Apple has issued three Mac security updates: Security Update 2016-001 El Capitan, Security Update 2016-005 Yosemite, and Safari 9.1.3 for OS X 10.9.5 Mavericks and OS X 10.10.5 Yosemite. All three updates are related to the major vulnerabilities discovered in iOS by Citizen Lab and Lookout, as we reported in “iOS 9.3.5 Blocks Remote Jailbreak” (25 August 2016). Due to the severity of these vulnerabilities, we encourage everyone to install these updates as soon as possible.
You can download the 414.9 MB Security Update 2016-001 and the 468 MB Security Update 2016-005 directly from Apple’s Web site, though it’s easier to install them via Software Update. Safari 9.1.3 is available only via Software Update.
In “Apple Grilled Over Tax Practices” (24 May 2013), we reported on the controversy surrounding Apple’s practice of using Irish loopholes to minimize its tax bill. Now, it appears that those chickens have come home to roost, since the European Commission has concluded that Ireland illegally gave Apple up to €13 billion (roughly $14.5 billion) in tax benefits that the country must now recover.
Apple CEO Tim Cook is none too pleased with the ruling. In an open letter, he said:
The European Commission has launched an effort to rewrite Apple’s history in Europe, ignore Ireland’s tax laws and upend the international tax system in the process. The opinion issued on August 30th alleges that Ireland gave Apple a special deal on our taxes. This claim has no basis in fact or in law. We never asked for, nor did we receive, any special deals. We now find ourselves in the unusual position of being ordered to retroactively pay additional taxes to a government that says we don’t owe them any more than we’ve already paid.
In the letter, Cook cited Apple’s long-lasting commitment to Ireland, dating back to 1980, and the many people it employs there. “Beyond the obvious targeting of Apple, the most profound and harmful effect of this ruling will be on investment and job creation in Europe,” he said.
Apple and Ireland both plan to appeal the ruling. “We are confident that the Commission’s order will be reversed,” Cook wrote.
The news might make tax repatriation a topic of discussion in the U.S. presidential race. The two major party candidates have differing views on bringing that money to the United States: Republican candidate Donald Trump has proposed a drastically lower corporate tax, which would theoretically discourage offshoring of profits, while Democratic candidate Hillary Clinton has proposed a series of measures to discourage companies from offshoring profits in the first place.
The U.S. government, often at odds with Apple over issues like encryption, is not happy with the EU’s decision. The White House and the Treasury Department both warned that it could damage U.S.-EU relations. The Business Roundtable called it an “act of aggression.” “Above all, this is yet another reason why we need to fix our tax code,” said Republican House Speaker Paul Ryan. High-ranking Democratic Senator Chuck Schumer echoed Ryan’s sentiments. But while both parties might agree on the concept of tax reform, we’ll see if they can work together sufficiently to enact real reform.
When T-Mobile announced its “unlimited” T-Mobile ONE plan, many outlets, including TidBITS (see “T-Mobile and Sprint Announce Unlimited Data (for Higher Prices),” 19 August 2016), complained that for most users, T-Mobile ONE would effectively be a price increase. Just days before launch, T-Mobile announced some changes to T-Mobile ONE to ease concerns.
When first announced, tethering on T-Mobile ONE was limited to 2G speeds — 5 GB of high-speed data would have cost $15 per month. Now, all T-Mobile ONE customers will get unlimited 3G tethering at no extra charge.
T-Mobile ONE is limited to SD video streaming unless you pay an additional fee. Originally, that HD streaming fee was to be $25 per month. Now, T-Mobile has added a $3 Day Pass that grants HD streaming for 24 hours.
Perhaps the biggest change is the introduction of T-Mobile ONE Plus, which replaces the previously announced $25-per-month HD video fee. For $25 per month per line, T-Mobile ONE Plus includes unlimited HD Day Passes, “unlimited” 4G LTE tethering, and 2x faster data speeds abroad.
