Last week’s Apple event in the new Steve Jobs Theater marked notable changes to the Apple ecosystem: cellular Apple Watches, 4K Apple TVs, new iPhone 8 models with wireless charging, and the upcoming iPhone X, which rethinks some of the iPhone’s fundamentals. We have full coverage of all the new gear. Last week also brought Mac users iTunes 12.7, the first release to remove major features, so we brought in iTunes expert Kirk McElhearn to explain what’s missing and how you can fill the void. Finally, Security Editor Rich Mogull chimes in on the Equifax breach and explains why there’s not much you can do about it. Notable software releases this week include iFlicks 2.4.8, BBEdit 11.6.8, Fission 2.4.1, ChronoSync 4.8, and SuperDuper 2.9.2.

Apple Product Announcements Inaugurate the Steve Jobs Theater

  by Michael E. Cohen: mcohen@tidbits.com, @lymond

On 12 September 2017, Apple inaugurated the stage of the new glass-wrapped, wood-trimmed, and leather-seated Steve Jobs Theater in the company’s equally new Apple Park headquarters with a series of product announcements and demonstrations.

Preamble -- Introduced to the strains of the Beatles’ “All You Need is Love,” the show began with a heartfelt tribute to Steve Jobs by his successor, Apple CEO Tim Cook. Then, riffing on the theme of love, Cook turned briefly to a matter of pressing current interest: disaster relief for the victims of the hurricanes that have afflicted Texas and Florida. In particular, Cook announced Apple’s participation in the Hand in Hand Hurricane Relief fund with a quick donation wizard and a plug for the televised Hand in Hand hurricane relief benefit concert.

Coming back to the new Apple Park, Cook recounted how the campus, which he characterized as Jobs’s last big creative project, converted a 175-acre “sea of asphalt” to a green space with over 9000 trees and a collection of eye-catching structures powered entirely by renewable energy. (Cupertino regulations required that it also have a minimum of 11,000 parking spaces, and two large parking structures and an underground garage provide spaces for 14,200 employees.) Cook tossed in a mention of Apple’s new focus on augmented reality (AR) by noting that the Apple Park would feature not only an Apple retail store but also a visitor center that employed an AR guide.

Even though the throngs of guests were by now hungering eagerly for the main course of product announcements, Cook further piqued their appetites by introducing Apple’s retail head, Angela Ahrendts, to discuss the future of the Apple stores. Over time, many of the stores are going to become “Apple Town Squares” (one would have thought “Round-Cornered Rectangles” would be more in keeping with Apple’s design sense) featuring “Genius Groves.” These new retail stores will be designed by the same team responsible for Apple Park as spaces for people (that is, Apple customers) to come together to share knowledge and experience. (Given the typical noise level present in most Apple retail stores these days, one does wonder how much sharing can go on in that clamoring cacophony.)

Then, at long last, the new product announcements that everyone had come to hear took the stage.

Just the Facts, Ma’am -- First up was Apple Watch: Apple touted both new models and new software, including the long-awaited appearance of cellular connectivity in the forthcoming Apple Watch Series 3. You can learn more in “Apple Watch Series 3 Goes Cellular” (12 September 2017), but here’s the most pertinent information: the Series 3 is available for pre-order now and ships on September 22nd with a starting price of $329 for non-cellular models and $399 for cellular models. Cellular plans will cost $10 per month. The Apple Watch Series 1 remains available at $249, but the Series 2 models are now pining for the fjords. watchOS 4, compatible with all Apple Watch models, becomes available for download on September 19th.

Next on the playbill was a new Apple TV. Known as the Apple TV 4K, the black box mostly features 4K capability. Josh Centers provides a closer look in his article, “Apple Finally Enters the 4K Realm, but It Will Cost You” (12 September 2017). Although Apple said nothing about when the tvOS 11 software that drives the new device would become available, we anticipate that it will arrive on September 19th. The Apple TV 4K is available now for pre-order, with delivery on September 22nd, for $179 (32 GB) and $199 (64 GB). The older 32 GB fourth-generation Apple TV remains available for $149.

Following the Apple TV came the act that all had come to see: the iPhones! Not one new model, not two, but three — the iPhone 8, the iPhone 8 Plus, and the premium iPhone X. Here’s when you can get your hands on them and how much money you’ll spend to do so:

For all the details, see Adam Engst’s “Apple Introduces iPhone 8, iPhone 8 Plus, and iPhone X” (12 September 2017).

What about iOS 11, the software that drives Apple’s latest creations? You’ll be able to download it for free for older compatible devices on September 19th, just like watchOS 4.

Oh, and finally, although Apple said nothing about it during the event, the company subsequently posted information on its Web site stating that macOS 10.13 High Sierra would make its debut on September 25th.

Apple Watch Series 3 Goes Cellular

  by Adam C. Engst: ace@tidbits.com, @adamengst, Julio Ojeda-Zapata: julio@ojezap.com

Apple Watch fans, the rumors were spot on: the new Apple Watch Series 3 will indeed have built-in cellular capabilities for standalone Internet connectivity without an iPhone nearby. Or rather, one model will; you can still get a Series 3 that’s limited to GPS connectivity when it’s away from its paired iPhone.

Other hardware changes in the Series 3 include a faster dual-core processor, a barometric altimeter to measure relative elevation, and a garish red dot on the cellular model’s digital crown — if you don’t like it, you can cover it up with WatchDots.

Software improvements are on tap as well. The new watchOS 4, due 19 September 2017, will bring with it an improved Heart Rate app and, for those with the cellular model of the Series 3, the option to stream the full Apple Music catalog right from your wrist — with no iPhone involved.

The capabilities of watchOS 4 have been well documented for the most part (see “watchOS 4 Focuses on Fun and Fundamentals,” 5 June 2017), but the new Heart Rate app is a surprise. Not only can it display your heart rate as a complication on the watch face, it can even warn you of an alarmingly high heart rate or the onset of atrial fibrillation (which we already knew it could do in theory, see “Apple Watch Can Detect Abnormal Heart Rhythms,” 12 May 2017).

More About Cellular -- It’s no shock that Apple built cellular access into the Apple Watch Series 3 given that competing smartwatch makers have been doing so for a while now.

