The Load Out

Tomorrow I’m taking a 5 hour drive to one of my work’s other offices. I’ll be there for 3 days upgrading a bunch of the Macs. Of course I’ll still have all my standard Help Desk duties while I’m there too.

One can never be too prepared so I’m bringing everything I can think of. I’ll have my MacBook Pro, my Surface, a freshly imaged MacBook Pro (just in case one of the upgrades goes awry), and a smattering of hard drives, docks, and flash drives for data migration.

Typed on Octopage

Useless Machine Build Log

Last weekend I picked up a Useless Machine from Barnes & Noble. I’ve wanted one for some time, but never got around to buying or building a kit.

This Makezine branded kit is geared towards kids (it’s marked 13+), but let’s be honest, I’m really just a 6 foot manchild, so it’s appropriate. If only the maker movement were around when I was young - I would’ve been all over kits like this.

The kit itself is dead simple to assemble. Just like it says on the box, there’s no soldering involved (not that soldering would’ve proven difficult); literally the only tools I needed were small Phillips and Standard head screwdrivers.

Inside the box we get an instruction booklet, 9 acrylic plates for the frame, 1 for the machine’s arm, a motor, battery pack, PCB (preassembled), and some hardware.

First step is to attach the motor to its frame. The two acrylic plates line up with mounting holes in the motor. The frame is attached to the motor with screws & weld nuts.

Next the PCB is attached to the frame. Because of my big sausage fingers this proved a bit tricky, as the nuts that secure the PCB down must be slotted into the acrylic plate before mating the PCB to the plates.

With the PCB mated to the plate, it’s time to mate the arm to the motor. The instruction booklet notes to have the arm flush with the motor.

Next the motor + pcb + arm assembly is mounted to the bottom of the box’s frame and secured with a single screw & nut.

The battery compartment is mounted to the frame with velcro. This facilitates easy removal of the compartment for swapping batteries - it is pulled out through the machine’s door when necessary.

Time to connect some wires! Wires are secured to the terminal by adjusting the screws with a standard head driver. Black + red wires are clearly noted on the PCB. The bottom wire from the motor connects to the wire terminal next to the black wire, the top wire from the motor connects to the last remaining terminal.

At this point I installed batteries and verified the machine itself worked.

Next the case is assembled. The appropriate side plates attach to slots in the bottom frame. Plastic posts are connected to the bottom frame. The door is installed next. It isn’t mounted, it just moves freely while resting on the cutouts in the case’s side frame.

Lastly the top plate is attached and secured. This step took me a few minutes, as all the slots must be lined up perfectly.

The manual doesn’t note this explicitly, but it was necessary for me to remove all the nuts from the toggle switch in order to get the top plate to line up flush with everything else. Once the top plate was installed, I added 1 nut back to the toggle switch for beauty’s sake.

Lastly I added a couple of my own touches to give the machine some personality.

My useless machine now lives on my desk, ready to be played with by whoever comes into my office.

Typed on ErgoDox Test Board

MacBook Pro Touch Bar Thoughts


Supplementary to my MacBook Pro post from 10/28

Played with a Touch Bar MacBook Pro over the weekend.

Quick Thoughts:

  • The Touch Bar itself is matte, surprise.
  • Speed is great. It changes views just as fast as you change apps.
  • Swiping on the Touch Bar to adjust volume/brightness is just fantastic.

I only had 5-10 minutes with it. I’m not totally certain what I think. Touch Bar strikes me as something interesting, but not something the new MacBook Pros needed.

Within the stock apps there is great functionality, but we’re obviously going to need 3rd party developers on board as well. Some of the interfaces (like adjusting volume) are fantastic, others are just downright confusing. I found myself getting a couple menus deep, then I’d forget how I got there.

Is it interesting to have right now? Sure. Do you need to spend $299 more to get it on the 13” product? No.

Typed on ErgoDox Test Board

iCloud Call Log Sync

Earlier today, reports surfaced on The Intercept and Forbes claiming Apple “secretly” syncs Phone and FaceTime call history logs on iCloud, complete with phone numbers, dates and times, and duration. The info comes from Russian software firm Elcomsoft, which said the call history logs are stored for up to four months.