Of course, there are catches to T-Mobile ONE Plus. T-Mobile says in the fine print that customers who use more than 26 GB per month must use that data mostly with a smartphone or tablet. There are no specific penalties for using too much data while tethering, but T-Mobile says you might get a call if you’re a heavy user. Also, T-Mobile says that it will prioritize smartphone and tablet data over hotspot data.
Finally, T-Mobile ONE availability was moved up, from 6 September 2016 to 1 September 2016.
To address customer concerns about the price going up, T-Mobile also emphasized in its press release that existing customers can keep the plans they have for as long as they wish.
Some have complained that T-Mobile’s changes further complicate the company’s “simple” plans, but I applaud T-Mobile’s attempt to respond to complaints. Bundling HD streaming and high-speed tethering in one package does make things a bit simpler.
However, after an industry-wide trend of simplifying mobile plans, it’s frustrating to see a move back toward basic plans with complicated add-ons, such as T-Mobile ONE Plus and the $15 Safety Mode on lower-tier Verizon data plans (see “Verizon Wireless Offers More Data for More Money,” 7 July 2016).
A colleague recently left a job, and I suggested that, as part of her purge of personal data associated with her work accounts, she delete her Slack account in order to destroy personal messages sent through direct messages (what Slack often refers to as “conversations”) or in private channels. My understanding was that her public messages would persist, thus not violating any employment agreement or making older public conversations incomprehensible, while no one would ever have access to her non-public communications.
I was wrong. Slack doesn’t let users delete their accounts. Instead the company deactivates them, which isn’t the same thing. That would be fine if the member were the only person who could reactivate the account. But there is a gap through which access can slip. While I don’t believe this design is intentional, it undermines some of Slack’s statements about user privacy. Slack has strong privacy protections, even among members of a team and the owner of the team.
The hole in this case relies on a combination of how Slack uses email addresses and its lack of a true bulk delete option for member messages. Other services in which messages, files, or other interactions are hosted may have a similar way around the privacy expectations of many users, even business users.
Slack Private Message Policies -- According to Slack, all posts in direct messages and private channels can be seen only by recipients and participants in those channels. This claim isn’t explicitly noted on Slack’s site, but I confirmed it with the company in several different ways while writing “Take Control of Slack Basics” and “Take Control of Slack Admin” earlier this year.
Paid team owners can configure message retention policies, which can either enhance retention by creating a log of every edit and deletion, or limit retention by deleting messages (public, private, and direct) and files after a certain number of days. (Some companies routinely age out messages to limit their ability to provide old information in lawsuits or prosecutions.) Free teams can see only the last 10,000 messages, but older messages are retained and can’t be deleted; they become available if a free team upgrades to paid.
However, setting a message retention policy doesn’t give admins access to direct messages and private channels. Conceivably, Slack could be compelled by law enforcement to provide such messages that remain in the system, but that’s a far cry from any team admin being able to snoop on private messages.
There is another way that private messages can cease to be private. An owner of a Plus tier paid team can request compliance exports, which can be required for certain kinds of businesses. Compliance exports include all private and direct messages. Slack says it evaluates each request, and an organization has to prove to Slack that such an export is needed. Team members are notified if compliance exports are turned on when they join a team, or if they’re enabled afterward. However, no direct messages or private channel messages from before compliance exports are approved by Slack will be included in the export.
In other words, unless you’re in a team with a retention policy that retains edited and deleted messages, you can delete all your messages from conversations, private channels, and public channels at any time — one by one — and they disappear forever.
However, all these protections assume you maintain control of your email account and that an admin can’t change your Slack account’s associated email address.
Email Is the Weak Link -- What I didn’t previously anticipate, and what Slack technical support has now confirmed, is that a team member who wants to delete their account is disabling the account, not removing messages. As noted, Slack describes this action as account deactivation, not deletion, and the company is up front about how deactivating an account does not remove messages or files you’ve posted.