The details of Apple’s implementation are technologically impressive, though. To start, Apple combined the Series 3’s LTE and UMTS cellular radio with a display that doubles as an antenna, along with an “eSIM” that is about one-hundredth the size of a standard SIM card. Apple says that the watch can be activated over the air on its own.

For convenience, the Series 3 will use the same phone number as its iPhone companion, but it won’t be free. AppleInsider reports that AT&T, T-Mobile, and Verizon will all be charging $10 per month for watch connectivity after a three-month trial. In all cases, the data used by the Apple Watch comes from the same bucket as its associated iPhone. AT&T notes that the Series 3 can receive iMessage messages, but not SMS text messages.

The implication of Apple’s demo was that anything the Apple Watch can do via Bluetooth and Wi-Fi while connected to its iPhone, it can do while untethered via cellular: phone calls, messaging, Siri, calendar notifications, and more. Apple demoed making a live phone call to an Apple employee who was on a standup paddleboard in the middle of a large body of water — she managed to have a coherent conversation that sounded remarkably good, all without falling.

Third-Gen Hardware -- The Series 3 watches boast a third-generation hardware architecture that includes that faster dual-core processor, which will allow for faster app launches and smoother graphics performance, both of which have been an issue for those with older models.

The new hardware allows for other enhancements. Siri can now speak, for instance, via a built-in speaker. And the Series 3 has an all-new W2 wireless chip to make Wi-Fi up to 85 percent speedier. Wi-Fi and Bluetooth power efficiency is 50 percent better, too. These hardware changes increase the Series 3’s size only marginally, making the back crystal slightly thicker.

That new barometric altimeter looks to come in handy for a wide variety of workouts, from running and bicycling to clambering up stairways. The sensor will register elevation gained and flights climbed during physical activity.

Despite the new cellular capabilities and new hardware, Apple claims to have maintained good battery life, promising up to 18 hours with mixed telecom uses, although a 1-hour phone call may drain it entirely. We’ll see how it performs in the real world, particularly in areas where cellular service is spotty, since searching for connectivity is notoriously power-draining.

The only non-obvious difference we’ve found between the cellular and GPS-only models is that the cellular models have 16 GB of storage, while the GPS-only models have only 8 GB.

Bands and Cases and Models, Oh My! -- Although Apple has lately focused the Apple Watch on fitness rather than fashion, the company continues to tweak its look. There’s a new ceramic gray finish in the $1299 Apple Watch Edition Series 3, and the stainless steel Apple Watch Hermès Series 3 ranges from $1149 to $1399.

For the rest of us, Apple has introduced a variety of new bands, and there are new colors for the Apple Watch Nike+ Series 3. It’s all quite dizzying.

That said, you can buy an Apple Watch Series 3 without cellular capabilities for $329, or one that has them for $399. The Apple Watch Series 2 is gone, but the Series 1 remains in the lineup for $249. It has a slower processor, dimmer screen, and no standalone GPS capabilities. You can place an order for a new Series 3 now, and it becomes generally available on 22 September 2017.

Overall, the Apple Watch Series 3 looks to be a solid upgrade in both the cellular and non-cellular models. We can imagine someone upgrading from a Series 1 or Series 2 to the cellular Series 3, but the other Series 3 changes don’t seem significant enough to warrant replacing an older Apple Watch. For new buyers, though, the Series 3 offers compelling enhancements over the Series 1, which stays in the lineup as a low-cost option.

One final interesting fact: Apple claims that the Apple Watch is now the number one watch in the world, selling more than all products from Rolex, which posted revenues of $4.7 billion in 2016. Apple Watch revenues may not match up to those of the iPhone in Apple’s product mix, but it’s clearly doing well enough.

Apple TV Finally Enters the 4K Realm, but It Will Cost You

  by Josh Centers: josh@tidbits.com, @jcenters

Years after being beaten to the punch by Amazon, Google, Roku, and every other company that makes a streaming TV box, Apple is finally releasing the Apple TV 4K. It became available for pre-order on 15 September 2017 and will ship on 22 September 2017. Pricing will be $179 for 32 GB and $199 for 64 GB.

The Apple TV 4K will output video at 2160p resolution, with Dolby Vision and HDR 10 — two competing standards for High Dynamic Range video. Outside of better quality video, don’t expect much in the way of improvements. The new A10X Fusion chip, Gigabit Ethernet port, simultaneous dual-band Wi-Fi, and Bluetooth 5.0 support are nice additions, but they’re not game-changing. Interestingly, Apple’s specs page doesn’t mention or show a USB-C port on the Apple TV 4K, which makes me wonder how developers are supposed to interact with it.

But wait, what about improvements to the Siri Remote (for some of the main complaints, see “Wrangling the Siri Remote,” 14 April 2016)? Don’t worry; Apple didn’t forget about it — the company’s crack industrial designers added a white circle around the Menu button!

Frankly, this hardware upgrade is a colossal disappointment. The fourth-generation Apple TV was already behind the curve when Apple launched it without 4K in 2015, and now that it has caught up with the competition, it’s still about $100 more expensive than comparable devices.

Don’t believe me? The Roku 4 sells for $79.99 — $100 less than the basic Apple TV 4K. Google’s Chromecast Ultra is $69. When the second-generation Amazon Fire TV was available, it was only about $90 (the third-generation model is reportedly on the way, which explains why you can’t buy the second-generation model). I think the Apple TV 4K will still be the best of the lot, but it’s hard to justify double the asking price (or more!) of the others.

The pricing of the Apple TV 4K is insulting. Apple is keeping the old fourth-generation Apple TV for sale, but it still costs $149 for 32 GB of storage. The Apple TV 4K starts at $179 for 32 GB, and you can opt for a 64 GB model for a whopping $199. Why anyone would invest in more Apple TV storage, I don’t know, and Apple has never adequately explained why it’s even an option.

Worse, 4K itself is largely a gimmick. You need an enormous screen that supports 4K to appreciate the higher resolution, although I’m sure the Apple TV’s interface elements will look much nicer all around in 4K. The larger story here is support for HDR, which I can attest makes a big difference, providing far more vibrant colors than traditional color on TV screens. But unfortunately, the HDMI ports of many televisions do not support an HDR signal. For instance, my 2015 Sony supports HDR, but only via Android apps that run on the TV itself. That’s because its HDMI ports are HDMI 2.0, not HDMI 2.0a, which is the minimum requirement to transmit an HDR signal (HDMI 2.1, of course, also supports HDR).

