Nicolás Alvarez

Currently hacking and documenting Apple stuff for fun and no profit.
Twitter: https://twitter.com/nicolas09F9
Location: Buenos Aires, Argentina
Liberapay: https://liberapay.com/nicolas17
But yeah basically...
Oh and I got the alert in Spanish despite this particular device being set to English. Probably it used the language settings of my iTunes account.

In response to the DarkSword vulnerabilities, Apple released backported security fixes for several iOS versions. They also started sending push notifications to get users to update:

"Critical Security Update Needed: Apple is aware of attacks targeting out-of-date iOS software, including the version on your iPhone. Install this critical update to protect your iPhone."

How does this notification work? Did they foresee the need to send security alerts and build that capability into iOS years ago? After days of capturing my iPhone 7 network traffic while waiting to get the alert, I finally got it.

Turns out they send a push notification targeted at `itunesstored`, with identifier `com.apple.AMSFollowUpIdentifier.Billing`. AMS means Apple Media Services. That sounds like it's the kind of alert they send for "your card was declined when charging your monthly Apple Music subscription".

This notification mechanism is flexible enough that they can set the text to "Critical Security Update Needed" and the link target to `prefs:root=General&path=SOFTWARE_UPDATE_LINK` so it takes you to the Software Updates screen. That's a clever hack... but man, it's a hack.

Did NASA livestreams always have this much "American superiority" propaganda?

Apple released iOS 18.7.7 for all iPhones, fixing serious security issues. If you're sticking to 18.x to avoid Liquid Glass you should install this update. This is not April Fools.

(If you care about jailbreaking, then as usual don't update, but maybe turn on Lockdown Mode...)

Today Apple released firmware updates for AirTag 2 and AirPods Max 2.

This is peak malicious compliance and I love it

https://sightlessscribbles.com/posts/the-paperwork-flood/

Edit: the blog author is on the fediverse if you want to follow him here, and he maintains a follow page on his site with many options!

The 'Paperwork Flood': How I Drowned a Bureaucrat before dinner., Sightless Scribbles

A fabulously gay blind author.

Dad bought a FIDO2 key. He goes to bank website, clicks "add security key", website says "to verify your identity you need an authorization code, call [phone number] to get it".

Calling that number gets you a voice bot that doesn't even remotely understand what you need and offers you unrelated options.

– I want to add a security key.
– you want to see if your check has cleared, please answer yes or no.
– no.
– [old IVR-style menu with unrelated options]

Since the bank's AI support is making his life harder, my dad is approaching the problem by throwing more AI at it and asking chatbots for help. It's not going well either.

The `left-pad` incident was 10 years ago today.

https://en.wikipedia.org/wiki/Npm_left-pad_incident

Thankfully, we've completely solved software supply chains in the years since.

Sunday is the 10-year anniversary of the npm left-pad incident.