It's equally funny to see the collective sigh-of-relief expressed through this post's upvotes. OCSP is real and can hurt you, warrantless iCloud access still goes un-mitigated, but thank God! The QR code IP leak turned out to be a fake. Who knew MacOS was a nice and private operating system all along?
So... I think replication was needed and have a MacBook myself. However, the claim in question was tricky to verify because it was supposedly occuring over the course of days.
I also think it says a lot about collective anxieties over not using an open OS. The scanning wasn't happening but it was plausible and there wasn't really much to do about it other than try to verify it.
I think the episode says less about collective unwarranted paranoia and more about collective vulnerabilities.
I still am scratching my head about the new tweet though. It doesn't say the scanning isn't happening, just that it's not MacOS.
Unfortunately he doesn’t go the full distance and tell us unambiguously whether or not he clicked on said shortcut. Which would say nothing about the already settled macOS question but would say something about Firefox.
I’ve been thinking about this problem a lot. It seems to me you either go full send on the privacy front -> use FLOSS operating systems and self-host Nextcloud, or you want the comforts of modern apps and services -> buy into Apple’s or Google’s ecosystem.
There exists no option where you get to keep your privacy and enjoy modern technology.
I'd love Apple to build iCloud hosting via your home mac or a new version of the server they used to sell. That way all data sits on and is processed by a machine you control. Admittedly wishful thinking but I can dream.
Well, because using any popular service or app is right out?
Just looking at my own phone, payments, banking, planning transit rides, ordering cabs, keeping in touch with (online and offline) friends, streaming videos and music, gaming, ordering groceries, ordering takeout, translating documents, getting breaking news, taking (good) photos, and reporting vandalism to the city are all proprietary apps.
I don’t see a straightforward way to replace any of these with FOSS, and getting rid of them all would necessitate some serious concessions in my lifestyle.
> Well, because using any popular service or app is right out?
> Just looking at my own phone, payments, banking, planning transit rides, ordering cabs, keeping in touch with (online and offline) friends, streaming videos and music, gaming, ordering groceries, ordering takeout, translating documents, getting breaking news, taking (good) photos, and reporting vandalism to the city are all proprietary apps.
Most if not all of those are websites that work fine in a perfectly normal browser on whatever operating system I care to use, in my experience.
I know for certain that the services I depend on in at least half of those categories either don’t work in the browser, do work but don’t have full functionality, or are just the desktop version.
Maybe it's different where you live, but for me from of the things you listed, the only one that would absolutely depend on a proprietary OS is keeping in touch with friends - because many use services such as WhatsApp that depend on having a phone with Google Play Services. And games where you usually have no choice.
Of the others, many depend on proprietary services, but pretty much all are accessible via their respective websites and I rarely see missing functionality.
payments - just use your card. You could even stick it in your phone case so you always have it if you have your phone
banking - there are some "app-only" banks where I live, but for every one there are 5 normal ones with websites
planning transit rides - all the ones I've used work in the browser
ordering cabs - around here they all have websites... or even phone numbers. Even Uber works via the website.
streaming videos and music - Spotify, YouTube, Twitch etc all work fine in a browser (in fact, on mobile they work better in a browser as you can block the ads!). If you want to host your own, there is Plex and similar.
gaming - most games won't work, but there are web-based and OSS games; Steam Deck could be an alternative
ordering groceries - around here they all have websites
ordering takeout - as above
translating documents - this one is weaker but there are several services that let you do this via the website
getting breaking news - if you really need to see them ASAP, use a site that has an RSS feed - they still exist! Might not work for local news though
taking (good) photos - plenty of OSS camera apps; using an actual camera could be an alternative
reporting vandalism to the city - must be specific to where you live; here everything is via web forms, and if there is an app it just wraps the website
- some services don’t work (you already mentioned WhatsApp, there’s also others (Discord, FB Messenger) - maybe you can use them in the browser but it’s going to be a subpar experience)
- some have limited functionality (bank: works but you need to carry the physical 2FA device to log in instead of using your fingerprint; groceries: around here, the ones with websites have high order minimums and delivery fees; translating: camera translation (essential when travelling or living abroad) is only on the Google Translate app AFAIK; news: the national public broadcaster here doesn’t have a ‘breaking’ RSS feed, and apparently even the ‘all news’ feed is broken anyways)
- carrying around separate devices (camera etc.) brings us back to the original point: if you want to enjoy the niceties of modern devices, FOSS is going to be a compromise
It's not even at times. It's all the time. Theres many threads where the actual information is sparse but people sound extremely confident about their conclusions. Makes me realise that much of the time people are just making stuff up, there's just nobody to call them out.
