Dan Goodin writing for Ars Technica regarding a web browser proxy protocol issue that can expose full URLs of webpages you’re browsing, even over HTTPS:
The attack can be carried out by operators of just about any type of network, including public Wi-Fi networks, which arguably are the places where Web surfers need HTTPS the most. It works by abusing a feature known as WPAD (short for Web Proxy Autodiscovery) in a way that exposes certain browser requests to attacker-controlled code. The attacker then gets to see the entire URL of every site the target visits. The exploit works against virtually all browsers and operating systems. It will be demonstrated for the first time at next week’s Black Hat security conference in Las Vegas in a talk titled Crippling HTTPS with Unholy PAC.
With the exception of the full URL, all other HTTPS traffic remains unaffected by the attack. Still, in some cases, disclosure of the URL can prove fatal for security. The OpenID standard, for instance, uses URLs to authenticate users to the sites and services that support it. Another example is document sharing services, such as those offered by Google and Dropbox, that work by sending a user a security token that’s included in the URL. Many password-reset mechanisms similarly rely on URL-based security tokens. Attackers who obtain such URLs in any of these cases are often able to gain full access to a target’s account or data.
Good to be aware of and yet another reason to be especially careful when using public WiFi. Fortunately, web browsers could mitigate this:
Still, browsers can largely work around the vulnerability by following the lead of Microsoft’s Edge and Internet Explorer 11 browsers, which invoke the FindProxyForUrl function with URLs that are truncated to host names only, as opposed to full URLs, which may contain authentication tokens or credentials.
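To make the mitigation concrete, here is an added example (not code from the Ars Technica article or the Unholy PAC talk) that models what a PAC script’s FindProxyForURL(url, host) can see when the browser passes the full URL versus a URL truncated to scheme://host, the behaviour credited to Edge and IE11 above. The recording PAC, the truncation helper and the sample URL are all constructed for illustration.

```javascript
// Added example: models the browser side of PAC evaluation so the difference
// between passing the full URL and a host-only URL to PAC code is visible.

// A PAC script that merely records every URL it is asked to route. It stands
// in for any untrusted script a network could serve via WPAD (constructed).
function makeRecordingPac() {
  const seen = [];
  return {
    seen,
    FindProxyForURL(url, host) {
      seen.push(url);
      return "DIRECT";
    },
  };
}

// Truncate a URL to scheme://host[:port]/ before handing it to PAC code, so
// paths, query strings (where reset and sharing tokens live) and embedded
// credentials never reach the script. This is the Edge/IE11 approach.
function truncateForPac(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}/`;
}

// Browser-side dispatch. "leaky" passes the full URL (the behaviour the
// article describes); "truncated" applies the host-only mitigation.
function resolveProxy(pac, urlString, mode) {
  const host = new URL(urlString).hostname;
  const url = mode === "truncated" ? truncateForPac(urlString) : urlString;
  return pac.FindProxyForURL(url, host);
}

// Constructed sample: a password-reset style link carrying a token.
const SAMPLE_URL = "https://example.com/reset?token=SECRET123";

// Returns exactly what the PAC script observed for the given mode.
function pacObserves(mode) {
  const pac = makeRecordingPac();
  resolveProxy(pac, SAMPLE_URL, mode);
  return pac.seen[0];
}

console.log("leaky:    ", pacObserves("leaky"));      // token visible to PAC
console.log("truncated:", pacObserves("truncated"));  // only the origin
```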
Santa is a binary whitelisting/blacklisting system for macOS. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.
Santa is written with the intention of helping protect users from themselves. People often download malware and trust it, giving the malware credentials, or allowing unknown software to exfiltrate more data about your system. As a centrally managed component, Santa can help stop the spread of malware among a larger fleet of machines. Additionally, Santa can aid in analyzing what is running in your fleet.
While it’s not 1.0 yet, this is definitely a project for macOS (née OS X) administrators to watch.
Managed Preferences (MCX) was deprecated way back in OS X 10.8 Mountain Lion, though it still works in OS X 10.11 El Capitan, and is the only other way I’m familiar with for blacklisting or whitelisting apps on OS X. MCX settings can even be applied using Profiles via your favorite deployment method (mcxToProfile is a handy tool for that). Unfortunately, I’ve found it to be very problematic and unreliable in practice (often needing to resort to whitelisting entire folders, which is not particularly secure), so this is a very welcome addition to the macOS management toolset. The ability to monitor binary usage across clients is another huge benefit.
Two weeks ago Dropbox made a fascinating announcement of a new “streaming image format”:
Lepton achieves a 22% savings reduction for existing JPEG images, by predicting coefficients in JPEG blocks and feeding those predictions as context into an arithmetic coder. Lepton preserves the original file bit-for-bit perfectly. It compresses JPEG files at a rate of 5 megabytes per second and decodes them back to the original bits at 15 megabytes per second, securely, deterministically, and in under 24 megabytes of memory.
We have used Lepton to encode 16 billion images saved to Dropbox, and are rapidly recoding our older images. Lepton has already saved Dropbox multiple petabytes of space.
I’m not a fan of the JPEG image format, but since it’s so pervasive and everyone is taking and storing so many photos at this point, this is important and very impressive. Read the full post on the Dropbox Technical Blog for all the technical details. Lepton is open source under the Apache license and available on GitHub, so we all benefit.
Michael Gartenberg writing for iMore:
I know many smart folks, folks who aren’t remotely Apple fanboys like Steven Sinofsky, who barely use their Macs (or Surface) but do use an iPad Pro.
I’m using my iPad Pro as my primary computer as well, and almost everyone I’ve shown it to has bought one. Yep, bought one … or tried to steal mine. Clearly, there are a lot of people who would buy an iPad.
So why aren’t the sales higher? I think iPad is suffering from the “TiVo paradox.”
Having switched to just an iPad mini for my personal computer, I’ve been wondering the same. Before departing Small Dog Electronics I began wondering why companies are not switching most desktops and laptops out for iPads in droves.
I agree with Michael’s conclusion.
Now that I’m independent and posting more frequently, I’ve joined the iTunes Affiliate Program to help the site earn its own keep. I host this site on Textpattern, an excellent, lightweight, and very flexible CMS (Content Management System) and—wanting to work smarter, not harder—decided to write a plug-in that could automatically rewrite any iTunes/iBooks/App Store affiliate URL I post in an article using my iTunes Affiliate Program ID. This will make it easier to just copy links to music, books, or apps from the appropriate store and not have to run them through a different tool to appropriately tag them to hopefully earn a little commission.
Let me introduce the new mta_affiliate Textpattern plug-in. It’s a simple plug-in which, once installed, gives you a pair of preferences to enable URL rewriting and enter your iTunes Affiliate Program affiliate ID. It provides a <txp:mta_affiliate></txp:mta_affiliate> container tag which you can then use in your pages/forms to automatically rewrite any iTunes Affiliate Program URL (“clean” or “legacy”, see Advanced Affiliate Linking) contained within (including those produced by other Textpattern tags). In my case, I wrapped my article bodies with this tag, as well as some custom fields which I generally store URLs in and output from.
I had previously developed similar functionality for Small Dog Electronics, though not in the same way, so this is far from my first time working with iTunes Affiliate Program URLs or the concept of parsing & rewriting URLs within content. I intend to support further affiliate programs in the future.
Download the latest version from the development page, the GitHub project, or Textpattern.org. You can get usage assistance, report any issues, and request additional affiliate programs support in the Textpattern Plugin support forums.
Neon Drive is a fun, retro-futuristic game for iOS which I reviewed for the 959th issue of Small Dog Electronics’ Kibbles & Bytes newsletter back in November:
It’s not a traditional racing game, but, to quote the web site, it’s a “slick retro-futuristic obstacle-dodging game”. The graphics have a neon retro-futuristic theme (think the Tron movies) with some fun visual effects and the music has an ’80s techno/tracker feel to it. One of the best parts of the game to me is the fact that the game is timed to the music, or the music to the game, and so it becomes very immersive if you put on headphones and get into the flow. You can really build your muscle & auditory memory to get through it. That’s not to say it’s too easy as it switches up the gameplay styles for an effective challenge.
The combination of the visual effects and music style hearkens back to the demoscene, for me anyway.
Oh, and don’t forget to read my original, full review in Kibbles & Bytes for a bit of demoscene history.
A few months ago I reviewed the Twelve South Compass 2 iPad stand for the 973rd issue of Small Dog Electronics’ Kibbles & Bytes newsletter:
Being an active Apple Newton user and—more recently—an iPad mini user (see my review), I’ve had my eye on Twelve South’s Compass product for years. With their Compass 2 product line, they brought full support for the iPad mini and I finally got around to picking one up for my iPad & Newton use.
The previous Compass was just a little too wide for the iPad mini, so while you could make it work by not adjusting it out all the way, it was far more unsteady, so the Compass 2 fixes that. With any iPad, I’d be careful about tapping too hard in the top left and right corners when the Compass 2 is in the easel configuration and your iPad is in portrait mode, but it’s still quite stable. It’s too small for the iPad Pro, so we’ll have to wait for a different solution there.
I have the MessagePad 2100 which was the last, best model and the most expandable with an optional wired keyboard (via the serial port) and two PCMCIA slots (I have ethernet, WiFi, Bluetooth, and GPS cards I use in mine). It also functions in portrait and landscape orientations, just like the iPad. In fact, while thicker, its dimensions are pretty close to those of the iPad mini, so it works just as well on the Compass 2. The Compass 2 makes typing with the external Newton keyboard extremely comfortable and is still stable enough to use the stylus for navigation & selections!
The Compass 2 has been getting even more use since my departure from Small Dog Electronics and I still highly suggest it, for both the iPad mini and the Newton MessagePad 2×00 models. They now come in new hues to match the silver, gold, and rose gold iPads, but they still make my favorite: black.