This fact puts privacy pressure on the email address associated with your Slack account. If your employer controls that address, as is common, any admin with sufficient privileges could reset your email password, request a password reset for your Slack account, and access the new Slack password link. That would make all of your private messages in the team available, subject to either the 10,000-message limit of a free team or the retention policy of a paid team.
And if you’re on a paid team, a team admin could simply change the email address associated with your Slack account. Changing it to an address that the admin can access is all that’s necessary to receive a Slack password reset request and get into your private message traffic.
The solution, which Slack mentions, is that you can go through your private messages and delete them manually before deactivating your account. However, there’s no “nuke DMs” button, so you would have to go through and delete messages one at a time. Possible, but tedious at best.
Slack isn’t doing anything wrong here — there are good reasons why even private message traffic can be accessed with some effort. In America, firms typically have legal access to all communications on company-owned equipment or using corporate servers and services, and they own all the data — even supposedly private data — transmitted. There’s no default expectation of privacy, though companies may offer privacy guarantees through employment policies or under union contracts. (Promising nothing should impose no burden, but I am not offering legal advice here.)
When you leave a job, you probably shouldn’t be able to delete all your associated correspondence, whether public or private. In the wrong circumstances, deleting files (including email) when you’re leaving to set up a new business or going to work for a competing company could lead to a lawsuit under a federal law designed to help businesses protect trade secrets!
Plus, private messages sometimes turn out to hide illegal behavior, discrimination, and other problems, as we’ve seen in lawsuits and criminal trials since companies began to use email. Companies want to protect themselves against rogue employees (or have a scapegoat handy), and retaining private messages helps.
Disclosure is always the key. If a company promises you as an employee that your non-public company communications are yours to delete, great; if you sign a contract that says the company might inspect any message and that you can’t delete data, you should avoid corporate services for anything truly private.
How Can Slack Clarify and Fix This? -- Given the intention towards privacy that Slack consistently expresses, the company could offer better explanations and clarify expectations with a few minor changes. Slack could:
Explain better just how private messages really are when someone joins a team. While Slack mentions compliance exports, the company should also note: “Direct messages and those posted in private channels remain private unless a team owner or admin controls your email address, in which case they may be able to read messages at some point in the future. Post accordingly.” For paid teams, the warning should also include, “Your account’s associated email address can be changed by a team owner or admin, who could then reset your Slack password and access past private messages.”
Disclose privacy expectations at the start of every new conversation. Right now, the message Slack shows reads, “Direct messages are private between the two of you” for a two-person conversation. That should be modified to include the provisos about resetting a password via email or changing an account’s email address, depending on the team type.
Offer a “nuke DMs” option for users leaving a team, but give team admins the capability to override it. For the admin, the setting could be described as, “You can let team members who deactivate their accounts delete their side of all conversations.” And in the team member’s deactivation process, explanatory messages could include: “Your team lets you delete all your direct messages,” “You can only delete direct messages one at a time,” or “You cannot delete any direct messages.” (I’d argue private channels aren’t intended to have the same level of eternal privacy.)
Should you use a company-owned service to discuss things you don’t want your employer to find out about ever? No. Setting up a separate free Slack team to have bitch sessions with fellow employees might be a safer course of action, though it could have its own legal problems, depending on the confidentiality of the topics discussed.
People are better served when they know more about a situation. Slack’s intent is transparent disclosure of message privacy, and the company could do a better job in this hazy area. More generally, if you work for or contract with any organization, it’s best to assume that you have no expectation of privacy for communications on work-owned devices or services. If you’re concerned about that, bring your own device and keep work and personal communications completely separate.
When the proverbial manure hits the fan and prevents your Mac from booting as you want, knowing the right startup key combination can save the day, whether you boot into Safe Mode, Recovery, Apple Diagnostics, or from another disk entirely.
Here are fifteen startup key combinations that can save the day when things go wrong. Not all are useful on today’s Macs, but we wanted the list to be complete.
