Month: January 2015

Michael Geist:

The CRTC has issued a major new decision with implications for net neutrality, ruling that Bell and Videotron violated the Telecommunications Act by granting their own wireless television services an undue preference by exempting them from data charges. The Commission grounded the decision in net neutrality concerns, stating the Bell and Videotron services “may end up inhibiting the introduction and growth of other mobile TV services accessed over the Internet, which reduces innovation and consumer choice.”

The case arose from a complaint filed by Ben Klass, a graduate student, who noted that Bell offers a $5 per month mobile TV service that allows users to watch dozens of Bell-owned or licensed television channels for ten hours without affecting their data cap. By comparison, users accessing the same online video through a third-party service such as Netflix would be on the hook for a far more expensive data plan since all of the data usage would count against their monthly cap.

I like to bring you good news whenever I can. Consider it a service, or a token of just how much I dig you.

If you like pointing and laughing at people who are massively wrong a lot of the time as much as Nelson Muntz or, well, me, Gruber has been collecting a bunch of recipes of his favourite claim chowder over the past few days.

The Macalope is on fire lately. Not literally, of course; that’s like a weird combination of venison and that distinct burning plastic smell when you have inevitably fried something in a circuit you’re messing with.

The Macalope:

Apple, of course, is roundly chastised for not making the big deals like Woodside did in bringing about Google’s acquisition of Motorola. Now it has to suffer the barbs of Gizmodo, laced with weapons-grade dumb, for making a smart acquisition that enhanced its products and crippled those of its competitors.

This whole manufactured controversy is atomic stupid.

Tony Romm, Politico:

The forthcoming measure — slated for release next month — would require large Internet companies, online advertisers, mobile app makers and others to ask permission from consumers before collecting and sharing their most sensitive personal information, according to three sources briefed by administration officials. Companies that collect data for one purpose would in some cases need to get user sign-off before deploying it in a markedly different way, the sources said.

The draft bill would also enhance the enforcement authority of the FTC, which has become Washington’s de facto privacy cop. Among the proposed changes, the Obama administration wants to give the agency its long-sought ability to fine companies for online privacy missteps, according to the sources. And the measure would strengthen government oversight of data brokers, firms that siphon up and sell vast amounts of consumer information, often behind the scenes.

About time.

Kyle Russell, TechCrunch:

An issue with Apple’s iTunes Connect service, which lets developers upload new versions of their apps to the App Store and track sales and income, is causing some developers to log into the wrong accounts this morning.

That’s kind of a big problem. I’ve noticed tweets from a few different people that ended up in BlackBerry’s iTunes Connect account, for example, which makes me think that some accounts were shown more often than others. That’s odd, and it makes me wonder what kind of session management issue caused this.

Apple has pulled iTunes Connect offline while they work to resolve the issue. Unfortunately, because it’s Apple, there’s almost no chance of any of us finding out what the root of this issue was, unless someone in the know were to leak it.

My contact information is on the “About” page, by the way.

Update: This problem has apparently been fixed. I was able to log in to iTunes Connect with my developer ID and it did, indeed, go to the correct portal.

One of the more popular criticisms of Apple bloggers is that Apple is a big company now and they don’t need a public defence. It’s true that they don’t need defending from valid critics, nor the cheering of mindless support in whatever they do. But I don’t think Apple bloggers are the ones thinking that the company is still tiny. The vast majority of reports from alarmist analysts are predicated on the notion that Apple is a competitor or a misstep away from bankruptcy. Many analysts have still got it in their heads that it’s a tiny company that sells a handful of products to a devoted but small following. That’s simply not the case.

It’s true. Look it up.

Also, check out what Tim Cook said on the conference call today, particularly:

Demand for iPhone has been staggering, shattering our high expectations, with sales over 74 million units, driven by the unprecedented popularity of iPhone 6 and iPhone 6 Plus. This volume is hard to comprehend. On average, we sold over 34,000 iPhones every hour, 24 hours a day, every day of the quarter.

In 2007, Steve Jobs said that he wanted the iPhone, in 2008, to capture 1% of the worldwide cellphone market, which would have given the company ten million sales over the course of a year. Apple just sold over 1% of everyone on Earth an iPhone in three months. Bananas.

(And, yes, the Apple TV question in Jason Snell’s transcript was from Gene Munster. Collect your prize, reader: a 65″ Apple TV, scheduled for release when Gene Munster stops sobbing into the phone while asking when it’s going to be released.)

It includes a plethora of security fixes, including a solid patch for Thunderstrike, a fix for displaying remote email content in Spotlight, and a bunch of other critical patches. It also ostensibly fixes, once and for all, some consistently awful WiFi connection problems.1 Despite only seeing a partial improvement in the beta versions I’ve been using, I’m hopeful for the final version to have its kinks ironed out. It may not fix all of the bugs, but it’s big progress.

Update: I’m seeing reports indicating that this might fix issues with an incrementing Sharing name, too. Here’s hoping.

  1. My WiFi connection stops responding about two or three minutes after waking from sleep. Thankfully, Yosemite added a “disconnect from network” option when Option-clicking the WiFi menubar icon, as if they knew we’d need something like that.

John Callaham, iMore:

If you’ll recall, the iOS 8.1.1 update returned some 500MB of free space to users. The free space needed to implement the many major under-the-hood changes that comprised iOS 8 did cause some grief for many updaters, so hopefully after installing iOS 8.1.3 we won’t have to resort to less civilized means of updating when the next update comes along.

Good stuff, and it sounds like the reduced space requirement takes effect immediately without having to wait for the next update. I wonder if this will help those who were unable to update from iOS 7, and what kind of uptick this will produce in the version stats, which currently sit at 69% running iOS 8.

I still think 16GB iOS products should be abolished, though. I doubt there’s anyone in Apple’s senior ranks who uses a 16GB iPhone, and it’s not because they’re rich.

Bad reporting on the state of Macintosh security is nothing new, and ZDNet’s Adrian Kingsley-Hughes adds another one to the stack. I missed this one when it was written a couple of weeks ago, but I thought I’d make up for some lost time today:

Macs vulnerable to virtually undetectable virus that “can’t be removed”

That headline can be broken into three distinct parts:

  1. Is the malware “undetectable”, or virtually so?
  2. Is it a “virus”?
  3. Is it, in fact, impossible to remove?

Let’s start with the first claim in the headline: Thunderstrike is “virtually undetectable”. Kingsley-Hughes reports it so:

“Since it is the first OS X firmware bootkit, there is nothing currently scanning for its presence. It controls the system from the very first instruction, which allows it to log keystrokes, including disk encryption keys, place backdoors into the OS X kernel and bypass firmware passwords,” Hudson said.

Well, when I say “reports”, Kingsley-Hughes basically dumps bits of Trammel Hudson’s original post into the ZDNet CMS, adds a few summarizing phrases, and dusts his hands before hitting the “Publish” button. But I digress.

Kingsley-Hughes’ selected quote, however, clearly states that nothing is currently detecting this malware; that doesn’t mean that nothing could. In Hudson’s original post, he clearly says that the boot ROM — where this attack lives on the system — is being verified at boot in software. It’s entirely possible that its contents could be dumped and checked against a known safe version during a reboot.

Hudson suggests basically that for Option ROMs, which are loaded when a PCIe Thunderbolt device is connected:

If they really need to support Option ROMs on Thunderbolt, Apple could implement the EFI architecture specific security protocol to enforce driver signing — PCIe OptionROMs can be signed and checked before they are executed.

In fact, even in Hudson’s worst-case scenario, the boot ROM could hypothetically be verified in this fashion:

It could also be very stealthy and hide in system management mode, through virtualization or possibly in the Management Engine (although there is lots of work to be done there).

In theory, the user downloads a firmware update from the App Store and is prompted to restart their Mac. They do, the firmware is checked, and, if it fails, they’re prompted to visit a retail store to have it fixed.

So, no, it’s not “virtually undetectable”. Like any security gap, it takes time before it becomes detectable.
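The kind of check described above, dumping the boot ROM contents and comparing them against a known safe version, looks roughly like the following. This is an added illustration, not code from the original post, from Hudson’s research, or from Apple; the region names, the tiny “known good” images and the tampered dump are all constructed placeholders, and the layout table is assumed to come from the firmware vendor.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a vendor-published known-good firmware image,
# split into named regions. Real boot ROMs are megabytes; these are tiny.
KNOWN_GOOD_REGIONS: Dict[str, bytes] = {
    "descriptor": b"DESCRIPTOR-v1.0-placeholder",
    "efi_main": b"EFI-MAIN-placeholder-" + bytes(range(64)),
    # The embedded public key that decides which firmware updates are accepted.
    "pubkey": b"PUBKEY-placeholder-" + b"\x01" * 32,
}

Layout = List[Tuple[str, int, int]]  # (region name, offset, length)


def region_digests(regions: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of each region; this table is what a scanner would ship with."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in regions.items()}


def build_layout(regions: Dict[str, bytes]) -> Layout:
    """Derive (name, offset, length) entries from contiguous regions (assumed layout)."""
    layout: Layout = []
    offset = 0
    for name, data in regions.items():
        layout.append((name, offset, len(data)))
        offset += len(data)
    return layout


def verify_dump(dump: bytes, layout: Layout, known_good: Dict[str, str]) -> List[str]:
    """Return the names of regions whose SHA-256 differs from the known-good table.

    An empty list means the dump matches. A dump of the wrong size is reported as
    a "length" mismatch before any region is compared, because slicing a short
    dump would silently yield truncated regions and misleading digests.
    """
    expected_len = sum(length for _, _, length in layout)
    if len(dump) != expected_len:
        return ["length"]
    mismatched: List[str] = []
    for name, offset, length in layout:
        digest = hashlib.sha256(dump[offset:offset + length]).hexdigest()
        if digest != known_good[name]:
            mismatched.append(name)
    return mismatched


KNOWN_GOOD_DIGESTS = region_digests(KNOWN_GOOD_REGIONS)
LAYOUT = build_layout(KNOWN_GOOD_REGIONS)

# Constructed dumps: one clean, one where only the public key region has been
# swapped for a key the attacker controls (the effect Hudson describes).
CLEAN_DUMP = b"".join(KNOWN_GOOD_REGIONS.values())
TAMPERED_DUMP = CLEAN_DUMP.replace(
    KNOWN_GOOD_REGIONS["pubkey"], b"PUBKEY-placeholder-" + b"\x02" * 32
)

if __name__ == "__main__":
    for label, dump in (("clean", CLEAN_DUMP), ("tampered", TAMPERED_DUMP)):
        bad = verify_dump(dump, LAYOUT, KNOWN_GOOD_DIGESTS)
        print(f"{label}: {'OK' if not bad else 'MISMATCH in ' + ', '.join(bad)}")
```

The design point that matters is where the dump comes from: a check like this is only as trustworthy as the code that reads the chip, which is why Hudson’s remark about hiding in system management mode matters. A dump produced by firmware that may itself be compromised can lie; a dump taken by code that runs before the suspect firmware, or by an external programmer on the chip, cannot be talked out of reporting the mismatch.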

Next claim: it’s a “virus”.

Not exactly, no, and certainly not in its current form:

Hudson discovered that he could use a modified Apple gigabit Ethernet Thunderbolt adapter to carry out the attack.

It spreads through hardware-to-hardware contact, not over the air. If Kingsley-Hughes were a health reporter, he’d probably say that gonorrhoea can be spread by sneezing or something.

I get that the term “virus” gets tossed around in mainstream publications the way everyone calls any tablet an iPad, but ZDNet is an industry-targeted site, and not really for general audiences. Using the term “malware” would be more correct.

Finally, is it true that it “can’t be removed”? Well, that’s a little hard to know, as Hudson, to my knowledge, didn’t actually attempt a removal, only stating that:

Since the public RSA key in the boot ROM is now one that we control, only updates that are signed by our private key can be used to update the firmware.

So, hypothetically, it wouldn’t be possible to update the firmware through software if the system were infected. A thorough software fix comes as part of OS X 10.10.2, and a hardware fix for infected computers — currently estimated at zero — would still be possible, though Kingsley-Hughes reports it in typically doomsday terms:

Fortunately, Hudson reports that Apple is working on an update that will prevent malicious code from being written to the Boot ROM via the Thunderbolt port. However, this update would not protect the system from having the Boot ROM tampered with directly.

If you have direct access to the boot ROM chip, you have direct access to everything. It’s a bit like pointing out the flaws of having locks on the doors of your house because someone with a chainsaw could still come in through a wall.

However, if someone could rewrite the public RSA key on the chip, surely Apple could write it back, even if it requires in-store service.

There’s no doubt that Thunderstrike exposed a pretty serious vulnerability in the security of the Thunderbolt port. But Apple is rolling out a very thorough fix in 10.10.2 that even prevents an attacker from undoing the patches. This is clearly not being ignored, but hyperbolic and incendiary reporting doesn’t help anyone.

Update: Small revision to clarify the difference between Option ROM and boot ROM.

Though I’ve been hard on the Verge of late, they still do some killer reporting. Spencer Woodman:

On August 21st, 2014, Mayor Jere Wood of Roswell, Georgia, sent a letter to the Federal Communications Commission expressing emphatic support for Comcast’s controversial effort to merge with Time Warner Cable. Not only did the mayor’s letter express personal excitement for the gargantuan deal — which critics say will create a monopoly that will harm millions of consumers — but it also claimed that the entire town of Roswell adored Comcast. “When Comcast makes a promise to act, it is comforting to know that they will always follow through,” Wood’s letter explained. “This is the type of attitude that makes Roswell proud to be involved with such a company,” the letter asserts, “our residents are happy with the services it has provided and continues to provide each day.”

Yet Wood’s letter made one key omission: Neither Wood nor anyone representing Roswell’s residents wrote his letter to the FCC. Instead, a vice president of external affairs at Comcast authored the missive word for word in Mayor Wood’s voice. According to email correspondence obtained through a public records request, the Republican mayor’s office apparently added one sign-off sentence and his signature to the corporate PR document, then sent it to federal regulators on the official letterhead of Roswell, Georgia.

And, as Woodman’s reporting reveals, at least two other public officials did something similar with Comcast on this issue alone. This reporting isn’t that shocking; lobbyists have long worked far too closely with public officials. But the blatant and indefensible nature of these emails is noteworthy.

In response to a list of questions from the Verge, Comcast emphasized that it did not have final say in the substance of the letters. “We reached out to policy makers, community leaders, business groups and others across the country to detail the public interest benefits of our transaction with Time Warner Cable,” Sena Fitzmaurice, a Comcast spokesperson, said in an email. “When such leaders indicate they’d like to support our transaction in public filings, we’ve provided them with information on the transaction. All filings are ultimately decided upon by the filers, not Comcast.”

Bullshit. Comcast wrote these letters in the voice of the public officials they’re targeting, under the presumption that the public officials will submit the letters largely unchanged to the FCC. These are not informational briefs, but fully-formed letters of support.

The public officials should be shamed for signing their names on these things — and, for what it’s worth, for supporting a Comcast/TWC merger — but Comcast isn’t anywhere close to innocent here.

Gus Mueller:

Apple is your favorite aunt or uncle, who isn’t talking about crazy future ideas, but is instead showing you how to hold a pencil correctly, or tie your shoe. Something you can do today. Apple isn’t flailing about trying to grab onto whatever it can, yelling out for attention. Apple is solid, reliable, dependable.

And I think that is why we’re seeing so many people reacting to Apple’s software quality lately. You expect Microsoft not to deliver. But we expect Apple to. And lately, it really hasn’t felt like they’ve been doing it.

Well said.

Michael Tsai:

The comments from Apple insiders underscore that there are many factors that affect software quality. It is not simply a matter of dropping the yearly schedule or of deciding to do “another Snow Leopard.” The development schedule and cycles matter. It also matters who the engineers and managers are, how they are treated, whether they are shuffled between projects, etc.

Precisely why I’m not in the “just do a Snow Yosemite release this year” camp, nor in the “delay software releases by several months” group. Apple needs to refine the features they already have, absolutely, but it cannot come at the cost of releasing zero new features this year either. The annual release cycle is impressive, and it can work for them if everything else is in order. Many of Apple’s quality issues appear to be a byproduct of much greater forces.

Craig Hockenberry:

The number of requests [to the Iconfactory’s main server] peaked out at 52 Mbps. Let’s put that number in perspective: Daring Fireball is notorious for taking down sites by sending them about 500 Kbps of traffic. What we had just experienced was roughly the equivalent of 100 fireballs.

If each of those requests were 500 bytes, that’s 13,000 requests per second. That’s about a third of Google’s global search traffic. Look at how much careful planning went into handling Kim Kardashian’s butt at 8,000 requests per second.

All of this traffic directed at one IP address backed by a single server with a four core CPU.

Like I said, “Holy shit.”

On a scale of One to Deep Wedgie, this ranks pretty high on the nerdy scale, but it’s a real “holy shit” kind of story. I’ve had to block a couple of IP addresses for DDoS attempts, but I’ve never seen anything like this. Madness.

You know that scene at the beginning of “Goldeneye”, where Bond leaps off the cliff to chase the rapidly-plummeting plane, manages to get into the cockpit, and jostles the stick just in time for the nose to come up over the mountain?

Mayer’s job is a bit like that.

As Backblaze has thousands of very high-capacity hard drives running all the time, they’re in a unique position to analyze the failure rates of popular models. No surprises that Seagate lives up to their abysmal reputation here, though I was a little surprised to see a somewhat poor showing from Western Digital. Pretty much all of my dozen-or-so spinning hard drives are from WD and I haven’t had a single failure in as much as eight years. Unlike Backblaze, though, I’m not running them full-time, my sample size is comparatively tiny, and they’re not the recent ultra-high-capacity models (my biggest is a 2TB “Green” model).

Shorter Dan Frommer: Apple tends to make stuff that people actually buy, use, and love. Microsoft makes crazy bets in loads of sectors, only some of which pan out. Frommer:

[The HoloLens] looks technically impressive, and Microsoft’s demo went about as smoothly as something like this could have. This could become a big deal someday.

But it’s hard to get over how strange someone looks using it. And it’s hard to imagine Apple doing something like this any time soon, whether or not it’s the future of computing.

Given how huge and dorky these goggles are, it seems as though Microsoft intends this to be something used in private, likely when doing specialized tasks. They may have a really crap sense of fashion — just look at the big feature image in the linked article — but I don’t think they’re completely oblivious.