September 2019: macOS Catalina Preview

The September 17, 2019 meeting of Strait Macintosh User Group focused on macOS Catalina 10.15. The meeting was held at the Sequim Library, 630 N. Sequim Ave., Sequim, WA. Notes by Secretary Kathleen Charters.

Business Meeting

Meeting called to order at 7 p.m. by President Sabrina Davis.

Sabrina welcomed new members and reviewed the group’s finances. In July, dues were set at $24 per family per year. Using dues collected at the July 2019 meeting, treasurer Annalis Schutmann and Secretary Kathleen Charters opened a checking account for SMUG, with a beginning balance of $414. After checks and other fees, this left the group with a balance of $386.

Vice President Lawrence Charters requested that we spend a large portion of this money to finish setting up the SMUG website on WordPress.com. While the site is working as designed, hosted for free, there are limits on what you can do with a free site: you can’t use a custom domain name (every WordPress.com site is going to end in xxx.wordpress.com), there is no technical support, there are severe limits on how much server space you can use, there are limits on how much you can customize a site, you cannot keep WordPress.com from posting ads on the site, you can’t link to social media, etc. The cost for all of this would be less than $150/year, though how much less is not certain.

There are alternatives, with the same benefits for less than $100/year. One big advantage of using WordPress.com: everything can be built and administered with only a web browser. There is no need for specialized software, no arcane knowledge of Unix or HTTP or PHP or various other odd combinations of letters, numbers and symbols, and multiple people can help populate the site with content.

There was a discussion about reusing the existing SMUG domain, straitmac.org. The site domain registration runs out in April 2020 [at the meeting, it was thought it might be December 2019, but checking, it is 4/4/2020], and the site is hosted on plypen.com. Olypen told SMUG last year that they could not support many of the features SMUG wanted without a doubling of the $100/year price.

Hosting the site elsewhere (GoDaddy, Blue Host, etc.) would be less expensive, but would require a higher level of technical knowledge, and while this wouldn’t be a problem for Lawrence, the group felt more comfortable with the idea that wordpress.com required “only a web browser,” with WordPress.com caring for the updates and infrastructure. The motion to spend the money to build out the site on wordpress.com was moved, seconded, and passed unanimously.

Sabrina asked if it would be possible to post ads to buy, sell or trade Macs and iPhones on the site, and Lawrence cautioned that, as SMUG is a non-profit, the organization has to refrain from activities that might appear to be commercial. The group discussed alternatives (Craigslist, Next Door, etc.), including possibly using the group email list. Some members expressed concern about using the email list as “one person’s ad is someone else’s spam.”

A visitor asked how to become a member, and what, exactly, SMUG did. The answer (from a number of people) was: Strait Macintosh User Group (SMUG) is a non-profit organization that meets monthly or, sometimes, bi-monthly, and discusses Macintosh hardware and software, iPhone hardware and software, iPad hardware and software, Apple Watch hardware and software, etc. Family memberships are $24 per year. At present, the major expense will probably be the website. Currently, meetings are in Sequim, but there have been some requests to hold meetings in Port Angeles. A message will be sent out to the mailing lists asking about interest in holding Port Angeles meetings.

Topics suggested for future meetings:

  • How to organize files
  • Introduction to Google Drive, Docs, Sheets, Google Keep
  • How to securely configure a Mac
  • How to securely configure an iPhone

Presentation: Preview of macOS Catalina

At Apple’s Special Event on September 10, 2019 (you can see the entire video on Apple’s site https://www.apple.com/apple-events/september-2019/), Apple said Catalina would be out “in October,” with nothing more specific. iOS 13 and watchOS 6 will be out September 19, and Apple TV 6 and iPad OS 13 (really, the first version, but apparently it will be called 13) should be out the last week of September.

Apple’s event was only focused on hardware and services, introducing new phones, watches, and an iPad, plus a brief review of Apple TV+ and Apple Arcade. Yet even though Catalina was only mentioned in passing, it is a huge advance for macOS, as it will be the first version of any Mac operating system that is 64-bit only; it will not run 32-bit software, or (for that matter), 16-bit or 8-bit. This is a security measure, and a powerful one.

Moving to 64-bit was first pioneered by iOS 11 on the iPhone and iPad. Since that time, iOS devices use only a 64-bit ARM processor and run only 64-bit software. These steps not only made iPhones and iPads faster, but also more secure, for reasons that are very real if a bit hard to explain. Catalina’s move to support just 64-bit processors and 64-bit applications should also see an increase in speed and efficiency, as well as security.

Lawrence did not advise anyone to install the beta of Catalina, unless they happened to have a Mac they are willing to erase at some point. Significant parts of the operating system are still in test. For one thing, any 32-bit applications they have will simply not work. Lawrence demonstrated this by showing that the scanning software he used for his scanner is dead (the manufacturer has released an entirely new suite to replace it), and Apple’s Aperture photo management software is — dead.

Aside: Asked what he uses instead of Aperture, Lawrence said that Apple’s “replacement” for Aperture was Apple Photos, which is free to everyone with a compatible Mac. Apple Photos is quite good, but Lawrence went a different route, and is now using Adobe Lightroom. For people who don’t have tens of thousands of photos, Apple Photos (available for Macs, iPhones, and iPads) is probably more than adequate.

Lawrence then demonstrated one huge advance in Catalina: all user data is on its own disk partition, separate from the operating system. Putting the operating system on its own partition, and then severely limiting access to that partition, vastly improves security. Lawrence demonstrated this by booting into Recovery Mode, launching Disk Utility from the Recovery Partition, and then showing the three partitions of the drive: the Recovery partition, the operating system partition, and the user data partition.

macOS Catalina puts the operating system in its own partition (on this machine, the partition named "Portacray"), separate from all user data (the highlighted "Portacray-Data" partition). The partition used for the Recovery Partition is at the bottom, "macOS Base System."
macOS Catalina puts the operating system in its own partition (on this machine, the partition named “Portacray”), separate from all user data (the highlighted “Portacray-Data” partition). The partition used for the Recovery Partition is at the bottom, “macOS Base System.” Click on the image for a closer look.

As soon as Catalina comes out, Lawrence intends to put it on all his machines except one (and that machine, a Mac mini, is too old to support it, anyway).

Speaking of the Recovery Partition, Lawrence strongly encouraged everyone to learn how to use the Recovery Partition before they had an emergency. The Recovery Partition allows you to launch Disk First Aid (to check the hard drive), to reinstall macOS, to restore a drive from a Time Machine backup, to get help online (the Recovery Mode can use Ethernet or Wi-Fi to reach the Internet), to use Network Utility to check network connection, and to use Terminal to use command-line utilities and diagnostics. Booting the Recovery Partition is easy: restart the machine and hold down ⌘ and R until you see the Apple logo or a spinning globe. More information on the Recovery Partition can be found on Apple’s website at https://support.apple.com/en-us/HT201314

Not all Macs are compatible with Catalina. For a complete list, see Apple’s listing at https://support.apple.com/en-us/HT210222

Macs compatible with macOS Catalina, from Apple's website.
Macs compatible with macOS Catalina, from Apple’s website.