Option: Invoke Startup Manager -- The first startup key every Mac user should know is the Option key. Press and hold Option as your Mac boots to enter the Startup Manager, which lets you select which disk to boot from.
Startup Manager is primarily useful for booting from an alternative drive, like a system clone, USB thumb drive, or a Boot Camp partition. However, you can also use it to force a boot from your primary drive if your Mac is stubbornly booting from another disk. Startup Manager may also help identify a flaky hard drive; if the drive you’re looking for doesn’t appear in Startup Manager, you know you have a problem.
If you have a bootable external drive, booting from that drive can also help you isolate problems or provide a different environment, such as a different version of OS X.
T: Target Disk Mode -- What if you want to boot from another Mac’s drive using Startup Manager? You can connect the Macs via FireWire or Thunderbolt, and then put the other Mac into Target Disk Mode, which lets it serve as an external drive. Hold T during boot to enter this mode. If either Mac lacks a FireWire or Thunderbolt port, you’re out of luck.
In addition to troubleshooting, Target Disk Mode can also be useful for quickly transferring many gigabytes of files. And if your main Mac’s display fails, you can use Target Disk Mode to turn it into the boot drive for another Mac with a working screen.
Shift-Control-Option: Reset SMC -- When your Mac is exhibiting truly odd behavior, it may be worth resetting the System Management Controller (SMC), which controls all manner of things, such as batteries, keyboard backlight, and cooling fans. Apple lists all the things an SMC reset can fix.
On desktop Macs, you reset SMC by unplugging the power cable for 15 seconds, plugging it back in, and turning the Mac on after 5 seconds. On older Mac notebooks, you can reset SMC by removing the battery and power adapter, holding down the power button for 5 seconds to drain the capacitors, reinserting the battery, and turning it back on again.
However, for newer Mac notebooks, where it’s impossible to remove the battery, you need to know this key combo: Shift-Control-Option, using the keys on the left side of the keyboard. Shut down your Mac, connect it to power, press Shift-Control-Option, and then press the power button while holding those keys down. Release the keys and press the power button again to fire up the Mac with a fresh set of SMC settings.
Command-Option-P-R: Reset NVRAM -- The other quick fix is resetting Non-Volatile Random Access Memory (NVRAM), which you do by holding Command-Option-P-R during startup. The Mac startup chime should sound a second time. After that, release the keys. (The reason for using P and R in the key combination is that Apple used to call this bit of non-volatile memory “PRAM,” for Parameter RAM.)
NVRAM controls things like speaker volume, screen resolution, and startup drive selection. Like an SMC reset, an NVRAM reset can fix a host of seemingly random issues.
Shift: Safe Mode -- If your Mac gets stuck during the boot process, booting in Safe Mode might help you diagnose what’s wrong. To invoke Safe Mode, hold the Shift key while booting. It does a few things:
Simply booting in Safe Mode may solve your problem, if it was related to directory corruption or a messed-up cache file. If a Safe Mode boot works fine, try a regular boot immediately, and if it proceeds normally, you’re all set.
However, if your Mac boots fine in Safe Mode, but has problems otherwise, you probably have a software problem related to something that loads at startup. You might guess that a third-party kernel extension was the culprit, but it could also be a corrupt font. Start poking around in the various Library folders on your Mac.
(If all you want to do is disable login items, press Shift when you click the Log In button in the login window, or as soon as you see the progress bar in the startup screen. Release it when you see the Desktop or Dock.)
Command-R: Recovery -- Every modern Mac can boot into a special mode called Recovery, which provides tools to resolve a variety of problems. The system disk of most Macs contains a small partition containing a stripped-down version of OS X, which you can boot from by holding Command-R as your Mac boots. If the recovery partition is missing for some reason, you can load the Recovery software from the Internet by holding Command-Option-R at startup. Needless to say, loading Internet Recovery takes quite a bit longer; happily, it does provide a time estimate.