(The messiness of the HDMI specification is one reason why I wish Apple would make an actual TV set. I had to buy an HDMI-CEC–equipped television to test the fourth-generation Apple TV, and now I would have to buy yet another to try out HDR on an Apple TV 4K. Unfortunately, a lot of people will pay a premium for the Apple TV 4K and not see much benefit from it. But I digress.)

On the content front, the news is more interesting. Apple said that 4K movies would soon be available from the iTunes Store for the same price as HD movies and that the company will upgrade your existing HD iTunes movies to 4K HDR for no additional charge! In fact, it’s already happening ahead of the Apple TV 4K’s arrival — see “HDR Movies Now Available for 2017 iPad Pro Tablets” (16 September 2017). (Perhaps Hollywood studios are getting a cut of the Apple TV hardware sales?)

Apple announced a few new features coming to the TV app that hadn’t been mentioned before, specifically support for live sports and news. Sports will have its own tab inside the TV app, and the app can notify you if your favorite team is playing, or if the score is tight. You’ll also be able to see thumbnails of other games with scores and time remaining. Apple is launching the TV app in seven additional countries by the end of the year, including Canada and Australia later this month.

Apple said nothing about when it would release tvOS 11 to those with existing fourth-generation Apple TV units, but I’m betting that it will ship with the iOS 11 and watchOS 4 updates on 19 September 2017. For more on what is promising to be an underwhelming update, see “What’s Coming in tvOS 11” (15 June 2017).

And for those wondering, yes, Joe Kissell and I have agreed to update my “Take Control of Apple TV” book with the minor improvements coming in tvOS 11 sometime later this year. Thanks so much to everyone who has bought a copy over the years!

Apple Introduces iPhone 8, iPhone 8 Plus, and iPhone X

  by Adam C. Engst: ace@tidbits.com, @adamengst

At Apple’s special event on 12 September 2017, the company threw back the curtain on the latest iPhone models, the iPhone 8 and iPhone 8 Plus, which are logically next in line after last year’s iPhone 7 and iPhone 7 Plus, and the ground-breaking iPhone X. (That’s the same Roman numeral X as Apple used in Mac OS X, so it’s pronounced “iPhone 10.”)

iPhone 8 and 8 Plus -- Breaking with tradition, Apple jumped directly from the iPhone 7 to the iPhone 8, bypassing the expected iPhone 7s. That makes sense because the iPhone 8 boasts a new industrial design and a few major new hardware features — it’s more than an enhanced iPhone 7.

Apple has returned to a mostly glass case, claiming that it’s the most durable glass ever used in a smartphone. We won’t be putting that to the test, but the reason for the glass is that the iPhone 8 supports the Qi wireless charging standard (pronounced “chee”). Charging pads are available, and furniture retailer IKEA has even introduced tables with integrated wireless chargers. Apple said that next year it would release an AirPower charging mat that could charge an iPhone 8 or iPhone X, Apple Watch Series 3, and a set of AirPods with an optional new charging case. Lightning ports remain standard in the iPhone 8 so you can still plug in to charge.

The iPhone 8 and 8 Plus have reinforced steel innards and are sealed to provide water and dust resistance. The water resistance is IP67, the same as the iPhone 7. The physical sizes are nearly the same as the iPhone 7 and 7 Plus as well, varying only by 0.1 or 0.2 millimeters in various dimensions. Between the glass and the steel, however, the new models are slightly heavier, weighing in at 5.22 ounces (148 grams) and 7.13 ounces (202 grams), which are 10 and 14 grams heavier, respectively.

The screens on both the 4.7-inch iPhone 8 and 5.5-inch iPhone 8 Plus sport the same basic technical specs as the previous models as well. However, the new iPhone displays now support Apple’s True Tone technology, which changes the brightness and color of the display based on the ambient light. Apple claims that the new iPhones’ speakers are 25 percent louder than the iPhone 7 and boast deeper bass.

Much has been made of ARKit, Apple’s augmented reality technology in iOS 11 (“ARKit: Augmented Reality for More Than Gaming,” 28 July 2017). To provide the best possible experience for AR and other processor-hungry tasks, Apple has given the new iPhones a new chip, the A11 Bionic, with a neural engine. It also has an updated M11 motion coprocessor. Apple claims that the A11 Bionic is the most powerful chip ever in a smartphone, with a six-core CPU that can deliver up to 70 percent better performance than the A10. The iPhone 8 also includes Apple’s first-ever in-house GPU, which is 30 percent faster than the previous GPU and can deliver iPhone-7-level performance at half the power. There’s also a new image signal processor that provides faster autofocus in low light and better pixel processing, plus hardware-enabled noise reduction.

For better photos, video, and augmented reality, Apple also improved the cameras in the iPhone 8 and 8 Plus. The rear-facing camera in the iPhone 8 is still 12 megapixels, but it sports a new sensor that features deeper pixels, a new color filter, and optical image stabilization. It captures 83 percent more light and is more power efficient too. All that adds up to better color saturation, a wider dynamic range, and lower noise than the previous models. As we’ve noted previously, the camera captures photos in HEIF and JPEG (see “HEVC and HEIF Will Make Video and Photos More Efficient,” 30 June 2017).

In the iPhone 8 Plus, there are once again dual cameras, both at 12 megapixels. One has an f/1.8 aperture, and the other is f/2.8. Again, those are the same basic numbers as the iPhone 7 Plus, but with the new sensors. Portrait mode sticks around and has received some enhancements, but new (and in beta) is Portrait Lighting, which lets you change the lighting of your shot in real-time as you compose the shot. You can even tweak the lighting afterward. These features show that computational photography is where the photography world is going.

Video capture on the iPhone 8 and 8 Plus is also notably improved thanks to an Apple-designed video encoder. You can now shoot 4K video at 24, 30, or 60 frames per second, whereas the iPhone 7 could do only 24 fps. Slo-mo video supports 1080p resolution at 120 fps or 240 fps, again besting the iPhone 7, which could only provide 120 fps. Video is captured using HEVC and H.264.

