According to a complaint filed on Tuesday, Apple user Matthew Price spent nearly $25,000 on content attached to his Apple ID, which was terminated by the company for unknown reasons. The lawsuit targets a clause in Apple's media services terms and conditions, which states a user with a terminated Apple ID cannot access media content that they've purchased. AppleInsider reports: "Apple's unlawful and unconscionable clause as a prohibited de facto liquidated damages provision which is triggered when Apple suspects its customers have breached its Terms and Conditions," the lawsuit reads. Additionally, the complaint claims that users with Apple devices will find their products "substantially diminished in value" if their Apple IDs are terminated, since they won't be able to access Apple services or purchased content.

According to the complaint, the $25,000 worth of media included apps, in-app purchases, programs and platform extensions, and related services. The plaintiff also alleges that Apple prevents users from accessing unused funds attached to an Apple account. Price, for example, had about $7 in iTunes credit. The lawsuit doesn't specify why Price's account was terminated. However, it does claim that Apple shut down the Apple ID "without notice, explanation, policy or process." It goes on to claim that Apple's conduct -- specifically, the clause and resulting terminations -- are "unfair, unlawful, fraudulent, and illegal," and alleges that Apple is in violation of several consumer regulations in California. The lawsuit is seeking class action status, with a Nationwide Class consisting of people in the U.S. who have had their Apple IDs terminated.

FlatEric521 shares a report: Moxie Marlinspike, the founder of the popular encrypted chat app Signal claims to have hacked devices made by the infamous phone unlocking company Cellebrite, which has famously worked with cops to circumvent encryption such as Signal's. In a blog post Wednesday, Marlinspike not only published details about the new exploits for Cellebrite devices but seemed to suggest that Signal's code could be theoretically altered to hack Cellebrite devices en masse. "We were surprised to find that very little care seems to have been given to Cellebrite's own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present," Marlinspike wrote in the post. "Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices."

Marlinspike claims (whether you believe this portion of the post or not is up to you) that while he was on a walk he happened to find a Cellebrite phone unlocking device: "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters." Along with his colleagues, Marlinspike analyzed the device and found that it included several vulnerabilities that could allow an attacker to include an "otherwise innocuous file in an app" that when it gets scanned by a Cellebrite device exploits it and tampers with the device and the data it can access.

A one-man Bunco Squad is poking holes in Apple's App Store image. From a report: Recently, I reached out to the most profitable company in the world to ask a series of basic questions. I wanted to understand: how is a single man making the entire Apple App Store review team look silly? Particularly now that Apple's in the fight of its life, both in the courts and in Congress later today, to prove its App Store is a well-run system that keeps users safe instead of a monopoly that needs to be broken up. That man's name is Kosta Eleftheriou, and over the past few months, he's made a convincing case that Apple is either uninterested or incompetent at stopping multimillion-dollar scams in its own App Store.

He's repeatedly found scam apps that prey on ordinary iPhone and iPad owners by luring them into a "free trial" of an app with seemingly thousands of fake 5-star reviews, only to charge them outrageous sums of money for a recurring subscription that many don't understand how to cancel. "It's a situation that most communities are blind to because of how Apple is essentially brainwashing people into believing the App Store is a trusted place," he tells The Verge. There's a lot to unpack there: fake free trials, fake reviews, subscription awareness. We could write an entire story about each. Today, I'd like to focus on how one guy could find what Apple's $64-billion-a-year App Store apparently cannot, because the answer is remarkable.

The new Apple TV sports a more powerful A12 Bionic chip that lets it play HDR video at higher frame rates. It also comes equipped with a redesigned Siri remote. The Verge reports: The new Siri remote has an iPod-style scroll wheel, a five-way click pad, touch controls, a mute button, and a power button that can turn your TV on and off. Meanwhile, the Siri button is now on the side of the remote, and Apple says that the voice assistant now works on Apple TV in Austria, Ireland, and New Zealand, in addition to the 13 countries where it was already supported. Finally, the new Siri remote's enclosure is made out of 100 percent recycled aluminum.

