This problem affects all features that auto-fill usernames and passwords, whether or not they are native to the browser, or, provided by third-party plugins, so this affects everyone who saves passwords in their browser in any way.
This week I was on the Clockwise Podcast episode 220 at relay.fm/…. Leo Laporte and Megan Morrone talked about my iOS 11 settings Mind Map of Doom on iOS Today episode 372 at around 57:30 into the show. Helma from the Netherlands brings us some networking tips. I bring you the first half of my 2017 Year in Review where I talk about the different software and hardware I’ve told you about during the year and tell you whether they’re still in use and why (or why not). Then Bart Busschots is back with Security Bits where we have two Security Mediums, the HP Keylogger, and Mailsploit.
Some HP laptops shipped with a keyboard driver from Synaptics in which a developer debugging feature was accidentally left enabled. The effect of this mistake is that the driver has built-in support for logging all keystrokes via WPP (a debugging tool that’s built into Windows).
This sounds bad, really bad, but thankfully it’s not actually as bad as it sounds.
Tom Merritt was on Chit Chat Across the Pond to talk net neutrality. I confess that after all my “I have made fire” talk about writing a script for chapter marks, it didn’t actually work. Learn how to make Holiday Card Address Labels using plain old Apple Contacts. Rush Sherman asks our first ever video Dumb Question – why do I use Downcast when I clearly said I used Pocket Casts before? Patreon did a major shift in how they charge patrons and pay creators, and I wanted to tell you how I feel about it and what hopefully will be changing. In a rare moment of music enjoyment, I suggest you buy If Every Day Were Christmas from Slau Halatyn. Bart Busschots brings us Security Bits about the macOS Root Bug, a HomeKit Bug, and changes to iOS Backup Encryption.
A nasty bug was found in macOS 10.13 High Sierra — it was possible to cause the root account to become enabled, and to do so with a blank password.
To trigger this bug all you had to do was go into the control panel, click the padlock to un-lock the sensitive settings, change the username to root, enter no password, then hit enter. At this point the authentication would fail, but, the root account would have been made active. Hit enter again, and root with a blank password will be accepted as valid. At this point you can do anything in the control panel, no matter how restricted your account is in theory, and, anything you can get full terminal access as root.
I’m still working on how to get chapters in the podcast (this show might have them!) Follow up tips from Mike Price and Kaylee Dayo on Reader View. How Sandy and Allister saved Thanksgiving with their tip on saving a workout from last week. Bart brings us a Tiny Tip on a trivially easy way to show and hide hidden files in macOS Sierra and High Sierra. I mind mapped all of the settings in iOS 11, and it was utter madness. In Security Bits Bart and I talk about how Face ID isn’t broken, we learn about USB bugs in the Linux Kernel and how there’s a vulnerability in Intel chips you might need to know about.
Security Medium 1 — No, FaceID isn’t Broken, but it Does Have Limits
A snazzy demo to the press had headlines all over the press screaming about how FaceID had been broken. But as is so often the case with stories like this, the devil is very much in the detail.
What the hackers really found was that it’s bloody difficult to trick FaceID — it takes a lot of time and effort, and even after you put all that investment in, your spoof only works in very carefully controlled circumstances.
Possible replacement for Clarify (but maybe we don’t need it), a clean install tip for iOS from Joop Bruggink, a second look at iPhone X after a bit more time, my attempt at Animoji Karaoke, Denise Crown brings us her review of the Hue Motion Sensor. Then we have an installment of Security Bits with Bart Busschots.
Before we look at canvas finger printing, I just want to set the scene with a reminder of one of the most fundamental truths about how the web was designed – each web page load is an independent event. Because that meant websites had no memory of anything that went before, i.e. no concept of state the original web could not cope with concepts like logging in, or shopping baskets. Something had to be bolted on to allow web servers connect individual requests into related groups of requests.
The official mechanism added to the HTTP protocol for retaining state between requests is the humble cookie. Cookies gave us the ability to log in, and basically, the modern web. But, they came with a dark side — as well as enabling all the cool things we like about the modern web, they also enabled tracking.
A report from the Norwegian Consumer Council finds that smart watches aimed at kids are a security and privacy train wreck — nakedsecurity.sophos.com/…
The head of the IRS in the US tells reporters Americans should assume their identity has been stolen and act accordingly — nakedsecurity.sophos.com/…
IRS freezes its fraud prevention contract with Equifax — engadget.com/…
Security researchers warn of a new way to abuse the DDE (Dynamic Data Exchange) Microsoft Office feature to get macro-less remote code execution. TL;DR – don’t click on links in emails and be suspicious of office documents you didn’t expect to receive:
The download server for another Mac software developer, Eltima, have been hacked, and malware was injected into the non-App-Store versions of Elmedia Player (a media player) & Folx (a download manager) — www.intego.com/…