Apple is finally planning to kill off iTunes on Windows, Amazon now offers passkeys for logins, and Google Chrome will allow users to hide their IP addresses, just like Apple’s iCloud Private Relay.
If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
Voice Over 0:00
This is the Intego Mac Podcast–the voice of Mac security–for Thursday, October 26, 2023.
This week’s Intego Mac podcast security headlines include: Apple is killing off iTunes. For real this time. Amazon begins using passkeys in yet another major tech company’s implementation of the password-less login feature. Google Chrome’s new IP Protection looks a lot like something similar that Apple introduced some time ago. And we make some predictions on what Apple may reveal during its unusually timed evening event on Monday, the 30th. Now, here are the hosts of the Intego Mac Podcast, veteran Mac journalist, Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:52
Good morning, Josh, how are you today?
Josh Long 0:54
I’m doing well. How are you, Kirk?
Kirk McElhearn 0:55
I’m doing just fine. Did you get that update for iOS 17.1 that was supposed to be released by yesterday?
Josh Long 1:01
No. Remember last week, we talked about how some French authority leaked that iOS 17.1 was going to launch by October 24 at the latest. Well, that turned out to not be accurate.
Kirk McElhearn 1:14
Well, according to the text from this French authority, Apple will not be able to sell the iPhone 12 until they have released this update. They’re not selling the iPhone 12 anymore. So it really doesn’t have that much of an effect. Maybe for whatever reason it’s been delayed. Now we just found out yesterday that Apple is holding an event on October 30 to present what seems to be Macs with M3 processors. That’s what people think. So it kind of would make more sense that they released an update timed with that event along with the next macOS Sonoma update. What’s really weird about this is it’s 5pm, California time. Now these things are always 10am California time. I can’t remember the last time it was not. Maybe when they did a Macworld in Boston, and they did a keynote there. And this goes back a long time. I have no idea why. A couple of people have said, well, at least people in China can watch it live. But I can’t see Apple changing the time of an event like that for China. They generally do this for a couple of reasons. One, to get it into the news in the US and Europe, which are the main markets, and two, to get journalists to be talking about it, you know, Mac journalists to be talking about it. So if it’s 5pm, West Coast time, which is what, 8pm East Coast time, it’s too late for a lot of these journalists to write about it on the blogs and the newspapers, and talk about it on CNN, kind of interesting. Now, this is going to be one of these pre-recorded events. So basically, someone pushes a button and rolls the tape. But there’s going to be some place in New York City where they’re going to be welcoming journalists to give them some hands on time for whatever the new products are.
Josh Long 2:48
Oh, I hadn’t heard about the last part yet. I thought there was no hands on component at all this time around.
Kirk McElhearn 2:53
Yeah, I heard it on social media. So we’re expecting Macs with the M3 processors, maybe a MacBook Pro, maybe an iMac. My speculation is a bigger iMac, perhaps. So the 21 and a half one to 24. And the 27 hasn’t been replaced, it would be a 30 or 32 inch iMac. And a lot of people I know have been holding out to buy that because they don’t want the smaller display even though the 24 is almost as big as a 27. If you think about it. The other possibility with the new operating systems, there are some new features in the music apps that should be released. So things like collaborative playlists. And I think I mentioned this last week when we were talking about no new Apple products, and I’m kind of expecting them to come out with new AirPods Max before Christmas. Because this is a Christmas product. The first one came out in December 2020. So that’s almost three years ago. And in fact, it was so popular that you couldn’t get them for Christmas, you couldn’t get them for a couple of months. So if they were to release new AirPods Max now, they would have them in stock for Black Friday for Christmas. It’s not the same price as selling an iMac or an iPhone. But this could be a pretty big market for Apple in a time when they don’t have much else to update. As we talked about last time, no iPads this year.
Josh Long 4:09
You know Apple’s needed to update this product. I feel like ever since Beats Studio Pro, the latest version of that was released. Now the AirPods Max are outdated, like they have outdated technology and so they really need to be brought up to date to be at least on par with what Beats Studio Pro has had now for several months.