Anything Apple gets peoples hackles up. I think it’s because “favourite tech stack” is such a tribal thing, and there’s so many more Windows/Linux/Android users in tech communities
I doubt it. All of bigtech gets the same deranged treatment: Google, Facebook, Microsoft, etc.
It was a weird moment when I found myself defending fb on hn more often than I criticized them (I think they're atrocious), but the comments on bigtech stories are just that stupid.
I agree that all big tech gets it, and to be honest anything that’s not FOSS gets shit on a ton here.
But I do think Apple get it worse than other companies.
Android posts don’t get as many comments that range from conspiracy to calling users sheep.
Google gets ribbed for their ADHD but rarely criticized anywhere as much if Safari or Chrome both add their web proposals before standardization.
Apple hardware gets trivialized when performance comes up whereas Intel, AMD and NVidia get vaunted.
So I agree every big tech company gets railed on here, but I think Apple gets a disproportionate amount of it.
Before someone says it, That’s not me defending them as a company, it’s me tired of the terrible discourse on every post that mentions them. There’s lots of things that would be interesting to criticize them for and read about, but every thread divulges into the same exact community talking points.
I suppose I haven't noticed that myself. Though I spend less time on hn than I used to, and the consensus on Apple used to be dramatically more positive, so it's possibly that colors my perception
I know someone that doesn’t tell people they work at Apple. They say it’s a death blow to making new friends, always resulting in in the same “well, I don’t like Apple because” or “well I prefer Android because” conversations (or their inverse).
I thought they were exaggerating until they proved it to me, by letting me witness the train wreck, at a social gathering.
People seem to have _really strong opinions_ about Apple. I’m in an IRC group and the people in there are great but then very tribal when anyone mentions Apple.
It’s a little bizarre to me, the litany of things they can talk about. I’m pretty sure I spend just about 0% of my energy thinking about where people get their phones or which mobile operating system they use.
What's worse is that the brands they use have became the extension of their identity, or even their complete identify. I once mentioned online that FaceID has failed for me almost once a day, I got attacked online by fanboys.... very strange behaviour
> one thing is for certain; Apple doesn't treat privacy as a human right. If you can live with that, then more power to you.
You're inferring that the commenter deduced this solely from the new (incorrect) info. It seems a lot more plausible that they already hold the view (as I do) that Apple's privacy-friendly image is overblown, and used a separate issue to belabor that pt.
Though I do agree that this incident seemed unlikely w/o further evidence, even given Apple's traditional disdain for the user's control over their own system. And Apple has firmly joined the ranks of bigtech cos that HN threads are absolutely deranged about.
I hope they did sell it. It’s right for there to be consequences for not being a critical thinker.
Not that Debian Linux is bad. But selling a machine and setting up a new one is friction that I don’t mind seeing imposed as a cost of unthinkingly following cognitive bias.
Yeah and to be clear, that's not merely an HN thing, or an internet thing. People - even people who seem very clever - generally have no idea what they're talking about.
It's sort of exhilarating to truly understand just how much of the world is built on absolute bullshit.
However, I think it's more dangerous on sites like HN where it's wrapped up in this illusion of rationalism, intelligence and elitism along with HN reputation for a "higher level of discourse" which makes people more likely to believe.
Turns out HN falls prey to all the same human biases as everywhere else.