Recovery gives you seven options:
Restore from a Time Machine Backup: You do have a Time Machine backup, right? Right?
Reinstall OS X: You don’t have to wipe your disk and start from scratch; this option reinstalls the currently installed version of OS X over your existing install, which can fix missing or corrupted system files. If you use Internet Recovery, you get the version of OS X that originally came with your Mac instead.
Get Help Online: This option opens Safari so you can browse Apple’s support site for help.
Disk Utility: Clicking this item in the list brings up the Disk Utility app, which can check and repair your disks. If absolutely necessary, you can use Disk Utility to erase your system disk, onto which you can then restore your data from Time Machine. (You do have that backup, right?)
Firmware Password Utility: Choose Utilities > Firmware Password Utility to launch this app, which lets you set and turn off a firmware password. You might want to enable a firmware password to make Find My Mac more secure (see “Disable Find My Mac by Resetting NVRAM,” 22 July 2016).
Network Utility: Also available from the Utilities menu, Network Utility lets you test local and Internet connectivity using tools like Netstat, Ping, Traceroute, and more. It’s more easily used when the Mac isn’t in Recovery mode, but it’s here if you need it.
Terminal: For those who are more comfortable at the command line, you can also launch Terminal from the Utilities menu. It’s a stripped-down installation that may lack some of the Unix tools you’re accustomed to having, but you can move around, look at files, and delete things. Be careful!
D: Apple Diagnostics -- If nothing mentioned so far is solving your problem, your Mac might be suffering from a hardware issue. Hold D at startup to boot into Apple Hardware Test or Apple Diagnostics.
Which you get depends on the age of your Mac; Macs produced before June 2013 have Apple Hardware Test, while later Macs have Apple Diagnostics. They do basically the same thing, but Apple Hardware Test is a blast from the past — it looks like the old, pre-OS X Mac OS! Apple Diagnostics is a lot slicker looking and more or less automatic, while you have to click a button to start Apple Hardware Test. Apple Hardware Test also gives the option of an extended test, which takes a lot longer and isn’t usually necessary. Apple recommends disconnecting all external devices except the keyboard, mouse, display, and Ethernet adapter before starting either test.
If you can’t boot into one of these tests for some reason, try holding Option-D instead to load an Internet-based hardware test.
Command-V: Verbose Mode -- Holding Command-V during startup puts your Mac in verbose mode. Instead of a tasteful gray screen, you see every single Unix system message as your Mac boots. Verbose mode could be useful for troubleshooting if you’re already a Unix expert; otherwise it’s mostly amusing to watch.
Command-S: Single-User Mode -- To go one step beyond verbose mode, hold Command-S during boot, which puts your Mac in single-user mode. After the Mac finishes displaying all the Unix messages during its boot sequence, you’re given a command-line prompt, just as though you were in Terminal. As with using Terminal from Recovery, single-user mode is useful mostly if you’re already comfortable in Unix. Some people use single-user mode to run the Unix fsck utility, although it’s easier to boot into Safe Mode or run Disk Utility from Recovery for that purpose.
To leave single-user mode and continue booting, type exit and press Return. Or, to start over, type reboot and press Return.
Neither single-user mode nor verbose mode is accessible if you have a firmware password enabled.
C: Boot from Removable Media -- If you hold the C key during boot, the Mac will start up from removable media, such as a CD, DVD, or USB thumb drive. Since Apple has largely done away with optical drives and physical installation discs are a thing of the past, this shortcut isn’t as useful as it used to be. Using Option to bring up Startup Manager is a better option because then you know exactly which disk you’re going to boot from.
Eject, F12: Eject All Removable Media -- Here’s a neat trick: if you hold the Eject key (if your Mac has one), F12, or the mouse or trackpad button during boot, the Mac will eject all removable media. Like the C shortcut, this technique isn’t as necessary as it used to be when it was the standard way of getting non-bootable floppy disks out of a Mac quickly, but it’s worth remembering should you ever end up working on an old Mac.