In terms of other specs, the iPhone 8 is basically the same as the iPhone 7, with the exception of Bluetooth 5.0 instead of 4.2. Apple’s tech specs page also notes that the iPhone 8 supports “NFC with reader mode” whereas the iPhone 7’s page just said “NFC.” We don’t yet know if there’s a technical difference behind the wording change.

Both the iPhone 8 and 8 Plus are available in two capacities — 64 GB and 256 GB — and in three colors — gold, silver, and space gray. The 64 GB models of the iPhone 8 cost $699, and the 256 GB models cost $849. The iPhone 8 Plus models are $100 more, either $799 for 64 GB or $949 for 256 GB.

Both come with Lightning-based EarPods, a Lightning to USB cable, a 5 watt USB power adapter, and — still! — a Lightning to 3.5 mm headphone jack adapter if you want to use standard headphones. And, of course, they’ll run iOS 11.

They’re available for pre-orders now and will ship on 22 September 2017. You won’t have to wait that long for iOS 11, though, which will become available on 19 September 2017.

iPhone X -- After the announcement of the iPhone 8, Tim Cook returned to the stage for Apple’s classic One More Thing™ — the much-rumored iPhone X.

Although it shares a few industrial design features with the iPhone 8, such as the glass back that enables Qi wireless charging, the iPhone X boasts an edge-to-edge screen that fills almost the entire front face, dropping the iconic Home button entirely. Its metal edges are surgical-grade stainless steel, and it comes in just two colors: silver and space gray.

The iPhone X screen measures 5.8 inches diagonal, which means that it offers more screen real estate than the 5.5-inch iPhone 8 Plus screen, but by losing the bezel, the iPhone X is much closer in size to the iPhone 8 (thank goodness!). The iPhone 8 is 5.45 inches by 2.65 inches by 0.29 inches (138.4 x 67.3 x 7.3 mm) and weighs 5.22 ounces (148 g). But the iPhone X is just 5.65 inches by 2.79 inches by 0.30 inches (143.6 x 70.9 x 7.7 mm) and weighs 6.14 ounces (174 g). The extra size must have given Apple more room for the battery, since it’s supposed to last 2 hours longer than the iPhone 7 (and the iPhone 8 has the same battery life as the iPhone 7).

The iPhone X’s Super Retina display also has way more pixels — 2436-by-1125 at 458 pixels per inch — than any previous iPhone. In comparison, the iPhone 8 Plus is only 1920-by-1080 at 401 ppi. That means you’ll see quite a bit more detail on the iPhone X than you would on even Apple’s previous Plus models.

Some of these changes were made possible via the switch to OLED — organic light-emitting diode — technology. Historically, OLED screens have provided great contrast, high resolution, and minimal thickness due to not needing a backlight, but they have had trouble with brightness, wide color support, and color accuracy. Apple claims to have resolved these problems, so the iPhone X display supports high dynamic range video in both the Dolby Vision and HDR10 formats and offers a 1,000,000 to 1 contrast ratio. It also supports 3D Touch and True Tone.

But without a Home button, how do you wake an iPhone X? Raise to Wake still works, or you can just tap the screen. What about Siri? Press the iPhone X’s new side button, much like on an Apple Watch, or just use “Hey, Siri.” To unlock the iPhone X, you just swipe up from the bottom of the screen while looking at the iPhone X, and it uses Apple’s new Face ID technology to recognize your face, much like Touch ID did with your fingerprint in the past. Apple said nothing about whether the iPhone X could learn multiple faces as previous iPhones could learn multiple fingers, but entering a passcode remains an option for families who often share devices.

Face ID relies on both the A11 Bionic’s neural engine and what Apple calls the TrueDepth front-facing camera system — that notch on the top of the iPhone X — which includes a 7-megapixel camera, infrared camera, flood illuminator, and dot projector, along with the proximity sensor, ambient light sensor, speaker, and microphone. Face ID works in the dark, and although you train it quickly on initial setup, it continually adapts to your changing look, so it can handle glasses, hats, beards, and more, all without being fooled by photos.

It almost seemed as though Apple had read Rich Mogull’s “Preparing for a Possible Apple “Face ID” Technology” (18 August 2017) because the company noted that Touch ID has a 1 in 50,000 false positive rate, but Face ID should be more like 1 in 1,000,000. That said, Apple did admit that Face ID might not stop evil twins (whereas Touch ID would, since identical twins do not have identical fingerprints). Also, apps that work with Touch ID, like 1Password, will work with Face ID.

Swiping up from the bottom of the iPhone X screen works across the system for jumping back to the Home screen or (if you pause briefly) opening the app switcher. You can also swipe left and right on the bottom area to switch between apps. The main oddity is that you now get to Control Center by swiping down from the top-right corner of the screen (to the right of the notch). To access the Lock screen, which replaces the Notification Center in iOS 11, you now swipe down on the upper-left of the screen (to the left of the notch).

Apple uses the iPhone X’s facial recognition technology in a few other ways, including a demo of an upcoming version of Snapchat that could affix a virtual mask to your face in real time. And you can create “animoji” — a dozen different animated emoji characters whose faces mimic what you do with your face while recording in Messages. Technically impressive, but it brings new meaning to that long-ago option in Eudora: “Waste cycles drawing trendy 3D junk.”

The iPhone X sports a pair of cameras, much like the iPhone 8 Plus, but has slightly different specs. One has an f/1.8 aperture, but the other is f/2.4, as opposed to f/2.8 on the iPhone 8 Plus, and lets in 36 percent more light. It also sports optical stabilization (on both lenses) for better low-light photos and videos. Apple says its quad-LED True Tone flash delivers twice the uniformity of light.

As with the iPhone 8, the iPhone X will be available in two capacities — 64 GB for $999 and 256 GB for $1149. Interestingly, unlike the iPhone 8, you cannot buy a SIM-free iPhone X that can work with any carrier; you must select from AT&T, Sprint, T-Mobile, or Verizon when ordering from Apple. Besides cases, the iPhone X accessories are the same as the iPhone 8, including the headphone adapter. You can pre-order an iPhone X on 27 October 2017 with availability on 3 November 2017.

