitation to believing this is not seeing a photo of the hardware implant. If these things were in servers all over the US, you'd think someone would have come up with a photograph by now.
EDITED TO ADD (10/12): Three more links worth reading.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
36 minutes ago by rgl7194
TaoSecurity: Network Security Monitoring vs Supply Chain Backdoors
On October 4, 2018, Bloomberg published a story titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” with a subtitle “The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.” From the article:
Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.
Companies mentioned in the story deny the details, so this post does not debate the merit of the Bloomberg reporters’ claims. Rather, I prefer to discuss how a computer incident response team (CIRT) and a chief information security officer (CISO) should handle such a possibility. What should be done when hardware-level attacks enabling remote access via the network are possible?
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
37 minutes ago by rgl7194
More commentary on China, Apple, and supply-chain hacking | Mac Virus
Following up the previous story Supply chain hacking: bull in a China shop? [updated]…
[Additional: Motherboard – The Cybersecurity World Is Debating WTF Is Going on With Bloomberg’s Chinese Microchip Stories]
Paul Ducklin for Sophos: Apple and Amazon hacked by China? Here’s what to do (even if it’s not true) – more useful than most of the commentary I’ve seen!
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
37 minutes ago by rgl7194
Government Perspective on Supply Chain Security - Schneier on Security
This is an interesting interview with a former NSA employee about supply chain security. I consider this to be an insurmountable problem right now.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
37 minutes ago by rgl7194
Bloomberg blunder highlights supply chain risks - Malwarebytes Labs | Malwarebytes Labs
Ooh boy! Talk about a back-and-forth, he said, she said story!
No, we’re not talking about that Supreme Court nomination. Rather, we’re talking about Supermicro. Supermicro manufacturers the type of computer hardware that is used by technology behemoths like Amazon and Apple, as well as government operations such as the Department of Defense and CIA facilities. And it was recently reported by Bloomberg that Chinese spies were able to infiltrate nearly 30 US companies by compromising Supermicro—and therefore our country’s technology supply chain.
If you’ve been trying to follow the story, it may feel a bit like this...
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
40 minutes ago by rgl7194
Daring Fireball: 'Your Move, Bloomberg'
Washington Post media critic Erik Wemple:
Sources tell the Erik Wemple Blog that the New York Times, the Wall Street Journal and The Post have each sunk resources into confirming the story, only to come up empty-handed. […]
The best journalism lends itself to reverse engineering. Though no news organization may ever match the recent New York Times investigation of Trump family finances, for instance, the newspaper published documents, cited sources and described entities with a public footprint. “Fear,” the recent book on the dysfunction of the Trump White House, starts with the story of a top official removing a trade document from the president’s desk, an account supported by an image of the purloined paper.
Bloomberg, on the other hand, gives readers virtually no road map for reproducing its scoop, which helps to explain why competitors have whiffed in their efforts to corroborate it. The relentlessness of the denials and doubts from companies and government officials obligate Bloomberg to add the sort of proof that will make believers of its skeptics. Assign more reporters to the story, re-interview sources, ask for photos and emails. Should it fail in this effort, it’ll need to retract the entire thing.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain  daring_fireball 
51 minutes ago by rgl7194
Should Bloomberg retract? | Mac Virus
John Gruber cites Amazon Web Services CEO Andy Jassy’s tweet while considering Bloomberg’s decreasingly convincing insistence on the Apple/Amazon/etc. supply chain story: AWS CEO ANDY JASSY: ‘BLOOMBERG SHOULD RETRACT’
I have to agree: Bloomberg’s position is not looking very tenable.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain 
52 minutes ago by rgl7194
Daring Fireball: AWS CEO Andy Jassy: 'Bloomberg Should Retract'
Amazon Web Services CEO Andy Jassy on Twitter:
@tim_cook is right. Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract.
If you want a taste of Bloomberg’s attitude toward Apple’s and Amazon’s protestations, check out this video from Bloomberg TV from the day after the story was originally published. Jordan Robertson, co-author of the story, says this:
In addition, there is no consumer data that is alleged to have been stolen. This attack was about long term access to sensitive networks. So by that logic, companies are not required to disclose this information, so there’s no advantage for these companies in confirming this reporting.
This shows their dismissive attitude toward Amazon’s and Apple’s strenuous, unambiguous denials. Rather than give them pause, they blew it off.
I would argue that Amazon and Apple have a tremendous amount to lose — their credibility. If they wanted to hide something, whether for publicity or national security reasons (or both), the way to do it without risking their credibility is not to comment at all. Both Amazon and Apple have instead vigorously denied the veracity of this story.
amazon  apple  china  chip  hack  privacy  security  server  supply_chain  daring_fireball 
52 minutes ago by rgl7194
Now apps can track you even after you uninstall them • Bloomberg
Gerrit de Vynck:
<p>Uninstall tracking exploits a core element of Apple Inc.’s and Google’s mobile operating systems: push notifications. Developers have always been able to use so-called silent push notifications to ping installed apps at regular intervals without alerting the user—to refresh an inbox or social media feed while the app is running in the background, for example. But if the app doesn’t ping the developer back, the app is logged as uninstalled, and the uninstall tracking tools add those changes to the file associated with the given mobile device’s unique advertising ID, details that make it easy to identify just who’s holding the phone and advertise the app to them wherever they go.

The tools violate Apple and Google policies against using silent push notifications to build advertising audiences, says Alex Austin, CEO of Branch Metrics Inc., which makes software for developers but chose not to create an uninstall tracker. “It’s just generally sketchy to track people around the internet after they’ve opted out of using your product,” he says, adding that he expects Apple and Google to crack down on the practice soon. Apple and Google didn’t respond to requests for comment.

At its best, uninstall tracking can be used to fix bugs or otherwise refine apps without having to bother users with surveys or more intrusive tools. But the ability to abuse the system beyond its original intent exemplifies the bind that accompanies the modern internet, says [EFF tech policy director Jeremy] Gillula.</p>


How likely that Apple or Google tries to find some way to block this? Apple more likely than Google.
apple  google  developers 
3 hours ago by charlesarthur
Hackintosh-KVM Guide: High Sierra+ Using QEMU's i440fx Chipset - The Passthrough POST
This guide assumes that you already have set up a GPU pass-through virtual machine in the past and have experience with QEMU and libvirt, no support/steps will be given in the Hackintosh-KVM guide for setting up QEMU/libvirt for GPU pass-through, networking, CPU pinning, etc. If you need help with setting that up, refer to the The Passthrough POST Discord server.
apple  hackintosh  macos  virtualization 
6 hours ago by WIZARDISHUNGRY
Canopy – Studio Neat
Supernice apple wireless keyboard case
case  apple  product  keyboard  travel 
6 hours ago by roggedoggelito

Copy this bookmark:





to read