Andrew Orr

A server belonging to Voxox (formerly Telcentris) in San Diego was exposed because the server wasn’t protected with a password. Security researcher Sébastien Kaul discovered that it was an SMS text database containing “tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more.”

Each record was meticulously tagged and detailed, including the recipient’s cell phone number, the message, the Voxox customer who sent the message and the shortcode they used.

If you’re dumb or negligent enough to not secure a password containing other peoples’ sensitive data, you should not be in whatever industry you’re in. I hope Senator Ron Wyden’s bill gets passed.

Apple and Barclays are teaming up to offer a special promotion. If you sign up for an Apple Rewards Barclaycard Visa, you’ll get two US$25 Apple Store Gift Cards or App Store Gift Cards.

The Barclaycard Visa with Apple Rewards allows cardholders to rack up points when using the card to purchase products at Apple locations. The card rewards users with 3 points for every $1 spent at Apple, 2 points for every $1 spent at restaurants, and 1 point for every $1 spent on other purchases.

More details can be found on Apple’s financing page.

Apple customers can now buy an unlocked iPhone XR. This means that it’s not tied to a specific carrier so you can use your current SIM card. If you have a prepaid carrier, this is the model you’ll want.

SIM-free iPhone XR models are compatible with AT&T, Verizon, T-Mobile, Sprint, and other carriers. The iPhone XR starts at US$749 for 64 GB models available in white, black, blue, yellow, coral, and (PRODUCT)RED. Higher-capacity models are available for US$799 (128 GB) and US$899 (256 GB).

There’s a new version of the Apple Watch charger. The model number is MU9F2AM/A and has been added to the online Apple Store.

There are no design tweaks to the dock, which suggests that the new model includes unspecified internal updates. It is not known why Apple has introduced a revamped version, but the changes are likely to be minor.

You can pick up the new charger for US$79. The device is available for delivery starting on Friday, November 16, and should be in retail stores soon.

A couple of iPhone suppliers—Hon Hai and AMS AG—have said they probably won’t make as much money as they thought, and Wall Street is panicking.

The accumulation of warning signs has prompted analyst revisions in the past week. Guggenheim on Wednesday said the company’s recent reliance on rising average selling prices was “no longer enough” to boost growth at a time unit sales show signs of slowing. Shares in Japan Display Inc., one of the quartet that reduced its sales outlook, slid 9.5% Thursday.

I’m certainly no economic expert, but I’m pretty sure the fact that Apple is a stable company now is a good thing. Apple anticipated this years ago and is expanding their sources of revenue. Meanwhile, somewhere on Wall Street little Tommy won’t be getting a Maserati for Christmas.

Google’s subsidiary DeepMind Health is restructuring and becoming part of the company. Now that its new app Streams is a Google product, people are concerned that Google will start linking patient health data to their respective Google accounts. My thought: You could just delete your Google account, but the health data will likely be added to an advertising profile of you instead. Update: A spokesperson from DeepMind reached out to me to make some clarifications. I’ve also changed the headline to make it more accurate.

Patient data is, and will continue to be, kept strictly separate from other Google projects/products, and subject to strict audit and access controls. Our contractual agreements with existing partners, and their restrictive rules on patient data, are still in force and unchanged. Patient data remains under our partners’ strict control, and all decisions about its use will continue to lie with them. The move to Google does not affect this.

Mozilla’s Privacy Not Included gift list helps you shop safe for the holidays. It shows all of the holiday presents and tech gear that can be easily hacked. Ashley Boyd, vice president of advocacy at Mozilla, told Wired:

We want to provide people information about how to make informed decisions when shopping for gifts that are connected to the internet. These products are becoming really popular. And in some cases, it’s easy to forget that they’re even connected to the internet.

I think this is a fantastic idea and it brings more awareness to the insecurity of many popular gadgets and gear.

A website called Orcasound lets you listen to orcas using hydrophones, which are underwater microphones. Scientists use these recordings to find and study whales, especially at night or in bad weather.

The team behind Orcasound hope that non-expert listeners will help quickly alert researchers to the presence of orcas, so they can send out boats to test fecal matter and leftover bits of prey, thereby getting a better sense of what the whales are eating.

If you like whales and you’re interested in citizen science, check out Orcasound.

Another Facebook vulnerability has been found that could have exposed information about users and their friends.

The security company Imperva has released new details on a Facebook vulnerability that could have exposed user data. The bug allowed websites to obtain private information about Facebook users and their friends through unauthorized access to a company API, playing off a specific behavior in the Chrome browser. The bug was disclosed to Facebook and resolved in May.

At this point Facebook is a giant dumpster fire. Get out while you still can.

In another BGP hijack, Google traffic was rerouted yesterday through Russia and China. This included Google Cloud, YouTube, and other services.

Specifically, network connectivity to Google was instead routed through TransTelekom in Russia (mskn17ra-lo1.transtelecom.net), and into a China Telecom gateway (ChinaTelecom-gw.transtelecom.net) that black-holed the packets. Both hostnames have since stopped resolving to IP addresses.

Hijack me once, shame on you. Hijack me twice, shame on me.

A new HTTP version is coming, and it will work differently than previous versions. Instead of using TCP, it will use a Google technology called QUIC.

In its continued efforts to make Web networking faster, Google has been working on an experimental network protocol named QUIC: “Quick UDP Internet Connections.” QUIC reinstates the reliability and ordering that TCP has but without introducing the same number of round trips and latency.

For example, if a client is reconnecting to a server, the client can send important encryption data with the very first packet, enabling the server to resurrect the old connection, using the same encryption as previously negotiated, without requiring any additional round trips.