
    An Apple Security Reality Check

    November 30th, 2017

    Without doubt the usual offenders among Apple critics are joyfully reporting about a serious security flaw that reared its ugly head in macOS High Sierra 10.13.1. It was a foolish mistake, the sort of mistake that might cause management to find the offenders and take some serious action.

    No, I’m not suggesting they should be canned. Stuff happens. But it would probably require finding out exactly how this mistake was allowed to happen, and making sure it doesn’t happen again, and it’s clear Apple is doing exactly that.

    What was the problem?

    Well, if you installed the very first macOS High Sierra update, this flaw would allow you, or someone who has access to your Mac, to enable root mode without a password. Just enable root access, and it would be little different from getting an email account with your cable provider that used the default password, “password.” Well, except for the fact that you could leave the password field blank.

    In Unix parlance, the root user is the king of the hill, the individual who can access your Mac’s entire file system and do anything he or she wants. As a practical matter, it’s best left disabled, but with this bug, anyone who controls your Mac could do some nasty things. They could install a virus, copy your data, or wipe the drive clean.

    But it still required such access to enable the root user which, as I said above, could be done without need of a password. Not good.

    Once this flaw was discovered, Apple made quick work of fixing it by posting an online update. Says Apple:

    Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

    When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 AM, the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

    We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

    Clearly Apple has the damage control process down pat. Apologize for the problem, express contrition and explain what’s being done to keep similar problems from occurring in the future.

    Just look at Apple’s statement again. Upon being alerted to the problem after posts appeared on various tech blogs, it took less than a day for Apple to create, test and post the fix for users of macOS 10.13.1. The speed is commendable, and harkens back to the short-lived iOS 8.0.1 update in 2014, which killed the mobile connection and Touch ID for the iPhone 6 and the iPhone 6 Plus.

    Apple became aware of the problem within about an hour or so, and withdrew it. A fixed version, 8.0.2, arrived the very next day. In the meantime, the affected iPhones could be repaired with a Restore. It wasn’t permanent damage.

    Now in that particular case, even mainstream cable news talking heads attacked Apple for its lack of attention to detail, but few mentioned how quickly it was fixed.

    Now the 10.13.1 fix reportedly requires redoing the root user setup process and giving yourself a password, after which you can disable it again. Most Mac users probably won’t bother and, as I said, this is not a situation that would necessarily cause them any trouble if the bug went unfixed. Once again, you have to be directly targeted by a hacker with direct access to your Mac to enable that feature.

    Apple’s critics responded to the security glitch in a predictable pattern. How could Apple do such a foolish thing? Does this mean they’ve lost their ability to deliver a secure product? One critical blog I read strongly implied that this is the first time an Apple OS contained a serious security flaw which, of course, isn’t true.

    With nearly every macOS update, there is a set of security fixes. Some are arcane, and can only be exploited in theory. Others are serious enough to allow hackers to gain control of your Mac without much effort. It’s not just about not having to use a root password.

    In short, the belief that macOS, or any computer OS, is perfect is sheer nonsense. Again, it’s not whether the flaw exists, but how Apple reacts to the problem and how quickly the fixes can be released. Sometimes it takes weeks or months. This time it was an overnight process.

    That’s about as fast as you can get in the real world!

    Compare that to any serious security leak in Android. Just how quickly would Google fix the problem? And even if it were fixed overnight, how would they deploy that fix to the hundreds of millions of owners of Android gear out there?

    The answer is that they won’t, unless the fix can be deployed via the Google Play app store, or to users of native Google smartphones, the Nexus and Pixel models. Otherwise, the chances that anyone will receive that patch are slim to none.

    Something to think about.


    They Guess How Apple Should Do Business

    November 29th, 2017

    It’s very easy for an outsider to say how a huge multinational corporation should do business. There are no consequences unless that corporation chooses to take their advice. Even then, it’s still their fault for being so foolish.

    Of course, there’s nothing wrong with making suggestions about what a company can do to earn more money, improve its image or otherwise do things better. Talk is cheap. At the very least, it might even be fun.

    In keeping with that tradition, there’s an alleged analyst at The Motley Fool (an apt title) who is going full bore into claiming that Apple is on the wrong track. The headline reads, “Apple Inc. Might Be Making a Big Mistake.”