If you’re in the market for a new iPhone, the question is, do you wait another 6 weeks and pay an extra $300 for the bigger display, Face ID, and other improvements? It’s tempting, of course, but since a lot of new technology debuts in the iPhone X, it’s also possible that it will be plagued with problems, particularly at first. Apple has historically done a pretty good job of addressing problems that seem like hardware issues with iOS updates, but you could still suffer through a month or two of awkward usage if Face ID doesn’t work well for you, for instance.

All that said, I’m getting one.

You Can’t Protect Yourself from the Equifax Breach

  by Rich Mogull: rmogull@securosis.com

Earlier this month, news broke of a massive data breach at Equifax, one of the three major credit rating agencies. Equifax may have lost private information, including Social Security numbers, for up to 143 million U.S. consumers, which would be over half of the adult, bank-account-participating population of the country. Some information from British and Canadian citizens may also have been exposed. In Equifax’s own words:

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents.

Equifax subsequently botched its response and communications with consumers, including unclear legal clauses when you check your exposure, failing to provide specific information or an effective way to determine if you are affected, and even hosting its response Web site on a non-Equifax domain name using an incorrect digital certificate.

Ignoring all that, the real issue is that one of the companies “trusted” with determining our financial future based on deep records of personal information was breached… and due to the current nature of our financial system, we can’t effectively protect ourselves. Our best options offer only limited protection and come at a hefty cost, due in large part to lobbying by the credit rating agencies themselves.

As a cybersecurity advisor, I have worked with companies in all the nooks and crannies of the financial system. While most take their responsibility very seriously, they are still businesses filled with humans working with a hodgepodge of a system that has developed over decades, if not centuries. Mistakes will happen, and our system is poorly designed to protect consumers.

Here is how to understand your risk and best live with the exposure.

Nine Digits to Rule Them All -- Banking and credit have always been a history- and reputation-based industry. Financial institutions provide credit but need some level of assurance they will get their money back. For hundreds of years, this was managed through personal relationships. Over the past few decades, however, society decided to prioritize faceless transactions and frictionless credit. Financial institutions no longer have direct relationships with their customers, and in many cases have never even met their customers. To manage their risk, these institutions started to rely on credit ratings developed by private companies dedicated to collecting and analyzing our financial histories.

Thus the emergence of credit rating agencies (CRAs) like Equifax, Experian, and TransUnion. These companies collect everything from public records to your credit card payment history and use that information to determine those all-powerful credit scores. Credit scores are merely a single numeric risk rating that financial institutions can use to decide what type of credit to extend to you — from mortgages to credit cards — and for how much.

Since names aren’t unique, the CRAs rely heavily on Social Security numbers (SSNs) as the unique identifier for individuals, sometimes in combination with full name and date of birth. The problem is that our system treats an SSN as a secret key to our financial records, but an SSN is merely a nine-digit number that is most definitely not encrypted.

SSNs are nearly impossible to change, are prone to errors, and clearly cannot be kept secret. Some bad guys first stole mine from a database at the student healthcare clinic where I went to college, and then it was exposed again (probably to China, based on public reports) during the big breach of the Office of Personnel Management (OPM) in the U.S. federal government.

In each of these cases, I was offered a year of free credit monitoring, just as Equifax has done in this latest breach. However, the free credit monitoring lasts only for a year, yet the bad guys can use my SSN for the rest of my life.

That’s the real issue here. Once your SSN has been exposed, you can never be assured it will be secret or safe ever again. Data like your SSN and date of birth won’t change, even after your death. Credit monitoring will only alert you to some kinds of new account fraud, essentially throwing a notification when someone creates a new account that is reported to a CRA. Those alerts won’t necessarily notice when utilities or other services create accounts that also rely on your SSN.

Even if you can protect your financial records, loss of your SSN and other personal information could expose nearly any kind of account you have, not just financial accounts!

Think of all the situations where something is “protected” with the last four digits of your SSN or a credit card. Breaches of a credit agency like this expose the master key to recover or access more than a few of your accounts.

Once you’re exposed, you’re exposed for life, not just for the year of free credit monitoring. At least until the system changes.

Your Best Financial Defense -- Although you can get, by law, a free copy of your credit report every year from each agency, doing so doesn’t offer much protection. You would need to be diligent about checking annually and then go through the process of cleaning up any new account fraud that occurs. (“Hey Siri, remind me to check my credit report every year.”) Doing so can be a difficult process since the system is built to protect the financial institutions, and CRAs are historically reluctant to respond to consumer issues. Remember, the CRAs’ customers are banks, not you. You’re the product.

The first step is to make things harder for a criminal to create new accounts in your name. There are two tools to do this, fraud alerts and credit freezes, but only one actually works. You can find information, phone numbers, and links on the U.S. Federal Trade Commission’s Identity Theft Web site.

A fraud alert places a flag on your account for 90 days. During that time a business needs to verify your identity before it can create a new account in your name. There used to be companies that could automatically renew your 90-day alerts for you, but the credit agencies sued them out of existence, which was a travesty. So, if you want an indefinite fraud alert, you need to repeat the process yourself every time it expires.

Another option is a credit freeze, which locks your account completely. The CRAs may charge for this service, and you will have to enter a PIN code to unlock your account. A credit freeze prevents all access to your account, including credit checks, and thus may have unintended consequences (for example, background checks for employment). It’s your best option for long-term security and doesn’t expire, but it isn’t ideal.

There is one more option, an extended fraud alert that lasts for 7 years but is generally available — thanks to federal law! — only if you have already been a victim of identity theft.

These techniques can help, a bit, but at a cost. Worse, they do nothing to protect non-financial accounts secured with your private information.

Living with Long-term Risk -- Until the system changes, there isn’t much you can do beyond a credit freeze, and that comes with some negatives, especially if you need to apply for credit or a job. Perhaps this incident will spur some legislative changes. The odds are high that more than a few politicians are also now exposed, and self-interest is a powerful motivator.

We normal consumers must be hyper-aware of when our SSNs are used as a security control. Does your healthcare provider use your SSN to decide when to release medical data? Does your school system use it to release transcripts? Does your bank use it as an account recovery passcode?

