Third-Party macOS Security Tools Vulnerable to Malware Code-Signing Bypasses (since 2007) by Muhammad Amir Ayub

From Macrumors:

Hackers have had an “easy way” to get certain malware past signature checks in third-party security tools since Apple’s OS X Leopard operating system in 2007, according to a detailed new report today by Ars Technica. Researchers discovered that hackers could essentially trick the security tools — designed to sniff out suspiciously signed software — into thinking the malware was officially signed by Apple while they in fact hid malicious software.

...

The researchers said that the signature bypassing method is so “easy” and “trivial” that pretty much any hacker who discovered it could pass off malicious code as an app that appeared to be signed by Apple.

...

Developer Patrick Wardle spoke on the topic, explaining that the bypass was due to ambiguous documentation and comments provided by Apple regarding the use of publicly available programming interfaces that make digital signature checks function: “To be clear, this is not a vulnerability or bug in Apple’s code... basically just unclear/confusing documentation that led to people using their API incorrectly.” It’s also not an issue exclusive to Apple and macOS third-party security tools, as Wardle pointed out: “If a hacker wants to bypass your tool and targets it directly, they will win.”

For its part, Apple was said to have stated on March 20 that it did not see the bypass as a security issue that needed to be directly addressed. On March 29, the company updated its documentation to be more clear on the matter, stating that “third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result.”

It looks like a case where human engineering fooled the so-called security programs (and not helped by Apple's usually not so helpful documentation). All the more reasons that for the Mac, trusting the built in security is the way to go for the most part. You've already paid a premium for the hardware.

Try out Backblaze for free and protect your precious files.

iOS 12 Tidbits From Macstories by Muhammad Amir Ayub

Previously available only on 3D Touch-enabled iPhones or with a two-finger swipe on the iPad’s keyboard, trackpad mode can be activated in a much easier way in iOS 12: just tap & hold on the space bar until the keyboard becomes a trackpad. This mode (seemingly inspired by Gboard and other custom keyboards with a similar implementation) gives owners of iPhones without 3D Touch a way to more precisely control the cursor in text fields.

I've been a heavy user of the 3D Touch cursor control when typing and now can't live without it. The long press is an excellent way to access it for non-3D Touch devices.

If you write longform content on an iPad, or if you want to always make a great impression with your ‘Sent from iPhone’ emails, iOS 12 has just the feature for you: a built-in thesaurus that lives alongside the system dictionary.

Having the thesaurus built in is excellent too. I always use it on the Mac.

For the past couple of years, iOS has offered a native Markup mode to annotate images and PDF documents. Initially rolled out for Notes and Mail, this feature eventually expanded to QuickLook for document previews as well as screenshots. In iOS 12, Apple is making Markup mode more powerful by adding new drawing options and a color picker with 120 color choices.

One of the weaknesses of the recent iOS releases were the very limited color choices during Markup. My children like to draw and scribble in Notes and were not happy when the color palette became limited to only a few colors instead of the many shades of each color.

Among the new skills it’s learning this year, Siri in iOS 12 is capable of finding one of your devices nearby and playing a sound on it. To try this feature, ask Siri to “find my iPhone” and the assistant will tell you whether or not it was able to locate it nearby. Additionally, Siri will offer to play a sound on the selected device (if you have multiple devices with a similar name under your iCloud account, you’ll have to select one from a list inside Siri); the sound won’t stop playing until you find and unlock your device. This is no different from what is already supported in the Find My iPhone app, but Siri activation makes it easier and faster to use.

This is useful. Many a times I've had to use the app on another phone or use iCloud on the laptop to use the feature and find lost iPhones (of course taken away by the children).

Other purported stuff include Podcast chapters (which I don't really care for) and tapbacks in notifications (which is useless in the non-US part of the world as iMessage isn't popular: Whatsapp/Telegram and the likes rule this part of the world by a mile).

I've been on the developer beta and like it so far: even the developer betas are much more stable than the initial public betas of the previous version of iOS.

Trying Out Programming Again, and Again, and Again... by Muhammad Amir Ayub

I'm a geek at heart, and it pains me to still be inept at programming and coding. Once upon a long time I was the Mac packager for Wesnoth, but I'm very much self-aware of my deficiencies. The lack of knowledge + skill plus the transition from student life to housemanship made me readily give up the role to people who professionally have a background in programming. I'm interested in just learning the ways and make programs that I can use to help myself in my daily activities (certainly not to make a fortune, though that'd be nice). For many years, the effort has never been consistent. I want to try again, now with Swift (previously tried out Objective-C but I failed miserably to get anywhere).