Aside: Lawrence was asked how to tell which model Mac you might have, since Apple tends to call all their Macs by certain broad names. In order to see what model you have, go to the Apple Menu, select About This Mac, and your Mac’s model and model year will appear.

Under the Apple Menu, About This Mac will tell you what model Macintosh you are using. In this case, the Mac is an iMac 21.5 inch, 2017.
Under the Apple Menu, About This Mac will tell you what model Macintosh you are using. In this case, the Mac is an iMac 21.5 inch, 2017.

Even if you do not plan to upgrade to Catalina, you should immediately go to the Apple App Store and download macOS Mojave. Once Catalina is released, Mojave will not be offered on the App Store for download.

And if you do not think you want to install Catalina, reconsider. With Catalina’s release, Apple will also release acknowledgment of various bugs and vulnerabilities patched in Catalina, and thank the developers who found them. Hackers will immediately use this list of bugs to start attacking Macs that have not been updated.

If you have an older machine that cannot be updated, considering retiring it, and getting a new Mac. Or at least getting a newer Mac. Older Macs that are compatible with Catalina are available from various resellers, or from an individual wanting a newer machine.

As mentioned earlier, Catalina will not launch 32-bit applications; only 64-bit applications. Before installing, you should check for all 32-bit programs on your machine. There are two ways to do this, one easy and another a bit more difficult. The easy way: St. Clair Software has released a free program, Go64, which will inventory every application on your machine and present a nice, neat listing of applications that are 32-bit, 64-bit, or a mixture of both. The listing is sortable, and includes the website of the developer, in case you want to go and check to see if an application has a newer, 64-bit version available. You can get Go64 here: https://www.stclairsoft.com/Go64/

The slightly more difficult way is also free. Go to your Mac’s Apple menu, select About This Mac, press the button called System Report, scroll down to the bottom, where Software is listed, select Applications, and then – wait a bit. Your Mac will build a listing of every application on your machine, and the right-most column, labeled 64-bit, will show a Yes if something is 64-bit and No if something is not. The columns are sortable, so click on the 64-bit column heading to clump all the “No” responses together. This isn’t quite as easy to use as Go64, but it is built right into your Mac.

Lawrence wanted to demonstrate a neat new feature of macOS Catalina and the new iPadOS: the ability to use an iPad as an additional screen for your Mac. Not only can you use an iPad as an additional screen, but you can draw on the iPad, and then use your drawing on the Mac (assuming the iPad and Mac have programs that are compatible with one another). This new capability is called SideCar.

Unfortunately, Lawrence’s MacBook Pro is new enough to support Catalina, but too old to support SideCar. The list of supported Macs is fairly short:

  • 27-inch iMac (Late 2015 or newer)
  • iMac Pro
  • MacBook Pro (2016 or newer)
  • MacBook Air (2018)
  • 12-inch MacBook (early 2016 or newer)
  • Mac mini (2018)
  • Mac Pro (2019)

In addition to the speed and security improvements, Catalina also comes with some revamped applications:

  • Reminders – brings some nice improvements, but Lawrence did not test it as the first thing it did was prompt him to upgrade a whole bunch of devices to iOS 13 and Catalina, which really aren’t out yet.
  • Notes: Catalina adds a nice thumbnail gallery view, which is considerably more useful than the current listing of first lines of notes.
  • Find my: this new application replaces Find iPhone and Find Friends, and now works on iPads, iPhones, and Macs. It works by mapping device locations to the closest Internet access point, which may be a Wi-Fi router in a home or a mobile telephone tower on a different continent.
  • Music: iTunes has been split apart, into a new Music application and a separate Podcast application. This closely matches changes introduced on iPhones and iPads.
  • Apple TV: an Apple TV app was added to iOS last year, and now it is available on the Mac, too. It supports Apple’s new streaming service Apple TV+, and also handles any movies you may have purchased through iTunes. Note: it does not provide local broadcast TV service. For that, look at something like YouTube TV, from Google, https://tv.youtube.com/

Lawrence recommended not connecting Macs running older operating systems to the Internet. Want to use them for playing non-Internet games? Fine. Want to use them for scanning things using an old scanner? Fine. But keep them off the Internet; no email, no web browsing. Virtually all Mac security compromises come from email or web browsing.

One individual stated that he connects multiple hard drives to their Mac, with different operating systems, allowing them to “revert” to an older operating system just by rebooting. Lawrence strongly recommended not to do this. When you boot an operating system from disk, the operating system changes how your Mac uses memory, changes what is in memory, changes how it accesses and stores things on disk, and, in newer operating systems, also encrypts memory. Switching between operating systems on the same Mac runs a high risk of corrupting data on the hard drive and losing everything stored on a drive, without hope of recovery.

One way to maintain old operating systems safely: Parallels. Parallels Desktop for Mac ($79.99) allows you to create “virtual” machines that run on your Mac. You can run Windows 10 (you still need a copy of Windows 10), Linux (you can download Linux for free), or older versions of macOS. These operating systems will run on “top” of Catalina, which was the inspiration for the name Parallels. https://www.parallels.com/products/desktop/

Lawrence was asked about Fusion, which is another software virtualization tool. Fusion is popular with system administrators because most of them are trained in Windows, and VMWare (which makes Fusion) also makes one of the most popular virtualization packages for running on Windows machines. And there is the problem: Fusion is not as fast as Parallels, and is not particularly Mac-like. But it does work. https://www.vmware.com/products/fusion.html

The meeting ended with a Question and Answer session. The rule for this section: the question and the answer should be something that can reasonably be asked in three to five minutes.

Questions and Answers

Q: How do you turn off storing the location of a photo on a specific photo? I don’t want that information uploaded with photos to social media.

A: The iPhone stores the location of where a photo was taken (or at least a guess) inside of every photo as GPS metadata. This is a good thing, as it helps you remember what and where you were when you are sorting through photos. Rather than turn on and off this setting on specific photos, it is much easier to simply remove the metadata from photos with an application. The Apple Mac App Store has free utilities to remove metadata; search for “remove photo exif” data and you should find several.

Q: What should I do if a machine is sluggish?

A: First thing: check hard drive health. Use ⌘-spacebar to bring up a search box on your Mac, type in “disk utility” and press enter. This will find and launch Disk Utility. Click on the first tab, First Aid, and have Disk Utility check your hard drive to see if the directory is healthy. If you see any errors, have Disk Utility fix them. If Disk Utility cannot, seek professional assistance.

Beyond that: most people think their computer is sluggish because their Internet connection is slow. A great many things, even searching your hard drive, trigger connecting to the Internet, and if your Internet connection is slow or unreliable, your computer will seem sluggish.

