Apple Has a Patch out for the macOS Root Access Security Vulnerability

Go to the Updates tab in the Mac App Store to apply it now; you won’t even need to reboot. Apple has more details about the update at this link.

Here’s the post from yesterday with the details of the vulnerability.

Update:
If you have any trouble with file sharing after applying this security patch, Apple has another fix for that. Oops.

The macOS Root Access Security Vulnerability

There’s a vulnerability in the latest version of macOS High Sierra (10.13.1) that may let anyone with physical access to a Mac log in and gain system administrator (root) access. Or, if they already have an account, upgrade their access to the system administrator (root) level.

You can work around the issue by setting a root password as described in this support document from Apple. They’re working on fixing it.

The vulnerability works like this:

  1. At any login or privilege-escalation dialog, a user types in the username root.
  2. The user clicks the login button or presses Enter a few times in quick succession.
  3. The system enables the root user account and assigns it no password.

It is incredibly bad for Apple to have a vulnerability this easy to exploit, and it’s ridiculous that it was apparently also posted publicly on Apple’s developer forums weeks ago.
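An added check, not from the post or from Apple, for the state the post describes: it reads the root account’s record with dscl and turns the result into the action the post recommends (set a root password until the update is installed). It assumes macOS marks a disabled account with the `;DisabledUser;` token in the AuthenticationAuthority attribute; the sample outputs are constructed, not captured from a real Mac.

```python
import subprocess

# Assumption: macOS marks a disabled account with the ";DisabledUser;" token in the
# AuthenticationAuthority attribute of its Directory Services record.
DISABLED_TOKEN = ";DisabledUser;"
DSCL_CMD = ["dscl", ".", "-read", "/Users/root", "AuthenticationAuthority"]


def root_state(dscl_output):
    """Classify the root account from the text dscl prints: enabled, disabled or unknown."""
    for line in dscl_output.splitlines():
        if line.startswith("AuthenticationAuthority:"):
            return "disabled" if DISABLED_TOKEN in line else "enabled"
    return "unknown"


def advice(state, update_installed):
    """Map the state onto the post's guidance: set a root password until the update is in."""
    if state == "unknown":
        return "could not read the root record; run the dscl command by hand"
    if not update_installed:
        if state == "disabled":
            return "vulnerable: set a root password now (Apple's workaround) or install the update"
        # The bug enables root with no password, so an enabled root you did not set up is a red flag.
        return ("root is enabled: if you did not set its password yourself, someone may "
                "have triggered the bug; set a real root password and install the update")
    if state == "enabled":
        return "update installed: you can disable root again (dsenableroot -d) if you only enabled it for the workaround"
    return "update installed and root disabled: nothing to do"


def check(update_installed):
    """Run dscl on this Mac; on systems without dscl the state comes back as unknown."""
    try:
        result = subprocess.run(DSCL_CMD, capture_output=True, text=True, check=False)
        output = result.stdout + result.stderr
    except FileNotFoundError:  # not macOS: dscl is not present
        output = ""
    state = root_state(output)
    return state, advice(state, update_installed)


# Constructed sample outputs (not captured from a real machine) for the two states.
DISABLED_SAMPLE = "AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>\n"
ENABLED_SAMPLE = "AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>\n"

if __name__ == "__main__":
    print(check(update_installed=False))
```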

Star Trek: Continues is Excellent

With most fan-made productions you’re kind of left to go “oh it’s good… for a fan show.” That isn’t the case for Star Trek: Continues’ continuation of Star Trek’s original series. Continues is better than the new reboot movies; it’s also better than many of the shows after Deep Space 9. This show’s cast is excellent, the episodes are entertaining, and they have just the right amount of morality while still leaning into what made TOS so good.

Unlike Discovery you won’t have to subscribe to CBS’ crappy streaming service to watch Star Trek: Continues. Above is their playlist that has the full run of the show for free.

Uber Hid Hack of Data From 57 Million Users & Drivers

Bloomberg’s Eric Newcomer:

Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.

Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

Android Users’ Location Information Is Always Being Sent to Google

Quartz’ Keith Collins:

Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?

Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed.

Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.

Quartz observed the data collection occur and contacted Google, which confirmed the practice.

Google claimed it wasn’t doing anything with the data received from Android devices, and says it will stop collecting it (at the end of the month) now that Quartz has caught it.

I’m not sure why anyone should trust Google’s word about what they were doing with this information when they explicitly use location information to target ads and were pulling this shit with no way for a user to disable it.

You can bet that companies like Google (Photos), Facebook and its subsidiaries such as Instagram, and Twitter also scrape location information whenever you upload photos to their services, by reading the EXIF data attached to every photo. You can download apps like Metapho on iOS to remove the EXIF information from your photos before you share them.
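A small stripper for the Exif/XMP blocks the post is talking about, added here as an example (not the page’s code and not Metapho’s): it walks the JPEG segment table and drops the APP1 metadata segments, which is where the GPS tags live, without touching the picture data. The sample JPEG is constructed inline and is only a container, not a decodable picture.

```python
import struct

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # markers without a length field
# APP1 payload prefixes that carry metadata; Exif's GPS IFD and XMP both hold coordinates
METADATA_PREFIXES = (b"Exif\x00\x00", b"http://ns.adobe.com/xap/1.0/\x00")

def iter_segments(jpeg):
    """Yield (marker, start, end) byte ranges; the SOS range runs to end of file."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    yield SOI, 0, 2
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # counts its own 2 bytes
        if marker == SOS:  # entropy-coded pixel data follows; keep the rest verbatim
            yield marker, pos, len(jpeg)
            return
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def is_metadata_segment(jpeg, marker, start):
    # start points at the 0xFF byte; the payload begins after marker and length
    return marker == APP1 and jpeg.startswith(METADATA_PREFIXES, start + 4)

def has_location_metadata(jpeg):
    # True if an Exif or XMP APP1 block is present (where GPS tags live)
    return any(is_metadata_segment(jpeg, m, s) for m, s, _ in iter_segments(jpeg))

def strip_metadata(jpeg):
    # Copy of the JPEG with Exif/XMP blocks dropped; pixel data is untouched
    out = bytearray()
    for marker, start, end in iter_segments(jpeg):
        if not is_metadata_segment(jpeg, marker, start):
            out += jpeg[start:end]
    return bytes(out)

def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: Exif block = TIFF header + one IFD0 entry pointing at a GPSInfo IFD (tag 0x8825)
EXIF_PAYLOAD = (b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x01"
                b"\x88\x25\x00\x04\x00\x00\x00\x01\x00\x00\x00\x1a\x00\x00\x00\x00")
SAMPLE = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _segment(APP1, EXIF_PAYLOAD) + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\x34\x56\xff\xd9")
```

Run `strip_metadata` on the bytes of a real photo before uploading it; the output is the same picture with the Exif and XMP blocks gone.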

HQ’s CEO Sounds Perfectly Normal

Well this is bizarre. The CEO of the company that owns the mobile video trivia app I wrote about just last week, Rus Yusupov, threatened to fire the game show’s most popular host (Scott Rogowsky) if a reporter ran a profile about the host.

Taylor Lorenz:

Scott agreed to the interview and chatted with The Daily Beast on Monday afternoon. The Daily Beast simultaneously reached out to the HQ public relations email account and Yusupov, one of HQ’s founders, letting him know of our plans to write a story about the show’s host.

Several hours later, we received an email from Yusupov stating that HQ was “not making Scott available to discuss his involvement with HQ with the media/press.” The reporter informed Yusupov that we had already interviewed Scott and that the story was nearing publication, but encouraged him to call us with any concerns.

That’s when things went off the rails.

Yusupov, the CEO of HQ, called the reporter’s cellphone and immediately raised his voice. He said that we were “completely unauthorized” to write about Scott or HQ without his approval and that if we wrote any type of piece about Scott, he would lose his job.

The rest of the article gets even more outrageous. A friend wondered if Yusupov’s reaction was inauthentic and intended to get more people reading about his trivia game, and I really don’t think so. HQ runs twice daily during the week, and the next game after this article was published was late due to “technical difficulties” and Rogowsky’s on-air behavior once the game finally started was a little awkward early on.

Terry Cavanagh’s Constellation

Terry Cavanagh makes some wacky games, or art pieces in this case. This website, and this itch page, are for his new project called Constellation. You type things in and they might appear onscreen. It’s free through the website, or for a name-your-own-price download on itch.

Nick Heer on the iPhone X

There are plenty of reviews out there now, but few had much time with the iPhone X before it was released because Apple chose to not give reviewers an opportunity to spend much time with it.

Nick Heer:

The iPhone X is a product that feels like it shouldn’t really exist — at least, not in consumers’ hands. I know that there are millions of them in existence now, but mine feels like an incredibly well-made, one-off prototype, as I’m sure all of them do individually. It’s not just that the display feels futuristic — I’ll get to that in a bit — nor is it the speed of using it, or Face ID, or anything else that you might expect. It is all of those things, combined with how nice this product is.

Don’t Let Children Watch “YouTube Kids”

James Bridle has a terrifying and important article. It’s pretty long, but the most important point is that people and businesses are systematically generating new videos for YouTube that look like tame pirated copies of shows like Peppa Pig but after a few minutes turn into something really awful, and the YouTube app and site for kids don’t filter these out:

A step beyond the simply pirated Peppa Pig videos mentioned previously are the knock-offs. These too seem to teem with violence. In the official Peppa Pig videos, Peppa does indeed go to the dentist, and the episode in which she does so seems to be popular — although, confusingly, what appears to be the real episode is only available on an unofficial channel. In the official timeline, Peppa is appropriately reassured by a kindly dentist. In the version above, she is basically tortured, before turning into a series of Iron Man robots and performing the Learn Colours dance. A search for “peppa pig dentist” returns the above video on the front page, and it only gets worse from here

This crap skates by because YouTube (and Google, and other companies) refuse to take responsibility for moderating what they host. Instead of hiring more people to moderate these things, the moderation is offloaded to algorithms and viewers.

Even if you only start a video on an official channel, autoplay and the recommendations next to and after the video may take a viewer to another one.

tl;dr: Don’t let your kids watch YouTube. If you don’t have kids, please let your friends who do know about this problem.