Password Manager Bitwarden Adds Touch ID to Browser Extension

Password manager Bitwarden announced the addition of a couple of new features. One feature adds support for Touch ID and Windows Hello to its browser extensions.

Browser extensions will now be able to access this authentication inside the Desktop application. This allows a more streamlined integration with hardware that does not require a unique browser-level integration. Biometric authentication requires macOS users to download the Mac App Store version.

Buffer Overflow Bug Found in SUDO Dubbed ‘Baron Samedit’

Tracked as CVE-2021-3156, a heap overflow bug found in sudo and dubbed “Baron Samedit” has been found recently. It allows an unprivileged user to gain root privileges on a vulnerable machine using a default sudo configuration.

The vulnerability itself has been hiding in plain sight for nearly 10 years. It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.

2020-02-03: Looks like macOS is affected after all.

Twitter Client ‘Tweetbot’ Becomes a Subscription App

Tweetbot was updated to version six on Tuesday and it brings several notable features, including the move to subscription pricing.

Even though the Tweetbot subscription isn’t expensive, I think Tapbots owes its users more than it has delivered. It’s a shame because Tweetbot remains one of the premier third-party Twitter clients for iOS. Hopefully, the lack of new features in this update will be addressed in subsequent releases.

Another subscription app that I’ll be deleting. For me, the only advantage Tweetbot has over Twitter is the lack of sponsored tweets, aka ads. While that is a notable feature worth paying for, one downside to Tweetbot includes never getting timely notifications.

Cut Fiber Cable Causes Verizon Outage on East Coast

A cut fiber cable has been giving Verizon Fios customers issues on the East Coast.

On Twitter, which many still were able to access, people reported they were seeing issues with their Verizon Fios Internet service. Verizon’s customer support team said on Twitter Tuesday that a fiber had been cut in Brooklyn, which could possibly account for some of the issues. The support account on Twitter quickly became inundated with customers asking why their internet was slow and bumpy.

Microsoft Edge Update Adds Built-in Password Manager

Version 88 of Microsoft Edge adds a new security feature for users. A built-in password manager makes it easy to keep your logins safe. It also scans for breached passwords on the dark web and notifies you if it finds a match.

Password Monitor will begin rolling out today with Microsoft Edge 88, but it may take a couple weeks for you to see it in your browser. For more information on how Password Monitor works, take a look at the latest blog from Microsoft Research.

Google Still Doesn’t Have iOS 14 Privacy Labels

I’ve been hesitant to keep sharing these stories. At the time this news first appeared I was skeptical, saying that we just got over the holidays so give Google a break. But as the days turn into weeks, this is when it does start to look damning and now it’s time to give Google some heat.

On January 5, Google told TechCrunch that the data would be added to its iOS apps “this week or the next week,” but both this week and the next week have come and gone with no update. It has now been well over a month since Google last updated its apps.

EU Fines Valve And Five Other PC Games Publishers

The European Union Commission issued fines totalling €7.8 million ($9.4 million) to Valve and five other games publishers on Wednesday, Techrunch reported. It followed a lengthy investigation that found that firm’s had broken the bloc’s rules.

The geo-blocking practices investigated since before 2017 concerned around 100 PC video games of different genres, including sports, simulation and action games. In addition to Valve — which has been fined just over €1.6 million — the five sanctioned games publishers are: Bandai Namco (fined €340,000), Capcom (€396,000), Focus Home (€2.8 million), Koch Media (€977,000) and ZeniMax (€1.6 million). The Commission said the fines were reduced by between 10% and 15% owing to cooperation from the companies, with the exception of Valve, which it said chose not to cooperate (a “prohibition Decision” rather than a fine reduction was applied in its case).

The Story of the 30-Year-Old PDF Format

The Portable Document Format (PDF) has been around for thirty years. But how did it become so ubiquitous? Rob Walker shares the interesting story.

The PDF keeps spreading not because Adobe or any company forces others to use it, but because of “millions of people all over the world,” Parmenter says, “just doing their thing.”