You'll get the new remote with the new $179 4K set-top box, or it's available separately for $59. As well as being compatible with the new Apple TV 4K, it also works with the 2017 model and Apple TV HD. Apple will also sell the remote bundled with the Apple TV HD for $149. Other features of the Apple TV 4K include support for 60fps Dolby Vision playback over AirPlay from a compatible iPhone, and the ability to optimize the colors of your TV screen using the light sensor on an iPhone.

Microsoft's Xbox Cloud Gaming service, previously known as xCloud, will begin rolling out in beta to iPhones, iPads and PCs this week. The service will be invite-only to start, Microsoft said in a blog post on Monday. From a report: Xbox Cloud Gaming was on track to launch for iPhones and iPads earlier, but Apple updated its App Store rules in September that impacted services like Xbox Gaming and Google Stadia. Apple's move forced the companies to use web browsers to redesign their services so that they could circumvent the App Store rules. Under the rules, Microsoft, Google and other companies with similar services would have had to offer each game as an individual download instead of offering a complete library the way Netflix does for movies.

Xbox Cloud Gaming is sort of like Netflix for games. People who subscribe to Microsoft's $14.99/month Xbox Game Pass Ultimate plan can access more than 100 titles. The cloud gaming aspect lets you stream the games without having to download them, provided you have a fast enough internet connection. The streaming option is already available for Android phones.

Apple has approved Parler's return to the iOS app store following improvements the social media company made to better detect and moderate hate speech and incitement, according to a letter the iPhone maker sent to Congress on Monday. From a report: The decision clears the way for Parler, an app popular with conservatives including some members of the far right, to be downloaded once again on Apple devices. The letter -- addressed to Sen. Mike Lee and Rep. Ken Buck and obtained by CNN -- explained that since the app was removed from Apple's platform in January for violations of its policies, Parler "has proposed updates to its app and the app's content moderation practices." On April 14, Apple's app review team told Parler that its proposed changes were sufficient, the letter continued. Now, all Parler needs to do is to flip the switch. "Apple anticipates that the updated Parler app will become available immediately upon Parler releasing it," Apple's letter said. Parler, an alternative to Facebook and Twitter that bills itself as a haven for free speech, was removed from major tech platforms in early January following the US Capitol riots of Jan. 6.

A federal judge tossed a $506.2 million damages award against Apple after ruling the iPhone maker should have been able to argue that patent owner Optis Wireless Technology was making unfair royalty demands, though he refused to throw out the liability finding. From a report: Optis and its partners in the case, PanOptis Patent Management and Unwired Planet, claimed that Apple's smartphones, watches, and tablets that operate over the LTE cellular standard were using its patented technology. U.S. District Court Judge Rodney Gilstrap said the jury should have been allowed to consider whether the royalty demand was consistent with a requirement that standard-essential patents be licensed on "fair, reasonable and non-discriminatory," or FRAND, terms. The patent trial in August, one of the few held during the pandemic, was part of an unusual sweep of verdicts in Texas that collectively resulted in $3.7 billion in damages against tech companies like Apple and Intel Corp. Apple was also hit with damages awards of $502.8 million in a decade-long battle over security communications technology, and $308.5 million in a case over digital rights management.

Researchers at the University of Washington have partnered with Apple to study how Apple Watch may be used to predict illnesses such as coronavirus, or flu. Apple Insider reports: "The goal of the study is to see if the information collected by the Apple Watch and iPhone can detect early signs of respiratory illnesses like COVID-19," say the organizers on the recruitment page. The study is focusing on the Seattle area because residents "may have higher than normal risk of respiratory illness because of frequent exposure to other people through work or other activities, health conditions, or other factors."

This Apple Respiratory Study is expected to take "up to six months." During the study, participants will be required to periodically answer survey questions in the Apple Research iPhone app. If participants get sick while enrolled in the study, they will be sent an in-home testing kit for COVID-19 and other respiratory illnesses. But, this will likely assist the study further, as sick participants will be asked to "take some additional health measurements using your Apple Watch."