Kirk McElhearn 4:29
Okay, in other Apple news, Apple is finally killing off iTunes for real and this was a surprise. Josh pinged me Monday and showed me a link to the Microsoft Store where Apple has a couple of preview apps and these are preview apps for Apple Music, Apple TV and Apple devices. Now Apple devices would be an app to sync and backup iPhones and iPads. We’ll have links in the show notes to a number of articles we’ve written about iTunes. When iTunes was split, Apple rolled all of the syncing and backup features into the Finder; can’t really do that in Windows, so they created a separate app. Shortly after I published this article on the economic security blog, Apple released an update to the iTunes app for Windows. And this added two features that it has never had: podcasts and audiobooks. It’s kind of weird that with all the time that Apple has been supporting podcasts, which roughly go back to 2004, they never rolled them into iTunes for Windows. You could download a podcast and add it to the iTunes library, but you didn’t have access to the whole podcast, I guess, store is what they really call it. You’ve never been able to read Apple’s ebooks on Windows. So the fact that they’re releasing these two new features in iTunes for Windows will bring it on parity to iTunes for Mac just before they split it. So when they do split it with all these apps, they will have the same apps that they do on the Mac with the exception. For now. We’re only seeing audiobooks in iTunes. We don’t know if they’re going to have an actual books app for ebooks for Windows.
Josh Long 5:59
Yeah, so it seems like what’s going on here is that they’re adding podcasts and books as an interim step, at least audiobooks as an interim step, into iTunes for Windows, which for now is still being updated. Because maybe they don’t have preview apps available yet for the Apple Podcasts app and Apple Books on Windows. So they have preview apps for Apple Music and Apple TV. They already have the Apple devices preview, the syncing app, but they don’t yet have an Apple Podcasts preview or Apple Books preview for Windows. So it seems like what they did was they temporarily rolled those features into iTunes. That’s what it appears anyway.
Kirk McElhearn 6:45
But there’s something that’s even more interesting. You can only listen to podcasts and audiobooks if you have installed the preview Apple Music and Apple TV apps. So basically, the podcasts and audiobooks features are kind of skinned into the iTunes app, but they’re using the audio playback features in Apple Music and Apple TV. That’s what it feels like. Because you remember some podcasts are video podcasts.
Josh Long 7:10
Actually one of the most surprising things about this iTunes update is that wait, podcasts weren’t already on iTunes for Windows, like what that was, that was probably the one of the most shocking things to me. I’ve kind of known for a while that either iTunes was just going to stick around forever on Windows, because you know, it does drive sales on Windows, people download music and things. And so it kind of made sense for Apple to keep iTunes around if they weren’t going to split it into several apps like they did on the Mac years ago. Any case, yeah, I was kind of surprised to find out that podcast wasn’t already a thing on Windows.
Kirk McElhearn 7:48
One could argue that since they have made literally no changes to the Music app and the TV app and all the other apps on macOS, that development team had enough time to work on the Windows apps, or at least the design team had enough time to work on it. I think this is good. As someone who writes a lot about iTunes, it’s good that they didn’t update everything this year and change the interface. Now they’re going to have to have parity between the two operating systems. And this means that they’re not going to make sudden changes. Like if we go back to iTunes 10, when they just totally changed the interface. This means that they’re going to be settling in for a while, which is a good thing. Settle in, Apple, don’t change too many things. Okay, speaking of media, Apple is raising prices, they’re raising prices on Apple TV Plus. When Apple TV Plus launched, I think they gave Mac users and iOS users 18 months for free, was it that one, it was either 12 or 18 months, and it was $5 a month. Then, early this year, they raised it to $7 a month and now it’s going up to $10 a month. Now, that’s a huge hike, not okay. Free, I understand, they wanted to get eyes and that was the only way. $5 kind of matches the amount of content they have. $7, you’re starting to push it. $10 for what little content they have. The only thing I can think is in next week’s event, we’ll hear that Apple has added some non original content to the Apple TV Plus offer. Maybe they’re not buying Netflix, I don’t think they’re doing that because it would be a lot more expensive than $10. But maybe they’re licensing some kind of content. You know, they could license a number of Turner Classic Movies or the Criterion Channel or things like that, that have libraries of content that appeal to niche users, but they could license content like that to put into the Apple TV offer.
