• Explore the magic and the mystery!


  • Listen to The Tech Night Owl LIVE

    Last Episode — August 24: Gene presents a regular, tech podcaster and commentator Kirk McElhearn , who comes aboard to talk about the impact of the outbreak of data hacks and ways to protect your stuff with strong passwords. He’ll also provide a common sense if unsuspected tip in setting one up. Also on the agenda, rumors about the next Mac mini from Apple. Will it, as rumored, be a visual clone of the Apple TV, and what are he limitations of such a form factor? As a sci-fi and fantasy fan, Kirk will also talk about some of his favorite stories and more. In is regular life, Kirk is a lapsed New Yorker living in Shakespeare’s home town, Stratford-upon-Avon, in the United Kingdom. He writes about things, records podcasts, makes photos, practices zen, and cohabits with cats. He’s an amateur photographer, and shoots with Leica cameras and iPhones. His writings include regular contributions to The Mac Security Blog , The Literature & Latte Blog, and TidBITS, and he has written for Popular Photography, MusicWeb International, as well as several other web sites and magazines. Kirk has also written more than two dozen books and documentation for dozens of popular Mac apps, as well as press releases, web content, reports, white papers, and more.

    For more episodes, click here to visit the show’s home page.

    The Apple Pay Conundrum

    November 7th, 2014

    Shortly before starting this article, I went to the nearest Walgreens store to buy some batteries for my Apple Magic Mouse. When you get the low battery warning, you only have a short time to replace them.

    Now understand that Walgreens is seldom the cheapest place to buy anything unless it’s on sale, or you have one of their rewards cards, which occasionally works with one item or another. But I needed those batteries yesterday and didn’t have time to get to a store with a better price.

    I might even have been tempted to give Apple Pay a try, since Walgreens supports NFC-based mobile payment systems, and that includes the seldom-used Google Wallet. But my bank hasn’t yet opted to support Apple’s payment schedule, and the same is true for my one-and-only credit card. Well, at least not yet.

    In talking to the store clerk, he said that, over the years, he recalls meeting just one person who used Google Wallet for a store purchase, but he wasn’t sure about Apple Pay. So it is very early in the game. Support from banks and merchants is a work in progress, and some larger retailers, including Walmart, are experimenting with CurrentC. Supposedly if a retailer signs up to beta test CurrentC, it’s an exclusive deal for the time being, though it’s not certain whether a dealer will have to pay a penalty, or lose access, if they opt to accept other payment systems.

    Without going through the advantages and otherwise of each system, it does appear Apple made a large effort to make the scheme as secure as possible, and prevent retailers from gaining any access to your payment and other identifying information. But a sale is a sale, and I suppose if they want to get your email address and other contact information to send you marketing spiels, you can always give it to them voluntarily.

    Now in a high-profile rebuke to Apple, both CVS and Rite Aid, two rivals to Walgreens, opted to shut down the NFC feature on their point-of-sale terminals when it was disclosed it worked with Apple Pay. I know that if I walked into one of those stores when this happened, I would have vowed never to return. But corporations are no smarter than individuals in sometimes making stupid decisions.

    Yes, I do understand that the company behind the CurrentC checkout system, MCX (Merchant Customer Exchange) is perfectly entitled to push their own methods and let the marketplace decide. But when they enforce exclusivity, even on the short term for the beta process, they are taking away some of your payment options. Besides, CurrentC is not widely available, and won’t be until 2015. So how does a retailer lose by accepting payments via other mobile systems in the meantime?

    One answer is that, if you become accustomed to using Apple Pay, as an example, you may not care a whit about CurrentC when it debuts. I suppose that’s the danger, but so be it. Customers should be given a variety of different methods to pay. Some retailers even accept Bitcoin, though I remain concerned by the safety of that system.

    So if you want to use cash, a credit card, a debit card, a check or even PayPal, the retailer who accepts these payment methods is more deserving of your business. If they are equipped to take Apple Pay and Google Wallet, more power to them. You have choices, so where’s the problem?

    Well, I suppose if a retailer has a method that sidesteps credit card systems, and thus the need to pay a percentage of each sale, it means more revenue. As innovative as Apple Pay seems, it is still using the traditional credit card merchant processing system. Apple may get a small piece of the action, but the retailer is paying the same rate. It’s the cost of doing business.

    Let’s assume that CurrentC does go live next year, and assuming retailer exclusivity is no longer required. At that time, customers will decide which payment systems work best for them. Retailers will have a fair shake at making it convenient for customers to buy their products or services. There’s nothing wrong with that.