A new report from The Washington Post reveals how the FBI gained access to an iPhone linked to the 2015 San Bernardino shooting. Apple refused to build a backdoor into the phone, citing the potential to undermine the security of hundreds of millions of Apple users, which kicked off a legal battle that only ended after the FBI successfully hacked the phone. Thanks to the Washington Post's report, we now know the methods the FBI used to get into the iPhone. Mitchell Clark summarizes the key findings via The Verge: The phone at the center of the fight was seized after its owner, Syed Rizwan Farook, perpetrated an attack that killed 14 people. The FBI attempted to get into the phone but was unable to due to the iOS 9 feature that would erase the phone after a certain number of failed password attempts. Apple attempted to help the FBI in other ways but refused to build a passcode bypass system for the bureau, saying that such a backdoor would permanently decrease the security of its phones. After the FBI announced that it had gained access to the phone, there were concerns that Apple's security could have been deeply compromised. But according to The Washington Post, the exploit was simple: [An Australian security firm called Azimuth Security] basically found a way to guess the passcode as many times as it wanted without erasing the phone, allowing the bureau to get into the phone in a matter of hours.

The technical details of how the auto-erase feature was bypassed are fascinating. The actual hacking was reportedly done by two Azimuth employees who gained access to the phone by exploiting a vulnerability in an upstream software module written by Mozilla. That code was reportedly used by Apple in iPhones to enable the use of accessories with the Lightning port. Once the hackers gained initial access, they were able to chain together two more exploits, which gave them full control over the main processor, allowing them to run their own code. After they had this power, they were able to write and test software that guessed every passcode combination, ignoring any other systems that would lock out or erase the phone. The exploit chain, from Lightning port to processor control, was named Condor. As with many exploits, though, it didn't last long. Mozilla reportedly fixed the Lightning port exploit a month or two later as part of a standard update, which was then adopted by the companies using the code, including Apple.

If you're wondering when Apple will hold its next event, Siri may have the answer. From a report: Ask the digital helper: "When is the next Apple event?" and it will respond with "the special event is on Tuesday, April 20, at Apple Park in Cupertino, CA. You can get all the details on Apple.com." MacRumors, which spotted the reply, says the virtual assistant is providing it in certain instances on iPhone, iPad, Mac, and HomePod. While it's an open secret that Apple is planning an event for later this month where it's expected to debut a new iPad Pro, Siri has seemingly leaked the date ahead of confirmation. We won't have to wait long to find out if the info is correct, though. Apple normally sends out invites to the press a week ahead of the proceedings, so it should make it official later today. The event itself is expected to be a virtual affair starring the iPad Pro (in two sizes) and possibly featuring the AirTags Bluetooth tracker. Apple's next premium slate reportedly features a Mini LED display on the flagship 12.9-inch model, but supply chain issues could see it ship later than planned and in limited quantities.

An anonymous reader writes: If you're a frequent user of WhatsApp, you may want to keep an eye on a disturbing hole discovered in its security this weekend. It's possible for an attacker to completely suspend your WhatsApp account, without any recourse for the individual user, and all they need is your phone number. At the time of writing there's no solution for this issue.

This newly-discovered flaw uses two separate vectors. The attacker installs WhatsApp on a new device and enters your number to activate the chat service. They can't verify it, because of course, the two-factor authentication system is sending the login prompts to your phone instead. After multiple repeated and failed attempts, your login is locked for 12 hours. Here's where the tricky part comes in: with your account locked, the attacker sends a support message to WhatsApp from their email address, claiming that their (your) phone has been lost or stolen, and that the account associated with your number needs to be deactivated. WhatsApp "verifies" this with a reply email, and suspends your account without any input on your end. The attacker can repeat the process several times in succession to create a semi-permanent lock on your account. The results are disturbing, but at the very least, this method can't be used to actually gain access to an account, merely to block access by its legitimate owner. Confidential text messages and contacts are not exposed. The proof-of-concept attack was first reported by Forbes from security researchers Luis Marquez Carpintero and Ernesto Canales Perena. There's no indication that it's being used in the wild.