Another common problem specific to web browsers: cache bloat. Your web browser stores bits and pieces of websites on your machine, to increase the apparent speed of sites that you visit over and over. After a while, you end up with thousands, or tens of thousands, of small web bits and pieces on your computer, and it takes a while for your browser to sort through all that stuff. Cleaning the cache can not only speed up your browser, but also recover gigabytes of disk space. Note: emptying the cache may also delete cookies, and if you commonly have your browser store your password, this could keep you out of some websites.

Speeding up Apple Mail: empty out your Junk folder. Some people have tens of thousands of messages in Junk Mail. Empty it. Clearing out Junk Mail and deleting old messages greatly reduces the amount of stuff that Mail has to sort through, and speeds it up immensely.

Don’t store stuff on your Desktop. It is OK to have a document or three, but some people literally cover their desktop with documents and other things. Each time your Mac boots, or you interact with the Desktop, your Mac must sort through all that stuff.

Q: Should I wait for phones with 5G before upgrading my iPhone?

A: 5G doesn’t really exist, despite what commercials on TV might suggest. If and when 5G is deployed, it will appear in large cities long before it appears in Clallam County or Sequim. If you need a new iPhone or iPad, don’t worry about the semi-mythical high-speed 5G services; you won’t miss them, probably for several years.

Similarly, don’t worry about computers or routers supporting Wi-Fi 6. In theory, Wi-Fi 6 is 40% faster than Wi-Fi 5 (previously called 802.11ac). For virtually all of us, our home Wi-Fi router can provide far, far faster speeds than our ISP (Internet Service Provider) can support. In Clallam, most people have broadband Internet speeds of 5 to 10 Mbps (megabits per second). A Wi-Fi 5 router can support speeds of up to several gigabits per second – until it hits your ISP’s cable box, at which point it will be literally a thousand times slower.

Q: Can you use Wi-Fi to improve phone reception?

A: Yes, sometimes. Both AT&T and Verizon support what they call “Wi-Fi calling.” This essentially uses your home’s Wi-Fi and your ISP’s cable service to help send and receive phone calls. You can turn this on under Settings > Cellular > Wi-Fi Calling > On. It doesn’t cost anything extra, and for some people, it may be the only way to get mobile phone service in your home or office.

Q: [General question about 911 service and emergencies.]

A: Several people noted that the Great Washington Shakeout will be held October 17. This is a state-wide, voluntary exercise to prepare an emergency plan for your home and office, and test it on October 17. Given that Clallam County is at the edge of the Cascadia Subduction Zone, and that Clallam has limited access (due to a floating bridge, mountains, an ocean, and few highways), and no electrical power is generated on the peninsula, and the nearest large city is in another nation, and … generally speaking, you should check out the website and participate in the exercise: https://www.shakeout.org

Next meeting

The group decided the October 15 meeting would be on Securely Configuring macOS Catalina. Most of what will be presented also applies to Mojave, High Sierra, and Sierra, in case you haven’t upgraded by then.

The meeting will be at the Sequim Public Library, and begin at 7 p.m.

Note: SMUG received some email messages about the meeting starting “before 7 p.m.” It was explained that, during meeting setup from 6:30-7 p.m., those present did engage in technical gossip about Macs, iPhones, Apple TV, and other things, but the meeting itself didn’t start until 7 p.m., and the presentation started around 7:15. If you arrive early and want to talk about “Mac stuff,” that is fine, but the meeting and program start at 7 p.m.

July 2019: Questions and Answers

Questions were the topic of the evening for the July 16, 2019, Strait Macintosh User Group meeting. The meeting was held at the Sequim Library, 630 N. Sequim Ave., Sequim, WA. Notes by Secretary Kathleen Charters.

Business meeting

The meeting started off with President Sabrina Davis answering questions about recent history, covering such topics as “What happened to our treasury?” [Some former members donated it to Shipley Center, without participation by the current SMUG members or officers, and without holding a meeting.] “What happened to our equipment?”[Donated to Shipley.] and “What do we want to do going forward?”

Going forward, the group decided to hold meetings more or less monthly to get back on track, with the next meeting Tuesday, September 17, at 7 p.m. at the Sequim Public Library. Yes, this means “monthly” doesn’t include August, due to schedule conflicts.

Some members expressed concerns about meeting during the winter months, when it gets dark early and the weather might be unpleasant. This will be discussed some more, as the group is not committed to meeting Tuesday evenings; there are other perfectly good days of the week, and we could meet during daylight hours. We’ll discuss this again in September.

Funds were also an issue. There have been complaints that the new website has advertisements (as some said, “obnoxious ads”) which is a consequence of the free hosting available on WordPress.com. Fixing this, and coming up with a SMUG-specific domain name, would cost money. If we rented space somewhere, that would also cost money; the Library is an excellent location, but the meeting space is quite small (technically, we are supposed to be using only half the space we’ve occupied at the last two meetings).

It was moved, and passed, that dues be set at $24 per year. Treasurer Annalis Schutzmann collected dues from most of those in attendance. [Subsequently, Annalis and Secretary Kathleen Charters set up a SMUG bank account.]

Open Question and Answer (Q&A) session

There were two rules:

  1. The questions had to be about Apple products (hardware or software), and
  2. The questions and responses should take no more than three to four minutes to answer.

Anything more complex will have to be deferred.

Vice President Lawrence Charters conducted the Q&A session.

My Laptop can’t download mojave

Just from looking at the laptop from across the room, it is clear the MacBook Pro has an optical disc drive, which means it is fairly old, as Apple hasn’t shipped a laptop with an optical drive since 2012. As for why Mojave is not supported: Mojave (macOS 10.14) is a 64-bit operating system, and older Macs do not have CPUs (the main “computer”) capable of supporting 64-bit operations. Mojave also uses the video card as if it was another CPU, speeding up not only video but file compression, among other things, and older video cards do not support such operations. Since virtually all Macs, laptop and desktop, have a single circuit board holding the CPU, the video card, and all the supporting chips and circuitry, it isn’t economically or technologically feasible to replace the pieces; a newer machine is the only option.

Incidentally, a “newer” machine does not necessarily mean “brand new.” Apple sells refurbished machines from their websites (with new warranties).

As for why a 64-bit operating system is important: not only are these faster (allowing you to get more speed and efficiency on supported hardware), but they are also much more secure. This is true not only for Macs; iPhones and iPads have been 64-bit-only for several years, and Microsoft is now strongly pushing Windows 10 users to use 64-bit versions of Windows 10. In the Windows world, this has created massive problems, as literally a billion Windows machines are running insecure versions of Windows.

is it wise to beta-test new Mac OS?

Running beta (pre-release) versions of operating systems on your iPhone, iPad, or Mac is only a good idea if a) you have another perfectly useful machine to do important work and b) you are prepared to erase everything on the machine you use for beta-testing. And “erase” means everything: all data, all applications, and the operating system itself. Beta versions of operating systems are intended to test things to see if they break, and, if they do, how they break; they are not designed for you to test drive.