One area I want to try is to make a program to log my 5/3/1 progress. Currently I use Numbers to calculate my weights automatically (by keying in my training maxes) and log progress (with 5/3/1's estimated 1RM calculator):

The only numbers and details that matter nowadays are the ones in the box below the name of lift (e.g. 211 kg) and the numbers to the right of each main lift (percentage followed by weight, calculated automatically). The rest are all very outdated (…

The only numbers and details that matter nowadays are the ones in the box below the name of lift (e.g. 211 kg) and the numbers to the right of each main lift (percentage followed by weight, calculated automatically). The rest are all very outdated (e.g. that 143 kg was once upon a time my deadlift PR).

My log to chart lifts along with E 1RM's. Note how I only bothered to key in the dates only early on. The estimated 1RM formula is based on multiple reps and gets it wrong when I do a single rep only with the last set (there is no if condition). Con…

My log to chart lifts along with E 1RM's. Note how I only bothered to key in the dates only early on. The estimated 1RM formula is based on multiple reps and gets it wrong when I do a single rep only with the last set (there is no if condition). Consistency in lifting is key.

The derived charts. Note the drops coinciding with the moves to housemanship, Melaka (this one was major), HKL again, post competition. My progress has been stagnant for the past 3 months due to whatever.

The derived charts. Note the drops coinciding with the moves to housemanship, Melaka (this one was major), HKL again, post competition. My progress has been stagnant for the past 3 months due to whatever.

So now I'm trying to learn programming again; my mania has taken over (with help of copious amounts of home cold brewed coffee). Currently I've managed to write something in Swift that will calculate my training max (for now based on my true max) and subsequent training weights, with say my deadlift:

import UIKit

var helloPlayground = "Hello, playground"
print(helloPlayground)

class Lift {
    var liftName = String()
    var kg = "kg"
    var liftTrainingMax = Double()
    var liftLiftingMax = Double()
    var weight = Double()
    var percentage = Double()
    
    func calculateLiftTrainingMax(using liftLiftingMax:Double){
        liftTrainingMax = 0.9 * liftLiftingMax
        print("Say that my \(deadlift.liftName) max is \(deadlift.liftLiftingMax) kg \nMy training weights will be:")
    }
    
    func calculateLiftWeights (){
        var percentage: Double = 0.4
        var liftWeights = [percentage:weight]
        while percentage < 1 {
            var weight = percentage * liftTrainingMax
            percentage = (percentage*100).rounded()/100
            weight = (weight*10).rounded()/10
            liftWeights [percentage] = weight
            percentage += 0.05
            }
        for (percentage, weight) in liftWeights.sorted(by: <) {
            print ("\(Int(percentage*100))% : \(weight) kg")
        }
        }}

let deadlift = Lift()
deadlift.liftName = "deadlift"
deadlift.liftLiftingMax = 100
deadlift.calculateLiftTrainingMax(using: deadlift.liftLiftingMax)
deadlift.calculateLiftWeights()
deadlift.liftTrainingMax = 211
print("\nSay that I've a preset training max of \(deadlift.liftTrainingMax) kg (my actual current training numbers)\nNow my training weights will be")
deadlift.calculateLiftWeights()

And it's subsequent output:

Hello, playground
Say that my deadlift max is 100.0 kg 
My training weights will be:
40% : 36.0 kg
45% : 40.5 kg
50% : 45.0 kg
55% : 49.5 kg
60% : 54.0 kg
65% : 58.5 kg
70% : 63.0 kg
75% : 67.5 kg
80% : 72.0 kg
85% : 76.5 kg
90% : 81.0 kg
95% : 85.5 kg

Say that I've a preset training max of 211.0 kg (my actual current training numbers)
Now my training weights will be
40% : 84.4 kg
45% : 95.0 kg
50% : 105.5 kg
55% : 116.1 kg
60% : 126.6 kg
65% : 137.2 kg
70% : 147.7 kg
75% : 158.3 kg
80% : 168.8 kg
85% : 179.4 kg
90% : 189.9 kg
95% : 200.5 kg

My mania has led me to pay quite an amount to resubscribe to the Apple Developer Membership, and yes, I'm using the Developer beta's for iOS 12 and MacOS Mojave (which are actually much more stable than even the first public beta's for the previous versions of the 2 OS'es). I'm currently learning a bit from Youtube and trying things out (with Google, you can search anything for help quickly without thorough browsing of the documentation). Let's see where this rabbit hole will take me.