So Apple News Plus is going up from $10 a month to 13. I use the Apple News app every day. I will get it, I don’t pay for Apple News Plus. I would pay $5 a month for Apple News Plus. I would not pay 10 and I will certainly not pay 13. It’s not worth it for me. Apple Arcade is going up from five to seven, but the Apple One bundles are not going up as much. They’re going up, I think, $2 for the individual plan, $5 for the premier plan. Basically, they’re saying, You know what, don’t buy these individual subscriptions, we’ll give you this bundle. It’s a whole bunch cheaper, and you’ll commit for a long time. Because once you’re stuck in Apple One, it’s hard to get out. The main reason being, if you set up a music library with Apple Music, and you unsubscribe, you’re going to lose that library.
Josh Long 10:22
Well, that’s interesting, I hadn’t really thought about that in that particular angle. So you’re saying basically, that if somebody subscribed to Apple Music, because it’s fully subscription thing, you’re not purchasing things, if you have created playlists based on things that you’re just renting, you’ll no longer have access to that potentially.
Kirk McElhearn 10:40
Right. And they upped the price on Apple Music a few months ago by $1. So everything’s going up. And, you know, we’ve got inflation around the world. So it’s not entirely surprising. They have kept these prices, I think Apple Music has been 10 bucks a month, base price, since it launched in 2015. So it’s not that surprising that they increase the price of that.
Josh Long 10:59
I will say that all of these individual prices for like TV Plus, News Plus, Arcade, all of those were already too high for me to go for on an individual basis. Anyway, like I have thought about getting an Apple One Family plan because you know, we already have Family Sharing setup, we already do have some extra storage that we’re paying for. And so it wasn’t that big of a leap. And I had been thinking about maybe I would kind of use News Plus if I had it. But with things going up even more, I was already hesitant. And now I’m like, Yeah, I don’t think so.
Kirk McElhearn 11:36
I’ve mentioned this before, what I do with Netflix is I subscribe for a month, every now and then, maybe three times a year, maybe twice a year, watch all the stuff I want to and then cancel. You could do that with Apple TV Plus, if you want, but if they can lock you into the Apple One bundle monthly, where you’re committed, it’s a lot harder to make that change. Amazon is apparently going to start charging extra for Amazon Prime Video, I think they’re talking about $3 a month over and above your Amazon Prime subscription, which mine just renewed, here it was 95 pounds, I don’t remember what it is in the States, $129, something like that, or 109. And I pay for that because I want next day delivery. I don’t mind paying that and paying what’s included for Amazon Prime Video, I’m not paying them three bucks a month in addition for Prime Video. All these prices are going up. Netflix is going up to I think $23 a month for the premium 4k plan. They’re starting to price people out of the market. And I think they’re going to suffer for this.
Josh Long 12:37
Yeah, we’ve started to do the same thing that you’re talking about there with the like canceling and renewing and just going in month to month, we’ve started doing that with streaming services, too, because it’s gotten pretty expensive if you’ve subscribed to multiple.
Kirk McElhearn 12:50
In addition to that I’ve been cutting down on a lot of app subscriptions because they’ve been creeping up, right? You buy an app and you’ve been using an app for a while and it’s good. But then all of a sudden, they want more for subscriptions, the Calendar app I was using, I was paying $35. And they raised this subscription fee to like 55 a year. And the feature that they are selling is one of these features that people in business use to like, you want to make an appointment with someone. Here’s a calendar of my availability, right. So if they’re running their own server, I don’t use this feature. I switch calendar apps because I’m not paying another 20 bucks a year for a calendar app that I don’t use. And I’m finding a lot of apps are having this subscription creep, and I’m cutting back on a lot of these services. Okay, quickly before the break, a hacker has leaked 4.1 million additional 23andMe genetic data profiles. We didn’t talk about the first million. That was about two weeks ago. Is that it?