In my experience, most of these organizations, even if they use the infamous “last four digits,” also offer alternative PIN or verification options. Try to use those alternatives whenever possible, or at least understand and accept your risk.

The average person isn’t necessarily at risk of having someone impersonate them to get medical records, but there are plenty of occupations and situations where that might be a concern, including politicians, journalists, and anyone in a divorce or child custody fight.

I first learned to live with this risk personally thanks to the OPM breach that exposed more than just my SSN. The real lesson came as part of a second breach, which revealed a wealth of personal history that I had submitted as part of a standard security form. It included every place I have ever lived, every country I had visited in the preceding 7 years, and the personal information of all my immediate family members.

Knowing this information is out there is… disconcerting. There’s no way for me to know who has it now: likely some Chinese intelligence agency or underground criminal information exchange. It’s not an everyday source of stress, but more of a low-level buzzing in the back of my head.

I have to assume anyone who really wanted to could get my SSN and possibly a bunch of other private information. So I do my best to protect myself and my family by enabling multi-factor authentication on accounts whenever possible, creating account recovery questions that are pseudo-passwords, and changing PIN codes so they aren’t the last four digits of my SSN.

I write this as a so-called security expert who makes my living in this industry, and I know I still have plenty of vulnerable accounts and financial risk. Practically speaking, the vast majority of consumers, or even TidBITS readers, don’t have the time, knowledge, or security diligence to protect themselves indefinitely.

Since Equifax is one of the primary sources of credit reports and knows exactly how fraud occurs and how our information is used, it is unconscionable that the company offers only a year of free credit protection to the people it has harmed through its negligence. It’s equally offensive that Equifax continues to prevent the use of tools like persistent fraud alerts that could help reduce our risk.

As much as I hate to end on a sour note, the reality is that, until the system changes, until our financial lives are governed by something stronger than some short strings of plain text that never change, we have to keep our guard up and hope for the best. And hope is never part of security best practices.

iTunes 12.7 Giveth, but Mostly It Taketh Apps and Ringtones Away

  by Kirk McElhearn: kirk@mcelhearn.com

As autumn arrives in the Northern Hemisphere, we welcome some familiar things: the leaves change color, the weather turns cooler, and iTunes gets an update. Apple hasn’t always changed iTunes at this time of year, but the last three major versions — 10, 11, and 12 — have coincided with the release of a new iPhone in September.

This week, Apple released iTunes 12.7. It requires OS X 10.10.5 Yosemite or later and is a free download from the Apple Web site or via Software Update. Although it’s not a major number update, it’s notable for losing more features than it gains.

iTunes users have long accused the app of being bloated, though I strongly disagree with this view. (See “Is iTunes Bloated?” (27 September 2010) and a 2015 update to that article on my Web site.) Bloat is in the eye of the beholder. It’s simple to hide iTunes features you don’t use, and if more people did that they would be less annoyed by iTunes.

In any case, this is the first time that Apple has addressed what one might call a surfeit of features in iTunes. But the company may have gone too far, as evidenced by the dialog below. The most significant changes apply to iOS apps, but iTunes U, ringtones, and Internet radio are also affected. Let’s look at those first, and then double back to apps.

A New Building for iTunes U -- Apple launched iTunes U in 2012 as part of a broader strategy for providing tools for the education market (see “Apple Goes Back to School with iBooks 2, iBooks Author, and iTunes U,” 19 January 2012). iTunes U offers course material, some of it from major universities around the world, in the form of audio and video lectures, sometimes in conjunction with ebooks, PDFs, and other media.

Within iTunes, iTunes U was just another media kind in the Media Picker above the iTunes sidebar. As such, it was low-hanging fruit in Apple’s quest to streamline iTunes, and it’s no longer available there.

However, there are actually two types of iTunes U content: collections and public courses, and they’ve moved to different places.

Apple says that iTunes U collections move into the Podcasts category in both iTunes and the iTunes Store; they’re also available in the iOS Podcasts app. Educators who use iTunes U collections may find this change confusing, but as long as they provide the appropriate links to their students and follow Apple’s instructions, it shouldn’t be a problem.

In contrast, Apple notes that iTunes U public courses (it’s unclear how to tell the difference) now appear only in the iTunes U app in iOS.

Watch That Tone -- Another casualty in Apple’s war on iTunes feature bloat is ringtones. Since the advent of the iPhone in 2007, iTunes has served as a repository for ringtones. Since that time, Apple has sold ringtones, which proved an extremely lucrative market for snippets of music, but iTunes also allowed you to add custom ringtones, even those you created yourself. Starting in 2011, Apple also offered this option for the alert tones that play when you receive notifications on your iOS device.

iTunes 12.7 removes the Tones library. You can no longer store ringtones and alert tones in iTunes, nor can you sync them automatically to your iOS device. There is still a way to move them to your device; I’ll get to that in a minute.

You haven’t been able to buy tones from the iTunes Store on the Mac for some time. To purchase tones, you must go through the iOS Settings app. Go to Settings > Sounds (or Sounds & Haptics), and tap a tone, such as Ringtone. Then, under Store, tap Tones (iOS 10) or Tone Store (iOS 11).

One Small Step for Internet Radio -- Internet radio — real-world radio stations streaming over the Internet, not to be confused with Apple Music Radio — has been around for a long time.

In iTunes 12.7, Apple has moved the Internet Radio option from the Media Picker to the sidebar, which probably streamlines access. Tomato, tomahto.

Bulldozing the iOS App Store -- The above changes pale in comparison to Apple’s removal of the iOS App Store from iTunes 12.7. You can no longer download or purchase iOS apps from iTunes on your Mac; you can no longer manage a library of apps on your Mac; and — most problematic — you can no longer sync apps from your Mac to your iPhone or iPad.

I would wager that most iOS users don’t use iTunes for anything related to iOS — not even for backups. It’s not like in the early days of the iPhone when iTunes was necessary for activation and updating iOS. Even so, this change is problematic for users who rely on their apps being available locally.

Take, for example, a family with four iOS devices. One person may manage all the devices from a Mac, downloading apps to iTunes and syncing them to the devices. This approach is especially useful in areas where Internet access is slow or has a data cap.

