1STnTENDERBITS

  • OpenID Foundation says 'Sign in with Apple' has critical gaps, urges changes

    dewme said:
    I trust OpenID if they say there are security holes. And given the importance and visibility to Apple, I’m sure they’ll address the security issues before releasing SIWA. 

    As for compatibility with generic OpenID?  Nice for OpenID, but it would only muddy the waters when it comes to customers understanding what SIWA is all about. I'd be surprised if Apple makes that a priority. 
    The thing is, OpenID is not saying there are security holes. Read their statement: 

    "which could nominally leave people exposed to code injection and replay attacks."

    If you're running Safari right click on the word nominally and select "Look up nominally." Or look it up in a dictionary.

    Standards organizations are populated with wordsmiths who choose their words very carefully. They are not identifying any actual security holes that they have found. They are only saying that there is a possibility that an issue may or may not actually exist. Identifying a possibility is one of the weakest arguments one can make. If they were stating a probability, with a hard number or range of numbers, then we'd have to take a much more serious approach.  


    Respectfully, maybe you should re-read their statement.  OpenID is saying there are security holes and they are identifying them.  They even link to the issues in the same paragraph you're quoting from (the hyperlink is "a host of differences").  Whether their claims ultimately prove to be true is a different matter.  Regardless of the veracity of their claims, you made the mistake of parsing their quote, excerpting a portion, and then building an argument around it.  Context matters.  That full sentence reads, "An example of the latter is absence of PKCE in the Authorization Code grant type, which could nominally leave people exposed to code injection and replay attacks."  That sentence is about 1 example, not their entire premise.  
  • Jony Ive's departure reveals new details of Apple's car and TV plans

    seneca72 said:
    Is Ive's new studio LoveFrom or should it be "LoveFORM"?  Surely the latter sounds more appropriate.

    LoveForm - function can take a hike....
    It's LoveFrom.  From FastCompany article: 

    LoveFrom? Sort of an odd name on first hearing, right? Well, there’s a story there. The name comes from this Steve Jobs quote, paraphrased by Ives in a Financial Times piece today.

    “There was an employee meeting a number of years ago and Steve [Jobs] was talking . . . He [said] that one of the fundamental motivations was that when you make something with love and with care, even though you probably will never meet . . . the people that you’re making it for, and you’ll never shake their hand, by making something with care, you are expressing your gratitude to humanity, to the species.”

    “I so identified with that motivation and was moved by his description. So my new company is called ‘LoveFrom’. It succinctly speaks to why I do what I do.”

  • New 'Service' battery message in iOS pushes consumers toward official replacement

    zroger73 said:
    FU, Apple. This is the stuff that is going to drive me back to PC's after a 12-year run and tens of thousands of dollars donated to your organization.

    Apple has a 100% right to do this. Remember if anything is YOUR fault Apple gets blamed. Also if an aftermarket battery blows up an iPhone we get tons of articles, videos and memes mocking Apple.

    Also, Apple has a charity?
    Would you mind terribly pointing towards any evidence supporting that theory?  Both you and @sergioz used the same claim of aftermarket batteries catching fire and Apple getting blamed.  That really doesn't happen though.  Not really sure what rights you think Apple has, but the right to force 1st party and authorized repair ain't one of those rights.  

    Right to repair is focused on consumer protection and consumer choice.  I think anyone advocating against that, especially a consumer putting corporate desires above their own, needs to have their priorities adjusted.
  • Amazon, Google follow Apple's lead on voice assistant review policies

    Rayz2016 said:
    But why do they need folk to listen to the recordings? I’m a bit unclear on that. 
    Piggybacking on Avon B7's comment about accidental activations, humans listening to the recording are helpful when the Assistants misunderstand what's being said.   With all the accents and dialects that are spoken, there are going to be times the assistants don't understand the command or query.  Humans can better decipher the meaning and that info can be fed back into the knowledge base to increase accuracy.

    As many have said, there are very legitimate reasons for human listening.  There just has to be improvement.  First thing, they need to get rid of the 3rd party outsourcing and use in-house employees only.  Yeah, it's going to cost more for them but none of these companies are hurting for a dollar.  Second, implement controls in the work environment that make stealing data a difficult process.  Third, in plain language inform customers there's a chance their interactions can be recorded and used for blah, blah, blah.  Third B - a pop up that makes participation OPT-IN not opt out.

