Feed aggregator

My Workout: Ryan Seacrest Is Just One Man, He Can Only Do So Much in This Life

NY Times - Tue, 2018-06-12 11:30
“I’m only working to eat well and drink wine.”

Trump's optimistic news conference after meeting with Kim Jong Un, annotated

Washington Post - Tue, 2018-06-12 11:30
"Real change is indeed possible,” the president said.

Trump again scolds Trudeau, says his criticism will cost Canada ‘a lot of money’

Washington Post - Tue, 2018-06-12 11:30
Trump said the Canadian prime minister “learned” not to speak critically of him because he was watching on television aboard Air Force One.

Trump and Kim joint statement from the Singapore summit

Washington Post - Tue, 2018-06-12 11:30
The White House released a joint statement from President Trump and North Korea's Kim Jong Un after Monday's summit in Singapore.

Trump says he trusts North Korean dictator, but vague promises mirror past agreements

CNN - Tue, 2018-06-12 11:13
Singapore was crackling with anticipation for the historic moment US President Donald Trump meets Kim Jong Un, the first time ever for a US president and a North Korean leader.

6 Highlights From Trump’s News Conference, With a Full Transcript

NY Times - Tue, 2018-06-12 11:11
Speaking in Singapore after meeting with Kim Jong-un of North Korea, President Trump answered questions about Otto Warmbier, war games and the video his team made for Mr. Kim.

Third-Party macOS Security Tools Vulnerable to Malware Code-Signing Bypasses for Years

MacRumors - Tue, 2018-06-12 11:10
Hackers have had an "easy way" to get certain malware past signature checks in third-party security tools since Apple's OS X Leopard operating system in 2007, according to a detailed new report today by Ars Technica. Researchers discovered that attackers could essentially trick the security tools -- designed to sniff out suspiciously signed software -- into treating malware as officially signed by Apple while it in fact carried malicious code.

The researchers said that the signature bypassing method is so "easy" and "trivial" that pretty much any hacker who discovered it could pass off malicious code as an app that appeared to be signed by Apple. These digital signatures are core security functions that let users know the app in question was signed with the private key of a trusted party, like Apple does with its first-party apps.

Joshua Pitts, senior penetration testing engineer for security firm Okta, said he discovered the technique in February and informed Apple and the third-party developers about it soon after. Okta today also published information about the bypass, including a detailed disclosure timeline that began on February 22 with a report submitted to Apple and continues to today's public disclosure.

Ars Technica broke down how the method was used and which third-party tools are affected:
The technique worked using a binary format, alternatively known as a Fat or Universal file, that contained several files that were written for different CPUs used in Macs over the years, such as i386, x86_64, or PPC. Only the first so-called Mach-O file in the bundle had to be signed by Apple. At least eight third-party tools would show other non-signed executable code included in the same bundle as being signed by Apple, too.

Affected third-party tools included VirusTotal, Google Santa, Facebook OSQuery, the Little Snitch Firewall, Yelp, OSXCollector, Carbon Black’s Cb Response, and several tools from Objective-See. Many companies and individuals rely on some of the tools to help implement whitelisting processes that permit only approved applications to be installed on a computer, while forbidding all others. Developer Patrick Wardle spoke on the topic, explaining that the bypass was due to ambiguous documentation and comments provided by Apple regarding the use of publicly available programming interfaces that make digital signature checks function: "To be clear, this is not a vulnerability or bug in Apple's code... basically just unclear/confusing documentation that led to people using their API incorrectly." It's also not an issue exclusive to Apple and macOS third-party security tools, as Wardle pointed out: "If a hacker wants to bypass your tool and targets it directly, they will win."

For its part, Apple was said to have stated on March 20 that it did not see the bypass as a security issue that needed to be directly addressed. On March 29, the company updated its documentation to be more clear on the matter, stating that "third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result."
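The check Apple's updated documentation asks for, as an added Python example (not code from the Ars report, Okta, or Apple): it walks every arch slice of a fat/universal header and contrasts the first-slice shortcut with a whole-binary check that requires all slices to carry the same identity. The per-slice signer callback and the sample binary are stubs constructed here; a real tool would call the code-signing APIs for each slice.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                      # fat/universal header is always big-endian
MACHO_MAGICS = {0xFEEDFACE: "macho32", 0xFEEDFACF: "macho64"}
CPU_TYPE_POWERPC, CPU_TYPE_X86_64 = 0x12, 0x01000007

def parse_fat_slices(data: bytes):
    """Enumerate every arch slice as (cputype, offset, size, kind), bounds-checked."""
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        raise ValueError("not a fat/universal binary")
    nfat = struct.unpack(">I", data[4:8])[0]
    slices = []
    for i in range(nfat):
        base = 8 + i * 20                   # each fat_arch entry is 20 bytes
        if base + 20 > len(data):
            raise ValueError("truncated fat_arch table")
        cputype, _sub, off, size, _align = struct.unpack(">IIIII", data[base:base + 20])
        if size < 4 or off + size > len(data):
            raise ValueError(f"slice {i} lies outside the file")
        # Mach-O headers use the slice's own byte order, so accept either reading
        le = struct.unpack("<I", data[off:off + 4])[0]
        be = struct.unpack(">I", data[off:off + 4])[0]
        kind = MACHO_MAGICS.get(le) or MACHO_MAGICS.get(be) or "unknown"
        slices.append((cputype, off, size, kind))
    return slices

def first_slice_only(data, signer_of_slice):
    """The shortcut the report describes: judge the whole file by slice 0 alone."""
    _, off, size, _ = parse_fat_slices(data)[0]
    return signer_of_slice(data[off:off + size])

def verify_universal(data, signer_of_slice):
    """Apple's guidance: every slice must report the same identity.
    Returns that identity, or None if any slice is unsigned or differs."""
    ids = [signer_of_slice(data[off:off + size]) for _, off, size, _ in parse_fat_slices(data)]
    return ids[0] if ids and None not in ids and len(set(ids)) == 1 else None

# --- constructed sample (hypothetical), not a real Apple-signed binary ---
def stub_signer(slice_bytes):
    """Stand-in for a real per-slice signature verifier (assumption)."""
    return "Apple" if b"SIGNED:APPLE" in slice_bytes else None

def build_sample():
    """Fat binary: a PPC slice tagged as signed, followed by an untagged x86_64 slice."""
    s0 = struct.pack(">I", 0xFEEDFACE) + b"SIGNED:APPLE" + b"\x00" * 16   # 32 bytes
    s1 = struct.pack("<I", 0xFEEDFACF) + b"UNSIGNED" + b"\x00" * 20       # 32 bytes
    off0 = 8 + 2 * 20
    archs = struct.pack(">IIIII", CPU_TYPE_POWERPC, 0, off0, len(s0), 0)
    archs += struct.pack(">IIIII", CPU_TYPE_X86_64, 3, off0 + len(s0), len(s1), 0)
    return struct.pack(">II", FAT_MAGIC, 2) + archs + s0 + s1
```

Run against `build_sample()`, `first_slice_only` reports "Apple" while `verify_universal` returns None, because the second slice carries no identity.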

Tag: security

Ars on your lunch break: the ins and outs of genomics, 30 minutes at a time

Ars - Tue, 2018-06-12 11:01

3d render of DNA spirals. (credit: Image courtesy of NIST)

Today we’re launching something of an experiment, connecting a podcast to the written pages here at Ars. For at least a few weeks, we’ll be running episodes of my tech- and science-heavy podcast in installments near the typical US lunch hour. To keep lunch from going long, we've got the episodes chopped up into 30-ish minute segments. Opening installments will go up on Tuesdays, then we’ll keep posting daily until the episode is complete (typically two to four days). If you prefer to read rather than listen, we've got transcripts available.

Your host will be me, Rob Reid—a long-time entrepreneur who now podcasts and writes science fiction. The name of both my podcast and my most recent novel is After On. The podcast consists of deep-dive interviews with world-class thinkers, founders, and scientists. My guests have included Rodney Brooks, the father of the Roomba and countless other robots; UCSF neuroscientist Adam Gazzaley, whose clinical video games fight ADHD and dementia and have been featured on the cover of Nature; and the ever-controversial Sam Harris, going deep into his personal history and opening up about terrorism.

I talk about my podcast’s approach in the introduction to today’s segment, and I won’t repeat myself here. Instead I’ll give you a quick preview of today’s installment: it features the legendary bioengineer and genomicist George Church, whose Harvard lab is one of the most celebrated fonts of innovation in the world of life science. As I say in the podcast, George was one of the earliest drivers behind the Human Genome Project. He’s also one of the most prominent co-inventors of the gene editing technology known as CRISPR, and he has co-founded 22 life-science companies (yes, really).


The summit resulted in no new nuclear concessions from North Korea and didn't address human rights

CNN - Tue, 2018-06-12 10:54
Kim Jong Un couldn't have scripted his Singapore sojourn any better himself. As he toured the streets on a night-time walkabout and posed for selfies with the Singaporean foreign minister, he was treated more like a rock star than a pariah autocrat.

The Artwork Was Rejected. Then Banksy Put His Name to It.

NY Times - Tue, 2018-06-12 10:53
The Royal Academy in London turned down a work by “Bryan S. Gaakman” for an exhibition, then asked Banksy — who had made it — if he had a submission.

The interpreters: The two really important people at the summit

CNN - Tue, 2018-06-12 10:53
When President Trump and North Korean leader Kim Jong Un held their historic talks Tuesday in a Singapore hotel, they weren't in the room alone. Someone had to interpret for them.

Republican senators move to block Trump’s deal to revive ZTE

Ars - Tue, 2018-06-12 10:44

Arkansas Republican Sen. Tom Cotton is a leading opponent of Trump's ZTE deal. (credit: Pete Marovich/Getty Images)

Last week the Trump administration announced a deal to lift a ban on US companies exporting technology to Chinese smartphone maker ZTE. ZTE has been largely shut down since the ban was announced last month, because the company depends heavily on Qualcomm chips, Google's software, and other US-made components.

But now a bipartisan group of US senators is seeking to reverse Trump's decision and re-impose the export ban. The Wall Street Journal reports that the legislators have reached a deal to attach a ZTE export ban to the National Defense Authorization Act, a "must-pass" bill that authorizes funding for the military.

Supporters of the amendment include Democratic minority leader Chuck Schumer and at least two Republican Senators—Sen Tom Cotton (R-Ark.) and Sen. Marco Rubio (R-Fla.). In the closely divided Senate, just a handful of Republican defections can be enough to give critics of President Trump a majority.


A Thai Chef Heads Home for a Challenge

NY Times - Tue, 2018-06-12 10:42
Having made her name in San Francisco, Pim Techamuanvivit is taking charge of Nahm, a Bangkok restaurant famed for its fine dining.

Restaurant Review: A Rare Treat on Delancey Street: A Chef Who Cooks for You

NY Times - Tue, 2018-06-12 10:36
At Shabushabu Macoron, the informal, do-it-yourself Japanese hot pot tradition becomes a refined and intimate meal.

Why We Are So Vulnerable to Charlatans Like Trump

NY Times - Tue, 2018-06-12 10:35
We may laugh at how people in the past fell for phony remedies — but we can fall for the same tricks.