    Lest we forget, Apple’s September quarter exceeded analyst expectations. Revenue was up. Sales for the iPhone, the iPad, Macs and the Apple Watch increased. Despite estimates from Gartner and IDC about flat or falling Mac sales, they improved by 10.2% over the year-ago quarter. Yes, there’s still life left in the Mac platform. For the second quarter in a row, iPad sales increased, and there were reports of double digit growth for the Apple Watch.

    True, Apple doesn’t actually release numbers for the Apple Watch, but it’s possible to make educated guesses by looking over the totals in Apple’s “Other Products” category.

    Sounds good so far, right?

    So how is Apple going to make a “big mistake”?

    The article quotes someone credible, analyst Ming-Chi Kuo of KGI, who claims, based on his supply chain sources, that Apple plans to build a bigger version of the iPhone X next year. So in addition to an updated version of the existing form factor with a 5.85-inch display, there will be one with a 6.46-inch display.

    In short, the larger model would be similar in physical size to the iPhone 8 Plus?

    The Fool’s assumptions are based on a telltale quote from Kuo stating that there will be no major differences between the two models other than size. Evidently without further thought of the meaning of such an analysis, that Fool blogger asserts, “If this is true, then Apple is making a mistake.”

    How so?

    Well, it appears that conclusion is based on the differences between, say the iPhone 8 and the iPhone 8 Plus, where the larger form factor gets you two cameras rather than one. So the assumption here is that Apple is making a huge mistake not to follow a similar game plan with the iPhone X.

    Except that the blogger is missing something, probably because Apple’s specs weren’t consulted. The iPhone X already has a dual camera system at the rear. Thus the presumed advantage of the iPhone 8 Plus is already present.

    So what else might Apple do to deliver extra stuff for the larger model? Of course that assumes it has to be otherwise different in some way other than size.

    What does Apple do? Offer a sharper camera? Maybe adapt the ProMotion feature from the iPad? The doubled refresh rate, at 120Hz, will deliver smoother motion, making for a better viewing experience for movies and games. It’s why you might consider buying a TV with a higher refresh rate, and it’s particularly noticeable on a 55-inch set. It may not be as visible on the far smaller screen of an iPhone, although it is visible on an iPad.

    Now lest we forget, Kuo’s analysis shouldn’t be expected to list all of the proposed features of the 2018 iPhones. It’s possible that both will have ProMotion, and perhaps better cameras, with more megapixels, although Apple has concentrated more on larger lenses and better processing software to improve picture quality under a variety of shooting conditions.

    In other words, the blogger is talking through his hat. He doesn’t know. He doesn’t have a clue what Apple is going to do, or whether they will add some kind of differentiator other than size to the rumored larger iPhone X. To assume an outsider’s analysis of a future Apple product must represent the complete list of specs is foolish. It doesn’t make sense even when you accept Kuo is a very knowledgeable outsider.

    Indeed, it may well be that the final feature set of the 2018 iPhone X, and a possible iPhone X Plus, isn’t even finalized yet, so how would a third party know if Apple’s designers don’t? Or is The Motley Fool implying that Kuo is omniscient?

    The blogger also suggests that, since iPhone sales increases are slowing due to a saturated market, Apple needs to find other ways to boost revenue. That means increasing average sales prices, but the statement is self-contradictory. If there’s to be a larger version of the iPhone X, it should cost more. Even if total unit sales were the same, revenue and average sale prices are apt to increase.

    Then again, since there are already complaints about the $999 list price for the 64GB iPhone X, what will an iPhone X Plus cost? Or will Apple lower the price of the former by, say, $100 due to production efficiencies, and place the Plus version in its former slot?

    The long and short of it, though, is that any assumption that Apple is making some sort of big mistake based on someone’s estimates about the possible specs of next year’s models is just plain dumb. It’s just as dumb to assume Apple has no idea how to differentiate a larger smartphone from a smaller one, besides the size and battery capacity.

    As I said, dumb!


    Face ID and a “Mission Impossible” Mask?

    November 28th, 2017

    Amid all the hype, Apple is not exactly saying that Face ID and Touch ID are perfect solutions. They don’t work in every single case. From Consumer Reports to a number of tech publications, it has been demonstrated that Face ID can fail from time to time under normal use. Touch ID is better than it used to be, but I occasionally have to do it twice. Sometimes I just use the passcode, which always works so long as I enter the correct numbers.

    Now one of the classic features of the “Mission Impossible” TV series, and the blockbuster movies, is the ability to create amazingly perfect face masks. A character puts on the mask, and they are instantly changed into a perfect replica of another person.