    Or is it possible the folks at MCX aren’t fully secure that they have devised the most safe and flexible mobile checkout system? It’s not that it’s necessarily the easiest, since it requires an intermediate app to make the transaction. Even aiming your iPhone 6 at a checkout terminal to bump and make an Apple Pay transaction may take some practice. Remember that the transaction also has to be finalized via Touch ID.

    It’s also true that there’s a finite number of potential Apple Pay customers at the start, and even if the iPhone 6 and iPhone 6 Plus are in the hands of tens of millions of customers by the end of the holiday shopping season, the vast majority of mobile gear out there won’t be compatible. It will take another year before there are enough of these handsets in place, along with the Apple Watch, to make a reasonable dent in the marketplace.

    At the same time, dealers might be reluctant to commit to a checkout system that only works with one product line. Over time, Apple might want to consider making Apple Pay an open standard at the expense of losing its status as an exclusive feature. There can still be hardware requirements that will ensure security regardless of which mobile platform you support.

    Sure Apple might prefer to keep Apple Pay in the family, but that will continue to limit access to the system.


    Fear and Loathing About Mac Security

    November 6th, 2014

    Some months back, a high-profile tech journalist and talk show host posted an overwrought spiel about the possibility of getting malware on a Mac. The few malware outbreaks over the years, such as Flashback, a Java exploit, were cited, and a certain unnamed Mac security app was recommended to protect you from possible misery.

    Now the 2012 Flashback trojan affair reportedly impacted 600,000 Macs, although it’s not at all certain independent researchers were actually able to verify that figure, which came from one of the security software companies. It’s very true Apple should have acted sooner than it did to block the trojan, even though the security lapse was actually the responsibility of Oracle, who publishes Java.

    It’s also clear in the way that Apple acted, when it finally acted, that it is taking such threats seriously, even though those impacted by Flashback probably didn’t suffer serious damage and were able to remove the trojan fairly easily. But they could have had their data compromised as a result of such malware. Watching this episode play out taught me to stay away from Java.

    Without much in the way of malware outbreaks on the Mac platform, it also demonstrated how security companies will fear monger to sell more apps.

    There is also an article posted by one of those security companies about the dangers of having a Mac that can’t run OS X Yosemite or older versions of OS X that are still receiving security updates. The article correctly states that Mountain Lion, Mavericks and Yosemite can be run on a similar collection of Macs dating back to 2007, 2008, and 2009, depending on the model.

    Those Macs will continue to get security fixes most likely until OS 10.11 arrives, which might support fewer older models. Or maybe not.

    But if your Mac is stuck with OS 10.6 Snow Leopard or earlier, you’ll find that security fixes are no longer being released. Are you in danger of being infected? Does it mean your vintage Mac, while still working great, might be compromised?

    How do you protect yourself? Or must you buy a new Mac to get with the program?

    One of the most foolish suggestions in the article is to install Windows 8.1 under Boot Camp, so you are free of OS X and can run an OS for which security fixes are still being released. The other suggestion is even more curious, which is to follow some online instructions to install Ubuntu Linux.

    Talk about lame solutions. Now the failed Windows 8.1 is bad enough. I suppose you could hold out till next year and try Windows 10, assuming the version of Boot Camp that runs on your older Mac will support that OS. And remember we’re talking of Intel-based Macs. What about PowerPC Macs?

    Such suggestions aren’t just off the rails. They are out of this world. Solutions of this sort, and the suggestion to buy a cheap Windows PC or a Chrome-book, completely overlook the reasons people buy Macs in the first place. Being able to run a guest operating system on a Mac under Boot Camp, or a virtual machine such as Parallels Desktop, is a great accommodation for folks who need to occasionally run another OS for a specific app. But you buy Macs primarily to run OS X and Mac apps.

    Besides, can anyone believe someone would tell a Mac user that it’s safer to run Windows?

    What is not stated, however, is whether users of those older Macs should consider buying security software from the company who published the blog. Unfortunately they can’t, because the latest products from that company require OS 10.7 Lion or later.

    So what’s the point?

    Yes, it’s true that older Macs won’t receive security updates, however critical. It’s also true that Apple hasn’t, up till now, officially declared the end of support for an older OS. You have to discover by inference, that a new security update isn’t released for that system.

    Still, most malware these days gains control of a computer via social engineering. You are enticed via email or an online link to visit a site where the infected payload is delivered to your Mac or PC. It doesn’t just happen, even though there are occasional security leaks that might allow someone to gain root privileges on your Mac and take it over.

    One example is Rootpipe, recently discovered, but said to potentially impact OS X Yosemite and some unmentioned older OS versions. Now if your Mac can only be exploited by physical access to your machine, that’s one thing, and something that isn’t likely to happen to anyone who isn’t personally targeted by a thief who breaks into somone’s home or office.