N: NetBoot -- If you hold N at startup, the Mac will boot from an available NetBoot server. Holding Option-N will boot from the default boot image on a NetBoot server. For those who have never even heard of NetBoot, it’s an Apple technology in OS X Server that enables a Mac to load the operating system from a network server, rather than from a local drive. Large networked environments sometimes use NetBoot to ensure that every Mac is using a consistent, approved version of the operating system. Chances are, you will never have to worry about booting from NetBoot.
X: Force a Boot into OS X, instead of Classic -- Finally, there’s X, which Apple says causes the Mac to “Start up from an OS X startup volume when the Mac would otherwise start up from a non-OS X startup volume.” This one threw us for a loop, but Phil Dokas, our shadow editor Chris Pepper, and several commenters reminded us that it’s a holdover from the early days of Mac OS X, when it was used to keep the Mac from booting into the Classic environment. Kevin Patfield said there was even a companion option — holding 9 — that forced a boot into Classic. If you know a contemporary use for this key, let us know in the comments!
Alfred 3.1 -- Running with Crayons has issued Alfred 3.1 with workflow and performance improvements for the keyboard-driven launcher. The update adds three new workflow objects (a Hide Alfred utility, plus Dispatch Key Combo and Call External Trigger output objects), improves overall responsiveness (particularly for the Actions panel and Large Type), enables use of Command-S and Escape as key combinations in Remote configuration, updates the iTunes AppleScript to disable shuffle before playing an Alfred playlist, and tunes metadata queries for macOS 10.12 Sierra to improve performance. (Free, £17 for Powerpack, 2.6 MB, release notes, 10.9+)
Default Folder X 5.0.6 -- St. Clair Software has released Default Folder X 5.0.6, adding support for macOS 10.12 Sierra plus a couple of oft-requested features: improved Favorites sorting by name and better compatibility with LaunchBar. The Open/Save dialog enhancement utility also adds support for version 3 of iTerm2, fixes a bug that could cause the cursor to disappear, addresses a hang that required quitting Default Folder X, improves launch speed, and correctly recognizes the active tab in a Finder window rather than using the first one. ($34.95 new, $14.95 upgrade from version 4, TidBITS members save $10 on new copies and $5 on upgrades, 8.1 MB, release notes, 10.10+)
Nisus Writer Pro 2.1.5 -- Nisus Software has released Nisus Writer Pro 2.1.5 with fixes for problems with converting DOC, DOCX, and ODT files. The powerful word processor also addresses an issue with incorrect bulleted lists imported from Microsoft Word, squashes a bug that prevented duplicate backups from being autosaved when closing documents, ensures that pasting an image from Apple’s Photos app inserts an image rather than a link to the file, and adds a number of macros (Set Menu State, Set Bold, and Set Italic). ($79 new from Nisus Software and the Mac App Store, free update, 225 MB, release notes, 10.8.5+)
DEVONthink 2.9.4 -- DEVONtechnologies has updated all three editions of DEVONthink (Personal, Pro, and Pro Office) to version 2.9.4 with sync-related reliability improvements and bug fixes for the personal information manager. The sync toolbar buttons now indicate unsynced changes (similar to the user interface found in the DEVONthink To Go iOS app), synced static and small items require less bandwidth and disk space thanks to better data chunking, and DEVONthink improves both Bonjour connection reliability and conflict handling with Dropbox.