Some people store large iOS apps on a Mac to keep them handy for syncing to an iOS device, but without having them consume space on the iOS device at all times. An example would be a game you play only occasionally. (If this is you, check out a new iOS 11 feature, in Settings > iTunes & App Stores, that lets iOS offload apps while retaining their settings and data. This feature won’t solve the problem of limited bandwidth or the annoyance of waiting for a download, but it will help some users.)

But there is another more serious consequence. Have you ever had to restore your iPhone or iPad from scratch? Some problems do require a full wipe and restore. If this happens to you, and you have backed up to iTunes, you can restore much of the device’s content from this iTunes backup, potentially saving hours of downloading time over an iCloud backup.

With iTunes 12.7, even if you’ve made an iTunes backup, the process is guaranteed to take much longer than before, likely hours instead of minutes, because each app will have to download anew. A couple of years ago, I had only about 2 Mbps download bandwidth, and if I needed to restore all the apps on my iPhone from iCloud, I had to run it overnight.

Another problem with removing iOS apps affects app developers and how people like to download new apps. Imagine that you see an article about an iOS app on a site like TidBITS on your Mac and click a link to load the developer’s Web site, where you read more about the app and decide to buy it. This everyday action happens so often that Apple has provided developers with “Download on the App Store” buttons. Previously, if you clicked one of these buttons, iTunes would launch, and if you clicked Get or Buy, you’d download the app to your Mac, after which you could sync the app to your iOS device or have it automatically download there as well.

This is no longer the case. Now those Web buttons redirect to iTunes, which sends you to a Web page showing information about the app; it’s the same information you would see on the App Store, just formatted differently. But you can’t purchase the app. You’ll have to copy and paste the page’s URL to your iOS device in some fashion and tap it there to load the app in the App Store.

Apple’s decision to remove the iOS App Store from iTunes is perplexing. On the one hand, it would make sense to remove app syncing from iTunes if Apple were to remove all syncing and create a separate app to sync content — it could be called iSync. But Apple didn’t do that. And while I’m sure only a small percentage of people sync anything from iTunes anymore, this change is painful for those who do sync apps. (A small percentage of a billion users is still a lot of people.)

Removing the ability to purchase apps from iTunes on a computer is even more confusing because it cuts out an important way that many developers send customers to the App Store and will make these developers unhappy. Perhaps Apple’s long-term intention is to move iOS apps into the Mac App Store, which could allow Mac users to purchase iOS apps even if they cannot download them locally. But if this is the case, why didn’t Apple do so immediately?

Sync Workarounds -- While you cannot automatically sync apps or tones from iTunes to an iOS device, there is a workaround. When you connect an iOS device to iTunes, click it in the iTunes navigation bar and then look in the sidebar for the On My Device section. You can copy an app or tone from a folder on your Mac to your device by dragging it to that section.

So, you can still create custom ringtones and alert tones, but you must use this kludge to copy them to your device. In fact, you can also use this trick to copy apps to your device! Unfortunately, since you can’t download new apps or updates to existing apps to your computer anymore, this workaround won’t be useful for long. (See Apple’s tech note for more information.)

Note that your apps will still be on your Mac, even if you don’t see them in iTunes. To see them, go to the ~/Music/iTunes/iTunes Media/Mobile Applications folder in your home folder. You can delete this folder, if you plan to download apps to your iOS devices in the future, or leave the folder there if you want to copy any apps to your iPhone or iPad manually. The folder might be pretty big, so deleting it could give you back a fair amount of drive space.

New Apple Music Feature -- Despite removing all these longstanding capabilities, iTunes 12.7 does introduce one major new Apple Music feature. In iOS 11 and macOS 10.13 High Sierra, you can share what you listen to on Apple Music with your friends, and see what they’ve been listening to, starting via a prompt on the For You screen.

This feature is partly controlled by a new checkbox on the iTunes General preference pane called Use Listening History.

It’s a little unclear how this social sharing of music will work, but once iOS 11 and iTunes 12.7 are more widely installed, it should become more obvious.

Summing Up -- In the end, Apple has made a big mistake in removing the App Store from iTunes 12.7. Apple seems to think that everyone has unlimited high-speed broadband; not only is this not the case across many parts of the United States, particularly in rural areas, but in many countries “broadband” doesn’t exist. Even in developed countries, users may have usage caps on their Internet service or be charged exorbitant overage fees.

Further, this move strikes me as being bad for developers, despite Apple’s constant claims of support. I have no way of knowing what percentage of apps are purchased through iTunes on the Mac, but it’s non-zero — TidBITS publisher Adam Engst said that he finds and buys iOS apps exclusively on his Mac. Anecdotally, I’ve heard from a lot of people who prefer finding iOS apps via Google searches or browsing the App Store on a Mac rather than on an iPhone’s tiny screen. So removing the App Store from iTunes will hurt both the Mac user experience and developer revenues.

But for better or worse, this is where we are today. iTunes 12.7, as Apple says in its release notes, “focuses on music, movies, TV shows, and audiobooks.” That may be true, but the loss of local syncing options for iTunes-related content has thoroughly confused matters.

I think the best solution for users and developers alike would be for Apple to update the App Store app on the Mac to allow browsing and purchasing of iOS apps as well as Mac apps. Then Apple could move the syncing capabilities of iTunes into a standalone iSync app that would let those without high-speed Internet access manage their iOS devices from a Mac.