A quick way to see it in action is find a thread about something you know deeply and read the comments.
At the risk of falling into the age old Eternal September trap, I do feel like I've become significantly more disillusioned in the last year or so at the quality, or rather the lack thereof, of discourse on HN. It's as tribal as Reddit is, and not consistently higher quality discussion.
What we do have here is dang, though, which is a lot more than Reddit generally has.
Hackernews has a whole lot of smart people, but the dark matter of the Hackernews universe is the much larger number of schlubs who cosplay as smart people online.
I flagged both of those at the time because it seemed more likely to be user error than anything. Bold claims like that need more evidence before publishing.
One thing that any programmer knows is that until you have a way to reproduce something in a clean environment, a bug report on its own cannot be fully trusted. That doesn't mean you ignore the possibility that the reporter is correct, because sometimes reproduction is very difficult indeed, but you have to allow for the fact that something about the user's environment or workflow unrelated to your own code might be at fault.
We are all susceptible to errors in our methodology or limitations in our understanding of how complex systems interact. We should be humble and careful about jumping to conclusions.
In a now deleted tweet, the person was also ridiculing security researchers who were DMing him for more information, painting them as lazy, as if they hadn't tried to reproduce themselves. But nobody could reproduce the issue.
uh wow. It goes without saying that you should know what the commands do before you run them and should not ask for help and then be hostile when people offer to help.
> We should be humble and careful about jumping to conclusions.
Agreed, but it's also important to look out for confirmation bias. There were users on Twitter and even one HN commenter in the linked threads above who claimed to have reproduced the issue and verified the flaw. The HN commenter later updated their comment to admit their mistake. However, it's interesting to see how once the idea has been seeded, people are primed to accept any suggestion that it might be true.
A lot of applications seem to use this user agent because a lot of sites were providing embed data only to this user agent. Bizarre, but a needed evil I guess.
Yes, I just tried it and apparently Firefox on iOS uses that user agent when it gets a thumbnail of a page for its "Recently Saved" and "Jump Back In" sections on the new tab page.
The retraction is that it's not the operating system doing it. But honestly, Firefox doing the same thing isn't great either. Am I alone in finding it surprising that the recent list actively polls the things on it?
As far as I understand it, Firefox is not reading QR codes out of images and automatically opening links, but rather reloading already opened URLs that were coming from QR codes. Maybe not ideal, but far better than having the OS scan for QR codes in background and loading them without warning.
I don't think Firefox was reading any QR codes, but instead was recrawling the link in the "Recents" list on a new tab or bookmarks screen.
This is in no way a problem. There is precedent for browsers eagerly loading links, it happens all the time in regular webpages. This is most of the reason why anchors should be safe/side-effect free.
> then overly cautious and leave a potential problem unaddressed.
I don't think "do even the most cursory verification to check if the extraordinary thing I've just seen is actually happening" could be counted as "overly cautious".
Because a ton of people replied saying they couldn't reproduce the issue. It didn't help that the guy was snarky to a bunch of security researchers who asked him for more info.[1] He also neglected to mention that he'd recently visited the canary URL on that computer (which is why it was in Firefox’s recent shortcuts). Had he been more forthcoming with information, people would have figured it out sooner and his misinformation wouldn't have spread as far.
It would have been better to have done some verification first, before tweeting, to check whether it was actually doing what it appeared to be. Especially when you know your tweets have considerable reach.
> lololol @ the "security researchers" sliding into my DMs asking me to run shell commands and send them the output
> Go run your Little Snitch and WireShark and tcpdump and mdimport and mitmproxy and system_profiler on yourself; I'm not your SOC
Wow this guy comes across like a right twat. No wonder his apology sounds like it's coming out from furiously gritted teeth.
Still, I hope he learned something useful from this experience. Many of us have gone through a similar period of arrogance in our younger years, only to be shocked into looking back in shame later on.
I hope the Apple security team that was assigned to investigate this report is enjoying a nice beverage tonight. Dealing with unconfirmed critical security reports with few details can be a nightmare, especially when they turn out to be unfounded.