The updates also fix an issue where WebDAV authentication could fail in OS X 10.10 Yosemite, resolve crashes related to sync stores and unreliable Bonjour connections, and fix a bug that prevented changes from being saved in a modified Web archive. (All updates are free. DEVONthink Pro Office, $149.95 new, release notes; DEVONthink Professional, $79.95 new, release notes; DEVONthink Personal, $49.95 new, release notes; 25 percent discount for TidBITS members on all editions of DEVONthink; 10.9+)
iFinance 4.1 -- Synium Software has released iFinance 4.1 with improvements and enhancements for the financial management app (which we noted in “Your Favorite Mac Personal Finance Apps,” 29 February 2016). The update adds VoiceOver support and automatic backups, enables Categories to be added automatically when entering transaction titles, switches to an iPhone-like navigation mode when the database window gets too small, adds PDF exporting of charts and reports, improves speed, and revises the app icon.
iFinance for iOS has also been updated to version 4.1, adding a native Apple Watch app that runs on watchOS 2. Both the Mac and iOS versions of iFinance are discounted by 50 percent through 18 September 2016, with the Mac app priced at $19.99 (normally $39.99) and the iOS app priced at $4.99 (regularly $9.99). ($39.99 new from the Mac App Store, free update, 24.4 MB, release notes, 10.10+)
EagleFiler 1.7 -- C-Command Software has released EagleFiler 1.7 with improvements, bug fixes, and additions to the venerable document organization and archiving app (see “EagleFiler Turns a Finder Folder Into a Snippet Keeper,” 24 February 2010). For those running macOS 10.12 Sierra, EagleFiler now supports capturing messages from Apple Mail, adds support for tabbed windows, and fixes a bug that prevented the app from launching. The update also resolves an issue with the Remove Duplicate Messages script not working, works around a bug where libraries failed to appear in the Open Recent menu, and improves reporting of empty Apple Mail messages. ($40 new with a 20 percent discount for TidBITS members from C-Command Software or from the Mac App Store, free update, 18.3 MB, release notes, 10.6.8+)
In ExtraBITS this week, we now know the full scale of the 2012 Dropbox hack, the BitTorrent client Transmission has been infected with malware again, and Walt Mossberg evaluates Tim Cook’s run as Apple’s CEO.
Full Scale of Dropbox Hack Revealed -- File sharing service Dropbox is warning users who created accounts before 2012 to change their passwords, due to a breach that occurred that year. (If you’ve already changed your password, there’s no need to do so again willy-nilly.) Dropbox previously disclosed the attack, but the full scope of the breach has only recently become known: 5 GB of documents containing email addresses and hashed passwords for over 68 million users. If you used a high-quality password and didn’t reuse it on other sites, there is little cause for alarm, thanks to Dropbox’s strong password hashing, but you should change your password if prompted.
Transmission Infected with Malware… Again -- Back in March 2016, we reported that version 2.90 of the Transmission BitTorrent client had been hacked to include the KeRanger ransomware. Though Transmission’s developers acted quickly to solve that problem, it has happened again. For less than 24 hours between August 28th and 29th, the distribution copy of Transmission 2.92 was infected with the OSX/Keydnap malware, so if you downloaded Transmission during that time, your Mac might be infected. Transmission’s developers once again resolved the problem quickly and posted instructions for eliminating OSX/Keydnap from an infected Mac, but anyone contemplating using Transmission should keep this risk in mind. Note too that several studies have identified a significant percentage of BitTorrent downloads as containing malware — stick to the well-lit parts of the Internet if you’re concerned about safety.
Walt Mossberg Evaluates Tim Cook’s Apple -- Veteran tech journalist Walt Mossberg has taken a look at Apple under CEO Tim Cook, five years after Cook took the position. Overall, Mossberg praised Cook for guiding the company to new financial heights, refining its product lines, and retaining most of its senior talent. However, Mossberg deducts points for the fact that Apple under Cook has yet to introduce a game-changing product, though he admits that the Apple Watch might be that game-changer, saying that it took 3–4 years before the iPod took off. We’d also note that some of Apple’s biggest wins were actually low-hanging fruit — the iMac, iPod, iPhone, and MacBook Air all entered markets with radically inferior competition (the iPad didn’t have much to compete with in terms of tablets, but Steve Jobs set it against the entire netbook category). But there isn’t much easily reached fruit left in the consumer electronics world.