Note, too, that it takes time to download beta versions of operating systems, time to install the software, and sometimes time to reinstall the software, as one of the things being tested is the installer itself. Also, Apple recommends erasing all beta versions of an operating system (which requires erasing the entire drive) before installing the release version. If you do decide to try the beta versions of an operating system, make sure you have an iCloud account with enough room on it to hold everything on your machine — all data, and all applications — as it gives you some chance to recover in case something goes horribly wrong. “Going horribly wrong” is the whole purpose of beta testing.

what about running another operating system from another drive?

You should never try and have two different operating systems installed on the same machine, even if they are on different drives, as this can corrupt the operating systems and your data. When a Mac boots, it scans all connected drives and based on what it finds, it makes changes in memory to accommodate what it thinks is appropriate for the operating system — and these changes could cause damage when you switch back and forth between the two operating systems. It may make changes to whatever drive is not the boot drive — changes in initial boot parameters, changes in which drive is booted first, changes in preferences for applications, etc. — and those changes can corrupt your data, your applications, and either or both operating systems.

After upgrading to high sierra, not able to access files

High Sierra (macOS 10.13) is much more strict about how applications perform, and if an application does things in an insecure fashion, it simply won’t allow the application to launch. High Sierra also changes the file system on the internal drive (on machines with solid-state drives), which also makes all previous disk analysis and disk management utilities obsolete. Most of the changes in High Sierra are focused on speed, efficiency, and particularly security. If your application doesn’t run anymore, you need to upgrade to a later, supported, more secure version.

I’m getting a warning my application is not optimized for operating system

I’ve run this: the scanner software for my Fujitsu scanner is flagged by my Mac as “[This app] is not optimized for your Mac and needs to be updated.” It is essentially a warning that it is a 32-bit application and absolutely will not run under macOS Catalina 10.15, the next version of the Mac operating system. You need to either get the vendor to update the software, or buy a new version, or find a replacement.

[Fortunately, Fujitsu did come out with a free update the next day.]

Is it important to upgrade? Are Macs really vulnerable?

Yes, you should upgrade, and yes, Macs are vulnerable. The biggest reason they are vulnerable: the Mac user “invites” malware onto their machine.

In the past, the largest source of malware (malignant software) on the Mac was Adobe Flash. Adobe has abandoned Flash (in 2017), and because it is no longer supported, it continues to be a problem. Today the most common vulnerability comes through PDFs, (another Adobe product). A PDF document is essentially a program and hackers “tag” PDF documents with programs that can compromise your Mac.

Apple operating system upgrades are free; the alternative is to never connect a device without upgrades to the Internet.

Is there something we can use to protect ourselves?

Generally don’t recommend installing anti-virus software unless you are a teacher, a lawyer, or someone else who gets a constant stream of documents from strangers. The anti-virus packages for Macs are quite good, but generally, the only things they find are Windows viruses, which your Mac ignores.

The best defense is to install the operating system and application updates as they become available. Among other things, this ensures that Gatekeeper is updated. Gatekeeper is Apple’s background technology that automatically (if you keep the operating system updated) downloads profiles of malware and malicious websites. If you try and visit a suspicious website with Safari, Safari will pop up a warning telling you to go away. If you attempt to download a malicious software package, Gatekeeper will put up a warning.

Does gatekeeper only work with Safari?

Yes, Gatekeeper only works with Safari. Chrome, however, has similar technology, and Chrome tests for updates every time you launch it. Speaking of browsers, Microsoft has released a beta version of Microsoft Edge, their browser. Like Chrome, the new Microsoft Edge is based on Chromium, which is Google’s browser technology. Chromium, in turn, was originally based on WebKit, which is Apple’s technology.

If you are interested in the Microsoft Edge beta for the Mac, visit: https://www.microsoftedgeinsider.com/en-us/ Note: this is a beta, so don’t use it for anything critical.

Should I use MacKeeper?

MacKeeper is not something you should have on your Mac. It is heavily advertised, and many people have installed it accidentally. If you have it, get rid of it. MacKeeper does not tell you how to uninstall it; it is complicated and annoying, and once installed, it slows your machine down and constantly prompts you to upgrade to a paid version. Many people have to pay a consultant to remove it. Here are two different sets of instructions for removing it. Pick one or the other, and don’t skip any steps:

https://www.lifewire.com/remove-mackeeper-4150011

https://www.macworld.com/article/2861435/how-to-uninstall-mackeeper-from-your-mac.html

Free software training

The Sequim Library, as part of NOLS (North Olympic Library System), has as part of its service free access to Lynda.com. Lynda.com has some of the best online software courses on how to do everything from using Microsoft Word to how to write code in PHP for building a website. Ask the library for more information; normally, Lynda.com courses are $60 or more apiece.

Have had problems uploading movies from iPhone 5s

The iPhone takes great movies — but movies are much larger than photos. To upload them, you have to spend a lot of time waiting for them to upload. If you are trying to sync them to iCloud, it can also take a long time. You also have to make sure you have enough space in iCloud to hold them.

To check your available space on the iPhone, go to Settings > General > About, and scroll down to Capacity. Just below that is Available, which displays the available space left on the phone.

To check your iCloud space, go to Settings, and right at the top, press on your name, which opens up the Apple ID and iCloud settings. Scroll down to iCloud, press on the link, and you will see the storage capacity at the top. If you only have the free 5 GB account, and it is all in use, you won’t be able to sync video to iCloud.

When uploading video or syncing to iCloud, it is best to do this from home, using your home Wi-Fi, and the iPhone plugged into power. If you try to do this over a cellular connection, you will use up bandwidth in a hurry, and the sync process is slower. Or sometimes not even available as an option.

Speaking of cloud storage, everyone should consider getting a Google Photos account. You can save “unlimited” photos at high resolution, and up to 15 GB of data, for free. Not as well integrated as iCloud, but there is no reason not to sync to both iCloud and Google Photos.

Do you use offsite storage?

There are lots of “cloud backup” vendors. The one Lawrence uses is Backblaze, https://www.backblaze.com

BackBlaze runs a daemon (a Unix background process) that scans for new files and uploads them automatically; Lawrence has 10.5 TB in BackBlaze. It is perfect for disaster planning, protecting your data in case of a local power outage, or theft, or fire, or some other kind of loss.

Since Backblaze is in the cloud, it is not subject to any household or office or even any regional disaster; you can access the backup files from anywhere on the planet that has Internet access. You can restore files from anywhere, even onto a brand-new machine. If you have a lot of data [Lawrence has a lot of data], you can pay Backblaze a deposit and they will ship a hard drive (or multiple hard drives) to you for restoring files to your machine

why is cloud backup a good idea?

iCloud, and other “true” cloud services (Amazon, Google, Microsoft Azure, etc.) replicates data across millions of drives. If one hard drive fails, it automatically re-creates the data on another drive. The big cloud services are also replicated between regions. You can back up your Mac from your home in Sequim, and the cloud service will make copies of the data in other regions, so not even a regional outage will lose data.

