InchBlog

Never put off the work till tomorrow what you can put off today.

More US agencies potentially hacked, this time with Pulse Secure exploits — 04/30/2021

At least five US federal agencies may have experienced cyberattacks that targeted recently discovered security flaws that give hackers free rein over vulnerable networks, the US Cybersecurity and Infrastructure Security Agency said on Friday.

The vulnerabilities in Pulse Connect Secure, a VPN that employees use to remotely connect to large networks, include one that hackers had been actively exploiting before it was known to Ivanti, the maker of the product. The flaw, which Ivanti disclosed last week, carries a severity rating of 10 out of a possible 10. The authentication bypass vulnerability allows untrusted users to remotely execute malicious code on Pulse Secure hardware, and from there, to gain control of other parts of the network where it’s installed.

Federal agencies, critical infrastructure, and more

Security firm FireEye said in a report published on the same day as the Ivanti disclosure that hackers linked to China spent months exploiting the critical vulnerability to spy on US defense contractors and financial institutions around the world. Ivanti confirmed in a separate post that the zero-day vulnerability, tracked as CVE-2021-22893, was under active exploit.

In March, following the disclosure of several other vulnerabilities that have now been patched, Ivanti released the Pulse Connect Secure Integrity Tool, which streamlines the process of checking whether vulnerable Pulse Secure devices have been compromised. Following last week’s disclosure that CVE-2021-22893 was under active exploit, CISA mandated that all federal agencies run the tool.

“CISA is aware of at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access,” Matt Hartman, deputy executive assistant director at CISA, wrote in an emailed statement. “We are working with each agency to validate whether an intrusion has occurred and will offer incident response support accordingly.”

CISA said it’s aware of compromises of federal agencies, critical infrastructure entities, and private sector organizations dating back to June 2020.

They just keep coming

The targeting of the five agencies is the latest in a string of large-scale cyberattacks to hit sensitive government and business organizations in recent months. In December, researchers uncovered an operation that infected the software build and distribution system of network management tool-maker SolarWinds. The hackers used their control to push backdoored updates to about 18,000 customers. Nine government agencies and fewer than 100 private organizations—including Microsoft, antivirus maker Malwarebytes, and Mimecast—received follow-on attacks.

In March, hackers exploiting a newly discovered vulnerability in Microsoft Exchange compromised an estimated 30,000 Exchange servers in the US and as many as 100,000 worldwide.

Microsoft said that Hafnium, its name for a group operating in China, was behind the attacks. In the days that followed, hackers not affiliated with Hafnium began infecting the already-compromised servers to install a new strain of ransomware.

Two other serious breaches have also occurred, one against the maker of the Codecov software developer tool and the other against the seller of Passwordstate, a password manager used by large organizations to store credentials for firewalls, VPNs, and other network-connected devices. Both breaches are serious, because the hackers can use them to compromise the large number of customers of the companies’ products.

Ivanti said it’s helping to investigate and respond to exploits that the company said have been “discovered on a very limited number of customer systems.”

“The Pulse team took swift action to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system, and we plan to issue a software update within the next few days,” a spokesperson added.

A Wildlife Photographer Critiqued Our New Pokémon Snap Photos —

There’s an invigorating thrill to catching one of New Pokémon Snap’s lovingly animated critters coming out of a hiding spot you’d been coasting past for the last few runs of a level. Like its 1999 predecessor, New Pokémon Snap keeps you on a set track, allowing you to rotate 360 degrees to snap your camera shutter. It’s at its best when you finally turn at just the right time and pay attention to just the right nook.

You can prod subjects to have a joyous little feast, or dance, or exhibit some other surprising, character-specific action. You can highlight them with a radiant glow under the night sky. The level of interaction is curated but can lead to bucolic moments, and there’s a healthy enough variety of beasts and behaviors to make the game a nicely satisfying and sedate experience.

But how closely does New Pokémon Snap resemble real-world nature photography? To find out, I enlisted Melissa Groo to judge my in-game photos. In addition to taking home the grand prize in the 2015 Audubon Photography Awards, Groo has had her work exhibited in the Smithsonian Museum of Natural History, serves as an advisor to the National Audubon Society, and writes frequently on nature photography and wildlife conservation. 

In New Pokémon Snap, a character named Professor Mirror rates your pictures based on how centered the subject is, how many Pokémon are in frame, and whether you captured any unique behavior. As you might have guessed, Groo has other thoughts. Following are several in-game photos we took this week—and her candid critiques of how they turned out. 

This interview has been edited for clarity.

Courtesy of Jonathan Peltz

Groo: Usually as wildlife photographers, we don’t necessarily put our subject in the middle of the frame. But if the subject is facing us, sometimes that does work really well. So compositionally, it looks like the animal is head on, and in that case, that works to place it in the center. But in wildlife photography, it’s super important for the viewer to feel a sense of connection with a subject, and that’s really through the eyes. Even if you can’t see, like, 95 percent of the body, just getting a glimpse, even just one eye, is crucial.

WIRED: OK … that was my worst photo. I think they’ll get better from there. I should also tell you: In the game, you’re on a track and inside a little pod that goes from one end of the level to the next. You can’t control the movement.

Courtesy of Jonathan Peltz

Groo: Compositionally, I really like it. I think the spacing works really well. I would say the one thing that’s not ideal, and I don’t know if this is fair to critique, but as wildlife photographers we’re always looking at lighting conditions, and we’re avoiding times of day when the sun is really high because it creates very contrasting conditions such that the top of an animal is going to be really bright. And then the bottom part is going to be dark. It’s sort of this aesthetically jarring thing where I won’t—if it’s going to be a sunny day, I stop shooting at like 9 in the morning, because I want to avoid that contrasty look.

Courtesy of Jonathan Peltz

There’s a lot of dead space to the left, and something like this I would have cropped in. I would have gotten closer and maybe placed him or her a little bit more to the corner to the left. So compositionally, I think it’s a little problematic. I would have maybe tried to include the whole of those structures behind instead of cutting them off at the top. So it would have been more of a story about that stuff. And then just getting rid of this dead space in the front and to the left that doesn’t really add anything to the story. 

WIRED: [I explained how the game’s judging system works, that it favors centered, portrait-style photos, and that Professor Mirror scored this photo really well.]

Groo: So they’re telling you they want it centered?

WIRED: Yes.

Groo: [laughs] This is so alien to me.

Courtesy of Jonathan Peltz

I like this. We talk a lot about leading lines. And this, the stream, takes your eye up into the photo, and you just sort of follow it around. Then you start looking at the animals, and they’re all sort of doing their thing. Engaging in natural behavior. It’s a pretty landscape. At the same time it’s interesting in terms of animals and how they’re arrayed and how they’re busy doing their thing. I think this is a successful shot.

Courtesy of Jonathan Peltz

Compositionally, I think it works. I wish there was more light on the face. The bird seems to be kind of lit from behind. And I’m always more trying to get the light to fall on the face or on the front of the bird and on the back. But again, it’s highlighting that gorgeous feather attribute that comes off of the head so it can work. It’s just a little bit dark on the right.

WIRED: So would it be kosher for me to fix this in post-production and make it brighter?

Groo: As long as it’s within reason. It’s called dodging and burning, and even Ansel Adams did it: lightening and darkening certain parts of the picture to make it more aesthetically pleasing. That’s completely acceptable in wildlife photography, to a point. If it gets too heavy-handed or unnatural, photo contests won’t accept it. Other people who have seasoned eyes or know the field of photography and what light can and can’t do can tell by looking at an adjusted photo that it doesn’t look real.

Courtesy of Jonathan Peltz

This is good. It’s a little bit dark. I wish there were more light on the fish. That expression is interesting. And I do wonder if it’s mad at the photographer. Is the photographer crowding it? Is it getting too close? I mean, when you see a creature look angry, in wildlife photography, that’s often when people may draw conclusions like, “Gosh, the photographer must have been really crowding that animal, because it looks pissed off.” So that would be the only caution. Maybe that wasn’t the case. But that’s just something to be aware of.

WIRED: No, you hit the nail right on the head. I threw an apple at it. [I explained that to get a Pokémon to face you in the game, you throw fruit at it to get its attention.]

Groo: This is a little bit worrisome to me. I just worry that people might transfer some of this to the field, to real experiences with wild animals to try to get a reaction, even if they just want to make a connection and have an animal look at them in the eye. Or they want to incite some sort of defensive or reactive expression. That would be my concern. I already have concerns about kids who just don’t know any better, and they throw little rocks at gulls on the beach. At a time when wildlife really needs us to better support it and honor it and give it space, to sort of create this culture where we’re interfering with nature for our own entertainment?

A lot of my work is really about teaching people the dangers of feeding wildlife and how that habituates wild animals to people. And that often does not end well for the animal. Maybe you’ve heard the expression “a fed fox is a dead fox.” Well, that’s pretty much applicable to any predator.

I don’t want to sound like a total killjoy, because there’s probably an upside to this. It’s getting people excited about different kinds of creatures and the diversity and the beauty and whimsical nature of some of these animals. But technology is driving all of our instincts and our reactions and our inclinations, and it’s concerning.

Courtesy of Jonathan Peltz

I think this is a lovely image. It looks like it’s backlit, so you get this rim of light all around the animal when the subject is between you and a light source. It’s a technique that I love to employ in my photography, because it gives you such a great sense of the lines of an animal. I like how it looks tranquil and unbothered. But am I wrong? Was an apple just thrown?

WIRED: Oh no, now you’re worried! No, this was the orb. The orb gives the animal a light around its body. But they don’t notice when the orb is thrown.

Groo: Then that’s my favorite. My favorite part of the game is the orb. You can say that, OK? Because it doesn’t interfere with them, it just lights them up and highlights their beauty, and it doesn’t change their behavior. 

If I had any superpower, I’d be invisible. Any wildlife photographer worth their salt wants to capture natural behavior. And so we’re always seeking ways to be as nondisruptive as possible. The thought of throwing something at the animal is the worst possible thing we can do, ethically, as photographers. Most of the time it’s going to make an animal take off and be scared of us. Our whole thing is spending deep time with individual animals. How do you get an animal comfortable with you? Well, you don’t throw shit at it. You just kind of become a part of the environment yourself. A nonthreatening benign presence in that landscape.

Courtesy of Jonathan Peltz

I think compositionally, this one is good. Did you do some Photoshop work on it?

WIRED: Yes, I did! [I used the game’s built-in photo editing tools, and I explained them to Groo.]

Groo: I think basically it’s good. It’s maybe a little bit bright on them. Might turn that down a little bit. It’s just like a little too “WHOOOOA” bright; the contrast might be too heavy-handed.

Courtesy of Jonathan Peltz

The fact that it’s kind of cut off on the top is not appealing. I can’t get past that. And the Photoshop effect and everything is all a little too psychedelic for me.

WIRED: Tacky?

Groo: Yeah.

Courtesy of Jonathan Peltz

Groo: This is a sweet moment of behavior between a parent and young dolphin-type thing. I think it’s pretty good. Fine. Is he freaked out?

Courtesy of Jonathan Peltz

WIRED: I threw an apple at him. And then I also added the bow tie and graduation hat with the game’s editing tools.

Groo: I think the bow tie is cute. I wish the hat wasn’t cut off. And I don’t like that he’s uncomfortable. I totally understand the need for ways for people to interact with what’s happening on the screen, but what if there were a little receptacle in the background and it was like, oh, you have to throw a ball in the receptacle near the animal. Something where the object of hitting was not the actual animal. God, there are so many geniuses they had working on that game. Could they have come up with some other means of engagement than provoking an animal?

WIRED: Do you think, right now, during the pandemic, when not everyone has access to nature, and they can’t necessarily travel to it, an experience like this is valuable?

Groo: I think there’s no substitute for the real thing. The benefits that nature gives us, even if you’re just walking in an urban park, far surpass anything you’re going to get from a screen. But if they can teach people something about the importance of land for an animal—every animal needs a home, and animals have very specific kinds of homes that they need, so if there’s anything that talks about conservation of animals, that’s a good thing. If there’s some sense conveyed that there’s this rich world of wildlife out there, something more fantastic and amazing than we can dream. It’d be great if the game had something like, “Go out there and see wild animals, and respect them and protect them!” or a disclaimer like, “Please don’t throw things. Please don’t feed wildlife. This is a game.” Do they have that anywhere?

WIRED: I haven’t beaten the game yet.

Groo: I strongly recommend that they add something like that. If they want me to advise them on it, I’m happy to do it.

WIRED: Can you tell from these photos if I have any natural talent for photography?

Groo: You could be on your way. You have some good compositional grasp and some good concepts about lighting. You just need to get out there and get some practice with the real thing.

Groo and I discussed the importance of nature photography to conservation efforts. I asked her about the role nature photography plays in conservation and whether players will understand the role nature photographers play in environmental protection and awareness.

Groo: There’s a whole genre of photography now of conservation photography, where photographers are really working hard to use their photos and to take photos that are sort of storytelling photos about an animal and its habitat. And then they try to find ways to use those photos to raise awareness, to get people to care about a particular animal or the landscape that animal depends on. They want to find different ways to get the word out and educate people, to sort of expand people’s sympathies, and that’s really what my work is about.

And, and more and more, I think nature photographers are realizing it’s not enough just to make pretty pictures anymore. The state of the world—the fact that we’re in the sixth great extinction—people are realizing, “OK, I need to use my photos to affect change.” And ethics is a big part of that. How can we be out there as conservation photographers, and not disturb or disrupt our subjects and instead honor them? How do we really come away with natural photos where the animal does not look disturbed by us? And how do we walk away leaving no trace, doing no harm?

So yeah, photos now have the power to really go viral. I think this is a really exciting time to be a conservation photographer or a nature photographer, because we’re such visual creatures. Both in the eyes of social media and the ability of our photos to go viral and to be seen by so many. I’ve seen photos that have more power than words do because it’s a universal language. And so with that power that we have, as photographers with that ability to go viral, it’s really incumbent on us to advocate for our subjects and to model good behavior as photographers and to be honest and truthful in our captioning.

Verizon tries to sell Yahoo and AOL after spending $9 billion on fallen giants — 04/29/2021

Yahoo logo at the 2014 International CES conference in Las Vegas. Getty Images | Ethan Miller

Verizon is reportedly ready to give up on Yahoo and AOL after spending a combined $9 billion on the once-dominant Internet brands that fell from prominence years before Verizon bought them.

“Verizon is exploring a sale of assets including Yahoo and AOL, as the telecommunications giant looks to exit an expensive and unsuccessful bet on digital media,” The Wall Street Journal reported yesterday. The sale process involves private-equity firm Apollo Global Management and “could lead to a deal worth $4 billion to $5 billion,” the Journal wrote, citing “people familiar with the matter.”

We asked Verizon if it has a response to the WSJ report today, and a spokesperson told us the company has “nothing to add.”

The Journal report is a bit vague. The headline says that Verizon is exploring the sale of “parts of Yahoo and AOL,” but the story itself does not contain that “parts of” qualification. The article also said that “[o]ther details couldn’t be learned.”

Bloomberg’s article on the potential sale said that Verizon is considering selling its entire media division, including Yahoo and AOL, and did not contain any qualification suggesting that only “parts of” the units would be sold. Verizon “is talking to Apollo Global Management about a deal, [people familiar with the matter] said. It couldn’t immediately be learned how a deal would be structured or if other suitors may emerge. No final decision has been made and Verizon could opt to keep the unit,” Bloomberg wrote.

Verizon purchased AOL in 2015 for $4.4 billion and bought Yahoo in 2017 for $4.5 billion, combining the two into a subsidiary called “Oath.”

Failure quickly followed Yahoo purchase

Verizon’s acquisition-fueled media division failed to compete effectively against Google and Facebook in the advertising market. Verizon realized its media plans weren’t panning out by the end of 2018 when it said that Oath “experienced increased competitive and market pressures throughout 2018 that have resulted in lower-than-expected revenues and earnings.” This led to a non-cash goodwill impairment charge of about $4.6 billion, wiping out nearly all of Oath’s goodwill value.

In January 2019, Verizon announced layoffs of 7 percent of the 11,385 employees in the media division, or about 800 employees. Verizon renamed Oath as “Verizon Media” that same month. Another 150 layoffs followed in December 2019 after another drop in revenue.

“The [Verizon Media] business, which also includes Yahoo Finance and Yahoo Mail as well as news sites TechCrunch and Engadget, generated $7 billion of revenue in 2020, down 5.6 percent from the previous year due to a sharp advertising pullback during the early months of the coronavirus pandemic,” the Journal report said. “Business picked up in the second half and the unit has logged two consecutive quarters of double-digit growth, including a boost of 10 percent, to $1.9 billion, in the first quarter.” However, the media business “failed to reach its target of $10 billion in annual revenue by 2020,” and “[b]y selling now, Verizon could raise needed cash at a time when valuations of similar assets are enjoying an upswing,” the Journal wrote.

Tumblr, which Yahoo bought for $1.1 billion in 2013, was sold by Verizon to WordPress.com owner Automattic in 2019. An Axios report at the time said that a “source familiar with the deal puts the price-tag ‘well below’ $20 million, while another source puts it below $10 million.”

Verizon agreed to sell HuffPost to BuzzFeed in November 2020 and subsequently informed investors of “a net loss of $119 million primarily related to the disposition of the HuffPost business.”

Verizon recently committed to spend $45.45 billion in the 3 GHz “C-Band” spectrum auction to improve its mobile network. Verizon told investors that its capital expenditures in 2021 will total between $19.5 billion and $21.5 billion, “including the further expansion of 5G mmWave in new and existing markets, the densification of the 4G LTE wireless network to manage future traffic demands and the continued deployment of the company’s fiber infrastructure,” and “deployment of the company’s C-Band 5G network.”

Verizon’s total operating revenue in Q1 2021 was $32.9 billion, up 4 percent year over year. Net income was $5.4 billion, up 25.4 percent year over year.

Office default Calibri will join Clippy, Internet Explorer in Windows retirement — 04/28/2021

In tech, all good defaults (that aren’t the Mac startup chime, at least) must someday come to an end. Today, Microsoft announced its Office font since 2007—the everyman sans serif, Calibri—would soon join Clippy, Internet Explorer, and the Windows 8 Start button in the big Windows graveyard in the sky.

“Calibri has been the default font for all things Microsoft since 2007, when it stepped in to replace Times New Roman across Microsoft Office,” the Microsoft Design Team opined in Calibri’s de facto obit. “It has served us all well, but we believe it’s time to evolve.”

Microsoft is now on the hunt for tech’s next great default font. Rather than going the reality competition route and opening up the search to any old handwritten font family, the company has commissioned five custom fonts that will now vie for this cushy gig.

Say hello to the candidates hoping to get the final rose from the Microsoft Design Team. Microsoft

As pictured above, the new potential default fonts are called Tenorite, Bierstadt, Skeena, Seaford, and Grandview. All five are sans serifs—shots fired at the legacy of Times New Roman—and the Microsoft Design Team made a case for each when unveiling these new options.

Tenorite appealed because it took an opposite approach from Calibri (round, wide, and crisp rather than soft corners and narrow proportions). Bierstadt is Yet Another Helvetica Impostor™ (aka, a new typeface in the “grotesque sans serif” category). Skeena and Seaford are sans serifs, each designed to mimic certain aspects of serifs. The former is based on the shape of serif typefaces; the latter is “rooted in the design of old-style serif text typefaces” to evoke familiarity. And Microsoft evidently means serious familiarity.

“To pinpoint the kind of familiarity and ‘comfort’ the typeface should evoke, we also looked at pictures of old armchairs: in chair terms, we were going for a practical interpretation of a beautiful family heirloom; durable upholstery, nothing overtly plushy or nostalgic,” wrote designer Nina Stössinger. “And when it comes to italics, it turns out there are parallels between chair ergonomics and typography: rather than inflating it and making it softer, trust the rigid moments that are good for your back.”

The last candidate stands as a personal favorite (clearly, it’d look its absolute best in lowercase surrounded by a certain hued circle). Grandview designer Aaron Bell said he was inspired by classic German road and railway signage, which emphasized readability so onlookers could understand from a distance or in poor weather.

His explanation of how this idea evolved felt appropriately and mechanically German:

Using Bahnschrift—a prototype I developed in the mechanical style of DIN [the German Industrial Standard]—as a starting point, I decided to keep the x-height large. This results in better legibility and readability at smaller sizes on low-resolution devices, which matters because Grandview is intended for body text on any computer running Windows. Then, I created a version about 20 percent wider than the original design and interpolated between them to find the exact right balance between Bahnschrift-ness and the horizontal aspect. Ultimately, I found increasing the width of the lowercase by 40 units (four to five percent) was perfect. The width of the uppercase was also increased by about 20 units (roughly two percent) to keep them in step with the lowercase.

For now, Microsoft hasn’t provided a firm timetable for this font farewell to take place. (The announcement blog also isn’t entirely clear whether this new default font will replace Calibri only in the Office suite or across Windows—we reached out to Microsoft for clarification and will update this post if we hear back.) Instead, it urged any Office users with fervent font feelings to… at-them on Twitter. No public vote or anything. Evidently, this is not a font-acracy; the ultimate decision will be made in Redmond.

Update, 6:15 pm EDT: We heard back from Microsoft’s PR team shortly after publication to clarify any confusion from the blog post. Segoe UI is Microsoft’s Windows and Web UI font, while Calibri has been the default font for users’ content (such as in Microsoft 365 apps). Whatever new font is declared the winner, it will replace Calibri in that Microsoft 365 role specifically.

Verizon “leads” all US carriers in mmWave 5G availability at 0.8% —

A Verizon booth at Mobile World Congress Americas in Los Angeles in September 2018.

US mobile customers are almost never able to connect to millimeter-wave networks even though the cellular industry and Verizon in particular have spent years hyping the fastest form of 5G.

AT&T and T-Mobile customers with devices capable of using millimeter-wave networks were connected to mmWave 5G only 0.5 percent of the time during the 90-day period between January 16 and April 15, 2021, according to an OpenSignal report released today. Even on Verizon, the carrier with the most aggressive rollout of mmWave 5G, users with compatible devices spent 0.8 percent of their time on the high-frequency network that uses its large capacity to provide faster speeds than low- and mid-band spectrum.

Average download speeds on mmWave 5G were 232.7Mbps for AT&T, 215.3Mbps for T-Mobile, and 692.9Mbps for Verizon. You can see the average time connected to mmWave 5G and the average speeds in these charts from OpenSignal:

The “average time connected to mmWave 5G” chart represents the percentage of time connected to mmWave among users who have a mmWave 5G-capable device and have connected to mmWave at least once, OpenSignal told Ars today. That means the numbers aren’t driven down by devices that simply aren’t new enough to use mmWave 5G—the percentages for all three major carriers are under 1 percent when evaluating users who definitely have devices compatible with the mmWave networks.

“In Opensignal’s analytics, we consistently see our Verizon mmWave 5G users experiencing a higher average time connected to mmWave 5G than users on the other US carriers,” the report said. “In this 90-day period, our Verizon users saw a mean time connected to mmWave 5G of 0.8 percent compared with 0.5 percent on AT&T and T-Mobile. However, despite Verizon appearing to be ahead this result actually represents a statistical tie because of overlapping confidence intervals with AT&T.” All three major carriers have “plenty of scope to increase the availability of mmWave 5G services,” the report noted.

Overall 5G availability between 11% and 33%

Another report released by OpenSignal today said that—when counting 5G on all spectrum bands, not just mmWave—5G was available 33.1 percent of the time on T-Mobile, 20.5 percent of the time on AT&T, and 11.2 percent of the time on Verizon.

OpenSignal’s speed-test apps “collect billions of individual measurements every day from over 100 million devices worldwide,” producing “the vast majority of our data via automated tests that run in the background,” the testing firm says.

Verizon’s lead in mmWave 5G is not surprising because “Verizon’s 5G deployment strategy has placed a strong emphasis on mmWave while T-Mobile has focused on its 600 MHz and its 2.5 GHz spectrum assets for 5G services, and AT&T has mainly used low-band for 5G so far,” OpenSignal said.

mmWave use could rise in summer

mmWave 5G was never likely to become the primary form of mobile connectivity, because the high-frequency radio waves don’t travel far and are easily blocked by walls and other obstacles. The pandemic has also limited opportunities for people to connect to mmWave 5G because the technology makes the most sense in heavily populated outdoor areas and at large events.

“With the pandemic, large groups of people were not congregating as much in city centers, sports stadiums, or shopping malls—so we haven’t yet seen the full benefit of mmWave 5G services,” OpenSignal VP of Analysis Ian Fogg told Ars in response to our questions. “Additionally, we will likely see seasonal differences in the time users spend connected to mmWave, given that mmWave sites are mostly located outdoors.”

Fogg noted that “the physics of high-frequency mmWave spectrum bands means signals that originate outdoors tend to stay outdoors” and that people obviously spend more time outdoors in the summer than the winter. However, “when we see more mmWave deployed inside large buildings such as shopping malls or metro systems, seasonality will reduce,” he said.

Those caveats mean that it’s too early to write off mmWave 5G as a major player in mobile Internet use. But so far, mmWave 5G is barely making a ripple in US mobile connectivity, and it is not clear whether it will ever become a big factor for smartphone users. The technology could end up helping many home-Internet users get faster speeds through point-to-point connections, but most people would prefer a wired connection. Moreover, the emergence of SpaceX Starlink’s low Earth orbit satellite service may reduce interest in mmWave 5G for home Internet, and availability for Verizon’s mmWave 5G Home service is very limited. T-Mobile recently launched a 5G home Internet service, but it doesn’t use mmWave.

Massive hype, then reality

Verizon claimed in July 2019 that “5G Ultra Wideband,” its marketing name for mmWave, “has the potential to drive broad, systemic transformation that not only benefits consumers and enterprises, but humanity as a whole.”

Verizon wrote, with perhaps some hyperbole:

5G promises more than just a faster download. The fifth generation of wireless represents a technological breakthrough that has been likened to prior Industrial Revolutions involving electricity, the steam engine, and the personal computer. It has the potential to be a watershed moment in history, one that will fundamentally change the way we live, work, learn and play. The leap from 3G to 4G was huge, but the one from 4G to 5G will likely be transformational, upending entire industries and creating new ones overnight.

Anything would be possible with Verizon’s mmWave 5G, the company claimed. “At the end of the day, 5G Ultra Wideband is about unparalleled digital experiences. If people can dream it, Verizon 5G Ultra Wideband can help deliver it.”

Verizon had launched mmWave 5G in April 2019 in “select areas” of Minneapolis and Chicago, but reviewers had trouble even finding a signal. Later that year, it became clear that Verizon 5G wasn’t capable of covering an entire NFL stadium or an NBA arena.

In April 2018, AT&T boasted of 5G trials that produced “gigabit wireless speeds on mmWave spectrum in both line-of-sight and some non-line-of-sight conditions.” AT&T claimed at the time that mobile 5G would “bring to life experiences like virtual reality, future driverless cars, immersive 4K video, and more.” The company said its mmWave 5G signals were strong enough to withstand “rain, snow, or other weather events” and to “penetrate materials such as significant foliage, glass, and even walls better than initially anticipated.”

But when AT&T finally launched 5G, it was using lower spectrum bands and producing only 4G-like speeds. AT&T also deliberately tried to confuse customers by renaming its 4G LTE-Advanced service “5G E.”

5G hype used for lobbying and deregulation

Beginning in 2018, T-Mobile used the promise of 5G to lobby for government approval of its acquisition of Sprint, and then-Federal Communications Commission Chairman Ajit Pai claimed the need for 5G justified deregulation and big reductions in fees paid by carriers to local governments.

But Verizon said that Pai overturning local rules and fees would have no impact on the pace of its 5G rollout. T-Mobile was publicly casting doubt on the usefulness of mmWave 5G by at least April 2019, when Chief Technology Officer Neville Ray wrote that millimeter-wave spectrum used for 5G “will never materially scale beyond small pockets of 5G hotspots in dense urban environments.” Verizon subsequently acknowledged that mmWave isn’t for widespread coverage.

Verizon had to tamp down 5G claims

In July 2020, Light Reading wrote that “Verizon appears to be the only US operator with plans to significantly expand its 5G network in millimeter wave (mmWave) spectrum,” as T-Mobile and AT&T weren’t showing much enthusiasm for the high-frequency radio waves.

While 5G is deployed on a mix of low- to high-frequency spectrum, Verizon said in May 2020 that non-mmWave 5G would only provide small improvements compared to 4G in the near term. Verizon said that customers will eventually see “dramatic improvements” but didn’t say when that would happen.

In July 2020, after a complaint from AT&T to the advertising industry’s self-regulating body, Verizon reluctantly agreed to stop running ads that falsely implied the carrier’s 5G mobile service was available throughout the United States. The National Advertising Division said that during its investigation, Verizon did not dispute that its “5G coverage is primarily restricted to outdoor locations in certain neighborhoods and varies from block to block.”

Verizon has since launched 5G more broadly on the same spectrum bands used for 4G. But Verizon is now in third place in average 5G download speed, according to OpenSignal.

“Our T-Mobile users saw average 5G download speeds of 71.3Mbps, ahead of AT&T users’ score of 54.9Mbps and Verizon of 47.7Mbps,” OpenSignal’s 5G report said. “Our T-Mobile users’ average 5G download speed has increased by an impressive 13.2Mbps compared to our January 5G report, while our users on AT&T and Verizon saw their average speeds more or less stationary at 54.9Mbps and 47.7Mbps, respectively.”

Including both 5G and previous-generation networks, average download speeds were 33.2Mbps on AT&T, 28.9Mbps on Verizon, and 28.8Mbps on T-Mobile, an OpenSignal report in January 2021 found. While T-Mobile leads the three carriers in overall 5G availability at 33.1 percent, OpenSignal’s January report found that 4G was available between 96 and 98 percent of the time on all three major carriers.

Chipmaker says it will ramp up production of older 28nm chips —

Chipmaker says it will ramp up production of older 28nm chips

A woman watches a mask—a part used in wafer conception—at a show room of the 12-inch United Microelectronics Corp (UMC) factory in Tainan, southern Taiwan.
Sam Yeh | Getty

United Microelectronics Corporation (UMC), the world’s fourth-largest contract chipmaker, is expanding its capacity to produce mature technology chips in exchange for financial guarantees, in response to the shortage gripping the global semiconductor supply chain.

UMC said it would add capacity for manufacturing 20,000 wafers a month at 28 nm, one of the process technology nodes worst-hit by the global chip shortage, at an existing fabrication plant, or “fab,” in Tainan.

The investment will drive up the company’s capital spending for this year by 53 percent to $2.3 billion, but it is made under a deal that commits several of UMC’s largest customers to pay deposits upfront and guarantee certain orders at a fixed price.

The deal is highly unusual for contract chipmakers. The flexibility to allocate capacity to orders from different customers has long been a cornerstone of their profitability.

But that model has come under fire as first automakers and now a growing range of other sectors have been unable to secure enough chips from foundries such as UMC and Taiwan Semiconductor Manufacturing Company (TSMC), the global industry leader.

UMC said the deal was an “innovative, win-win” arrangement. “This will strengthen our financial position to capture the market opportunity,” Jason Wang, UMC president, told investors.

TSMC said this month it would invest $100 billion in new capacity over three years. Intel recently announced a $20 billion investment program under which it wants to challenge TSMC in offering contract chipmaking services.

But the global chip shortage is expected to continue unabated. UMC said its capacity utilization rate was 100 percent in the first quarter and would remain there for the time being. The company expects average selling prices of its chips to rise 10 percent this year compared with 2020.

“There is a supply-demand imbalance in mature nodes,” said Liu Chi-tung, UMC chief financial officer. “We have seen lots of capacity expansion in advanced nodes, but companies have not addressed the mature nodes. There are lots of critical components on those nodes.”

SK Hynix, the world’s second-largest memory chipmaker, plans to bring forward some of its planned capital expenditure for next year to the second half of this year to meet surging chip demand.

The South Korean company said on Wednesday that demand was stronger than expected and forecast the imbalance in demand and supply to worsen in coming quarters. It expects DRAM chip supplies to remain tight throughout the year and forecast a faster than expected recovery in demand and prices for NAND memory chips.

While the UMC deal is aimed at battling the shortage, it is expected to take at least two years to take shape, highlighting the depth of the constraints on the semiconductor supply chain.

Although the fab dedicated for the capacity expansion already exists, mass production is expected to start only in the second quarter 2023 because key tools are in short supply too. “We are working with our suppliers. There is a lead time for equipment,” Wang said.

© 2021 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.

Ransomware crooks threaten to ID informants if cops don’t pay up —

Ransomware crooks threaten to ID informants if cops don’t pay up

Getty Images

Ransomware operators have delivered a stunning ultimatum to Washington, DC’s Metropolitan Police Department: pay them $50 million or they’ll leak the identities of confidential informants to street gangs.

Babuk, as the group calls itself, said on Monday that it had obtained 250GB of sensitive data after hacking the MPD network. The group’s site on the dark web has posted dozens of images of what appear to be sensitive MPD documents. One screenshot shows a Windows directory titled “Disciplinary Files.” Each of the 28 files shown lists a name. A check of four of the names shows they all belong to MPD officers.

Other images appeared to show persons-of-interest names and photos, a screenshot of a folder named Gang Database, chief’s reports, lists of arrests, and a document listing the name and address of a confidential informant.

“Drain the informants”

“We advise you to contact us as soon as possible, to prevent leakage,” a post on the site says. “If no response is received within 3 days, we will start to contact gangs in order to drain the informants.”

In an email, MPD Public Information Officer Hugh Carew wrote, “We are aware of unauthorized access on our server. While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.” Carew didn’t answer questions seeking additional details about the breach.

In a videotaped message published on Tuesday night, Metropolitan Police Chief Robert J. Contee III said that with the assistance of local and federal partners, MPD has identified and blocked the mechanism that allowed the intrusion. He provided no new details about the breach or the ongoing investigation into it.

“Our partners are currently fully engaged in assessing the scope and impact,” he said. “In the course of the review, if it is discovered that personal information of our members or others was compromised, we will follow up with that information.”

The chief then went on to encourage people to “maintain good cyber hygiene.”

As bad as it gets

The incident underscores the growing brazenness of ransomware operators. Once content with merely locking up victims’ data and demanding a ransom in exchange for the key, attackers eventually introduced a dual-revenue model that charged for the key but also promised to publish sensitive documents online unless the ransom was paid. In recent weeks, at least one gang has started contacting customers and suppliers of victims to warn them their data may be spilled if the victims don’t pay up.

Threatening to identify confidential informants to organized criminal gangs—as Babuk appears to be doing now—hits a new low, said Brett Callow, a threat analyst who follows ransomware at security firm Emsisoft.

“That’s as bad as it gets,” he told Ars. “Can you imagine the potential for lawsuits if an informant were to be harmed as a direct result of the breach?”

Babuk is a relatively new ransomware enterprise that appeared in January. Not much is known about the group other than it has Russian-speaking team members, and Emsisoft researchers found a severe bug in the group’s decryptor software that caused data loss. The group’s dark web site claims to have breached almost a dozen other companies.

Last week, a US Justice Department memo showed the agency convening a new task force to respond to the recent surge in ransomware attacks, particularly on hospitals and other critical US organizations. Acting Deputy Attorney General John Carlin will lead the task force, which is made up of agents and prosecutors from the FBI and Justice Department.

The leak might pose a threat not just to confidential informants but also to ongoing investigations. Federal prosecutors last year dropped narcotics charges against six suspects after crucial evidence was destroyed in a ransomware infection.

FCC lets SpaceX cut satellite altitude to improve Starlink speed and latency — 04/27/2021

FCC lets SpaceX cut satellite altitude to improve Starlink speed and latency

A SpaceX Starlink user terminal, also known as a satellite dish, seen against a city's skyline.

SpaceX today was granted permission to use a lower orbit for Starlink satellites, as regulators agreed with SpaceX that the change will improve broadband speed and latency while making it easier to minimize orbital debris. In granting SpaceX’s request, the Federal Communications Commission dismissed opposition from Viasat, Hughes, Dish Network, OneWeb, the Amazon subsidiary known as Kuiper, and other satellite companies that claimed the change would cause too much interference with other systems.

In 2018, SpaceX received FCC approval to launch 4,425 broadband satellites at orbits of 1,110 km to 1,325 km. An FCC order in 2019 gave SpaceX permission to use a lower altitude for over 1,500 of those satellites. Today’s FCC order granting SpaceX’s additional license-change request lowers the altitude for 2,814 of the satellites, letting them orbit in the 540-570 km range. Today’s FCC order will also let SpaceX use a lower elevation angle for antennas on user terminals and gateway Earth stations.

“Based on our review, we agree with SpaceX that the modification will improve the experience for users of the SpaceX service, including in often-underserved polar regions,” the FCC order said. “We conclude that the lower elevation angle of its earth station antennas and lower altitude of its satellites enables a better user experience by improving speeds and latency.”

The FCC order also said, “a number of the satellites being deployed pursuant to this modification are satellites orbiting at high inclinations, which are uniquely able to provide improved service to higher latitude regions.” As for the license change’s impact on orbital debris, the FCC said that “deployment to a lower altitude guarantees removal of satellites from orbit within a relatively short period of time, and consequently has beneficial effects with respect to orbital debris mitigation.”

The FCC previously allowed SpaceX to operate 1,584 of the satellites at an altitude of 550 km, via an approval in April 2019.

Many satellites at different altitudes

The number of Starlink satellites from the first batch approved in March 2018 has since been reduced from 4,425 to 4,408, and all of those are now approved for orbits between 540 and 570 km. SpaceX separately was granted permission in November 2018 to launch another 7,518 satellites at even lower altitudes of 335 km to 346 km. The space company is also seeking permission for 30,000 more satellites at altitudes ranging from 328 km to 614 km.

Besides what we’ve already mentioned, today’s FCC order gives SpaceX “authority to conduct launch and early orbit phase (LEOP) operations and payload testing during orbit-raising and deorbit of its satellites.”

“Our action will allow SpaceX to implement safety-focused changes to the deployment of its satellite constellation to deliver broadband service throughout the United States, including to those who live in areas underserved or unserved by terrestrial systems,” the FCC said.

Rejecting opposition’s interference claims

The FCC order said that SpaceX’s license change “does not create significant interference problems,” rejecting allegations made by Dish Network and other companies.

The FCC denied “petitions to deny or defer” SpaceX’s request filed by Viasat, SES Americom and O3B Limited, Kepler Communications, and Kuiper Systems. Other satellite companies such as Hughes and OneWeb had filed comments challenging SpaceX’s claims and requesting that the FCC impose new conditions on SpaceX. The FCC also denied Viasat’s petition to reconsider the commission’s earlier decision to let SpaceX use the 540-570 km altitudes for ten satellites.

Opponents of SpaceX argued that the license change “will increase the number of in-line interference events because of its proposed lower elevation angles and doubling of the number of satellites communicating with each gateway earth station simultaneously” and that “SpaceX’s redesigned antennas and wider beam footprints would worsen the interference environment and eliminate earth station separation as an interference mitigation technique,” the FCC said.

The FCC agreed that the license change “would result in new interference to other NGSO [non-geostationary satellite orbit] systems in certain areas where previously interference did not exist,” but the agency concluded that the license would not create “any significant interference problems.”

The FCC explained further:

Specifically, after analyzing the technical arguments in the record, we conclude that the lower altitude of the satellites will in fact result in fewer satellites in view, and therefore will result in fewer in-line interference events with respect to other NGSO operators, even if the number of active satellites in view of a particular earth station is increased. We observe that by lowering the earth station elevation angle, more of the sky is visible from the perspective of the earth station, and as a result more satellites may be visible. However, when the satellite altitude is lowered, the satellites will need to be closer to the earth station in order to be within view, and therefore lowering the altitude of the satellites helps to offset the fact that additional satellites may be visible due to the lower elevation angles, in turn offsetting the potential increase in inline interference events. We also conclude that the reduced satellite PFD [power flux-density] at the satellites enabled by operating the satellites at lower altitudes will help to offset the potential for increased interference.
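A worked version of that visibility argument, added here as an illustration rather than taken from the FCC order. The before/after elevation angles (40° and 25°) and the 1,150 km starting altitude are assumed for the example; the satellites are treated as spread uniformly over the sphere, which ignores the concentration of inclined orbits at high latitudes.

```latex
% Symbols: R = Earth radius (6371 km), h = satellite altitude,
% \varepsilon = minimum elevation angle at the earth station,
% \eta = nadir angle at the satellite, \theta = Earth-central half-angle
% of the cap of sky in view, f = fraction of a uniformly spread
% constellation of N satellites that one earth station can see.
% Law of sines in the triangle (Earth centre, station, satellite):
% the angle at the station is 90^\circ + \varepsilon, so
% \sin\eta / R = \cos\varepsilon / (R+h) and \theta = 90^\circ - \varepsilon - \eta.
\begin{aligned}
\theta(h,\varepsilon) &= 90^\circ - \varepsilon - \arcsin\!\left(\frac{R\cos\varepsilon}{R+h}\right),
\qquad f = \frac{1-\cos\theta}{2}, \qquad n \approx N f \\[6pt]
% Assumed cases: 1150 km / 40^\circ before, 550 km / 25^\circ after.
\text{before: } h = 1150\ \text{km},\ \varepsilon = 40^\circ
  &\Rightarrow \theta \approx 9.5^\circ,\ f \approx 6.9\times 10^{-3} \\
\text{altitude lowered only: } h = 550\ \text{km},\ \varepsilon = 40^\circ
  &\Rightarrow \theta \approx 5.2^\circ,\ f \approx 2.0\times 10^{-3} \\
\text{after: } h = 550\ \text{km},\ \varepsilon = 25^\circ
  &\Rightarrow \theta \approx 8.5^\circ,\ f \approx 5.4\times 10^{-3} \\[6pt]
% Slant range to a satellite at the edge of view, and the power needed
% to deliver the same ground-level signal (free-space loss grows as d^2).
d &= \sqrt{(R+h)^2 - R^2\cos^2\varepsilon} - R\sin\varepsilon
  \approx 1627\ \text{km (before)},\quad 1123\ \text{km (after)} \\
\frac{P_{\text{after}}}{P_{\text{before}}} &\approx \left(\frac{1123}{1627}\right)^2 \approx 0.48
  \quad (\text{about } 3\ \text{dB less})
\end{aligned}
```

Under these assumed values, lowering the altitude alone cuts the satellites in view by roughly 70 percent; widening the view to 25° raises the count again but still leaves it about 20 percent below the original, which is the offsetting effect the order describes, and the shorter slant range is what lets a lower-altitude satellite radiate less for the same service.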

SpaceX already has over 1,300 satellites in orbit while it provides Starlink service in beta for $99 a month plus $499 upfront for equipment. SpaceX has been advertising beta-service speeds of 50Mbps to 150Mbps, with latency of 20 ms to 40 ms. CEO Elon Musk said in February that speeds will hit 300Mbps later this year and that the service will become available to “most of Earth” by the end of 2021.

SpaceX was tentatively granted $885.51 million over 10 years in rural-broadband funding, but the company is facing opposition from other ISPs, and the FCC hasn’t made a final decision on the funding. SpaceX also has a pending application to be designated as an Eligible Telecommunications Carrier as part of plans to offer phone service and discounted telecom service to people with low incomes.

Update: Viasat contacted Ars with a statement, saying it is “pleased the commission confirmed that Starlink satellites must be reliable and safe, and also recognized the need to assess the cumulative (aggregate) collision risk presented by the entire Starlink constellation.” Viasat claimed that the FCC failed to use “a science-based approach” in its order.

Amazon also provided a statement, saying, “This is a positive outcome that places clear conditions on SpaceX, including requirements that it remain below 580 km and accept additional interference resulting from its redesign.”

The interference-related “condition means that if the [Starlink] redesign creates interference with other systems (including Kuiper), the burden is on SpaceX to either alter its operations or accept the impact on its service,” an Amazon spokesperson told Ars.

While SpaceX only asked for orbits between 540 and 570 km, Amazon told Ars that it requested the hard limit of 580 km because “SpaceX satellites have an orbital tolerance of +/- 30 km.” Amazon plans to use orbits as low as 590 km in its Kuiper constellation.

“These conditions address our primary concerns regarding space safety and interference, and we appreciate the commission’s work to maintain a safe and competitive environment in low-earth orbit,” Amazon said.

Cable-chewing beavers take out town’s Internet in “uniquely Canadian” outage —

Cable-chewing beavers take out town’s Internet in “uniquely Canadian” outage

A wild beaver works furiously in Grand Teton National Park in Wyoming.
Getty Images | Jeff R Clow

About 900 Internet users in Tumbler Ridge, British Columbia, lost service for 36 hours when beavers chewed through an underground fiber cable in what network operator Telus called a “very bizarre and uniquely Canadian turn of events.”

“Our team located a nearby dam, and it appears the beavers dug underground alongside the creek to reach our cable, which is buried about three feet underground and protected by a 4.5-inch thick conduit. The beavers first chewed through the conduit before chewing through the cable in multiple locations,” the statement from Telus said, according to a CBC article posted Sunday.

The beavers apparently used some of the Telus materials to build their dam. Telus provided Ars with these photos of the damaged cable and the beaver dam:

Internet service went down at about 4 am Saturday and was restored by Telus at around 3:30 pm on Sunday. Telus also said there were disruptions to cell phone service in the area and to TV service for about 60 customers. Tumbler Ridge has about 2,000 residents.

Telus told Ars that the cause of the fiber cut was “fairly unique” because the beavers “chewed through our fiber cable at multiple points, causing extensive damage.”

“Our crews brought in additional equipment and technicians to help expose the cable and determine how far the damage continued up the line, and have worked around the clock under challenging conditions as the ground above our cable is partially frozen,” Telus said.

As the BBC noted in its coverage of the incident, beavers are “Canada’s national animal,” but they “have a mixed reputation. The rodents are loved by some as the ultimate environmental engineers whose dam-building skills bring an array of ecological benefits. But their incredibly strong teeth can cause extensive damage, and farmers in particular worry at the havoc they could cause to crops and trees.”

Lack of redundancy in fiber lines

Tumbler Creek’s beaver problem was yet another example of how Internet service can be disrupted in a variety of ways. In western Massachusetts last month, about 2,000 customers in six towns lost service when “a burning tree severed a fiber-optic line on the state’s middle-mile network,” The Berkshire Eagle reported at the time.

“It’s not hard to understand why this happens in rural America. In much of the country, the fiber backbone lines that support Internet access to rural towns use the same routes that were built years ago to support telephone service,” telecommunications consultant Doug Dawson wrote in his blog yesterday.

“The bad news is that nobody is trying to fix the problem,” Dawson also wrote. “The existing rural fiber routes are likely owned by the incumbent telephone companies, and they are not interested in spending money to create redundancy. Redundancy in the fiber world means having a second fiber route into an area so that the Internet doesn’t go dead if the primary fiber is cut.”

Actively exploited Mac 0-day neutered core OS security defenses —

Actively exploited Mac 0-day neutered core OS security defenses

Getty Images

When Apple released macOS 11.3 on Monday, it didn’t just introduce support for new features and optimizations. More importantly, the company fixed a zero-day vulnerability that hackers were actively exploiting to install malware without triggering core Mac security mechanisms, some of which had been in place for more than a decade.

Together, the defenses provide a comprehensive set of protections designed to prevent users from inadvertently installing malware on their Macs. While one-click and even zero-click exploits rightfully get lots of attention, it’s far more common to see trojanized apps that disguise malware as a game, update, or other desirable piece of software.

Protecting users from themselves

Apple engineers know that trojans represent a bigger threat to most Mac users than more sophisticated exploits that surreptitiously install malware with minimal or no interaction from users. So a core part of Mac security rests on three related mechanisms:

  • File Quarantine requires explicit user confirmation before a file downloaded from the Internet can execute
  • Gatekeeper blocks the installation of apps unless they’re signed by a developer known to Apple
  • Mandatory App Notarization permits apps to be installed only after Apple has scanned them for malware

Earlier this year, a piece of malware well-known to Mac security experts began exploiting a vulnerability that allowed it to completely suppress all three mechanisms. Called Shlayer, it has an impressive record in the three years since it appeared.

Last September, for instance, it managed to pass the security scan that Apple requires for apps to be notarized. Two years ago, it was delivered in a sophisticated campaign that used novel steganography to evade malware detection. And last year, Kaspersky said Shlayer was the most detected Mac malware by the company’s products, with almost 32,000 different variants identified.

Clever evasion

Shlayer’s exploitation of the zero-day, which started no later than January, represented yet another impressive feat. Rather than using the standard Mach-O format for a Mac executable, the executable component in this attack was a macOS shell script, which runs a series of commands in a particular order.

Normally, scripts downloaded from the Internet are classified as application bundles and are subject to the same requirements as other types of executables. A simple hack, however, allowed scripts to completely shirk those requirements.

By removing the Info.plist—the structured text file that describes an app bundle and maps the location of the files it depends on—the script no longer registered as an executable bundle to macOS. Instead, the file was treated as a PDF or some other type of non-executable file that wasn’t subject to Gatekeeper and the other mechanisms.

One of the attacks began with the display of an ad for a fake Adobe Flash update:


The videos below show what a big difference the exploit made once someone took the bait and clicked download. The video immediately below depicts what the viewer saw with the restrictions removed. The one below that shows how much more suspicious the update would have looked had the restrictions been in place.

Shlayer attack with exploit of CVE-2021-30657.
Shlayer attack without exploit of CVE-2021-30657.

The bug, which is tracked as CVE-2021-30657, was discovered and reported to Apple by security researcher Cedric Owens. He said he stumbled upon it as he was using a developer tool called Appify while performing research for a “red team” exercise, in which hackers simulate a real attack in an attempt to find previously overlooked security weaknesses.

“I found that Appify was able to turn a shell script into a double clickable ‘app’ (really just a shell script inside of the macOS app directory structure but macOS treated it as an app),” he wrote in a direct message. “And when executed, it bypasses Gatekeeper. I actually reported it pretty quickly after discovering it and did not use it in a live red team exercise.”

Apple fixed the vulnerability with Monday’s release of macOS 11.3. Owens said that the flaw appears to have existed since the introduction of macOS 10.15 in June 2019, which is when notarization was introduced.

Owens discussed the bug with Patrick Wardle, a Mac security expert who previously worked at Jamf, a Mac enterprise security provider. Wardle then reached out to Jamf researchers, who uncovered the Shlayer variant that was exploiting the vulnerability before it was known to Apple or most of the security world.

“One of our detections alerted us to this new variant, and upon closer inspection, we discovered its use of this bypass to allow it to be installed without an end user prompt,” Jamf researcher Jaron Bradley told me. “Further analysis leads us to believe that the developers of the malware discovered the zero-day and adjusted their malware to use it, in early 2021.”

Wardle developed a proof-of-concept exploit that showed how the Shlayer variant worked. After being downloaded from the Internet, the executable script appears as a PDF file named “Patrick’s Resume.” When a user double-clicks on the file, it launches a file called calculator.app. The exploit could just as easily execute a malicious file.
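The bundle shape described in the two passages above (no Info.plist, a script where a Mach-O binary would normally sit) is something a defender can hunt for on disk. The following scan is an added example, not code from Jamf, Wardle or Apple; the bundle layout and Mach-O magic numbers are standard, and the two sample bundles it builds are constructed for the demonstration.

```python
"""Added example (not code from Jamf, Wardle or Apple): a defensive scan
for app bundles shaped like the Shlayer sample described above, that is,
a bundle with no Contents/Info.plist whose Contents/MacOS executable is
a script rather than a Mach-O binary. The bundle layout and Mach-O magic
numbers are standard; the sample bundles built here are constructed."""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

# Mach-O and fat-binary magic numbers (32/64-bit, both byte orders).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}


@dataclass
class Finding:
    bundle: str                          # path of the .app directory
    has_info_plist: bool                 # Contents/Info.plist present?
    script_executables: List[str] = field(default_factory=list)


def executable_kind(path: str) -> str:
    """Classify a file by its leading bytes: 'script', 'mach-o' or 'other'."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(b"#!"):
        return "script"
    if head in MACHO_MAGICS:
        return "mach-o"
    return "other"


def inspect_bundle(bundle: str) -> Optional[Finding]:
    """Return a Finding when the bundle has no Info.plist and at least one
    script in Contents/MacOS; otherwise None."""
    contents = os.path.join(bundle, "Contents")
    macos_dir = os.path.join(contents, "MacOS")
    if not os.path.isdir(macos_dir):
        return None
    plist_present = os.path.isfile(os.path.join(contents, "Info.plist"))
    scripts = []
    for name in sorted(os.listdir(macos_dir)):
        path = os.path.join(macos_dir, name)
        if os.path.isfile(path) and executable_kind(path) == "script":
            scripts.append(path)
    if plist_present or not scripts:
        return None
    return Finding(bundle, plist_present, scripts)


def scan(root: str) -> List[Finding]:
    """Walk root and collect .app bundles matching the suspicious shape."""
    findings: List[Finding] = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if name.endswith(".app"):
                finding = inspect_bundle(os.path.join(dirpath, name))
                if finding is not None:
                    findings.append(finding)
                dirnames.remove(name)   # do not descend into bundle internals
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed demo data: one bundle with a script and no Info.plist
    (the shape this scan flags) and one ordinary-looking bundle."""
    bad = os.path.join(root, "Sample.app", "Contents", "MacOS")
    os.makedirs(bad)
    with open(os.path.join(bad, "Sample"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho demo\n")
    good = os.path.join(root, "Good.app", "Contents")
    os.makedirs(os.path.join(good, "MacOS"))
    with open(os.path.join(good, "Info.plist"), "w") as fh:
        fh.write('<?xml version="1.0"?><plist version="1.0"><dict/></plist>')
    with open(os.path.join(good, "MacOS", "Good"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 12)   # 64-bit Mach-O magic


def demo() -> List[str]:
    """Build the sample tree in a temp dir and return flagged bundle names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [os.path.basename(f.bundle) for f in scan(tmp)]


if __name__ == "__main__":
    for name in demo():
        print("suspicious bundle:", name)
```

Pointing `scan()` at a Downloads folder or a mounted disk image lists bundles worth a closer look; the absence of Info.plist is the signal, and the script content itself is left for manual review.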


In a 12,000-word deep-dive that delves into the causes and effects of the exploits, Wardle concluded:

Though this bug is now patched, it clearly (yet again) illustrates that macOS is not impervious to incredibly shallow, yet hugely impactful flaws. How shallow? Well, the fact that a legitimate developer tool (appify) would inadvertently trigger the bug is beyond laughable (and sad).

And how impactful? Basically macOS security (in the context of evaluating user launched applications, which recall, accounts for the vast majority of macOS infections) was made wholly moot.

Bradley published a post that recounted how the exploit looked and worked.

Many people consider malware like Shlayer unsophisticated because it relies on tricking its victims. To give Shlayer its due, the malware is highly effective, in large part because of its ability to suppress macOS defenses designed to tip off users before they accidentally infect themselves. Those who want to know if they’ve been targeted by this exploit can download this Python script written by Wardle.