"Everyone has that story," writes Slashdot reader alaskana98: You know, the one where you spilled a Big Gulp-sized cup of sugary Coke all over your laptop and it somehow still works to this day — although the space bar is permanently glued in place.

Or that time you left your iPhone out in a pouring thunderstorm, stuck it in a bag of rice and after a few days it miraculously turned back on. Yes, we've all been there, maybe cried a little and then went on with life — a little wiser for the wear.

So, fellow Slashdotters, what's your worst tale of hardware horrors?
The original submission has already drawn some interesting tales from long-time Slashdot readers, including two thunderstorm hardware horror stories. And there's also the user who remembers how "In the mid 1980s I blew up a $75,000 laser by not turning the cooling water on before firing it up."

But what's your story? Share your own tale in the comments.

What's your worst damaged hardware horror story?

"Using just your phone number, a remote attacker can easily deactivate WhatsApp on your phone and then stop you getting back in," reports a new article in Forbes. "Even two-factor authentication will not stop this..."

The attacker triggers a 12-hour freeze on new verification codes being sent to your phone — then simply reports that same phone number as a lost/stolen phone needing deactivation. There are apparently no follow-up questions, and "an automated process has been triggered, without your knowledge, and your account will now be deactivated," Forbes writes.

The phone can't be reactivated without one of those verification codes blocked by that 12-hour freeze (which the attacker can renew for another 12-hour window, until the next day WhatsApp blocks those reactivating codes indefinitely). "There is no sophistication to this attack — that's the real issue here and WhatsApp should address it immediately..." Forbes complains. This shouldn't happen. It shouldn't be possible. Not with a platform used by 2 billion people. Not this easily. When researchers, Luis Márquez Carpintero and Ernesto Canales Pereña, warned they could kill WhatsApp on my phone, blocking me from my own account using just my phone number, I was doubtful. But they were right...

Despite its vast user base, WhatsApp is creaking at the seams. Its architecture has fallen behind its rivals, missing key features such as multi-device access and fully encrypted backups. As the world's most popular messenger focuses on mandating new terms of service to enable Facebook's latest money-making schemes, these much-needed advancements remain "in development...."
Reached for comment, WhatsApp told Forbes that any victims of the attack should contact their support team — adding that such an attack would "violate our terms of service."

But Forbes adds "your other option would be to follow Mark Zuckerberg's reported example and start to use Signal..." Unfortunately, playing down the seriousness of security risks has become the in-house style at Facebook. Back in 2019, I reported on a vulnerability that allowed private user phone numbers to be pulled from Facebook databases at scale using automated bots. That hack was acknowledged by Facebook but dismissed as an "unlikely problem." Some 533 million users might now disagree.

Procter & Gamble "helped develop a technique being tested in China to gather iPhone data for targeted ads, a step intended to give companies a way around Apple Inc.'s new privacy tools," reports the Wall Street Journal. (Citing "people familiar with the matter.") The move is part of a broader effort by the consumer-goods giant to prepare for an era in which new rules and consumer preferences limit the amount of data available to marketers. P&G — among the world's largest advertisers, with brands such as Gillette razors and Charmin toilet paper — is the biggest Western company involved in the effort, the people said.

The company has joined forces with dozens of Chinese trade groups and tech firms working with the state-backed China Advertising Association to develop the new technique, which would use technology called device fingerprinting, the people said. Dubbed CAID, the advertising method is being tested through apps and gathers iPhone user data. Through the use of an algorithm, it can track users for purposes of targeting ads in a way that Apple is seeking to prevent.
Apple's response? "We believe strongly that users should be asked for their permission before being tracked. Apps that are found to disregard the user's choice will be rejected."