Josh Long 13:40
Yeah, not too long ago, there was a leak of a million records of people with Ashkenazi Jewish heritage. And now there’s been a second leak with 4.1 million additional records from people who live in the UK or Germany. It seems like probably what happened is that there was really one data breach. And now some of that data is starting to leak out over time. So there was the 1 million dump initially, an additional 4.1 million. And so there’s probably additional information that you know, hackers have access to. So it’s possible that more may leak over time.
Kirk McElhearn 14:20
Interestingly, I know several people who discovered that they have Ashkenazi Jewish heritage through 23andMe who didn’t know. This could include a lot of people who don’t think they’re affected, plus the second data leak could be a lot of others. All right, we’re gonna take a break. When we come back, we’re gonna talk about passkeys. We’re gonna talk about Firesheep and we’re going to talk about Google Chrome’s new IP Protection that will hide your IP address.
Voice Over 14:47
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X 9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X 9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the Special Discount Link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.
Kirk McElhearn 16:03
Okay, so we’re going to do an authentication roundup this week. How do they do it on Jeopardy? You have to answer with a question is that it? “They now let you log in with Apple passkeys” Josh for $100!
Josh Long 16:13
I guess I would say what is Amazon? Is that is that the
Kirk McElhearn 16:17
Ding! That’s how you do it on Jeopardy? Go ahead.
Josh Long 16:19
Okay, yeah, so Amazon now lets you log in with Apple’s passkey. So this isn’t a new thing. We mentioned recently that Google now, if you’re creating a new Google account, they encourage you to use passkeys. That’s the default now. If you have an existing Amazon account, you can now set up Apple passkeys as a way to log in to your Amazon account. So you don’t have to use your password anymore if you have a passkey setup. A lot of services are starting to do this. We’re gonna see more and more big services like this, do this over the coming year or two as passkeys get wider adoption. So Amazon is the next company to add passkeys support for an alternative way to log in without a password.
Kirk McElhearn 17:03
Right. It’s an alternative. It’s not a requirement like Google is now a requirement. But there’s something I’m not sure about. Let’s say you set up a passkey on a device. So passkey needs biometric authentication, it needs Face ID, Touch ID, or whatever the equivalents are in other operating systems. What if you set up on one device but then you want to log in on another device? Can you still use your password?
Josh Long 17:25
I assume so. Yeah. I mean, I’m not exactly sure how that process works. I have not tried this myself. But that would be my guess is that you probably still have the option to use your password on another device.
Kirk McElhearn 17:36
Okay. They detected suspicious activity in their Okta account. Josh, for $200.
Josh Long 17:39
What is 1Password?
Kirk McElhearn 17:42
Yes, go ahead and tell me what Okta is, I don’t know who they are.
Josh Long 17:47
First of all, 1Password is a very popular password manager, especially on Mac and iOS. I know Kirk that’s, that’s your preferred Password Manager. I’ve used 1Password as well. So is this a big problem? Anytime you hear, you know, data breach or things like this, people get really worried, you know, something got hacked, and it’s a password manager related thing. Oh, my gosh, is this another LastPass? Like, is this a really big deal? In this case, 1Password is saying, for now at least they’re saying that no user data was compromised, and no sensitive systems of theirs were compromised. So let’s talk about the Okta angle of this. Okta is an authentication provider. And Okta says that hackers had breached its support system relatively recently and viewed customer files, they obtained valid credentials. Okta doesn’t say exactly how that might have happened. But a lot of companies use Okta for authentication. Okta also has an authenticator app, so you can use them to get your two factor one time use codes as your second factor when you’re logging in to sites. 1Password CTO said on September 29, so this was almost a month ago, we detected suspicious activity on our Okta instance that we use to manage our employee facing apps, they say, we immediately terminated the activity investigated and found no compromise of user data or other sensitive systems either employee facing or user facing. So they’re saying, yeah, there was an issue. And I guess some hackers got access to some stuff, but it wasn’t anything significant. So don’t worry about this. The thing that’s concerning, of course, is that remember, this sort of thing has happened before with a lot of other data breaches, including with LastPass where initially they said, Oh, no, you know, there’s nothing sensitive here. And then kind of later they started saying, Oh, well, actually, there was this other thing, and then oh, there was actually okay. No, it was a big problem. 