TidBITS Watchlist: Notable Software Updates for 18 September 2017

  by TidBITS Staff: editors@tidbits.com

iFlicks 2.4.8 -- Jendrik Bertram has issued iFlicks 2.4.8, a maintenance release that brings fixes and improvements to the video encoding and metadata management app. The update adds a rule action to remove all chapters, enables you to use “Where from” metadata in rules, improves handling of iTunes errors, fixes a bug in handling some special characters when used with rule actions, resolves a potential overflow in aspect ratio calculations, and improves support for some 3D videos. ($34.99 new from the Mac App Store, free update, 17.1 MB, release notes, 10.10+)

BBEdit 11.6.8 -- Bare Bones Software has issued BBEdit 11.6.8, a quick maintenance release for the long-standing text editor. The update addresses an issue that caused incorrect warnings about modification date changes when saving changes to existing documents on APFS volumes. It also fixes a bug where the Capitalize Lines change case operation would behave strangely, resolves a problem where the default browser preview command on the Markup menu wasn’t correctly populated, and fixes a bug where clicking on a file-relative link in a live preview window would fail. ($49.99, free update, 14.0 MB, release notes, 10.9.5+)

Fission 2.4.1 -- Rogue Amoeba has released Fission 2.4 with a major update to address changes to how iTunes 12.7 deals with ringtones (see “iTunes 12.7 Giveth, but Mostly It Taketh Apps and Ringtones Away,” 15 September 2017). Because the Save as iPhone Ringtone option in previous versions of Fission can no longer pass custom tones to iTunes 12.7, Rogue Amoeba updated Fission’s ringtone saving capabilities (see this Rogue Amoeba blog post and step-by-step guide for details). The app also improves compatibility with APFS and makes several fixes to avoid crashes when resampling audio.

Shortly after this release, Rogue Amoeba issued version 2.4.1 to fix a critical bug that could cause attempts to save split clips to fail. ($29 new from Rogue Amoeba with a 20 percent discount for TidBITS members, also available from Mac App Store, free update, 10.6 MB, release notes, 10.10+)

ChronoSync 4.8 -- Econ Technologies has released ChronoSync 4.8 with over 50 enhancements focused on simpler scheduling, a simpler user interface, and speed improvements. The synchronization and backup app introduces Creation Assistants, which guide you through the process of setting up a variety of backup schemes, as well as Modifier Assistants that help you make bulk modifications to previously created tasks. The update also improves support for APFS-formatted drives, adding the capability to identify them, determine the partitioning scheme, and mount encrypted APFS volumes.

ChronoSync 4.8 improves Scheduler efficiency by reworking algorithms that calculate next item run date; introduces a file validation feature that performs a byte-for-byte comparison of file contents and metadata; adds support for cut, copy, and paste operations on Rules; and improves Document and Window Close behavior. ChronoSync now requires OS X 10.10 Yosemite or later. (Free update, $49.99 new for ChronoSync with a 20 percent discount for TidBITS members, 48.4 MB, release notes, 10.10+)

SuperDuper 2.9.2 -- Shirt Pocket released SuperDuper 2.9.2, ensuring compatibility for the Mac OS Extended (HFS+) drive format in macOS 10.13 High Sierra (see “Important High Sierra Changes for IT Admins,” 11 September 2017). Shirt Pocket is continuing to work on its APFS support but decided it was not fully ready for this release of SuperDuper (which suggests that SuperDuper users whose Macs have SSDs that will be converted to APFS might want to hold off on High Sierra). The drive-cloning and backup app also works around a “Could not enable permissions” problem caused by corrupt database files, improves the schedule day display handling for non-English languages, adds a Little Snitch “Internet access policy” file, and ignores the “Operation not permitted” errors caused by the tightened System Integrity Protection (SIP) in High Sierra. (Free for basic functionality, $27.95 for additional features, free update, 2.9 MB, 10.8+)

ExtraBITS for 18 September 2017

  by TidBITS Staff: editors@tidbits.com

In ExtraBITS this week, macOS 10.13 High Sierra won’t support APFS on Fusion Drives at first, Apple has banned fraudulent “virus scanners” from the iOS App Store, you can now watch HDR iTunes movies on 2017 iPad Pro models, and, speaking of the iPad Pro, Apple has quietly raised the price of many of its configurations.

Initial High Sierra Release Won’t Support APFS for Fusion Drives -- If you converted a Fusion Drive to APFS during the macOS 10.13 High Sierra beta, we have some bad news: the initial release version of High Sierra that Apple plans to ship on 25 September 2017 will not officially support it. This unexpected announcement presumably comes due to problems discovered during the beta that the company hasn’t yet addressed. Apple recommends that you back up the Fusion Drive, reformat it using Mac OS Extended (HFS+), and restore it from backup. The support document implies that Apple will support APFS-formatted Fusion Drives in a later release of High Sierra.

New iOS App Store Guidelines Ban “Virus Scanners” -- Apple’s updated App Store rules now explicitly ban scam apps that claim to remove viruses or malware from your iOS device, in large part because sandboxing ensures that there’s no way they could do what they promise. Another new guideline requires developers to offer an alternative to Face ID authentication for users under the age of 13, and Apple says ARKit-driven augmented reality apps must be “rich experiences,” not just one-trick ponies. Apple’s goal in updating these policies is to keep iOS app quality high — or at least above some reasonable level.

HDR Movies Now Available for 2017 iPad Pro Tablets -- With the Apple TV 4K coming, Apple has promised 4K and HDR upgrades to existing iTunes movies at no additional charge. We’re already seeing that on 2017 iPad Pro tablets running iOS 11 — the key is that the latest 10.5-inch and 12.9-inch iPad Pros have HDR-capable displays. Check Settings > TV > iTunes Videos and make sure the Download HDR Videos switch is enabled. Then, in the TV app, on the Library screen, tap a movie to see its listing; you’ll see 4K and HDR badges if Apple has updated the film. The Verge reports that these files on the iPad are 1080p and not 4K, but they do support HDR. Regardless, they look great.

Apple Quietly Raises iPad Pro Prices -- Apple has quietly raised the prices of the 256 GB and 512 GB iPad Pro tablets by $50. This applies to both the Wi-Fi and Wi-Fi+Cellular models, but the 64 GB models are unaffected. Some have speculated that the price hike is due to increased flash storage costs, but without an official statement from Apple, it’s impossible to say for sure.

This is TidBITS, a free weekly technology newsletter providing timely news, insightful analysis, and in-depth reviews to the Apple Internet community. Feel free to forward to friends; better still, please ask them to subscribe!

Non-profit, non-commercial publications and Web sites may reprint or link to articles if full credit is given. Others please contact us. We do not guarantee accuracy of articles. Caveat lector. Publication, product, and company names may be registered trademarks of their companies. TidBITS ISSN 1090-7017.

Copyright 2017 TidBITS Publishing Inc. Reuse governed by this Creative Commons License.
TidBITS Publishing: 50 Hickory Road, Ithaca, NY 14850, USA 607-216-8248