    If it could be done remotely, the offender would still have to somehow break into your router and discover the hardware address of your Mac. I suppose that could happen in a public Wi-Fi setting, but that assumes Rootpipe can be made to function remotely, and the security researcher who discovered the vulnerability, Emil Kvarnhammar, is not talking. Evidently he’s giving Apple time to fix the bug before things get out of hand.

    But the lurid prose doesn’t mean your older Mac is no longer safe. If you practice safe computing, you probably have little or nothing to worry about. The sky isn’t falling.


    Some of the Latest Apple Glitches In Brief

    November 5th, 2014

    Although my experiences with OS X Yosemite have largely been favorable, it does seem that some people are reporting Wi-Fi connection issues. So their Macs aren’t able to sustain the Wi-Fi hookup for more than short time before it has to be reestablished. It appears there are some home-brewed workarounds, some of which involve dumping networking preferences and redoing them, but it’s not a lock.

    Some of the media outlooks complain that Apple hasn’t officially responded to the problems, and there are enough reports to show a trend. That would imply there’s no concern about it, but that’s just not so. An example is the report that Apple has already seeded the first OS 10.10.1 update to developers. One of the key areas they’re being asked to test is Wi-Fi, which, if correct, would indicate they have been aware of the problem for a while and have been working on a fix. Such things aren’t done overnight.

    You wonder, in passing, why this problem, and a few others that appeared in Yosemite, weren’t fixed during the beta process, which included not just developers but over a million Mac users who signed up for the public beta. It may well be that they were discovered late in the test process, or Apple didn’t feel they impacted enough people to hold up release. So on my Macs, a short time after launch, Mail stops displaying the number of messages in a mailbox, and I know Apple is aware of that one, though it is probably relatively insignificant in the scheme of things.

    All in all, as OS X releases go, the number of bugs described online seems fairly normal. I suppose it’s still not at all certain whether the public beta helped all that much, but at least it served a positive marketing initiative, to drive more interest to Macs. Clearly the platform is on a tear these days.

    When it comes to Apple’s mobile gear, reports are still coming in of perhaps some lingering bugs with iOS 8.1. There’s also a published report that a beta of version 8.1.1 has been seeded, and, further, that it might contain critical performance improvements for older gear. So folks who found performance to be perfectly awful on an iPhone 4s or an iPad 2 may receive some relief when the update goes live. Right now apps take longer to launch compared to iOS 7, and overall system and app performance may be more jerky than fluid.

    This brings to mind iOS 7, which supported the iPhone 4, but not so well. It took iOS 7.1 to make that 2010 iPhone relatively snappy again. Maybe not as quick as iOS 6, but certainly more usable. So will iOS 8.1.1 do the same to the iPhone 4s and iPad 2? We’ll see.

    When it comes to hardware, although someone is trying to resurrect BendGate with those alleged 300 pictures of bent gear, there may actually be a genuine problem. Well, if the reports are true and consistent.

    So there’s a story that at least some folks who bought the 128GB configuration of an iPhone 6 or an iPhone 6 Plus have been reporting what appears to be a very serious issue involving those with large app libraries. So it is prone to crash, followed by an endless boot loop after a restart. The jury is out as to the cause.

    It could, I suppose, be a software issue, a problem managing large app libraries. One story has it, however, that it could be a hardware issue that involves a defect in the memory controller of the NAND flash used on these models. If that’s the case, affected customers would have to get replacement handsets.

    Now we have to make some assumptions. First is that this is a hardware issue and not something that can be fixed with an iOS update. If it’s a defective component, the question would be whether a lot of units are impacted — necessitating a huge and expensive recall process — or perhaps just a few early production units. The media and industry analysts who might want to fear monger over the threat of defective iPhones need to hold off until the facts are known.

    One thing is sure: Regardless of the expense, if any iPhones under warranty have defective flash memory, Apple will do the right thing. However, that has never been confirmed. What’s more, the actual number of people reporting such problems appears to be quite small. Many of the posts, for example, on Apple’s support forums are from a small number of people who are conversing back and forth with other posters, so the total number of posts mount. So if a problem truly exists, it may not be widespread. And if there are, indeed, a small number of defective iPhones out there, that’s not really unusual. It happens with all makers of tech gear.

    The long and short of it is that there isn’t likely to be a recall, or even the need for one. More to the point, I wonder if reports of this sort are sometimes influenced by Apple’s competitors who lack the ethics to play fair and compete with the best products and support. It doesn’t mean they aren’t real, but sometimes you wonder.


    BendGate Revisited: Number Nine and Counting?