It took them like a couple a month or two to like finally admit that okay, yeah, this was a pretty big deal.
Kirk McElhearn 19:49
This didn’t just affect 1Password. This affected 1% of Okta’s 17,000 corporate customers, so 170 organizations, including Cloudflare, which is a big company, but again, this is affecting the authentication for employees. Your 1Password data vault is encrypted with your Master Password. So even if they got your data vault, unless you had a really bad master password, they couldn’t get into it. Worth noting that Okta’s stock price dropped more than 11% on Friday, last week, so $2 billion off the company’s value. And that’s one reason why these companies need to have better security. It costs them, it’s the bottom line. So. They use Google ads and Punycode to push malware, Josh for $300.
Josh Long 20:29
What is a fake KeePass site? KeePass is another password manager not quite as popular on the Mac and iOS as 1Password. KeePass is actually an open source password manager. And so it’s more popular on Windows. And there are third parties that make KeePass apps for macOS. A particular fake KeePass site was using a domain that looked like the real KeePass except for like a pixel or two that was just slightly off. And you wouldn’t necessarily notice this because you might think you have a speck of dust on your screen or something like that when you’re seeing this address in your URL bar. In fact, what was really going on was that they were using a special character that looks like the letter K with a little speck under it. We’ve talked before about homograph attacks. And this is another example of those. Some browsers will render this as something that looks like KeePass dot info, which is the legitimate KeePass website. But what’s actually going on behind the scenes is the domain that’s registered is something like x n hyphen, hyphen, E E pa SS hyphen V BB dot info in this case, but it just looks like so the browser interprets that as KeePass dot info but not an actual K.
Kirk McElhearn 21:57
I think what happens is all non-Latin characters have to be rendered in Unicode, but then they’re translated, so users don’t see it. And they’re translated into regular ASCII characters. So the trickery is actually quite simple. And imagine in this case, it’s a K with a little diacritic underneath it. Imagine if there are three different k’s with diacritics, they would all look like the same k. So take the letter E, which can have an accent going up and accent going down, a diaeresis, a straight line over it, all sorts of different types of diacritics. And imagine if they’re all rendered as the same letter E. That means there’s plenty of options for malicious users to create domain names that would look like other domains.
Josh Long 22:42
The second stage of this attack, though, is that they registered Google ads. And the way that they did it, it looked like you were actually going to the real KeePass website, it looked like you know, they give you kind of a little preview of where you’re going to end up landing. And that preview on Google Ads looked like it was going to take you to the legit KeePass website. But in fact, the Google ad up at the top of the search results was actually going to a malicious site. In this particular case, it was Windows malware that you would get infected with if you went to the fake site and downloaded it from there. There was not a macOS component. But still something to be aware of, because this could just as easily have been a fake 1Password site that did the same thing. So be very, very careful. Look closely at that URL bar. There are actually ways that you can change the default behavior of your browser to always render these pages to not show the lookalike characters. So for example, you would see the weird hyphens and all that other stuff that’s in the actual domain as really registered. You know what, I’m going to create an article about this today, we’ll get it published and put it in the show notes for this episode on how you can change that for whatever browser you’re using. So they show the real domain and not the lookalike characters in the address bar.