While Apple, Amazon, Microsoft, and Google don’t publish any figures on how their infrastructures are built, a 2016 report estimated that Google has 2.5 million servers worldwide. That is a lot of redundancy. Other estimates put the figure at closer to 10 million.

Encryption is another benefit. Apple iCloud is encrypted by default, as is Google Drive (which includes Google Photos). The encryption ensures that you are the only one with access to your data, even in the cloud. In fact, since most people don’t encrypt their laptop or desktop machines, your data may be more secure in the cloud than at home.

Next meeting

The next meeting will be Tuesday, September 17, 2019, at 7 p.m. at the Sequim Library. The topic: A preview of what is coming with macOS Catalina, and if time, information on the new iOS 13 and iPadOS.

June 2019: Web browsers, continued

Web browsers continued as the meeting topic at the June 18, 2019 Strait Macintosh User Group meeting. In a change from the past, the meeting was held at the Sequim Library, 630 N. Sequim Ave., Sequim, WA.

While President Sabrina Davis and others set up the room for the meeting, Vice President Lawrence Charters hosted a Q&A (Question and Answer) session. The overarching rule: the question had to be about Apple devices, and the question had to be something that could be asked and answered in three minutes or less.

Q&A

Q: I have a new iPhone, and am having trouble moving photos from my old phone to my Mac to my new phone.

A: Once upon a time, you used iPhotos or iTunes or some combination of the two to move photos. Today, by far the best solution is to use iCloud. Every Apple ID account offers 5 gigabytes of space in iCloud for photos, messages, email, and documents. This is not enough for most people, so buy some more space (it is inexpensive, and you can do that through the iClouds pane in macOS System Preferences or through Settings > Apple ID (click on your name at the top) > iCloud > Manage Storage in iOS). This will allow you to move photos around between your iPhone, iPad, and Mac seamlessly, as long as you have an Internet connection.

Q: What do you think of the new Mac [introduced at the June World Wide Developers Conference].

A: The new Mac Pro coming out in Fall 2019 will have a minimum of 8 Xeon W core processors, 32 gigabytes of memory, and 256 gigabytes of solid state disk (SSD) storage. If this is too little, you can configure it with up to 28 Xeon W core processors, 1.5 terabytes of memory, and 4 terabytes of SSD storage. It will start at around $6000, The accompanying Apple Pro Display XDR for the machine (optional) will cost $5000 or $6000, not including the $1000 stand. One person mentioned that it justified getting a bumper sticker that said, “My other car is a Mac.” Highly configurable, very powerful, and not intended for the average user.

Q: I have not upgraded since Sierra; and am reluctant to upgrade. How vulnerable am I to security issues?

A: macOS Mojave, the current operating system, is faster and more secure on your existing hardware. It is like getting a rebuilt engine for an old car, for free, with new tires, airbags and seat belts. You may have to upgrade some software, but you gain a currently supported, secure operating system, much more capable of protecting your computer and your data.

Every time Apple patches their software, they release notes on what was patched and why. Hackers use these notes to discover and exploit weaknesses in machines that have not been patched so: upgrade your system, and stay current. Don’t delay.

Q: Do I need Flash?

A: Flash is a security vulnerability and Mojave tries to keep you from using this; it is not installed by default. Adobe stopped development of Flash in 2017, and will completely abandon it in 2020. If you use something that requires Flash, stop using it. Find an alternative.

Q: My computer is warning me that an application is not optimized for my system. What does that mean?

A: macOS is warning you that the application is not a 32-bit native application, and will not work with future versions of macOS. Apple, and Microsoft with Windows, is pushing 64-bit operating systems and applications as the standard, for security reasons. (iOS has been 64-bit only since iOS 11.) The next version of macOS, macOS Catalina, will not run 32-bit applications.

While some companies, chiefly game companies, have sent out messages warning users that their software will stop running if using macOS Catalina, the real problem is that the game companies aren’t upgrading to their software. If you really think life will end without some obsolete software package, buy a used Mac, put the game or other application on it, and don’t let that machine ever touch the Internet.

Think of that warning message as: “I am a piece of obsolete software on your computer. I’m making your computer vulnerable.”

Note that the move to 64-bit-only is not unique to macOS; iOS moved to 64-bit-only several years ago, and Windows 10 is now moving to 64-bit-only. Intego has a nice blog entry on why 64-bit is better.

Fire Fox, Chrome, Safari, Edge popular Web browsers; 2B androids in use but may not have working browser, 70-80 malicious software per device; iOS does not have malicious software because can upgrade devices; 1 Android (Pixel) gets Google updates but not many devices; may see warnings that an app not optimized for new OS; game manufactures warn if upgrade to OS Catalina games may not work anymore; 64bit processors since 2003/4; can move more data at one time so more efficient, better memory management; 32bit vulnerable to hacker code but 64bit makes memory not used as reserved so hackers cannot exploit; a 32bit OS is less secure; the programs will not run; if run without Internet can use older machines with older OS

Officers, equipment and funds

President Sabrina Davis gave a brief overview of some changes in Strait Macintosh User Group, starting with: equipment and funs.

Sabrina was elected President in October 2018, with Lawrence Charters elected Vice President. They presided over the December 2018 meeting, and had planned out a meeting for February 2019, which was canceled due to a major snow storm.

Sometime in March 2019, some former members discussed, via an email exchange, dissolving the group. As far as we know, none of these individuals attended the October or December meetings, or had standing as officers, but they decided Strait Macintosh User Group was no longer functioning, and gave the treasury (roughly $2,800) and all equipment to Shipley Center, in Sequim. They did this without the President or Vice President calling a meeting, or a vote of the membership attending a meeting. Shipley informed us the funds and equipment are not recoverable.

The June 2019 meeting was moved to the Library because, without funds, we could not pay the room rental at the previous location. One limitation: we can’t book a room more than three months in advance, and can’t guarantee a date. We also do not have control over the old web site or forum, so created this new site, https://straitmac.wordpress.com. For a list of the current officers, see https://straitmac.wordpress.com/contact/.

Restarting SMUG

Our membership list is three years old, and needs to be updated. If you receive a message from us, and don’t want to, please just use the contact page to request we stop. We will be sending out notices to our mailing list of meetings and any other interesting events, and a volunteer will also post announcements on NextDoor.

We will be hosting monthly meetings for a while, to regain momentum. The next meeting will be the third Tuesday in July, July 16, 2019, at 7 p.m., at at the Sequim Library, 630 N. Sequim Ave., Sequim, WA. We can only reserve a room at the library a few months in advance; we can’t have a standing meeting for the entire year.

Several people were asked what do we do for money, since the treasury is empty. If we wish to have a custom domain for this website (straitmac.org or something that does not include “wordpress.com” in the name), and get rid of the advertising, we need $130-150 per year. If we wish to use another meeting space, and have a projector for presentations, we need considerably more. We will talk about options at future meetings.

Presentation: web browsers, continued

If it seems that much of the talk about web browsers involves security, there is a good reason: it does involve security.