    November 4th, 2014

    When the first reports appeared about the alleged vulnerability of the iPhone 6 Plus to bending in your back pocket, Apple moved fast to respond. Only nine incidents were reported they said, and they invited selected members of the press to view their wireless handset stress tests. Even better was a test from Consumer Reports, who tends to be overly critical of Apple gear, which concluded that the iPhone 6 Plus wasn’t overly vulnerable to bending in your back pocket.

    This entire brouhaha arose when someone posted a video allegedly showing how easy it was to bend his iPhone 6 Plus. Of course, videos can be deceptive, and it’s quite possible he took extraordinary methods to bend the thing that weren’t photographed. More to the point, with targeted ads greeting anyone who wanted to watch that YouTube video, it’s very possible that revenue for ad clicks was a motivation. Sure, the video may have been totally accurate, but millions of hits meant plenty of ad revenue. Bad news can easily go viral whether true or not.

    Not long thereafter, SquareTrade, a company that sells extended warranties for tech gear, did their own informal test. Only the office bodybuilder, who could bench press over 400 pounds in a single bound, managed to successfully bend an iPhone 6 Plus. The moral of the story appeared to be that, if you tried hard enough, you could damage a $750 aluminum-clad mobile computer, but why?

    While Apple might be lenient about replacing damaged gear, clear signs of abuse would probably not receive a warm response from the local Apple Genius.

    So the story mostly died then and there and Apple went on to sell record numbers of iPhones. Samsung’s mobile handset sales continued to flag, and efforts to exploit the problem went for naught. It was fun for a while on the late night comedy shows, but they finally returned to political humor and other topics to get laughs.

    But some things that are old can be new again. So this week, a certain tech site claimed that someone had collected 300 pictures of bent iPhones. The intended purpose was to put the lie to Apple’s claim that only nine complaints were received. But it doesn’t quite pass the smell test.

    Remember that Apple made the original statement not long after the new iPhones went on sale. As millions of customers put their gear into service, it’s inevitable that a small number might be damaged. It’s also possible some forced the issue deliberately in the hope they could persuade Apple to replace their damaged iPhones.

    Even if the 300 number is correct, and perhaps represents a small portion of those impacted, the total would likely still represent a really tiny fraction of the millions of units sold. Tests from apparently reputable sources have already demonstrated that there is no product defect. But no mobile device is invulnerable to damage if you try hard enough to abuse it.

    Could the new iPhones be made stronger without necessarily making them much thicker or heavier? I suppose, although I wouldn’t pretend to guess how much the product would cost if more expensive and stronger materials were used? It’s a matter of being practical. Under normal use, your iPhone, even the 6 Plus, should be perfectly robust. If you drop it, or make an extraordinary effort to bend it, all bets are off.

    If those who collected 300 pictures actually have evidence of damage due to extreme vulnerability to bending, rather than deliberate attempts by people to get their 15 minutes, it still doesn’t prove Apple lied. The belief that a statement made on one day based on circumstances that existed on that day must remain true for the rest of time without change is downright foolish. I can’t imagine that any rational person would believe otherwise.

    Of course blaming Apple is nothing new.

    Shortly after Apple Pay first went live two weeks ago, there were reports that some Bank of America customers had their credit cards charged twice after making transactions with their new iPhones. Bank of America said it was an Apple issue, others said it was the bank. The media made a big play of it for a few hours, but it was reported that only 1,000 customers were impacted. All of them got full credit for the bogus charges.

    It was a fairly routine, if annoying, early launch glitch, and was apparently fixed very quickly. After the initial furore over yet another alleged Apple scandal, it all died down. This doesn’t mean there won’t be more glitches, but they will no doubt be addressed too.

    I also wonder if a similar level of coverage was given to the story that a rival digital payment scheme, CurrentC, backed by major retailers, experienced a major hack while still in the beta test phase. Apparently at least some of the email addresses of testers were acquired by hackers.

    Assuming CurrentC goes live as scheduled early next year, it’ll still be a potential nightmare. You’ll be making payments with bank drafts, although credit cards will reportedly be accepted. Right now, beta testers have to give their social security numbers and driver account information to set up accounts, though that is also  expected to change when the service goes live. But imagine the consequences if any of that information was stolen.

    In contrast, Apple Pay doesn’t send your credit card information, your name, address or other personal information to vendors, nor does it store any of that data in any retrievable fashion. With all those high-profile data breaches over the past year or so, whom do you trust with your credit card data? Do you trust the merchant? What if their credit card terminals are hacked? CurrentC is not a fully formed product, and there are already some questions about security.

    Security is one reason there is an Apple Pay in the first place, so merchants — and the thieves who might hack their payment systems — can’t take your personal information.

    In any case, when Apple’s involved, doesn’t there have to be a scandal?