    Not high priority, but I think they should all use raw numbers when reporting to the public.  Vague "less than 1%" or "approximately 0.2%" doesn't really paint an illuminating picture for customers using these services.  What raw number represents less than 1% of interactions per day x 365 days per year?  1000 per day? 100,000? A million?
  • Analysts predict Apple Pencil support in 2019 iPhone - again

    I think Steve just rolled over...
    Unless there's an earthquake, Steve ain't rollin' over.  The man's dead.  Please don't misguidedly invoke his memory.  His stylus quote was uttered at a different point in time, referencing different tech, and in a context completely different from today's tech.  Also the man wasn't intractable in his thought processes.  That quote was uttered over a decade ago.  Things have changed.  If he was alive today, I'd bet he'd consider a lot of the thoughts he had a dozen years ago to no longer be relevant.  Pretty sure it's the same way with you, me, and everyone else.  

    On topic:  I personally think it was only a matter of time before the iPhone gained stylus support.  I also think the iPhone is going to get its own iPhone sized version next.  The key here is, just like with the iPad, it's an accessory not a requirement.  Those who don't want one don't have to get one.  Choice is a good thing.  
  • New 'Service' battery message in iOS pushes consumers toward official replacement

    PART of the trouble here is, in fact, the fault of Apple:
    While they "encourage" people to get repairs & upgrades done at an authorized center they neither enforce the policy nor (critically) publicize it up front.   Instead they use a sorta passive - aggressive approach where, when there is a problem they say:  "See, you didn't follow directions.   It is your fault".

    I think Apple and its customers would be best served by making it very clear up front that, while they won't block you from getting third party repairs that all bets, warranties, guarantees, assurances and everything is gone if you do.   They need to do that BEFORE somebody buys an Apple product, not after they get the third party repair that impacts their product.

    (I don't mean to absolve the person of responsibility for their actions.  But that we will continue to have these debates and discussions until  Apple makes their policy very clear UP FRONT.)
    Apple can't do that, because it would be against the law.  Warranties are covered by the Magnuson-Moss Warranty Act.  What you're advocating is expressly forbidden.  Apple can only insist on OEM or Authorized repair/parts if 1. They are offering the repair for free under warranty or 2.  They can prove the repair can only be done with certified parts or via certified tech.  
  • Apple to reportedly provide 'dev device' iPhones for bug hunting, introduce Mac bounty

    ...according to a report on Monday that also claims the company intends to institute an official bug bounty program for Mac in the coming weeks.

    If this is true, I got 2 things.  1. Great   2. About goddamn time. 
  • Face ID attention detection security defeated with glasses and tape

    Soli said:
    If someone doesn't read the article and they freak out, that's on them.  If they don't read the article and say Face ID is crappy, so what?  Just ignore them or if it bothers you, correct their incorrect assumption.  Simply put, this is not a good look no matter how you look at it.  A vaunted security feature bypassed by $2 worth of supplies.  No 3D printer, no sophisticated masks or prosthetic pieces.  No Mission Impossible dangling from a rope inches above the floor.  Nope.  Just a quick hop over to Walmart and you're good to go.  As I said, I think Apple focused on high tech intrusion, not anything like this.  Their fix shouldn't be that hard to come up with imo.
    Why go to Walmart? Take the glasses from the person that already has to be wearing them to set up Face ID with glasses and then put tape on them before putting them back on the face of the iPhone owner to get into their device. Despite your comment saying how obvious it is you still failed to note it requires all these very odd circumstances to use this "hack" effectively.
    I think you're failing to understand the point.  Face ID can be defeated by a solution that is so low tech and cheap that it's absurd.  That "X-Glasses kit" from the picture I attached is all that is needed to bypass Face ID.   Stick the kit on someone's face, hold their phone up, and voila. ← That's exactly how the hack works. There are no very odd circumstances.   Bypassing Face ID should never be that easy.  That's the point.
    You can also knock a person out and stick their finger on a fingerprint sensor. 

    You people try so hard. 
    You don't try hard enough... to think.  How exactly does Touch ID having vulnerabilities change the fact that Face ID got low tech spoofed easily?  It doesn't.  You should try to do something other than your regular deflection shtick.  It is nothing more than a tedious annoyance.  "Hey, I know the subject is this issue right here, but I'm just gonna start tossin' dirt on other stuff."  I honestly don't think you know any other form of interaction besides trying to place blame elsewhere.  