    Of course, this requires a suspension of disbelief, a very big suspension. The secret agent’s physique has to roughly resemble the person he or she will impersonate. At 5′ 7″, actor Tom Cruise has to pretend to be one of the shorter villains, or does he wear stilts and platform shoes?

    In any case, the basic question is whether a real face mask can somehow be used to fool Face ID. A report from Forbes claims it has been done twice by hackers from Viet Nam at a total cost of $150 for the first effort, and $200 for the second.

    The deed is allegedly demonstrated in a video, but you’d have to take it on faith that it wasn’t edited to convey a misleading impression of what was really accomplished.

    According to the Forbes blogger, “A video shows the Face ID facial recognition enrollment being reset. Then the researcher enrolls his own face and seconds later unlocks it with a mask made of a 3D-printed visage constructed of stone powder, with 2D-printed eyes stuck on.”

    But the scheme has a fatal flaw, because the mask is made by scanning someone’s face. So you need the original face to begin with, meaning it ought to be a lot less time-consuming for that person to just unlock an iPhone X. Or maybe the individual has been kidnapped, and thus the criminals have decided to use the mask for future attempts to unlock the device without the owner being present.

    Isn’t this starting to get just a little extreme?

    Of course it’s always possible for a criminal to take out a gun, and order someone to unlock their iPhone. It doesn’t matter how. How many people would be foolish enough to say no way?

    Now if the scan could be generated direct from someone’s digital photo — and that appears to apply to the facial recognition scheme on a Samsung Galaxy S8 — it would represent a genuine security flaw. But having to go through all the rigamarole the Vietnamese hackers had to confront to unlock an iPhone X clearly demonstrates that Apple’s solution is pretty robust. Only time-consuming and extreme methods will accomplish the deed, and at some point the device’s owner has to participate, willing or not.

    As a practical matter, Face ID appears to work well enough to accommodate most situations. If you don’t trust it, use a passcode. With a six-figure code, the chances that anyone will guess it before the unit is locked for good are slim to none. If you type the code correctly, it works 100% of the time, whereas all biometrics are less efficient.

    But what about just buying an iPhone with Touch ID? Is that a more robust solution?

    Maybe not. I’ve managed a roughly 80% success rate with recent iPhones. I create profiles with both thumbs, but it’s just not good enough. Sometimes I just have to revert to the passcode, which you have to do anyway if you restart the device.

    If you do a little online checking, you’ll see reports of people who managed to fool Touch ID with some sort of latex print. But you still have to lift the print, meaning you have to have the original finger, or a really good fingerprint to work with. Some suggest you might also be able to accomplish the task with a dead finger, so long as the corpse hasn’t deteriorated too much. I suppose that ought to be a lesson to the authorities if they are trying to grab data from an iPhone, or another device with a fingerprint sensor that was used by the recently deceased suspect.

    It’s a grisly prospect, to be sure.

    With the latest reports, Apple’s critics will no doubt produce the straw man arguments that their biometrics are deeply flawed, suffering from serious security vulnerabilities.

    So it is fun, I suppose, to read reports about successful efforts to hack an iPhone or another device. Again, you have to feel confident that Apple has devised a solution that’s harder to crack than the competition’s. It should be obvious that they already know its flaws, and are working on even more robust hardware and software that even the best “Mission Impossible” mask won’t crack. Well, at least until the hackers come up with a better way.


    Newsletter Issue #939: Does this Set the Record Straight About iPhone X Demand?

    November 27th, 2017

    Without actually doing a survey, it does seem to me that the iPhone X has been the subject of more fear mongering than any other Apple gadget in recent memory. It has been positively relentless, with story after story about the alleged reasons Apple chose Face ID as the product’s biometric, its presumed shortcomings, and the alleged problems in improving production yields.

    Many of the arguments against Face ID came from people who never used it. Now that the iPhone X is available at more and more dealers, it’s very possible for these alleged journalists to look at one, test one and see whether it works as advertised. If they work for a publication that can afford to lay out some cash, they can buy one, take it home and give it a full test. At the very least, they can read the dozens and dozens of posted reviews to get a sense of how well Face ID and other features operate.

    For example, is the notch a distraction, or have developers begun to largely work around it? Should Apple have simply set up the display below the notch, rather than have it consume some of the space? Would that spoil the promise of an edge-to-edge display? Does it even matter?
