FOXTROT/ALFA: Lots of Code Executions, iPhones, Google is Killing Products Again

FOXTROT/ALFA — Your Daily Tech and Policy Newsletter, Issue 149
Thursday, 15 October 2020

Yeah, I admit it. I played Elite Dangerous instead of writing my newsletter yesterday. There really is no excuse. But hey, I’m back today. So here’s the tech news of the last two days…

Vulnerabilities & Hacks

IT security news has been relatively quiet for a while now, but that seems to be changing all of a sudden. There are a lot of code execution vulnerabilities flying around right now.

Plug’n’Pwn – Apple’s USB security chip is broken:

For those just joining us, news broke last week about the jailbreaking of Apple’s T2 security processor in recent Macs. If you haven’t read it yet, you can catch up on the story here, and try this out yourself at home using the latest build of checkra1n. So far we’ve stated that you must put the computer into DFU before you can run checkra1n to jailbreak the T2 and that remains true, however today we are introducing a demo of replacing a target Mac’s EFI and releasing details on the T2 debug interface.

BleedingTooth - A remote code execution bug in the Linux Bluetooth stack:

BleedingTooth is a set of zero-click vulnerabilities in the Linux Bluetooth subsystem that can allow an unauthenticated remote attacker in short distance to execute arbitrary code with kernel privileges on vulnerable devices.

And there’s also a remote code execution vuln in the TCP/IP stack of Windows:

A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.

In other security news, Barnes & Noble was hacked.

Barnes and Noble tonight confirmed it was hacked, and that its customers' personal information may have been accessed by the intruders. The cyber-break-in forced the bookseller to take its systems offline this week to clean up the mess.

And also: Patch your PDF reader!

Windows and Mac users running Foxit’s popular PhantomPDF reader should update their installations to the latest version after the US CISA cybersecurity agency warned of a handful of high-severity product vulnerabilities. In its latest regular threat report, CISA counted four CVSS v2 7.5-level vulns affecting PhantomPDF.

Foxit has published updates for its software in both Windows and Apple Mac formats. Those readers running versions prior to 10.1 for Windows and version 4.1 for Mac ought to download and install them from Foxit’s website.

iPhones. New iPhones. Buy them already!

Oh yeah, I did promise you a recap of the recent Apple event, didn’t I? I think The Register summed it up pretty much perfectly with this headline: It’s that time of the year when Apple convinces you last year’s iPhones weren’t quite magical enough, so buy this new 5G iPhone 12 instead.

Apple on Tuesday wheeled out its iPhone 12 range featuring a more powerful system-on-chip, harder glass, sharper displays, and 5G.

The latest additions are split in two: the iPhone 12 and iPhone 12 Mini, and the iPhone Pro and iPhone Max. The iPhone 12 Mini reverses the trend of ever-larger phones and heads back toward iPhone 8 size with a 5.4-inch display. At the other end is the iPhone 12 Pro Max with a 6.7-inch screen. Apple says the iPhone 12 is 11 per cent thinner and 16 per cent lighter than today’s iPhone 11. And its new “super retina XDR” OLED screen offers a 460ppi resolution, slightly higher than other smartphones on the market.

There are no wireless EarPods included, nor the headphone jack, nor a power adapter; a USB-C to Lightning cable is included. Storage capacity starts at 64GB for the non-Pro and 128GB for the Pro versions – you lose 11GB to 14GB of that on bundled apps and operating system files, depending on which apps you choose to remove. The Pro range adds an extra camera and a LiDAR depth-sensing sensor that will probably make its way into non-Pro iPhones next year when Apple finally launches its augmented reality (AR) service. All four phone models are rated IP68, meaning they can last up to 30 minutes under no more than six metres of water.

Of interest to the average consumer will be the new toughened glass called “ceramic shield” that Apple describes, somewhat vaguely, as providing “four times better drop performance.” Does that mean you can ditch the extra screen protector with the iPhone 12? Let’s wait to see the inevitable YouTuber tests.

The iPhone 12 range is also, of course, Apple’s first 5G range. The launch carefully skirted around the realities of 5G networks at the moment, although it is possible that by the time the iPhone 13 is launched that 5G networks are real for most people, rather than network operator hype. Models sold in the US can use mmWave frequencies, and it’s sub-6GHz for the rest of the world.

Well, my iPhone 7 still works and I really don’t see a single reason here for an upgrade. YMMV.

The 14,000 GPU Supercomputer

Apparently, Nvidia is gonna team up with Intel to build a huge supercomputer in Italy. Very ambitious for a company who can’t even supply enough graphics cards to satisfy the demand among gamers.

Europe is to build four Nvidia-Intel-powered supercomputers, one of which will be the most powerful super yet built for AI applications, the GPU giant reckons.

That top-end machine, nicknamed Leonardo, is expected to reach 10 exaFLOPS albeit at FP16 precision; supercomputers tend to be benchmarked using FP64, though FP16 is presumably good enough for AI. This is why Nvidia billed Leonardo as “the world’s fastest AI supercomputer,” in that it will be the fastest publicly known computer… when executing machine-learning and data analytics algorithms using FP16 or lower. It will be dwarfed by other supercomputers when it comes to running workloads that require a precision greater than FP16.

