WTF Weekly

my thoughts on the week that was

09 Aug 2019

WTF Weekly for August 9, 2019

Hit me up on Twitter to yell at me about typos or to talk about anything I’ve included here.

How ‘Microcracks’ Undermined San Francisco’s New Bus Terminal

One of the benefits of being human is that we have disciplines such as structural engineering that allow us to build cities and other trappings of modern societies. We pretty much take it for granted that the bus terminal we’re in, for example, won’t come crashing down on our heads unexpectedly.

This isn’t always a given, as Transbay discovered in San Francisco, when a maintenance worker noticed cracks in ceiling levels of the giant new SF bus terminal. What followed was a multi-agency investigation involving an engineer specializing in fracture mechanics and fatigue, the construction contractor, and Transbay.

It’s a fascinating read, and far more intriguing than you might think, even if you’re not into civil engineering or gigantic concrete structures.

Security researchers demonstrate how to bypass Face ID with glasses and tape

It’s like Revenge of the Nerds: glasses and tape can get you into someone else’s iPhone!

All you have to do is find someone who doesn’t pass Face ID’s “liveness” detection (meaning they’re dead or unconscious) and put glasses with tape on the lenses onto their face.

It’s a weird bypass that still requires the victim to be present and (for some reason) unconscious or otherwise inattentive according to Face ID.

In summary, it’s a non-issue in the real world, but it’s still something Apple should fix.

Still, any hack involving glasses and tape gets my vote.

And not completely unrelated…

Apple expands its bug bounty, increases maximum payout to $1M

Apple has had a bug bounty program for iOS for years, but it’s avoided offering one for macOS until now. Pretty much all Apple products running an accessible OS (AirPods are excluded) are now eligible for payout upon vulnerability disclosure to Apple.

In addition, Apple is upping the maximum payout to $1 million for extremely severe exploits (which, considering the market value of exploits when sold to shady companies, is an absolute necessity if people are going to submit their findings to Apple instead of someone with less honorable intentions).

And finally, Apple is going to distribute some developer phones to trusted, vetted security researchers, which will give them greater ability to poke under the hood and find vulnerabilities that are normally not accessible to them.

Apple has a lot of enemies ranging from nation states, including the US government, to black hat hackers in general. iOS specifically is a huge target, but macOS is as well, and vulnerabilities in your Mac can also impact your mobile devices (not to mention much of the same data). It’s good to see Apple stepping up their game and cooperating more fully with the outside security industry.

Fukushima nuclear plant out of space for radioactive water

You can file this under the “we’re all f#$%ed” category, if you’re looking for more man-made failures to either gloat about or cry over.

TEPCO has been accumulating and storing radioactive water from its damaged Fukushima reactors in large tanks since the 2011 disaster. The problem is, rainwater and groundwater mix with the existing contaminated water, so there’s an ever-increasing and seemingly endless supply of the tainted liquid. TEPCO estimates they’ll run out of storage space by summer 2022.

To make matters worse, there’s still no real plan on what to do with the radioactive water, which will reach 1.37 million tons when TEPCO runs out of storage.

That’s a lot of death water.

5G Is Here—and Still Vulnerable to Stingray Surveillance

It’s obvious no one cares, but all our cellular communications can be very easily compromised, and that won’t change with 5G, in case you were counting on it to solve all our problems.

Stingrays, those little fakers previously used mostly by government agencies, but now pretty well accessible to anyone, can still trick cellphones into connecting to them and spilling their secrets, regardless of which brand of cellular connectivity is used. Even though 5G does implement some security fixes to prevent fake base station attacks, it doesn’t go far enough.

One attack 5G devices are vulnerable to is a downgrade: the device is tricked into falling back to an older connection technology, which then opens it up to the greater level of vulnerabilities that older connection is susceptible to.

That’s it for this issue of WTF Weekly! I wrote this the same day news broke about Epstein’s apparent suicide, but that whole mess plus the immediate QAnon conspiracy theories springing forth from brain donors everywhere made me wish for a giant global flood of Biblical proportions, so you’ll have to read about that somewhere else.

See you next time, whenever my random “time to publish” instinct generator kicks in.