Apple knows that iMessage's blue bubbles are a big barrier to people switching to Android, which is why the service has never appeared on Google's mobile operating system. From a report: That's according to depositions and emails from Apple employees, including some high-ranking executives, revealed in a court filing from Epic Games as part of its legal dispute with the iPhone manufacturer. Epic argues that Apple consciously tries to lock customers into its ecosystem of devices, and that iMessage is one of the key services helping it to do so. It cites comments made by Apple's senior vice president of Internet Software and Services Eddie Cue, senior vice president of software engineering Craig Federighi, and Apple Fellow Phil Schiller to support its argument.

"The #1 most difficult [reason] to leave the Apple universe app is iMessage ... iMessage amounts to serious lock-in," was how one unnamed former Apple employee put it in an email in 2016, prompting Schiller to respond that, "moving iMessage to Android will hurt us more than help us, this email illustrates why." "iMessage on Android would simply serve to remove [an] obstacle to iPhone families giving their kids Android phones," was Federighi's concern according to the Epic filing. Although workarounds to using iMessage on Android have emerged over the years, none have been particularly convenient or reliable.

Apple plans to argue at a trial that developers and consumers will suffer if Epic Games succeeds in upending how the iPhone maker's app marketplace is run. From a report: Apple presented a California federal judge on Thursday with a road map of how it will push back against Epic in a high-stakes antitrust fight over how much the App Store charges developers. The filing comes ahead of a May 3 trial before the judge with no jury. In a summary of its legal arguments, Apple contends the 30% commission it charges most developers isn't anticompetitive as it's a typical fee across other mobile and online platforms. Moreover, the company argues taking a share of the revenue is justified by the billions of dollars it has invested in developing the proprietary infrastructure that underpins its App Store, including software development kits and application programming interfaces. The maker of Fortnite, which Apple removed from its store last year, accuses the iPhone maker's app store of being an illegal monopoly because developers are barred from making their iPhone and iPad apps available through their own websites. On Thursday, the game studio laid out its own arguments in the dispute, saying Apple's conduct harms innovation and allows it to profit at the expense of independent developers.

Trade-in provider Gazelle exited the online trade-in business back in February, and now the company says it's changing its mind. From a report: Gazelle is back to accepting online trade-ins of iPhones, Samsung phones, Google Pixel devices, and iPads and other tablets on its website, the company confirms to The Verge. The program resumed accepting new offers on April 5th, a Gazelle representative clarified. "Earlier this year, we announced that we will no longer be offering our trade-in option on Gazelle. After careful consideration, including feedback from customers like you, we have decided to keep Gazelle Trade-In going. Today, we are happy to say, 'We're back, baby!'" reads an email Gazelle sent to prospective customers. "Gazelle Trade-In is a pioneer of the electronics trade-in space and we are happy to continue building on our legacy by offering a simple process and immediate payouts for those unwanted devices." Gazelle emerged as one of the leading trade-in providers of the smartphone era. But its business model didn't fare as well when the US mobile phone business underwent major shifts away from two-year contracts and outright device purchases and toward phone leasing and carrier and device maker trade-in programs like Apple's.

Long-time Slashdot reader phalse phace quotes the Washington Post: Phillipe Christodoulou wanted to check his bitcoin balance last month, so he searched the App Store on his iPhone for "Trezor," the maker of a small hardware device he uses to store his cryptocurrency. Up popped the company's padlock logo set against a bright green background. The app was rated close to five stars. He downloaded it and typed in his credentials.

In less than a second, nearly all of his life savings — 17.1 bitcoin worth $600,000 at the time — was gone. The app was a fake, designed to trick people into thinking it was a legitimate app.

But Christodoulou is angrier at Apple than at the thieves themselves: He says Apple marketed the App Store as a safe and trusted place, where each app is reviewed before it is allowed in the store. Christodoulou, once a loyal Apple customer, said he no longer admires the company. "They betrayed the trust that I had in them," he said in an interview. "Apple doesn't deserve to get away with this."