The major current web browsers, in order, are Safari (on a billion and a half iOS devices, plus Macs), Chrome (on iOS devices, Android devices, Macs, and Windows), Firefox (on Macs, Windows, Linux, Android, and iOS devices), Microsoft Edge (on Windows and, now in beta, on Macs), and Internet Explorer (completely abandoned by Microsoft, but still used on almost a billion compromised machines).

HTTPS Everywhere, a free browser extension for Chrome (but not Safari) puts up a giant warning screen when you attempt to visit an insecure website.

Almost all Mac and iOS compromises involve something download over the web, so it is important to keep all your iOS and Mac devices running the current operating system and a current browser. If your device is too old to support a current operating system, don’t connect it to the Internet.

Your day-to-day account on your Mac should be a non-admin account. Why? An admin account can accidentally authorize a piece of malware to be installed by simply clicking an “OK” box in your browser. Non-admin accounts cannot install software and, therefore, are far more secure from accidental compromise.

The big reason over a billion Windows machines are infected with malware: they are running obsolete versions of Windows, and the user account is an admin account. In the U.S., the government is as guilty as this as anyone else; the U.S. Navy, for example, is still in the process of retiring thousands of machines running Windows XP and Windows 7, instead of the current Windows 10.

If you think you, the “average user,” are not vulnerable — you most definitely are a target, and are vulnerable. Thieves are attacking not only adults and teens, but even taking out credit and home loans in the names of one year olds, confident that it will be a decade or more before the child learns their credit has been ruined. Even if they scam you out of only a couple hundred dollars, this is still a tempting target for thieves, as they can attack hundreds or thousand of accounts a day.

Visiting straitmac.org with Safari is flagged as “Not secure.”

To protect yourself, avoid unencrypted sites. The old Strait Macintosh User Group Site, straitmac.org, is unencrypted. If you visit with Safari, Chrome or Microsoft Edge for Mac (now in beta), the location bar will flag the site as “Not Secure” because it does not have a valid security certificate. The SMUG Forum is also not encrypted, which means that user names and passwords entered on the site are sent in clear text and can be intercepted and exploited. This is, by the way, why you should use unique passwords for every account, as otherwise, all a hacker has to do is compromise one site and they can use that password on any and every site that you’ve reused that password.

Visiting straitmac.org with Chrome is flagged as “Not secure.”

To keep track of all the unique passwords, use a password vault, such as 1Password. The iPhone and the Mac versions of 1Password sync, allowing you to use 1Password on your iPhone when away from Mac. 1Password can do more than store passwords; you can also use it to store credit cards, your license plate number your VIN (Vehicle Identification Number), or anything else that is associated with you as an individual and is difficult to remember.

Someone asked if 1Password was different from Keychain, Apple’s built-in technology for storing and syncing passwords. The short answer is that they accomplish the same goals, but Keychain tends to confuse most users, whereas most users have no trouble at all properly using 1Password. Take Control Books, by the way, has electronic books on how to use 1Password, specifically, and how to manage Your Passwords, generally.

Visiting straitmac.org with Microsoft Edge for Macintosh (beta) is flagged as “Not Secure.”

straitmac.wordpress.com– shows a lock; secure site; has valid certificate from a 3rd party; has been audited; Browsers recognize this as a legitimate site; the machine has a valid certificate for the site so can encrypt the information exchanged; Chrome shows green icon if very secure e.g., banks; 

Safari, Chrome, and Firefox were briefly demonstrated, with brought up two interesting questions:

Why would you need more than one browser? The answer is: there are sites that might not work with Safari that will work with Chrome, or Firefox. Since the browsers are free, there is no “cost” to having all three. Another important consideration: Apple tends to update Safari, on the Mac and in iOS, with new operating system releases; Chrome checks to see if it needs to be updated every time it launches, and doesn’t bother to even ask you about updates. Firefox is somewhat in the middle; it checks every time, but asks you before updating.

The second question: is it possible for a site to be secure with one browser and not secure with another? The literal answer is: no. A properly secure site should be secure with all browsers, and if it is insecure with any browser it should be considered insecure with all. However, it is possible for a site to be secure and not work properly with a given browser. Again, this is a good reason to have Safari, Chrome and Firefox.

July meeting, third Tuesday, July 16, 7 p.m.

The July meeting topic will be an open-ended Q&A (Question and Answer) meeting. There are simple rules: the question must be about an Apple product, or something that runs on an Apple product, and the answer must be something that can be reasonably handled in a three to five minute answer. Questions do not need to be answered by a SMUG officer; if you know the answer to a question, feel free to chime right in.

Coming soon

Coming soon

Apple WWDC19 was full of wonders

Apple’s World Wide Developer Conference (WWDC) was held earlier today, and Apple made a number of announcements:

New Mac Pro is a highly customizable box.
The new Mac Pro is endlessly customizable, offering huge amounts of memory, storage, video power, etc. There is even a rack-mounted version, in case you want a small herd of these for crunching vast herds of bits and bytes.
  • iOS 13 is aimed at being much faster, even on existing hardware, and is bringing Dark Mode to the small screen, along with outstanding security and privacy;
  • iPad software is being split off from the iPhone to a new iPadOS, with features that take advantage of the vastly larger screen;
  • the Mac Pro returns, in a powerful 28-core monster;
  • Apple returns to the display business with an exotic Pro Display XDR;
  • watchOS 6 will add new health and fitness metrics and capabilities, and new watch faces;
  • tvOS 13 will allow multiple user profiles, so you can watch what you want, and listen to what you want;
  • macOS Catalina returns to the California coast, and splits iTunes apart with separate apps for Apple Music, podcasts, and Apple TV;
  • another huge change to macOS Catalina is Sidecar, a built-in capability to use your iPad as an additional screen of your Mac, and use iPad capabilities — such as the pen — with your Mac;
  • accessibility changes, to macOS, iOS, and iPadOS, promise to vastly expand what can be done by those with vision, hearing, or mobility limitations, including both the very young and the very old.
iPadOS showing Dark Mode and something more than apps on the home screen.
New iPadOS showing Dark Mode and the ability to display information on the home screen.

You can watch the keynote (a bit more than two hours) here.

Tapping the Apple Watch face will soon allow you to record a voice memo.
Soon you will be able to record a voice memo on your Apple Watch with just a tap.

Most people will never own a Mac Pro; fully equipped with the new Pro Display XDR, you could buy a decent car — a new car — for the same price, or less. But almost everyone with an Apple device will benefit from iOS 13, iPadOS, tvOS 13, watchOS 6, and macOS Catalina. In particular, the accessibility features, and the vastly expanded iPad capabilities, are worth a long, thoughtful look. And the security and privacy features built into the new operating systems — all the operating systems — are extraordinary.

The programming tools will roll out immediately, with the finished iPhone, iPad, watch, TV, and Mac operating systems coming out in the fall. The Mac Pro and Pro Monitor will be out “this fall,” but you can sign up to be notified when they are getting close.