Kirk McElhearn 24:10
Okay, breaking news. And I don’t know, that seems to happen a lot. But just as we’re finishing to record a podcast, Apple releases an update. So 17.1 has been released. It has new features for Apple Music, it has AirDrop over internet, remember that one? That’s a pretty clever feature that Apple announced. watchOS 10.1 is also out with that double tap gesture for the newest Apple watches. The Apple Watch 9 and the Apple Watch Ultra 2. So at least we can say while we’re recording that what we said earlier in the show, which we’re going to leave in anyway, came out today instead of Tuesday. Josh for $400, who or what is 13 years old?
Josh Long 24:45
Firesheep. (Yes!) Firesheep is a browser extension that was released 13 years ago, 2010. At a security conference, there was a researcher named Eric Butler who released this and if you loaded this extension and you went someplace that had an open Wi-Fi network, you would be able to pull up the Firesheep sidebar. And you would get a list of all of the people who are on that Wi-Fi network who were logged into Facebook or Twitter or Google, or a number of other sites. And you could just click on any one of those and then be signed in as that person in your Firefox browser.
Kirk McElhearn 25:26
So basically, you were taking over their session cookie.
Josh Long 25:29
That’s exactly right. Because back in 2010, we didn’t have HTTPS everywhere. We only had HTTPS, usually, on login pages, and then websites would fall back to HTTP. Because why would you need security on the whole entire browser session? Well, it turns out, this is a good reason to have security on your whole entire browser session, because those cookies basically authenticate you and show the website that you are the legitimate user who already put in your username and password. And so this really, Firesheep was the thing that made websites start to use HTTPS across the board, not just for login pages, but for the entire browsing session. Hooray for Firesheep, its developer did a really great thing for the safety of Internet users worldwide.
Kirk McElhearn 26:20
Okay, last question for $500. Their new IP Protection will hide users’ IP addresses.
Josh Long 26:26
What is Google and Google Chrome?
Unknown Speaker 26:28
Yes.
Kirk McElhearn 26:29
What is Google Chrome. I’ll give it to you. We’ll accept that. Will we accept that answer? Johnny? Yes, we’ll accept that answer. So Google Chrome is going to hide users’ IP addresses. This is a good thing, right?
Josh Long 26:40
It’s an interesting thing. So basically, what this really means is that Google’s gonna start using proxy servers in order to mask IP addresses. So this sounds very much like Google Chrome’s version of Apple’s iCloud Private Relay. This is functionality that exists on macOS and iOS. Since 2021 we’ve had private relay as a way to hide your IP address when you’re using Safari and going to websites. Now Google is kind of saying, oh, yeah, that thing that Apple has been doing for two years already, we want to do that, too, for Chrome. And so we’re going to start rolling this thing out. IP protection is going to be an opt-in feature, at least at first. So users are going to have the option to turn this on if they want to. This is probably a good idea, because I imagine that their systems might be pretty overwhelmed considering that Chrome is the number one most used browser in the world. Google is calling this their “phase zero”, as they start to roll this out as an opt-in feature. And then over time, presumably they may enable this as a default feature if their pilot program goes well.
Kirk McElhearn 27:53
It’s also only available to users logged in to Google Chrome with US-based IP addresses. It’s not available internationally. One thing I’d like to point out: the BleepingComputer article says, we are considering using two hops for improved privacy, a second proxy would be run by an external CDN, while Google runs the first hop, which is exactly what Apple did when they launched iCloud Private Relay. Google is saying that we need two hops for privacy.
Josh Long 28:17
Right. They don’t want a government agency or whoever to subpoena Google and say, you have all this data about what you proxied for whom and so tell us who was it that made this request at this particular time? And now Google is going to be able to say, oh, yeah, we don’t know because some other provider who actually put them out on the internet and so sorry, we don’t have all the information that you’re looking for.
Kirk McElhearn 28:41
Okay, that’s enough for this week. Next week, we’ll be talking about what Apple presents on Halloween eve. Until next week, Josh, stay secure.
Josh Long 28:49
All right, stay secure.
Voice Over 28:52
Thanks for listening to the Intego Mac podcast, the voice of Mac security with your hosts, Kirk McElhearn, and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like or review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.