Leonardo, we’re told, will be packed with roughly 14,000 of Nvidia’s latest Ampere A100 GPUs, and it will be operated in Italy by CINECA, a non-profit group made up of 70 universities as well as four government-funded Italian research labs and the state’s Ministry of Education, University, and Research.

Oh, I get it now! This is why they don’t have any GPUs for gamers left! Bastards.

Google Music is Gone, is the Play Store Next?

Google. The masters of killing products and leaving users high and dry.

There’s not much time left for Google Play Music. We’ve known Google’s 9-year-old music service was on the way out, but this week Google has started to actually shut down parts of its cloud music service in the hopes of pushing people to YouTube Music.

The gradual shutdown started on Monday with the death of the Google Play Music Store, which previously let you purchase music for playback and download, as opposed to the all-you-can-eat rental services that dominate the music landscape today. Google’s Music store was a section of the Google Play Store, which now just shows a message saying the feature has been removed. Google is getting out of the business of selling music entirely and now only offers a rental service through YouTube Music.

The other big feature shutdown is music playback on Google Home and Nest Audio speakers. While the Google Music app still works and you can start a playback through Chromecast, you’re no longer able to start music by voice through Google Assistant devices. If you dig into the Google Assistant settings (that means opening the Google app on your phone, then hitting “More,” then “Settings,” then “Google Assistant,” “Services,” and finally “Music”) you’ll find that the “Google Play Music” option has completely disappeared. Now the only supported services for voice commands are YouTube Music, Pandora, Deezer, and Spotify.

Google was talking up a smooth transition from Google Play Music to YouTube Music, and while the initial transfer process will bring all your Google music to YouTube Music, the YouTube Music service isn’t anywhere near ready for prime time and is missing a host of features. Support for playing uploaded YouTube Music playlists started rolling out to the Google Assistant this month, but it still hasn’t hit everyone. I can’t start any music by voice now, even with YouTube Music selected in the settings. My speakers only tell me “I can’t do that here, but you can ask me to play it on one of your other devices.” There are similar reports on the YouTube Music subreddit.

Google Music is scheduled to completely shut down sometime this month. Right now, the only thing left is streaming via the smartphone app and the Google Music website.

It gets better, though.

While there hasn’t been any formal announcement about the future of the Play Store, I think it’s time to start wondering if “selling everything” is still the vision for the app’s future. In Google’s original vision for the Play Store, it was a one-stop-shop to buy apps, games, books, movies, TV shows, and music. But now we’re seeing evidence that the Play Store is being parted out.

Besides losing the music store to YouTube Music, in the past few days, we’ve seen the “Movies and TV” store get duplicated in the new “Google TV” app. Google’s media apps have previously had seamless links to their own sections in the Play Store, but that’s not what’s happening here – Google TV launched with an entire duplicate store in the app’s codebase. On the Google Play Books front, Android Police recently spotted an experimental UI test for the Play Store that removed the “Books” section entirely. That leaves nothing but apps for the Play Store.

Lest Ad Blockers Work Too Well: Microsoft to Adopt Manifest V3 in Edge

That browser extension from Google that’s set to kill all ad blockers that actually block ads well? Yeah, Microsoft is all-in.

Microsoft has decided to support the Google-proposed Manifest V3 in its Edge browser – based on the Chromium browser engine – despite continuing concern about the impact on content-filtering extensions such as ad blockers.

The manifest is used by browser extensions to declare what permissions an extension requires, and is associated with a set of APIs through which the code can interact with web pages. Extensions are able to read and modify the content of the page, giving them high capability but also introducing privacy and security risks, in the case where a user installs a malicious or compromised extension.

In early 2019, Google came up with a proposal to make extensions safer but at the expense of some reduction in capability. In particular, the webRequest API, which lets the extension view, modify or block browser requests, is being deprecated in favour of a new and less powerful Declarative Net Request API. A common use for webRequest is ad blocking, but there are many other use cases.

It is a difficult matter as while Google is correct in stating that extensions can abuse webRequest, there are also suspicions that the company is keen to keep ads flowing because its business depends on it. We reported last year on a Google financial filing which highlighted ad-blocking technology as a threat that “could adversely affect our operating results.”

Microsoft could potentially have made support for the more powerful webRequest API a distinctive feature of Edge; and some users begged for it to do so, saying: “Please, please don’t remove/change/limit this API.” Those appeals appear not to have been heeded. In a new post, the Microsoft Edge team said: “We plan to support the Declarative Net Request API and other changes proposed as part of Manifest V3.”

Tesla not Paying for Water on Their Berlin Building Site

Oh this is good. Tesla has to stop building its new factory close to Berlin because they haven’t paid for the water on the building site . Now, it takes quite a while of you not paying your bill for the German utility to turn it off, it’s a civil right, after all. But after not paying more than 15,000 euros, apparently due to a software glitch, the waterworks apparently got fed up with Elon’s people. LOL. Software glitch. Sounds like a Tesla.

Also Noteworthy

Other stories I’ve been reading in the last two days:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.