Likewise, on iOS 10, Elcomsoft said incoming missed calls that are made through third-party VoIP apps using Apple’s CallKit framework, such as Skype, WhatsApp, and Viber, also get synced to iCloud. The call logs have been collected since at least iOS 8.2, released in March 2015, so long as a user has iCloud enabled.

Elcomsoft said the call logs are automatically synced, even if backups are turned off, with no way to opt out beyond disabling iCloud entirely. “You can only disable uploading/syncing notes, contacts, calendars and web history, but the calls are always there,” said Vladimir Katalov, CEO of Elcomsoft. One way call logs will disappear from the cloud, is if a user deletes a particular call record from the log on their device; then it will also get deleted from their iCloud account during the next automatic synchronization. Given that Apple possesses the encryption keys to unlock an iCloud account for now, U.S. law enforcement agencies can obtain direct access to the logs with a court order. Worse, The Intercept claims the information could be exposed to hackers and anyone else who might be able to obtain a user’s iCloud credentials.

Further, in a statement today, Apple said the call history syncing is intentional. “We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices,” an Apple spokesperson said in an email. “Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”

A lot of people are noting that Apple’s whitepaper on iOS security has a mention of call history in iCloud backups; I can’t find anywhere in said whitepaper acknowledging that call history/logs are synced using iCloud. Not sure if this is just an oversight in documentation, or a lack of transparency.

What’s curious to me is that Apple uses iCloud for this type of sync at all. The narrative is that it’s necessary to sync calls across all devices - my understanding of iMessage is that Apple keys each device and keys each message to be accessible by all devices. Why not employ a similar multi-keying for these types of sensitive records and use iMessage or something similar to enable the sync? Alternatively, if Apple is doing multi-keying for syncing these types of records, why doesn’t the whitepaper make mention of this?

[via Macrumors]

Typed on ErgoDox Test Board

Off Doesn't Mean OFF

Shazam is always listening

Patrick Wardle’s reversal of Shazam’s code:

TL;DR When Shazam (macOS) is toggled ‘OFF’ it simply stops processing recorded data…however recording continues

Once installed, Shazam automatically begins listening for music, “ready to name that tune at a moment’s notice.” This song identification or “auto tagging” (in Shazam’s parlance) is of course the main functionality of the tool.

Most (security-conscious) users probably don’t want Shazam listening all the time. Shazam appears to oblige, seemingly providing an option to disable this listening:

However, sliding the selector to ‘OFF’ did not generate the expected, “Mic was deactivated” OverSight alert. Odd :\ …though this did match what the OverSight user reported to me.

My first thought was perhaps OverSight had ‘missed’ the Mic deactivation, or contained some other bug or limitation. However testing seemed to confirm that OverSight works as expected. For example, when one quits (exits) Shazam, OverSight does receive a “Mic Deactivation” notification from the OS, and alerts this fact to the user:

So is Shazam still listening even when the user attempts to toggle it to ‘OFF’?

Again, though it appears that Shazam is always recording even when the user has toggled it ‘OFF’ I saw no indication that this recorded data is ever processed (nor saved, exfiltrated, etc). However, I still don’t like an app that appears to be constantly pulling audio off my computer’s internal mic. As such, I’m uninstalling Shazam as quickly as possible!

From Digital Journal:

“There is no privacy issue since the audio is not processed unless the user actively turns the app ‘ON,’” James Pearson, Shazam’s VP of global communications, told Motherboard in a statement. “If the mic wasn’t left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users ‘miss out’ on a song they were trying to identify.”

A later statement from Shazam corroborates what Pearson stated, and what Wardle found in his reversal of Shazam’s code.

“Contrary to recent rumors, Shazam doesn’t record anything,” the company said. “Shazam accesses the microphone on devices for the exclusive purpose of obtaining a small fingerprint of a subset of the soundwaves, which are then used exclusively to find a match in Shazam’s database and then deleted.”

Recording or no, one would expect the off switch behavior to stay true to expectations - to be an actual OFF switch. While Shazam may not record audio while the microphone is active, it still presents another attack vector that a malicious actor might use to co-opt the microphone.

[ via Objective-See & Digital Journal ]

Typed on ErgoDox Test Board