Malwarebytes Reveals it Was Hacked by Nation State Behind ‘SolarWinds’

Malwarebytes co-founder and current CEO Marcin Kleczynski reveals the company was hacked. He believes it was the same nation state actor behind the SolarWinds attack. The state is believed to be Russia.

After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.

Crazy stuff, and we’ll probably hear of the fallout for a long time.

AirPods Max Headbands Could be Interchangeable

iFixit published a tear down of the AirPods Max and it reveals, among other things, that the headband could be interchangeable.

It was rumored that Apple wanted to design the AirPods Max headband to be easily-swappable like its magnetic ear cups. That feature was thought to be missing from the final design, but this joint is so complex it just might have one more thing up its sleeve…despite the joint’s complexity, you can detach the entire headband from AirPods Max with just a SIM card removal tool or paperclip, without even opening the ear cup.

Bug Lets Audio, Video be Transmitted Without Consent in Apps Like Signal

Google’s Project Zero security team found a bug that lets audio and video be transmitted without user interaction in five messaging apps. These are Signal, JioChat, Mocha, Google Duo, and Facebook Messenger. All bugs have been fixed.

I investigated the signalling state machines of seven video conferencing applications and found five vulnerabilities that could allow a caller device to force a callee device to transmit audio or video data. All these vulnerabilities have since been fixed. It is not clear why this is such a common problem, but a lack of awareness of these types of bugs as well as unnecessary complexity in signalling state machines is likely a factor.

Where are the Safari 14 WebExtensions?

In 2020 Apple announced it would support browser extensions that used the WebExtensions API. But as Jason Snell points out, we haven’t seen many yet. One developer listed possible barriers for entry:

Limited time, lack of access to Apple hardware, unfamiliarity with Apple’s developer tools, Safari’s incompatibility with some existing extension-development tools, and the requirement to make some code changes in order to fit inside Apple’s security model.

I think another barrier is probably the US$99/year developer program fee. It makes sense if you’re already in the program to build an extension if it makes sense for you, but I don’t think many outside of the program will pay that just to release a new extension. Then again, it’s still in the early days of this new support.

Analysts Say Spotify’s Podcasting Isn’t Working Out

Citi analysts wrote to clients their belief that Spotify’s foray into podcasting hasn’t been working.

The cadence of Premium gross additions (through 3Q20) and app download data (through 4Q20) do not show any material benefit from recent podcast investments (that began in 2019). The firm downgraded the stock to sell from neutral. Spotify’s stock was down more than 6.5% in the afternoon.

Apple Feels Schadenfreude as Amazon is Accused of eBook Price Fixing

Nine years after an investigation found that Apple and the “Big Five” book publishers colluded to fix eBook prices to compete with Amazon, Amazon has now been accused of doing the same.

The lawsuit claims that almost 90% of all ebooks sold in the US are sold on Amazon, in addition to over 50% of all print books. The suit alleges that ebook prices dropped in 2013 and 2014 after Apple and major publishers were successfully sued for conspiring to set ebook prices, but rose again after Amazon renegotiated their contracts in 2015.

Using Open Source Software to Extend Apple’s HomeKit

Simon Bisson wrote a cool story for ZDNet. It involves using an open source tool called Homebridge that can be used to integrate smart home devices that don’t natively support HomeKit.

The plugin ecosystem is where Homebridge really excels. By having its own defined APIs, it’s possible for anyone with access to developer documentation to build a simple translation layer that links devices to HomeKit and to Home (and to Siri). Most of the plugins are on GitHub, so if you want additional features or support for alternative hardware, you can fork existing code and start to add your own features.

Epic Games Submits Complaint Against Apple in UK

The latest move in the Epic v Apple legal battle involves the former expanding its complaint to other countries. This was made public [PDF] by the Competition Appeal Tribunal of the UK.

This is an important argument to make on behalf of consumers and developers in the U. K. and around the world who are impacted by Apple and Google’s misuse of market power. Epic is not seeking damages from Apple or Google in the U. K., Australia or the U. S., it is simply seeking fair access and competition that will benefit all consumers.