Apple bills its App Store as "the world's most trusted marketplace for apps," where every submission is scanned and reviewed, ensuring they are safe, secure, useful and unique. But in fact, it's easy for scammers to circumvent Apple's rules, according to experts. Criminal app developers can break Apple's rules by submitting seemingly innocuous apps for approval and then transforming them into phishing apps that trick people into giving up their information, according to Apple. When Apple finds out, it removes the apps and bans the developers, the company says. But it's too late for the people who fell for the scam.
The Post also points out that the 15 to 30 percent commission Apple collects on all sales in the App Store "goes to fund the 'highly curated' customer experience, the company has said."

This week the lead consumer technology writer for The New York Times urged readers to switch their browser from Chrome, Safari, or Microsoft Edge to a private browser.

"For about a week, I tested three of the most popular options — DuckDuckGo, Brave and Firefox Focus. Even I was surprised that I eventually switched to Brave as the default browser on my iPhone." Firefox Focus, available only for mobile devices like iPhones and Android smartphones, is bare-bones. You punch in a web address and, when done browsing, hit the trash icon to erase the session. Quitting the app automatically purges the history. When you load a website, the browser relies on a database of trackers to determine which to block.

The DuckDuckGo browser, also available only for mobile devices, is more like a traditional browser. That means you can bookmark your favorite sites and open multiple browser tabs. When you use the search bar, the browser returns results from the DuckDuckGo search engine, which the company says is more focused on privacy because its ads do not track people's online behavior. DuckDuckGo also prevents ad trackers from loading. When done browsing, you can hit the flame icon at the bottom to erase the session.

Brave is also more like a traditional web browser, with anti-tracking technology and features like bookmarks and tabs. It includes a private mode that must be turned on if you don't want people scrutinizing your web history. Brave is also so aggressive about blocking trackers that in the process, it almost always blocks ads entirely. The other private browsers blocked ads less frequently....

In the end, though, you probably would be happy using any of the private browsers... For me, Brave won by a hair. My favorite websites loaded flawlessly, and I enjoyed the clean look of ad-free sites, along with the flexibility of opting in to see ads whenever I felt like it. Brendan Eich, the chief executive of Brave, said the company's browser blocked tracking cookies "without mercy."

"If everybody used Brave, it would wipe out the tracking-based ad economy," he said.

Count me in.

An anonymous reader quotes a report from The Record by Recorded Future: Academic research published last week looked at the telemetry traffic sent by modern iOS and Android devices back to Apple and Google servers and found that Google collects around 20 times more telemetry data from Android devices than Apple from iOS. The research, conducted by Professor Douglas J. Leith from Trinity College at the University of Dublin, analyzed traffic originating from iOS and Android devices heading to Apple and Google servers at various stages of a phone's operation... [...] The study unearthed some uncomfortable results. For starters, Prof. Leith said that "both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this [option]." Furthermore, "this data is sent even when a user is not logged in (indeed even if they have never logged in)," the researcher said.

But while the Irish researcher found that Apple tends to collect more information data types from an iOS device, it was Google that collected "a notably larger volume of handset data. During the first 10 minutes of startup the Pixel handset sends around 1MB of data is sent to Google compared with the iPhone sending around 42KB of data to Apple," Prof. Leith said. "When the handsets are sitting idle the Pixel sends roughly 1MB of data to Google every 12 hours compared with the iPhone sending 52KB to Apple i.e., Google collects around 20 times more handset data than Apple." In response to the findings, a Google spokesperson said: "This research outlines how smartphones work. Modern cars regularly send basic data about vehicle components, their safety status and service schedules to car manufacturers, and mobile phones work in very similar ways. This report details those communications, which help ensure that iOS or Android software is up to date, services are working as intended, and that the phone is secure and running efficiently." The Android maker also disputed the paper's methodology, which they claim under-counted iOS' telemetry volume by excluding certain types of traffic, which Google believes resulted in skewed results that found Android devices collecting 20 times more data than iOS.

Apple echoed its rival's response. "The report conflates a number of items in relation to different services and misunderstands how personal location data is protected," an Apple spokesperson told The Record. "Apple is not collecting data that can be associated with individuals without a user's knowledge or consent."

Additional information about the findings can be found here (PDF).