A few years back a company I was contracting for had one of their end users report a high severity security defect. Apparently he signed into the app and thought he had been hacked because a couple of large 6-figure transactions had been made.
After several hours of inconclusive investigation where even identifying the user proved difficult, this turned out to be him seeing the marketing example screens in the app store and having a panic. The app never even got installed and he never signed up for it.
The marketing screens were quickly updated to show something less impressive and with a sample data only warning...
I wonder how big of a company you'd have to be to go through all the effort of changing marketing screens because of that. I can think of the biggest company I've worked for laugh at that and move on.
> The app never even got installed and he never signed up for it.
....that is some serious "My computer won't turn on. No I can't check to see if the power cord is plugged in, its too dark to see back there because the power is out." energy.
I’m quite curious to be a fly on the wall where the decision was made to accommodate the lowest common denominator. Why wouldn’t he just be dismissed rather than wasting hundreds or thousands of dollars of employee time?
By chance could you illuminate the thought process?
Was it Personal Capital? I always thought it was silly that the demo screenshots in the marketing were some absurd amount in the multi millions. Like, who do you think you are marketing to?
Might be useful internally though. Back when I had a pet dinosaur I worked on an accounting program. Most test data was moving around 4 digit numbers. I made myself a richer test company and uncovered a few numeric bugs this way :)
Glad I saw this and now I wonder how often something turns out to be false and then we don‘t happen to read about the retraction. Next we incorporate the false information as facts into discussions with other people. I mean, I‘m worried enough about infosec that I had enough interest to read the story but then I wouldn‘t have returned to look further into the story, eventually finding out it was false. Instead I‘m just lucky to have checked out HN once again today.
How embarrassing for this man of many titles and authorities, to have his reputation upended by a foolish and avoidable false accusation. A slice of humble pie sticks in the throat, so it is heard.
79 comments
[ 1111 ms ] story [ 5494 ms ] thread- https://news.ycombinator.com/item?id=33095608 (83 comments)
- https://news.ycombinator.com/item?id=33096540 (102 comments)
A lot of people had their opinions on those two threads, didn't they?
Kudos to the ones who questioned the origin of the phenomenon instead of declaring immediately that the world is falling.
I also think it says a lot about collective anxieties over not using an open OS. The scanning wasn't happening but it was plausible and there wasn't really much to do about it other than try to verify it.
I think the episode says less about collective unwarranted paranoia and more about collective vulnerabilities.
I still am scratching my head about the new tweet though. It doesn't say the scanning isn't happening, just that it's not MacOS.
I didn't think it is plausible which is why I set up a whole bunch of replication scenarios to verify the extraordinary claim.
> It doesn't say the scanning isn't happening, just that it's not MacOS.
I think it's clear that the scanning isn't happening and that it was just Firefox refetching something?
"I now believe the canary token was triggered [...] by Firefox’s “recent” shortcuts on the home screen"
I’ve been thinking about this problem a lot. It seems to me you either go full send on the privacy front -> use FLOSS operating systems and self-host Nextcloud, or you want the comforts of modern apps and services -> buy into Apple’s or Google’s ecosystem.
There exists no option where you get to keep your privacy and enjoy modern technology.
The systems are very nice honestly, because they give you much more control (e.g. windows vs Linux).
Just looking at my own phone, payments, banking, planning transit rides, ordering cabs, keeping in touch with (online and offline) friends, streaming videos and music, gaming, ordering groceries, ordering takeout, translating documents, getting breaking news, taking (good) photos, and reporting vandalism to the city are all proprietary apps.
I don’t see a straightforward way to replace any of these with FOSS, and getting rid of them all would necessitate some serious concessions in my lifestyle.
> Just looking at my own phone, payments, banking, planning transit rides, ordering cabs, keeping in touch with (online and offline) friends, streaming videos and music, gaming, ordering groceries, ordering takeout, translating documents, getting breaking news, taking (good) photos, and reporting vandalism to the city are all proprietary apps.