An iPhone Note in Dark Mode, with an option to send an email notification directly from the Note.
iPhone Notes in Dark Mode, with the option of sending an email notification directly from the note.

Since this is the World Wide Developers conference, there was also a presentation on coding, and it was impressive. While GUI (Graphical User Interface) programming has been touted for a couple decades, the reality is that complex programming is almost entirely based on thousands, or millions, of lines of text-only code. But with the forthcoming Xcode 11, you really can drag-and-drop large chunks of graphical elements, and large chunks of code, into your application code. And Apple has vastly reduced the code barriers between macOS and iOS apps with new technology that lets you very quickly, and fairly painlessly, transform an iOS app into a Macintosh application in just a few days.

Xcode 11 will offer drag-and-drop programming, and you can code for a Watch, Apple TV, Mac, iPad or iPhone by just selecting an option at the start of the project -- and little more.
Code on the left, with a live preview of the result on the right, compliments of the new Xcode 11.

Safari 12.1.1 security update

Apple released a security update for Safari, Safari 12.1.1, on May 13, 2019. This security update applies to macOS Sierra, macOS High Sierra, and macOS Mojave, and is included with the security updates for these operating systems released on May 13, 2019. You can subscribe to Apple security announcements at https://lists.apple.com/mailman/listinfo/security-announce/


APPLE-SA-2019-5-13-5 Safari 12.1.1

Safari 12.1.1 is now available and addresses the following:

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
included in macOS Mojave 10.14.5
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
included in macOS Mojave 10.14.5
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6237: G. Geshev working with Trend Micro Zero Day
Initiative, Liu Long of Qihoo 360 Vulcan Team
CVE-2019-8571: 01 working with Trend Micro’s Zero Day Initiative
CVE-2019-8583: sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_)
of Tencent Keen Lab, and dwfault working at ADLab of Venustech
CVE-2019-8584: G. Geshev of MWR Labs working with Trend Micro Zero
Day Initiative
CVE-2019-8586: an anonymous researcher
CVE-2019-8587: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8594: Suyoung Lee and Sooel Son of KAIST Web Security &
Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab
CVE-2019-8595: G. Geshev from MWR Labs working with Trend Micro Zero
Day Initiative
CVE-2019-8596: Wen Xu of SSLab at Georgia Tech
CVE-2019-8597: 01 working with Trend Micro Zero Day Initiative
CVE-2019-8601: Fluoroacetate working with Trend Micro’s Zero Day
Initiative
CVE-2019-8608: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8609: Wen Xu of SSLab, Georgia Tech
CVE-2019-8610: Anonymous working with Trend Micro Zero Day Initiative
CVE-2019-8611: Samuel Groß of Google Project Zero
CVE-2019-8615: G. Geshev from MWR Labs working with Trend Micro’s
Zero Day Initiative
CVE-2019-8619: Wen Xu of SSLab at Georgia Tech and
Hanqing Zhao of Chaitin Security Research Lab
CVE-2019-8622: Samuel Groß of Google Project Zero
CVE-2019-8623: Samuel Groß of Google Project Zero
CVE-2019-8628: Wen Xu of SSLab at Georgia Tech and
Hanqing Zhao of Chaitin Security Research Lab

Additional recognition

Safari
We would like to acknowledge Michael Ball of Gradescope by Turnitin
for their assistance.

Installation note:

Safari 12.1.1 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

macOS Mojave 10.14.5 security update

Apple released a security update on May 13 that updated Mojave from macOS 10.14.4 to 10.14.5, updated High Sierra (macOS 10.13) with Security Update 2019-003, and updates Sierra (macOS 10.12) with Security Update 2019-003. You can subscribe to Apple security announcements at https://lists.apple.com/mailman/listinfo/security-announce/


APPLE-SA-2019-5-13-2 macOS Mojave 10.14.5, Security Update
2019-003 High Sierra, Security Update 2019-003 Sierra

macOS Mojave 10.14.5, Security Update 2019-003 High Sierra,
Security Update 2019-003 Sierra are now available and
addresses the following:

Accessibility Framework
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2019-8603: Phoenhex and qwerty (@_niklasb, @qwertyoruiopz,
@bkth_) working with Trend Micro’s Zero Day Initiative

AMD
Available for: macOS Mojave 10.14.4
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8635: Lilang Wu and Moony Li of TrendMicro Mobile Security
Research Team working with Trend Micro’s Zero Day Initiative

Application Firewall
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A logic issue was addressed with improved restrictions.
CVE-2019-8590: The UK’s National Cyber Security Centre (NCSC)

CoreAudio
Available for: macOS Sierra 10.12.6
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
error handling.
CVE-2019-8592: riusksk of VulWar Corp working with Trend Micro’s Zero
Day Initiative

CoreAudio
Available for: macOS Mojave 10.14.4
Impact: Processing a maliciously crafted movie file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8585: riusksk of VulWar Corp working with Trend Micro’s Zero
Day Initiative

DesktopServices
Available for: macOS Mojave 10.14.4
Impact: A malicious application may bypass Gatekeeper checks
Description: This issue was addressed with improved checks.
CVE-2019-8589: Andreas Clementi, Stefan Haselwanter, and Peter
Stelzhammer of AV-Comparatives

Disk Images
Available for: macOS Sierra 10.12.6
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2019-8560: Nikita Pupyshev of Bauman Moscow State Technological
University

Disk Images
Available for: macOS Mojave 10.14.4
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8560: Nikita Pupyshev of Bauman Moscow State Technological
University

EFI
Available for: macOS Mojave 10.14.4
Impact: A user may be unexpectedly logged in to another user’s
account
Description: An authentication issue was addressed with improved
state management.
CVE-2019-8634: Jenny Sprenger and Maik Hoepfel

Intel Graphics Driver
Available for: macOS Mojave 10.14.4
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8616: Lilang Wu and Moony Li of Trend Micro Mobile Security
Research Team working with Trend Micro’s Zero Day Initiative

Intel Graphics Driver
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8629: Arash Tohidi of Solita Oy

IOAcceleratorFamily
Available for: macOS Sierra 10.12.6
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4456: Tyler Bohan of Cisco Talos

IOKit
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: A local user may be able to load unsigned kernel extensions
Description: A validation issue existed in the handling of symlinks.
This issue was addressed with improved validation of symlinks.
CVE-2019-8606: Phoenhex and qwerty (@_niklasb, @qwertyoruiopz,
@bkth_) working with Trend Micro’s Zero Day Initiative

Kernel
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8605: Ned Williamson working with Google Project Zero

Kernel
Available for: macOS Mojave 10.14.4
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8576: Brandon Azad of Google Project Zero, unho Jang and
Hanul Choi of LINE Security Team

Kernel
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to cause unexpected system
termination or write kernel memory
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2019-8591: Ned Williamson working with Google Project Zero

Security
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8604: Fluoroacetate working with Trend Micro’s Zero Day
Initiative

