
Apple security and privacy

I'm sorry but that's just plain wrong on Apple's side (and clearly we've been here before). It does not matter how important the update is, I specifically don't have "automatically download updates" on, and force-downloading content to my computer is totally wrong! ...
This behavior may be due to some idiosyncrasy in my system, but Mojave did not reset the update preferences on my machine after a postponed install. I maintain the following settings:
  • Automatically keep my Mac up to date - unchecked
  • Check for updates - checked
  • Download new updates when available - unchecked
  • Install macOS updates - dimmed and unchecked
  • Install app updates from the App Store - dimmed and unchecked
  • Install system data files and security updates - checked
Note that I use my computer on a non-admin account most of the time.

So, I manually requested the most recent Mojave update yesterday. I wasn't ready to install it when the download finished, so I hit "Later" and chose the wait-an-hour option. I was ready to run the updater before the hour had elapsed so I went to Apple Menu/About This Mac/Software Update and started the update myself.

After the update completed, the settings listed above were unchanged. As always, your mileage may vary...
 



Running macOS 10.14.6 with "automatic updates" and "automatic downloads" turned off:
... Immediately, a new notification appears stating "Automatic updates have been turned ON" with two options "OK" and "Turn Off".
Me, too, but in my case, I think it was a glitch. Before the update, I had System Preferences > Software Update > Advanced set with everything checked except Install macOS updates. The update said it turned them on, but when I checked, nothing had changed.
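Several posts above compare the Software Update checkboxes before and after an update by eye. As an added example (not code from the thread, from Apple, or from MacInTouch), here is a POSIX sh script that snapshots those preferences and reports any key that drifted from a baseline. It assumes the Mojave-era preference keys in `com.apple.SoftwareUpdate` and `com.apple.commerce`; the "after update" snapshot it falls back to off a Mac is constructed to mimic the "Automatic updates have been turned ON" case.

```shell
#!/bin/sh
# Added example, not code from the MacInTouch thread or from Apple.
# Snapshot the macOS Software Update preferences and compare them with a
# baseline, so a settings flip after an update is caught rather than noticed
# by chance. Assumes the Mojave-era keys below; SAMPLE_AFTER_UPDATE is a
# constructed snapshot, not real data.

# Baseline: check for updates and install system data files / security
# updates, but never auto-download or auto-install macOS or App Store updates.
EXPECTED='AutomaticCheckEnabled=1
AutomaticDownload=0
AutomaticallyInstallMacOSUpdates=0
ConfigDataInstall=1
CriticalUpdateInstall=1
AutoUpdate=0'

# Constructed snapshot modelling the "Automatic updates have been turned ON"
# notification: download and macOS auto-install were switched on.
SAMPLE_AFTER_UPDATE='AutomaticCheckEnabled=1
AutomaticDownload=1
AutomaticallyInstallMacOSUpdates=1
ConfigDataInstall=1
CriticalUpdateInstall=1
AutoUpdate=0'

# read_key DOMAIN KEY: print the stored value, or "(unset)" if the key is absent
# (defaults read exits non-zero for a missing key).
read_key() {
  defaults read "$1" "$2" 2>/dev/null || echo "(unset)"
}

# snapshot_live: emit key=value lines from the real preference files (macOS only).
snapshot_live() {
  for k in AutomaticCheckEnabled AutomaticDownload \
           AutomaticallyInstallMacOSUpdates ConfigDataInstall CriticalUpdateInstall; do
    echo "$k=$(read_key /Library/Preferences/com.apple.SoftwareUpdate "$k")"
  done
  # The App Store "Install app updates" switch lives in a different domain.
  echo "AutoUpdate=$(read_key /Library/Preferences/com.apple.commerce AutoUpdate)"
}

# compare_settings EXPECTED ACTUAL: print one DRIFT line per key whose current
# value differs from the baseline; exit status 0 if nothing drifted, 1 otherwise.
compare_settings() {
  drift=0
  old_ifs=$IFS
  IFS='
'
  for line in $1; do
    key=${line%%=*}
    want=${line#*=}
    got=$(printf '%s\n' "$2" | sed -n "s/^$key=//p")
    [ -n "$got" ] || got="(unset)"
    if [ "$got" != "$want" ]; then
      echo "DRIFT: $key expected $want, now $got"
      drift=1
    fi
  done
  IFS=$old_ifs
  return $drift
}

# Use the live preferences on a Mac; fall back to the constructed sample elsewhere.
if command -v defaults >/dev/null 2>&1; then
  current=$(snapshot_live)
else
  current=$SAMPLE_AFTER_UPDATE
fi
compare_settings "$EXPECTED" "$current" && echo "Software Update settings match baseline"
```

Run it once before the update to confirm the baseline, then again after the restart; any DRIFT line is a setting that was changed for you.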
 


iOS 12.4.2 is only available for older Apple devices that can't run iOS 13.
I know this is of no comfort to those who own newer devices, and as someone who clung to Yosemite (and Mavericks before that) for years afterward, I absolutely sympathize – but I had been thinking that the release of iOS 13 would mean that my iPhone 6 Plus was going to be left out in the cold for security updates. So I am glad that iOS 12.4.2 exists!
 


Ric Ford

MacInTouch
I should have been more clear. I started by clean-installing iOS 12 on an iPad 6 (General > Reset > Erase all content and settings), then went through all settings and configured them as much as possible for privacy and security, then installed iOS 13.1 and rechecked preferences (after jumping through a great many hoops, e.g. for 2FA). I may have missed some detail somewhere, but it seems pretty clear that Apple's changing some (but not all) settings behind our backs.
I just updated an iPhone to iOS 13.1.1. I have never enabled Game Center anywhere on any Apple device, and I have disabled it over, and over, and over, and over again, every time I find it again enabled behind my back.

When I checked the iPhone after the iOS 13.1.1 update, looking for an unrelated setting, I discovered that Apple had enabled Game Invitations: Nearby Players. WTF, Apple?
 


Ric Ford

MacInTouch
(There's no T1 or T2 subsystem in the 2017 iMac, thus no BridgeOS.)

2017 iMac 5K, running macOS Sierra, after the first Security Update 2019-004 Sierra:
Model Identifier: iMac18,3
Boot ROM Version: 175.0.0.0.0
SMC Version (system): 2.41f1
System Version: macOS 10.12.6 (16G2127)
Kernel Version: Darwin 16.7.0

After installing the second version, Security Update 2019-004 10.12.6:
Model Identifier: iMac18,3
Boot ROM Version: 175.0.0.0.0
SMC Version (system): 2.41f1
System Version: macOS 10.12.6 (16G2128)
Kernel Version: Darwin 16.7.0

After installing Security Update 2019-005 (for Sierra):
Model Identifier: iMac18,3
Boot ROM Version: 175.0.0.0.0
SMC Version (system): 2.41f1
System Version: macOS 10.12.6 (16G2136)
Kernel Version: Darwin 16.7.0

So, no firmware updates, just a new macOS build on this iMac Sierra system.
 


Ric Ford

MacInTouch
I'm sorry but that's just plain wrong on Apple's side (and clearly we've been here before). It does not matter how important the update is, I specifically don't have "automatically download updates" on, and force-downloading content to my computer is totally wrong! ...
I just went through the following process on the 2017 iMac 5K (running macOS Sierra 10.12.6) and took notes/screenshots as I went, in case the info is helpful.
  1. Got the stupid Apple pint-size alert pop-up about updates (with its totally non-standard user interface) but did nothing with it (no click, nothing - left it on the screen).
  2. Went to App Store > Updates (where there is a simple third-party app update plus Security Update 2019-005 pending). An alert says Some updates need to finish downloading before they are installed. Your computer will restart to complete the updates. Not Now or Download & Restart (I chose the latter.)
  3. My App Store preferences:
    • √ Automatically check for updates
    • ☐ download newly available updates
    • ☐ Install app updates
    • ☐ install macOS Updates
    • √ Install system data files and security updates
    • - Automatically download apps purchased on other Macs: Can't determine if automatic downloads are enabled due to a network problem.
  4. Security Update 2019-005 10.12.6 is downloading.
  5. Restarting Your Computer alert: Restart or Later > Install in an Hour | Install Tonight | Remind Me Tomorrow
  6. Computer restarts and boots without prompting for FileVault password.
  7. Apple throws up its App Store advertising billboard in my face, despite my having chosen to not re-open previously open apps/windows on restart.
 


Ric Ford

MacInTouch
And now this:
axi0mX said:
https://twitter.com/axi0mX/status/1177542201670168576
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices. Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).
Here's a good, prompt analysis from Thomas Reed:
Malwarebytes said:
New iOS exploit checkm8 allows permanent compromise of iPhones
... Although checkm8 will work even on a locked device, it’s important to understand that checkm8 is not a remote exploit. To compromise your iPhone, an attacker would need to have it in his hands physically. The device would need to be connected to a computer and put into DFU (Device Firmware Upgrade) mode in order to exploit it.

The checkm8 vulnerability itself is not sufficient to install persistent malware on a device. However, it could potentially be chained together with other vulnerabilities in iOS to gain that level of access.

This exploit hasn’t been weaponized yet, as far as anyone is aware. Though, of course, it could already be in secret use by criminals, forensics companies like Cellebrite and Grayshift, and surveillance companies like NSO.

It’s also important to keep in mind that many files on the device will be encrypted. Even if the device is jailbroken, that doesn’t automatically give the attacker access to the contents of those files. Of course, it would still be possible to install malware that could potentially get access to the unencrypted contents of those files in the course of normal usage of the device.

... If used in the wild, it will be difficult to determine whether a device has been compromised, due to the extremely closed nature of iOS. As with the Project Zero findings from last month, this is yet another reason that Apple needs to provide more visibility into the status of iOS. Even just being able to inspect the list of running processes without jailbreaking would be a move in the right direction.
 


And the fix is now in:
Except...when I plugged my release 13.1 iPad into my Mojave Mac to update, I got a dialog, "A software update is required to connect to ThisiPad. Would like to download and install this update now?" with Install, Not Now, and Learn More... buttons. When I clicked Learn More it took me to a page that essentially said "when you get this dialog, click Install." Nowhere did it give me a hint of what it was going to install, iTunes, Catalina, Windows?

My iPhone running beta 13.1 connects and backs up fine... sigh...
 



I upgraded iOS from 12 to 13 on an iPhone 6s today. Apple turned on Bluetooth for me automatically, as it has for as long as I can remember. However, I didn't experience any changes in settings that I keep permanently turned off for many iCloud-connected services. This includes Game Center, Photos on iCloud, location sharing with "friends", Wallet/Apple Pay, and Music.

My experience may be different from others reported here because in almost every area of Settings > Screen Time > Content & Privacy Restrictions, I don't allow changes. Further, the critical one might be Account Changes. I only set the switch to Allow when I am actively making changes to an app or setting. It is otherwise always set to Don't Allow.

If my hazy memory is correct, I don't think I've had any instances of Apple forcing widespread Settings changes on my phone for at least the last two major iOS version updates. I do think it was a problem for me sometime in the past... which might have led me to lock down my phone so extensively.
 


Installing Security Update 2019-005 for High Sierra 10.13.6 on my 2012 Mac Pro resulted in the dreaded "waiting for DSMOS" freeze on reboot (as shown in verbose mode). Having never experienced this before, I spent some time researching and trying a few fixes, none of which worked. Safe and Single User modes didn't work, neither did resetting PRAM/NVRAM, etc. Booting into Recovery mode worked, and running Disk Utility found no errors.

Fortunately, I had a recent enough backup (thanks, Carbon Copy Cloner), so all I lost was a few hours of my time. There aren't any other reports like this out there, but others with a similar configuration may want to wait a few days to see before updating. Wonder how thoroughly Apple tested this update on older supported systems.

2012 Mac Pro 6-core 3.33GHz, 48 GB RAM, 1TB Samsung 850 EVO on OWC Accelsior S, formatted HFS+, Nvidia GTX 980 Ti flashed by MacVidCards (thanks for the boot screen!), macOS 10.13.6 High Sierra with all updates through Security Update 2019-004 v1
 


One more article on the epic jailbreak development that puts things in a slightly different light. Probably will do more for vulnerability analysts than malicious types that want to hack your phone:
ArsTechnica said:
Developer of Checkm8 explains why iDevice jailbreak exploit is a game changer
I wanted to learn how Checkm8 will shape the iPhone experience—particularly as it relates to security—so I spoke at length with axi0mX on Friday. Thomas Reed, director of Mac offerings at security firm Malwarebytes, joined me. The takeaways from the long-ranging interview are:
  • Checkm8 requires physical access to the phone. It can't be remotely executed, even if combined with other exploits
  • The exploit allows only tethered jailbreaks, meaning it lacks persistence. The exploit must be run each time an iDevice boots.
  • Checkm8 doesn't bypass the protections offered by the Secure Enclave and Touch ID.
  • All of the above means people will be able to use Checkm8 to install malware only under very limited circumstances. The above also means that Checkm8 is unlikely to make it easier for people who find, steal or confiscate a vulnerable iPhone, but don't have the unlock PIN, to access the data stored on it.
  • Checkm8 is going to benefit researchers, hobbyists, and hackers by providing a way not seen in almost a decade to access the lowest levels of iDevices.
 


One more article on the epic jailbreak development that puts things in a slightly different light. Probably will do more for vulnerability analysts than malicious types that want to hack your phone:
Justin at The Art of Repair (https://youtu.be/kcYmGn9kPbs) believes that the most significant aspect of this exploit will be for companies offering data recovery services. The exploit, if it turns out to be what the hype implies, means it can be used to extract data from an otherwise bricked-dead phone.

And of course, it means that the hobbyist/hacker community has an opportunity to port new operating systems to any affected iPhone (4S through X). I'm looking forward to reading articles and watching videos of people running Linux or Android or some obscure mobile OS on one of these phones. There's no practical reason to do so, but it will still be fun to read about.
 


Another question is: how does Apple's reset procedure determine which iOS release you get when more than one is currently being signed?
As I alluded to in the other thread, using Apple's erase and reset options does not change the operating system installed (nor does restoring from a backup). It simply clears out all user settings and files and resets the existing installed system to its initial default state. The operating system only gets changed when you do an over-the-air update in Settings > General > Software Update, or do an update via iTunes.

(Another question is how this works for devices that are incompatible with the latest iOS/iPadOS.)
Apple continues to sign iOS installations for the last iOS version available for a specific device. For example, if you try to do an install of iOS 10.3.4 on an iPhone 5, Apple's server will recognize that you're using an iPhone 5 and the request will be signed. However, if you tried to install iOS 10.3.4 on an iPhone 5S, the request would be denied. The only iOS request that would be signed for an iPhone 5S would be for iOS 12.4.1.

In addition to all that, there are some extra features/options that may be available via something like iMazing.

That will still only give you the same iOS version options that you would otherwise have, as the system still has to be signed by Apple when it's installed. Using iMazing is basically just a replacement for doing the iOS installation via iTunes.

If you have an iPhone running iOS 12.4.1, you need a security update today to patch a serious vulnerability, and that patch is included in iOS 12.4.2, but Apple won't let you choose that update. Instead, to get this critical security patch, you have to update to iOS 13.1. iOS 12.4.2 is only available for older Apple devices that can't run iOS 13.
That's because Apple does not issue security updates for any version of iOS besides the current one (unlike macOS, where they continue to issue security updates for the two prior releases). They want you on the latest iOS. As far as I can recall, this is the first time they have ever issued a security update for an old version of iOS, and probably only because it's so close to the iOS 13 release, and the issue (RCE) so severe. There will probably never be a 12.4.3 update. And yes, that means that old devices that cannot update to the latest iOS have increasing numbers of security holes.

The only other time I can recall them issuing an update for an old iOS version was the recent iOS 9.3.6 and 10.3.4 updates, and those did not contain any security updates, just an update to keep the GPS radios in those devices functioning properly.

I may be mistaken, I thought once a new major version was released, that that was the only version available for an iOS device, provided the newest version supported said device. I'd be happy to be mistaken as I missed the 12.4.1 update on a couple iOS 12 devices.
Apple is still signing iOS 12.4.1 for all devices for about maybe 5 more days, so you have a small window to install it. You can download the appropriate 12.4.1 IPSW package and install it manually via iTunes using the links here. Of course, those devices will be vulnerable to the RCE vulnerability discussed in this thread.
 


It does appear that an Apple email following the conversion offers some means of reverting within a limited amount of time.
Yes, according to the FAQ, you have a two-week window in which to reverse the 2FA enrollment by clicking the link in the e-mail. After that period, it becomes permanent on that Apple ID.

P.S. It's actually even worse. It appears that some devices are set up with 2FA while others are not, despite sharing a single Apple ID. I thought 2FA was a property of an Apple ID, not a device. Is it a property of combinations of the two?
No, your initial thought is correct. 2FA is a property of the Apple ID. I'm not sure what you're seeing that makes you say that 2FA is not "set up" with a particular device. If that iOS or macOS device is already logged into iCloud, then it is a Trusted Device for that Apple ID. If, however, you were to log out of iCloud, and then log back in later with that Apple ID (or any other Apple ID enrolled in 2FA), you would be prompted to enter a 2FA code before the login procedure would complete.
 


I just went through the following process on the 2017 iMac 5K (running macOS Sierra 10.12.6) and took notes/screenshots as I went, in case the info is helpful.
  1. Got the stupid Apple pint-size alert pop-up about updates (with its totally non-standard user interface) but did nothing with it (no click, nothing - left it on the screen).
  2. Went to App Store > Updates (where there is a simple third-party app update plus Security Update 2019-005 pending). An alert says Some updates need to finish downloading before they are installed. Your computer will restart to complete the updates. Not Now or Download & Restart (I chose the latter.)
  3. My App Store preferences:
    • √ Automatically check for updates
    • ☐ download newly available updates
    • ☐ Install app updates
    • ☐ install macOS Updates
    • √ Install system data files and security updates
    • - Automatically download apps purchased on other Macs: Can't determine if automatic downloads are enabled due to a network problem.
  4. Security Update 2019-005 10.12.6 is downloading.
  5. Restarting Your Computer alert: Restart or Later > Install in an Hour | Install Tonight | Remind Me Tomorrow
  6. Computer restarts and boots without prompting for FileVault password.
  7. Apple throws up its App Store advertising billboard in my face, despite my having chosen to not re-open previously open apps/windows on restart.
For reference, my settings are:
  • √ Automatically check for updates
  • ☐ download newly available updates
  • ☐ Install app updates
  • ☐ install macOS Updates
  • √ Install system data files and security updates
I guess, technically, the full Security Update 2019-005 could fall into the latter category, but it's the first time a "full" security update has been classed as this - normally it's just the background stuff like XProtect and Gatekeeper that's installed by that option. Every other full security update with these settings has always been treated as a normal software update with notification first, and then I can download and install with a specific manual request at a time when I choose.
 


I feel like there's been a little too much Apple security "fun" lately....
The "permanent" aspect of this exploit is relative. It is not a persistent-state exploit. Rebooting the device will remove it. The "persistent" in the early descriptions of this have to do with being able to 'install' it again, not that it sticks.

Ars Technica has an interview with the author. You physically have to have the iOS device (it is not a remote exploit, and a combo with others won't work). You can only jailbreak when tethered to another device (it is a RAM-based exploit).

This is one of the aspects the [Mac] T2 [chip/system] is meant to get around, where the boot ROM is not directly accessible (only a copy is used), and the process is verified at each step of the bootstrapping process - and, by default, won't pay attention to tethered devices at boot.
 


No, your initial thought is correct. 2FA is a property of the Apple ID. I'm not sure what you're seeing that makes you say that 2FA is not "set up" with a particular device.
In 2-factor authentication, the device is one of the factors (something you have). It is not entirely correct to say it is not a property, when it is intrinsically part of the authentication. (A "property" is a part/attribute of something. The device is a component of the 2FA.)

There are two dimensions here: the attribute hanging on the Apple ID and the 2FA itself.

If you set the authentication method on the account to 2FA, that doesn't (and shouldn't) automatically attach any 2nd factors to the authentication. What Apple's set-up process will do is set up the device that you are currently on to be a 2nd factor. (You need at least one "something you have" device. So the first one is coupled in a multiple-step transaction.)

It won't automagically flip all of the rest of the devices you may be logged into at the time to being 2nd factors. You may or may not have those. This first device triggered the 2FA conversion so they know you have it.

When you change the account's authentication, the previously logged-in devices' logins should go 'stale'. Their authentication doesn't match up with what is supposed to be used now. This should be similar to changing your account password, which should ripple to having to re-enter the password on all of the devices.

I think, technically, you don't have to elevate the other devices into "factor" status if you log in with the username/password/passcode. But having a backup "factor" is a good thing, and iCloud enhanced security basically counts on it.
If that iOS or macOS device is already logged into iCloud, then it is a Trusted Device for that Apple ID. If, however, you were to log out of iCloud, and then log back in later with that Apple ID (or any other Apple ID enrolled in 2FA), you would be prompted to enter a 2FA code before the login procedure would complete.
Simply just being logged in shouldn't elevate a device to "trusted" status. It could have been two-step verification (2SV), but plain old login wouldn't be 'trusted' status. It would be authenticated in a logged-in status. 'Trusted' is only when it has been registered as a 2nd factor device in a 2FA process.

I'm not sure that works as you upgrade the operating system, since Apple is changing the "at rest" encryption on the iCloud back-end with 2FA with the updates.

It might work if you don't login during the upgrades (delay the iCloud login as long as possible and then just don't use the systems that change encryption methods). But if you just follow Apple defaults in the upgrade process and have default settings of iCloud features turned on, there should be a ripple change propagation, as they enhance the security on a subset of your iCloud storage.

There is more control in the upgrade sequence if you delay logging back into iCloud until you have access to the system settings apps yourself (and check that what is/isn't on/off there).
 



Ric Ford

MacInTouch
Here's what Apple is doing:
  1. To get critical security updates, you have to update to the latest iOS (or recent macOS).
  2. Updating to the latest iOS requires updating apps to be compatible.
  3. Updating apps requires accepting Apple's App Store conditions.
  4. Accepting Apple's App Store conditions means compromising privacy to enhance Apple's advertising, profiling and profits:
Apple said:
App Store & Privacy
  • We collect your personal information so that we can provide you the content you purchase, download, or want to update in the Stores, which include App Store, iTunes Store, the Store in Apple Books, and iTunes U.
  • We also use information about your account, purchases, and downloads in the Stores to offer advertising to ensure that Search Ads in the App Store and ads in Apple News and Stocks, where available, are relevant to you. You have choices with respect to this advertising, as described below.
  • We use information about your purchases, downloads, and other activities in the Stores to tailor features and offer personalized recommendations for you. You can opt out of the use of this data for this purpose, as described below.
  • To help identify and prevent fraud, information about how you use your device, including the approximate number of phone calls or emails you send and receive, will be used to compute a device trust score when you attempt a purchase. The submissions are designed so Apple cannot learn the real values on your device. The scores are stored for a fixed time on our servers.
  • To find ways to improve the Stores, we use information about your browsing, purchases, searches, and downloads. These records are stored with IP address, a random unique identifier (where that arises), and Apple ID when you are signed in to a Store.
... we collect information about your usage of the Stores, including when you open or close a Store, what content you search for, and the content you view and download. We also collect information about your device such as the type of device, the version of your operating system, and the amount of free space on your device.

... Additionally, if you have Popular Near Me enabled in Location Services, your iPhone will periodically send locations of when and where you have purchased or used apps...

... We use information about your device, account, purchases, downloads and search terms in the App Store to ensure that ads in the App Store are relevant. We create groups of people, called segments, who share similar characteristics and we use these groups for delivering targeted ads. Information about you is used to determine which segments you are assigned to, and thus, which ads you receive. ... App Store browsing activity includes information like the content and apps you tap and view while browsing the App Store. ... We also use similar information from the App Store to make ads in Apple News and Stocks more relevant...

... We are obligated to provide some non-personal information to strategic partners that work with Apple to provide our products and services, help Apple market to customers, and sell ads...

We retain personal information associated with your purchases and downloads on the Stores for the periods specified by applicable laws relating to financial reporting, which vary by country. For most customers, that requires at least a ten-year retention period. ... some information, such as purchases but not your stored card details, may be retained as business records even after you close your account or stop using the Stores.

... We also collect personal information to prevent fraud and other malicious activity in the Stores and other Apple apps and services. This information includes device information, such as device type and software version, location information, if available, download and purchase history, and other interactions with the Stores.

We also compute a device trust score on your device when you attempt a purchase using information about how you use your device, including the approximate number of phone calls or emails you send and receive
Apple's all about touting its privacy protections... while it's forcing you to be profiled, marketed and monetized. Plain as day, if you read the fine print.

(Here's more on Apple's privacy practices: Privacy Policy.)
 


Here's what Apple is doing:
  1. To get critical security updates, you have to update to the latest iOS (or recent macOS).
  2. Updating to the latest iOS requires updating apps to be compatible.
  3. Updating apps requires accepting Apple's App Store conditions.
  4. Accepting Apple's App Store conditions means compromising privacy to enhance Apple's advertising, profiling and profits:
<policy text snipped>
Apple's all about touting its privacy protections... while it's forcing you to be profiled, marketed and monetized. Plain as day, if you read the fine print.
(Here's more on Apple's privacy practices: Privacy Policy.)
As much as I respect Ric for all the effort he puts into this site, I must respectfully strongly disagree with his statements about this policy.

Multiple points:
1. The wording is specific that the data collected for serving ads only happens in those three applications, or in just their Store. And that you can opt out.
2. The device information collected related to Store usage appears necessary in order to ensure you can use applications in the Store. It would be good if that were spelled out, though.
3. Popular Near Me requires a location, so of course your device sends it if you turn it on.
4. The 10-year retention period and other business records are almost certainly mandated by law.
5. Purchases have to be stored, as they are business records; technically, so are downloads of said purchases, so storing them with AppleID is required.

The only slightly hinky points that I see are:
1. Search and browsing data from within the store is collected and associated with an AppleID. These are pretty much necessary to prevent DoS. Associating them with the AppleID you have signed into the store with at the time is necessary to prevent offering to sell you things that you already own. The question is, do they retain this data?
2. The obligation to share non-personal information with business partners. It's possible this is also required by law, not just contractual agreement - but it would be good if they said what that non-personal info was.
3. The data collected to establish a device trust score. But the wording is clear the score is calculated when you attempt a purchase. What's vague is whether that data is only collected then as well. Either way, I'd be hard-pressed to think of what data they might use instead to aid fraud prevention that is even less personal.

Saying this proves that Apple is plain as day profiling, monetizing and marketing to you is a stretch. For example, if they were doing that, they wouldn't specifically state that the information they share with third parties is non-personal. Adding that adjective to this policy opens them up to lawsuits if they wind up sharing personal information, even by accident.

Yes, there is some evidence they are trying to monetize your data - but the counterpoint is the policy indicates that such attempts happen when you are shopping. What do you expect Apple to do in that case, when you are shopping?!?

In any case, this same evidence could also be interpreted as Apple trying to be as clear as possible about what data they can't easily avoid collecting. Do I like that Apple collects even this much data? No, but I don't see much room for them to collect less either.

I suppose whether Ric is correct can be discerned by whether Apple makes efforts to collect more data in the future, or even less. Recent history indicates Apple will do the latter, not the former, but time will tell.
 


Ric Ford

MacInTouch
And that you can opt out.
Opt-out appears to be limited:
Apple said:
If you choose to limit ad tracking, you will still receive ads based on search terms you enter.
I wish I could opt out of Apple ads entirely on the Apple devices I "bought", but I can't stop them from being constantly shoved in my face (e.g. after rebooting from a software update or in unstoppable pushes to "upgrade" to buggy new OS versions).
Saying this proves that Apple is plain as day profiling, monetizing and marketing to you is a stretch. For example, if they were doing that, they wouldn't specifically state that the information they share with third parties is non-personal.
Note that I didn't claim Apple was selling personal information to third parties, like Facebook has done in the extreme with the resulting dire consequences.
I suppose whether Ric is correct can be discerned by whether Apple makes efforts to collect more data in the future, or even less.
This is the core of the issue for me. Apple is collecting astounding amounts of extremely personal information for its own uses and AI systems (including marketing and sales). I'm not real comfortable with that, nor with the revolutions currently being driven so hard by "analytics", "big data" and "AI." But, then, I'm getting old and remember the warnings of science fiction I read in my youth that seem to be coming to pass now.
 


I think much of the concern regarding privacy is generational. I continue to notice those significantly younger than me (millennials) do not appear to be worried at all. A common comment is that everything about me is already known from social media, from Google searches, and from Amazon purchases.

I suspect they are correct. For example, if you want weather warnings, generally you have to turn on location services continually. I understand that the purpose of weather apps is to create location data to be sold. Or using Bluetooth beacons to keep track of the stores you visit.

As time goes on, I am less concerned about data collection but rather the sneakiness of the collection in the first place. The data is so lucrative that there is an inherent conflict of interest for the creators of OS and apps. In summary, I suspect privacy is a lost cause.
 


I'm not real comfortable with that, nor with the revolutions currently being driven so hard by "analytics", "big data" and "AI." But, then, I'm getting old and remember the warnings of science fiction I read in my youth that seem to be coming to pass now.
I couldn't agree with Ric more on this point. I just submitted feedback to Apple on this overarching topic of "Big Brother". The day when our tools cease to be primarily tools appears to be upon us. Just because large segments of our "digital life" can be wired to a "cloud" ("Skynet" anyone?), doesn't mean they should be - let alone forced to be. What I fault Apple for in this is that they are making what, for me, is a 50+ hr a week tool into an ecosystem of enslavement.
 


Ric Ford

MacInTouch
Apple issued silent security updates, along with its (partially) documented software/security updates:
Eclectic Light Co. said:
Apple has pushed updates to XProtect and MRT
Apple has pushed two updates today, to the data files used by XProtect, bringing its version number to 2106, dated 1 October 2019, and to its malware removal tool MRT, bringing it to version 1.50, also dated 1 October 2019. XProtect version 2105 wasn’t generally released, but was included in Catalina beta releases.
SilentKnight is helpful for checking macOS software security status.
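A local check of the installed XProtect and MRT data versions, in the spirit of what SilentKnight reports; this is an added example, not SilentKnight's code or anything posted in the thread, and the bundle paths (Mojave: /System/Library/CoreServices; Catalina: /Library/Apple/System/Library/CoreServices) are assumptions, while the expected versions are the ones quoted above.

```shell
#!/bin/sh
# Added example (not SilentKnight's code): compare the installed XProtect and
# MRT data versions with the ones the thread cites (2106 and 1.50). Bundle paths
# are assumptions: Mojave under /System/Library/CoreServices, Catalina under
# /Library/Apple/System/Library/CoreServices.

# Print the <string> following CFBundleShortVersionString in an XML plist; awk
# is used instead of `defaults` so the parser also runs off-macOS.
plist_short_version() {
  awk '/<key>CFBundleShortVersionString<\/key>/ { grab = 1 }
       grab && match($0, /<string>[^<]*<\/string>/) {
         print substr($0, RSTART + 8, RLENGTH - 17); exit }' "$1"
}

# Return 0 when dotted version $1 >= $2, compared component by component
# (so 1.50 > 1.49 and 2106 > 2105).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0; bi = (i <= nb) ? y[i] + 0 : 0
      if (ai > bi) exit 0
      if (ai < bi) exit 1
    }
    exit 0 }'
}

# Print the version of the first bundle path that exists; fail if none does.
bundle_version() {
  for p in "$@"; do
    if [ -f "$p/Contents/Info.plist" ]; then
      plist_short_version "$p/Contents/Info.plist"; return 0
    fi
  done
  return 1
}

# Report one component as OK, OUTDATED or MISSING; exit status 0 only for OK.
check_component() {
  name=$1; expected=$2; shift 2
  installed=$(bundle_version "$@") || { echo "$name: MISSING"; return 2; }
  if version_ge "$installed" "$expected"; then
    echo "$name $installed (expected >= $expected): OK"; return 0
  fi
  echo "$name $installed (expected >= $expected): OUTDATED"; return 1
}
# Run both checks only when invoked with --check; sourcing just defines functions.
main() {
  rc=0
  check_component XProtect 2106 /Library/Apple/System/Library/CoreServices/XProtect.bundle /System/Library/CoreServices/XProtect.bundle || rc=1
  check_component MRT 1.50 /Library/Apple/System/Library/CoreServices/MRT.app /System/Library/CoreServices/MRT.app || rc=1
  return $rc
}
if [ "${1:-}" = "--check" ]; then main; fi
```

Run it as `sh xprotect_check.sh --check` on the Mac being examined; a non-zero exit status means at least one component is missing or behind the quoted version.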
 


SilentKnight is helpful for checking macOS software security status.
Just had a co-worker install what I thought was the second version of the confusingly named Mojave Supplemental Update 2 (September 26, 2019) only to receive a more confusing notice from macOS Software Update that Supplemental Update 2 needed to be installed.

Had her download and run SilentKnight. Cleared up the confusion and enabled an installation of pending "silent" Apple security updates.

Went looking for a way to donate to Howard Oakley's work at and found:
The Eclectic Light Company said:
The Eclectic Light Company: About
This site is not sponsored, nor does it force you to suffer advertising or commercial overhead. I do not seek donations, but welcome your spreading ‘likes’ and appreciation.
So I'm spreading likes and appreciation.

I suggest everyone else hit that support MacInTouch link, as I did last week, because without Ric, I'd have never heard of SilentKnight, or been willing to install unknown software on my Mac.
 


Ric Ford

MacInTouch
I suggest everyone else hit that support MacInTouch link, as I did last week, because without Ric, I'd have never heard of SilentKnight, or been willing to install unknown software on my Mac.
Thanks, both for the direct support and for noting that others might want to help, too.

Also critically important is folks taking maximum advantage of the MacInTouch Amazon link for any and all purchases (including home goods, clothing, tools, food, Apple products, and everything else). Despite high website traffic and workloads, this has dropped this year, and that's a big issue.
 


Ric Ford

MacInTouch
It seems a little harder to justify Apple's exclusion of USB-C for mobile devices when this is going on....
Motherboard said:
Legit-Looking iPhone Lightning Cables That Hack You Will Be Mass Produced and Sold
Soon it may be easier to get your hands on a cable that looks just like a legitimate Apple lightning cable, but which actually lets you remotely take over a computer. The security researcher behind the recently developed tool announced over the weekend that the cable has been successfully made in a factory.

... MG is the creator of the O.MG Cable. It charges phones and transfers data in the same way an Apple cable does, but it also contains a wireless hotspot that a hacker can connect to. Once they've done that, a hacker can run commands on the computer, potentially rummaging through a victim's files, for instance.
 




... As much as I agree with Ric and abhor Apple's invasion of privacy, today's present and very near future make it positively trivial.

The PBS News Hour has a current series on the development of China, very relevant since the People's Republic just turned 70. Technological growth has been a fundamental driver of this progress. A large, crucial part of the tech focuses on surveillance and profiling.

As an engineer, I find what they can do astounding. As a privacy and human rights advocate, I want to vomit. China is not only deploying its eyes, ears, and AI at home, it's selling it to countries all around the world. How long until it gets here? How about next week. Just how well does Amazon's Alexa speak Mandarin? (I doubt Siri has gotten there yet.)

Here are the two News Hour episodes most relevant to this thread, though I strongly recommend you view all the entries in the series. Each is about 10 minutes long.
 


Two very recent stories directly related to Fred's post:
China’s new 500-megapixel ‘super camera’ can instantly recognize you in a crowd
Researchers from the country have developed a 500 megapixel facial recognition camera capable of capturing “thousands of faces at a stadium in perfect detail and generate their facial data for the cloud while locating a particular target in an instant."
Hong Kong: Anger as face masks banned after months of protests
Hong Kong's chief executive Carrie Lam has used a colonial-era emergency law to ban face masks to try to quell months of anti-government unrest.
 



Everything seems to be working pretty well, except Safari on the iPad Pro can't see open tabs on my other machines on the same network, something all the other machines can do quite well; and the other machines can't see the iPad Pro Safari tabs.
After a few restarts, ensuring that all the correct boxes are checked, and patiently waiting for the tabs to appear, I finally suspect that my other machines would have to be updated to Catalina in order for the iPad Pro to see tabs. The easy test for this would be to see if the iPad Pro could see my iPhone XS after I update it to iOS 13, but I am not ready to do that yet.
I'm also having a problem with iCloud Tabs. My MacBook Pro running Mojave and Safari 13 will no longer sync tabs with iOS 12 devices and a Mac running macOS Sierra.

While trying to troubleshoot this, I discovered iOS 13 started using encryption with iCloud Tabs, and there is no backward compatibility with anything prior to iOS 13 and Mojave. I don't know if this is a bug or by design.
Macrumors said:
Stronger Encryption
In iOS 13, Safari history and open tabs that have been synced to iCloud are protected with end-to-end encryption, which means that no one but you can access your browsing history.
 


Agreed. But, we can't just sit down and let it happen here.
Ultimately, a large part of the issue is a relative trade-off between security and liberty. Of course, part of the equation on the security side is security of the people being ruled vs. security of the government. Simply think about what we go through in order to board an airplane. Being frisked and having our luggage examined was unthinkable 50 years ago. It is said that you cannot walk anywhere in London without being on camera. Yet those same cameras were extremely useful in tracking bad people.
 


I just checked again and logged in fine [to PayPal] with a TOTP 2FA. I can't post screen shots right now, but my screens don't look like what you have in your screen shots. To enable 2FA using TOTP, here is what I did:
  1. Go in your account settings (gear in the upper right corner)
  2. Third item down is 2-Step Verification. Click Update
  3. In the Manage 2-Step Verification screen, click Add a Device and select Use an Authenticator App.
You should then be able to walk through the process to add a TOTP authenticator app.
This is what my Settings > Security section looks like. The "Security Key" section goes to the screens I posted earlier where you can only add a mobile number for SMS delivery. I was unable to find anything that looks like what you described or any instructions that match that.
It appears that Rob may have gotten early access to an updated PayPal interface that included support for authenticator apps. My PayPal account now has access to the screens that Rob described, rather than the older screens that my account had before. I imagine that this has been rolled out to all PayPal accounts by now. I was able to add an authenticator app to my account and remove the (relatively insecure) SMS option.

I was unable to find any announcement or documentation about this on PayPal's site. In fact, their help documentation is completely devoid of 2FA information now.
 


Running macOS High Sierra Version 10.13.6 (17G65), the App Store tells me I have an update to apply, Security Update 2019-005 10.13.6.

I click the Update button, I get a Restarting Your Computer box, which counts down. When it hits 0, I get a box that says Available Updates Have Changed. Click "Show Details" to see the available updates. When I click Show Details, I go back to the beginning. Lather, rinse, repeat.

If I merely reboot, there is no sign that any update installed, and I go back to the beginning of the cycle.

Thoughts?
 


I was able to add an authenticator app to my account and remove the (relatively insecure) SMS option.
Same here, from Canada. Finally, PayPal has proper 2FA mechanisms!

Note that I had to go through 'Your Profile' and not 'Account Settings' to get to the proper area to find the 2FA settings (what they call "2-step login").
 


I found this post interesting about how apps can track users with their own persistent ID. That's one reason to erase and reinstall instead of restore, which is what I did for updating to iOS 13.12 with the older iTunes that supports apps. It has been mostly a trouble-free upgrade and solved some other problems.
StackExchange said:
Is it a privacy issue that iOS persists private keys between app installs of the same bundle ID?
In iOS apps, Apple goes to a lot of trouble to keep applications from creating a stable identifier for a specific device. For example, in iOS >= 5 they no longer allow apps to get the hardware-tied UDID from UIDevice -uniqueIdentifier and instead expose a value that changes between app installs in UIDevice -identifierForVendor. They also seem to put unwritten restrictions on the advertising ID, and allow the user to zero it out by enabling a "limit ad tracking" option.

However, as I've been working on an app that needs to identify the install to our servers, I noticed that there is a rather simple way to identify a device uniquely until a wipe occurs or a user manually edits their keychain. When creating a SecureElement-backed private key, that key is stored in the HSM while the public part of the key is stored in the keychain. The keychain entries are associated with a specific bundle ID and are not removed when the associated app is uninstalled. Also, HSM policies can be applied when creating the key that allow tying access to the key to a specific user's biometric identity. Any time the app is reinstalled, it will have access to this hardware-linked identity which can be used to strongly identify the device and the user.
 