Most if not all of those are websites that work fine in a perfectly normal browser on whatever operating system I care to use, in my experience.
Of the others, many depend on proprietary services, but pretty much all are accessible via their respective websites and I rarely see missing functionality.
payments - just use your card. You could even stick it in your phone case so you always have it if you have your phone
banking - there are some "app-only" banks where I live, but for every one there are 5 normal ones with websites
planning transit rides - all the ones I've used work in the browser
ordering cabs - around here they all have websites... or even phone numbers. Even Uber works via the website.
streaming videos and music - Spotify, YouTube, Twitch etc all work fine in a browser (in fact, on mobile they work better in a browser as you can block the ads!). If you want to host your own, there is Plex and similar.
gaming - most games won't work, but there are web-based and OSS games; Steam Deck could be an alternative
ordering groceries - around here they all have websites
ordering takeout - as above
translating documents - this one is weaker but there are several services that let you do this via the website
getting breaking news - if you really need to see them ASAP, use a site that has an RSS feed - they still exist! Might not work for local news though
taking (good) photos - plenty of OSS camera apps; using an actual camera could be an alternative
reporting vandalism to the city - must be specific to where you live; here everything is via web forms, and if there is an app it just wraps the website
- some services don’t work (you already mentioned WhatsApp, there’s also others (Discord, FB Messenger) - maybe you can use them in the browser but it’s going to be a subpar experience)
- some have limited functionality (bank: works but you need to carry the physical 2FA device to log in instead of using your fingerprint; groceries: around here, the ones with websites have high order minimums and delivery fees; translating: camera translation (essential when travelling or living abroad) is only on the Google Translate app AFAIK; news: the national public broadcaster here doesn’t have a ‘breaking’ RSS feed, and apparently even the ‘all news’ feed is broken anyways)
- carrying around separate devices (camera etc.) brings us back to the original point: if you want to enjoy the niceties of modern devices, FOSS is going to be a compromise
> this is the exact same technology Apple lets China use to hunt down their religious and political minorities
> one thing is for certain; Apple doesn't treat privacy as a human right. If you can live with that, then more power to you.
Something tells me people won’t use this as an excuse to accuse Firefox of human rights abuses though.
It was a weird moment when I found myself defending fb on hn more often than I criticized them (I think they're atrocious), but the comments on bigtech stories are just that stupid.
But I do think Apple get it worse than other companies.
Android posts don’t get as many comments that range from conspiracy to calling users sheep.
Google gets ribbed for their ADHD but rarely criticized anywhere as much if Safari or Chrome both add their web proposals before standardization.
Apple hardware gets trivialized when performance comes up whereas Intel, AMD and NVidia get vaunted.
So I agree every big tech company gets railed on here, but I think Apple gets a disproportionate amount of it.
Before someone says it, That’s not me defending them as a company, it’s me tired of the terrible discourse on every post that mentions them. There’s lots of things that would be interesting to criticize them for and read about, but every thread divulges into the same exact community talking points.
I thought they were exaggerating until they proved it to me, by letting me witness the train wreck, at a social gathering.
It’s a little bizarre to me, the litany of things they can talk about. I’m pretty sure I spend just about 0% of my energy thinking about where people get their phones or which mobile operating system they use.
You're inferring that the commenter deduced this solely from the new (incorrect) info. It seems a lot more plausible that they already hold the view (as I do) that Apple's privacy-friendly image is overblown, and used a separate issue to belabor that pt.
Though I do agree that this incident seemed unlikely w/o further evidence, even given Apple's traditional disdain for the user's control over their own system. And Apple has firmly joined the ranks of bigtech cos that HN threads are absolutely deranged about.
> That's It. I am done. Back to Debian Linux full time for me. Anyone want to buy a lightly used MacBook Air M1?
I hope they didn't already sell their M1 MBA!