AirPods Spatial Audio Could Arrive on Netflix

As I noted last year in my AirPods Pro editorial, Spatial Audio is a great audio experience. It can be found on Apple TV+ and Disney+, but not Netflix. But a recent rumor claims Netflix is testing it.

The iPhoneSoft report doesn’t include specific information on when Netflix will roll out spatial audio report, instead only vaguely suggesting a spring release with a “limited” catalog.

Apple Apps No Longer Bypass macOS Big Sur Firewalls

In macOS Big Sur, Apple deprecated third-party kernel extensions including Network Kernel Extensions (NKEs). NKEs are used by apps like firewalls to monitor network traffic. Apple’s new user-mode Network Extension Framework had a side-effect: Apple’s own apps wouldn’t be routed through it and thus could bypass third-party firewalls. But now that has changed.

I of course also wondered if malware could abuse these “excluded” items to generate network traffic that could surreptitiously bypass any socket filter firewall.  Unfortunately the answer was yes! It was (unsurprisingly) trivial to find a way to abuse these items, and generate undetected network traffic.

Mozilla VPN Arrives on macOS and Linux

After rolling out on platforms like Windows, Android, and iOS, the Mozilla VPN arrives on macOS and Linux for US$5/month.

The Mozilla VPN isn’t the cheapest option on the market. However, Mozilla has said that, because it uses fewer lines of code than other VPNs, the service is faster than many rival ones. You can connect to more than 280 servers in more than 30 countries via the VPN without any bandwidth restrictions.

I think US$5/mo is definitely one of the cheapest VPNs on the market.

Digital Library Book Readers Borrowed 430 Million Books in 2020

Book sales, both digital and physical, increased in 2020. Book borrowing did too, with OverDrive reporting 430 million ebooks, audiobooks, and digital magazines browsed in 2020. This is a 33% increase over 2019.

The most significant genre growth in 2020 was children’s and YA fiction and nonfiction because of remote and hybrid learning. In addition, more than 2 million checkouts occurred through Public Library CONNECT partnerships and the Sora student reading app. More public library and school partnerships than ever enabled students to use their school credentials to borrow ebooks and audiobooks from both their school and local public library.

Kevin Kelly vs. Kirkpatrick Sale: Has Tech Destroyed Society?

Here’s your long read for the weekend. Back in 1995, then-executive editor of Wired made a bet with Luddite Kirkpatrick Sale. The proposition? A bet that technology would destroy the world by 2020.

Twenty-five years later, the once distant deadline is here. We are locked down. Income equality hasn’t been this bad since just before the Great Depression. California and Australia were on fire this year. We’re about to find out how easy that money is.

I find myself between their arguments. Technology produces both positives and negatives, and issues like climate change largely accelerated by corporations make me pessimistic as a young person.

FTC Settles With App Maker ‘Tapjoy’, Blames Apple in Process

The FTC has reached a settlement with Tapjoy over claims that is used false advertising offers for in-game rewards that weren’t given to users.

But regulators also said Apple and Google helped create the environment that squeezes mobile gaming industry players and incentivizes them to find other monetization models that may have unsavory consequences for consumers.

Tapjoy runs a platform that lets users complete activities, like signing up for a free trial or downloading and running an app, in exchange for in-game virtual currency. It earns commissions from third-party advertisers who want to entice users to perform these tasks.

I think if a company is willing to do “unsavory things” to people, it probably doesn’t need to be forced into doing so. On Apple’s side, Tapjoy possibly ran afoul of review guideline 3.2.2 (vi).

Don’t Count on an Apple Car Any Time Soon

Some news outlets claim that the Apple car could be ready for production with a revolutionary battery by 2024. Mark Gurman has a report on Thursday saying that the car is five to seven years away, which is still in the general area of a half decade.

Still, some Apple engineers on the project believe the company could release a product in five to seven years if Apple goes ahead with its plans. The car is nowhere near production stage, the people said, though they did warn timelines could change. They asked not to be identified discussing sensitive, internal work. The majority of the team is currently either working from home or at the office for limited time, slowing the company’s ability to develop a full vehicle. An Apple spokesman declined to comment.

WIN an iPhone 16 Pro Max!