Dan Goodin writing for Ars Technica regarding a web browser proxy protocol issue that can expose full URLs of webpages you’re browsing, even over HTTPS:

The attack can be carried out by operators of just about any type of network, including public Wi-Fi networks, which arguably are the places where Web surfers need HTTPS the most. It works by abusing a feature known as WPAD (short for Web Proxy Autodisovery) in a way that exposes certain browser requests to attacker-controlled code. The attacker then gets to see the entire URL of every site the target visits. The exploit works against virtually all browsers and operating systems. It will be demonstrated for the first time at next week’s Black Hat security conference in Las Vegas in a talk titled Crippling HTTPS with Unholy PAC.

[…]

With the exception of the full URL, all other HTTPs traffic remains unaffected by the attack. Still, in some cases, disclosure of the URL can prove fatal for security. The OpenID standard, for instance, uses URLs to authenticate users to the sites and services that support it. Another example is document sharing services, such as those offered by Google and Dropbox, that work by sending a user a security token that’s included in the URL. Many password-reset mechanisms similarly rely on URL-based security tokens. Attackers who obtain such URLs in any of these cases are often able to gain full access to a target’s account or data.

Good to be aware of and yet another reason to be especially careful when using public WiFi. Fortunately, web browsers could mitigate this:

Still, browsers can largely work around the vulnerability by following the lead of Microsoft’s Edge and Internet Explorer 11 browsers, which invoke the FindProxyForUrl function with URLs that are truncated to host names only, as opposed to full URLs, which may contain authentication tokens or credentials.

While developed internally by Google, Santa is not their Santa Tracker:

Santa is a binary whitelisting/blacklisting system for macOS. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.

[…]

Santa is written with the intention of helping protect users from themselves. People often download malware and trust it, giving the malware credentials, or allowing unknown software to exfiltrate more data about your system. As a centrally managed component, Santa can help stop the spread of malware among a larger fleet of machines. Additionally, Santa can aid in analyzing what is running in your fleet.

While it’s not 1.0 yet, this is definitely a project for macOS (née OS X) administrators to watch.

Managed Preferences (MCX) was deprecated way back in OS X 10.8 Mountain Lion, though it still works in OS X 10.11 El Capitan, and is the only other way I’m familiar with for blacklisting or whitelisting apps on OS X. MCX settings can even be applied using Profiles via your favorite deployment method (mcxToProfile is a handy tool for that). Unfortunately, I’ve found it to be very problematic and unreliable in practice (often needing to resort to whitelisting entire folders, which is not particularly secure), so this is a very welcome addition to the macOS management toolset. The ability to monitor binary usage across clients is another huge benefit.

Two weeks ago Dropbox made a fascinating announcement of a new “streaming image format”:

Lepton achieves a 22% savings reduction for existing JPEG images, by predicting coefficients in JPEG blocks and feeding those predictions as context into an arithmetic coder. Lepton preserves the original file bit-for-bit perfectly. It compresses JPEG files at a rate of 5 megabytes per second and decodes them back to the original bits at 15 megabytes per second, securely, deterministically, and in under 24 megabytes of memory.

We have used Lepton to encode 16 billion images saved to Dropbox, and are rapidly recoding our older images. Lepton has already saved Dropbox multiple petabytes of space.

I’m not a fan of the JPEG image format, but since it’s so pervasive and everyone is taking and storing so many photos at this point, this is important and very impressive. Read the full post on the Dropbox Technical Blog for all the technical details. Lepton is open source under the Apache license and available on GitHub, so we all benefit.

[Via TechCrunch]

Michael Gartenberg writing for iMore:

I know many smart folks, folks who aren’t remotely Apple fanboys like Steven Sinofsky, who barely use their Macs (or Surface) but do use an iPad Pro.

I’m using my iPad Pro as my primary computer as well, and almost everyone I’ve shown it to has bought one. Yep, bought one … or tried to steal mine. Clearly, there are a lot of people who would buy an iPad.

So why aren’t the sales higher? I think iPad is suffering from the “TiVo paradox.”

Having switched to just an iPad mini for my personal computer, I’ve been wondering the same. Before departing Small Dog Electronics I began wondering why companies are not switching most desktops and laptops out for iPads in droves.

I agree with Michael’s conclusion.