Not that Debian Linux is bad. But selling a machine and setting up a new one is friction that I don’t mind seeing imposed as a cost of unthinkingly following cognitive bias.
It's sort of exhilarating to truly understand just how much of the world is built on absolute bullshit.
Exhilarating perhaps if the goal is to bullshit through life. Fake it until you make it, as it were.
If you hate bullshit, on the other hand, it's exhausting.
However, I think it's more dangerous on sites like HN where it's wrapped up in this illusion of rationalism, intelligence and elitism along with HN reputation for a "higher level of discourse" which makes people more likely to believe.
Turns out HN falls prey to all the same human biases as everywhere else.
A quick way to see it in action is find a thread about something you know deeply and read the comments.
What we do have here is dang, though, which is a lot more than Reddit generally has.
But at least I’ll admit that I’m not always right.
One thing that any programmer knows is that until you have a way to reproduce something in a clean environment, a bug report on its own cannot be fully trusted. That doesn't mean you ignore the possibility that the reporter is correct, because sometimes reproduction is very difficult indeed, but you have to allow for the fact that something about the user's environment or workflow unrelated to your own code might be at fault.
We are all susceptible to errors in our methodology or limitations in our understanding of how complex systems interact. We should be humble and careful about jumping to conclusions.
lololol @ the "security researchers" sliding into my DMs asking me to run shell commands and send them the output
Go run your Little Snitch and WireShark and tcpdump and mdimport and mitmproxy and system_profiler on yourself; I'm not your SOC.
"""
https://webcache.googleusercontent.com/search?q=cache:e2HBeu...
Agreed, but it's also important to look out for confirmation bias. There were users on Twitter and even one HN commenter in the linked threads above who claimed to have reproduced the issue and verified the flaw. The HN commenter later updated their comment to admit their mistake. However, it's interesting to see how once the idea has been seeded, people are primed to accept any suggestion that it might be true.
I'm still REALLY curious about the Facebook useragent. Where was that from, specifically? Firefox?
This is in no way a problem. There is precedent for browsers eagerly loading links, it happens all the time in regular webpages. This is most of the reason why anchors should be safe/side-effect free.
admit you were wrong and made it all up -> get people to ‘respect’ you and even more twitter followers
Besides the ham fisted approach, the original vuln idea seemed reasonable.
They were wrong, it happens to the best of us.
I’d say the potential security risk was worth raising the flag over.
Better be wrong and safe, having many of us learn something along the way, then overly cautious and leave a potential problem unaddressed.
I don't think "do even the most cursory verification to check if the extraordinary thing I've just seen is actually happening" could be counted as "overly cautious".
I mean, I wouldn't say "great" when you've incited a security panic because you didn't even do the bare minimum of ...
> looking more closely
1. See the bottom of the archived tweet thread: https://archive.ph/qKyA3
It would have been better to have done some verification first, before tweeting, to check whether it was actually doing what it appeared to be. Especially when you know your tweets have considerable reach.
> lololol @ the "security researchers" sliding into my DMs asking me to run shell commands and send them the output
> Go run your Little Snitch and WireShark and tcpdump and mdimport and mitmproxy and system_profiler on yourself; I'm not your SOC
Wow this guy comes across like a right twat. No wonder his apology sounds like it's coming out from furiously gritted teeth.
Still, I hope he learned something useful from this experience. Many of us have gone through a similar period of arrogance in our younger years, only to be shocked into looking back in shame later on.
Good practice for the real thing, though.
A few years back a company I was contracting for had one of their end users report a high severity security defect. Apparently he signed into the app and thought he had been hacked because a couple of large 6-figure transactions had been made.
After several hours of inconclusive investigation where even identifying the user proved difficult, this turned out to be him seeing the marketing example screens in the app store and having a panic. The app never even got installed and he never signed up for it.
The marketing screens were quickly updated to show something less impressive and with a sample data only warning...
....that is some serious "My computer won't turn on. No I can't check to see if the power cord is plugged in, its too dark to see back there because the power is out." energy.
By chance could you illuminate the thought process?