    Do you actually have a relevant opinion on this topic?  Or are you going to continue throwing dirt to deflect?  Let's see, you've already deflected using Samsung and Touch ID.  What's next?  Gonna say someone could hold a person at gunpoint and force them to give up their password. /s
  • Face ID attention detection security defeated with glasses and tape

    Soli said:
    Let's be clear that this "hack" still needs the face of the person who is already keyed for the device. This only allows a person who wears glasses to allow someone to use their phone on their face to unlock Face ID without their consent if they happen to be unconscious after making a pair of augmented glasses, assuming that their picking up the iPhone doesn't trigger Face ID and the subsequent disabling of Face ID before they can execute this "hack".
    What do you mean "let's be clear"?  Everything you said is stated better right in the article.  It couldn't be more clear.  The researchers even offered up their thoughts on how to mitigate the vulnerability.  Instead of trying to make excuses for Face ID, be happy this beyond low tech, super cheap MacGyver hack has been exposed.  Now Apple can work on nullifying it.  I think Apple concentrated on defeating high tech penetration techniques.  This hack is the equivalent of throwing a rock through a window.  Low tech, but it works.
  • Face ID attention detection security defeated with glasses and tape

    Soli said:
    If someone doesn't read the article and they freak out, that's on them.  If they don't read the article and say Face ID is crappy, so what?  Just ignore them or if it bothers you, correct their incorrect assumption.  Simply put, this is not a good look no matter how you look at it.  A vaunted security feature bypassed by $2 worth of supplies.  No 3D printer, no sophisticated masks or prosthetic pieces.  No Mission Impossible dangling from a rope inches above the floor.  Nope.  Just a quick hop over to Walmart and you're good to go.  As I said, I think Apple focused on high tech intrusion, not anything like this.  Their fix shouldn't be that hard to come up with imo.
    Why go to Walmart? Take the glasses from the person that already has to be wearing them to set up Face ID with glasses and then put tape on them before putting them back on the face of the iPhone owner to get into their device. Despite your comment saying how obvious it is you still failed to note it requires all these very odd circumstances to use this "hack" effectively.
    I think you're failing to understand the point.  Face ID can be defeated by a solution that is so low tech and cheap that it's absurd.  That "X-Glasses kit" from the picture I attached is all that is needed to bypass Face ID.   Stick the kit on someone's face, hold their phone up, and voila. ← That's exactly how the hack works. There are no very odd circumstances.   Bypassing Face ID should never be that easy.  That's the point.
    You can also knock a person out and stick their finger on a fingerprint sensor. 

    You people try so hard. 
    You don't try hard enough... to think.  How exactly does Touch ID having vulnerabilities change the fact that Face ID got low tech spoofed easily?  It doesn't.  You should try to do something other than your regular deflection shtick.  It is nothing more than a tedious annoyance.  "Hey, I know the subject is this issue right here, but I'm just gonna start tossin' dirt on other stuff."  I honestly don't think you know any other form of interaction besides trying to place blame elsewhere.  

    Do you actually have a relevant opinion on this topic?  Or are you going to continue throwing dirt to deflect?  Let's see, you've already deflected using Samsung and Touch ID.  What's next?  Gonna say someone could hold a person at gunpoint and force them to give up their password. /s
    I do think, which is why I recognize bonehead troll tropes when I see them. Your pattern of posting history makes it very plain to see...you now purport there to be an immense Apple security problem where there isn’t, as shown by the many years of Touch ID and your crappy knockoffs with their fingerprint sensors. The whole “They’re gonna knock you out and put these glasses on you!” schtick is silly bullshit, nothing more. No more valid than the FUD pellets people like you dropped from your behind for Touch ID — “Muggers will cut your fingers off! The government will force your finger onto the sensor!” Then the “Hey, you!” fear mongering. Then the AirPod “Muggers will pluck them out of your ears on a bicycle!” Blah blah blah... All silly bullshit, none of which came to pass, just like this Groucho Marx nonsense. 

    Apple will likely resolve any exposed weakness in the “liveness” detection so it’s just academic anyway. Heckler self-pleasuring, nothing more. 
    You're an abject liar.  You are the one who brought up Touch ID. There's nothing negative about Touch ID in any of my posts.  There's nothing in any of my quotes about knocking someone out. All that shit you're trotting out and trying to attribute to me?  Piss off with that nonsense.  There's nothing in my posting history like that.  It's open so anyone can see what a liar you are.  And no, you don't think.  Otherwise you wouldn't try to pin outright lies on me.  I would say it's intentional but it's more likely Hanlon's Razor.