SQLite
Available for: macOS Mojave 10.14.4
Impact: An application may be able to gain elevated privileges
Description: An input validation issue was addressed with improved
memory handling.
CVE-2019-8577: Omer Gull of Checkpoint Research

SQLite
Available for: macOS Mojave 10.14.4
Impact: A maliciously crafted SQL query may lead to arbitrary code
execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8600: Omer Gull of Checkpoint Research

SQLite
Available for: macOS Mojave 10.14.4
Impact: A malicious application may be able to read restricted memory
Description: An input validation issue was addressed with improved
input validation.
CVE-2019-8598: Omer Gull of Checkpoint Research

SQLite
Available for: macOS Mojave 10.14.4
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed by removing the
vulnerable code.
CVE-2019-8602: Omer Gull of Checkpoint Research

StreamingZip
Available for: macOS Mojave 10.14.4
Impact: A local user may be able to modify protected parts of the
file system
Description: A validation issue existed in the handling of symlinks.
This issue was addressed with improved validation of symlinks.
CVE-2019-8568: Dany Lisiansky (@DanyL931)

sysdiagnose
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8574: Dayton Pidhirney (@_watbulb) of Seekintoo (@seekintoo)

Touch Bar Support
Available for: macOS Sierra 10.12.6
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8569: Viktor Oreshkin (@stek29)

WebKit
Available for: macOS Mojave 10.14.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6237: G. Geshev working with Trend Micro Zero Day
Initiative, Liu Long of Qihoo 360 Vulcan Team
CVE-2019-8571: 01 working with Trend Micro’s Zero Day Initiative
CVE-2019-8583: sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_)
of Tencent Keen Lab, and dwfault working at ADLab of Venustech
CVE-2019-8584: G. Geshev of MWR Labs working with Trend Micro Zero
Day Initiative
CVE-2019-8586: an anonymous researcher
CVE-2019-8587: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8594: Suyoung Lee and Sooel Son of KAIST Web Security &
Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab
CVE-2019-8595: G. Geshev from MWR Labs working with Trend Micro Zero
Day Initiative
CVE-2019-8596: Wen Xu of SSLab at Georgia Tech
CVE-2019-8597: 01 working with Trend Micro Zero Day Initiative
CVE-2019-8601: Fluoroacetate working with Trend Micro’s Zero Day
Initiative
CVE-2019-8608: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8609: Wen Xu of SSLab, Georgia Tech
CVE-2019-8610: Anonymous working with Trend Micro Zero Day Initiative
CVE-2019-8611: Samuel Groß of Google Project Zero
CVE-2019-8615: G. Geshev from MWR Labs working with Trend Micro’s
Zero Day Initiative
CVE-2019-8619: Wen Xu of SSLab at Georgia Tech and
Hanqing Zhao of Chaitin Security Research Lab
CVE-2019-8622: Samuel Groß of Google Project Zero
CVE-2019-8623: Samuel Groß of Google Project Zero
CVE-2019-8628: Wen Xu of SSLab at Georgia Tech and
Hanqing Zhao of Chaitin Security Research Lab

WebKit
Available for: macOS Mojave 10.14.4
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team

Additional recognition

CoreFoundation
We would like to acknowledge Vozzie and Rami and m4bln, Xiangqian
Zhang, Huiming Liu of Tencent’s Xuanwu Lab for their assistance.

Kernel
We would like to acknowledge an anonymous researcher for their
assistance.

PackageKit
We would like to acknowledge Csaba Fitzl (@theevilbit) for their
assistance.

Safari
We would like to acknowledge Michael Ball of Gradescope by Turnitin
for their assistance.

System Preferences
We would like to acknowledge an anonymous researcher for their
assistance.

Installation note:

macOS Mojave 10.14.5, Security Update 2019-003 High Sierra,
Security Update 2019-003 Sierra may be obtained from the
Mac App Store or Apple’s Software Downloads web site:
https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

April 2019: Web browsers

Strait Macintosh User’s Group (SMUG)
April 2, 2019

Meeting: 7:00 p.m. to 8:00 p.m. at St. Luke’s Episcopal Church, Sequim

Meeting called to order by President Sabrina Davis and Vice President Lawrence Charters.

Two outstanding board positions, Treasurer and Secretary, remained to be filled. By unanimous vote, Analiss Schutzman was elected Treasurer and Kathleen Charters elected Secretary.

There was a discussion of the need for better communications. The SMUG forum had a note that the meeting was canceled and the organization dissolved, but at the last meeting in December, no such motions were entertained, and the February meeting was canceled due to show. Most attendees found out about the meeting either through direct contact with the President or Vice President, or through an announcement posted on Next Door (https://nextdoor.com/).

At present, there are no plans to charge for membership in 2019. The domain name and Internet hosting fees for the website are paid through 2019, with the only remaining expense being room rental for meetings. The membership voted to pay the room rental on a yearly basis, and to reimburse Sabrina for paying out of pocket for the April meeting rental.

It was also agreed that meetings would continue every other month in Sequim. If attendance and conditions warrant, more frequent meetings may be adopted.

Meeting topic: Web browsers

Lawrence Charters did a live, interactive presentation on the World Wide Web in general, with a particular emphasis on web security and privacy. The web began in 1990, with an experiment at the European Organization for Nuclear Research (CERN, from the French Conseil européen pour la recherche nucléaire). Tim Berners-Lee developed a prototype web server on a NeXT computer, and it started serving out pages over the Internet in 1991. It rapidly eclipsed or replaced Gopher, FTP, newsgroups, and other Internet sources of information, and now the most widely used communications medium in history.

At its foundation, the web is based on text. As an example, this curl command (curl is built in to macOS) will fetch the opening page from the National Ocean Service website:

Capturing the first page of the National Ocean Service site using curl.
Capturing the first page of the National Ocean Service website using curl and macOS Terminal. Click on image for a larger view.

These elements of code are assembled by your web browser (Safari, Chrome, Firefox, etc.) into something (usually) much more useful: shopping sites, encyclopedias, dating sites, travel maps, etc.

Incidentally, email messages — even ones with graphics and sound and video — are also based on text. The text is assembled by your email client into discrete messages that look more like paper-based letters.

Because of abusive practices on the web, Google and Apple have been pushing hard for increased security and privacy. Safari on your Mac shows a lock icon when visiting an encrypted site; Google will show a lock in the location bar, and if visiting an insecure site, will display “Not Secure” right next to the URL.

It doesn’t matter if a site “sells” something; Apple and Google, and more recently Microsoft, want you to visit only encrypted sites. An unencrypted site can be easily compromised to, among other things, pass malware to your computer, or be used to “impersonate” a site.

With an encrypted site, anything you send between your device and the website is encrypted; it can’t be intercepted and read, or intercepted and modified. Google Chrome and Apple Safari also check the encryption certificates of a site to ensure that a) the certificate is valid and b) it is for the site it claims to represent.

Apple and Google also maintain a blacklist of sites that are known to be harmful. Apple does this through Gatekeeper, which is a combination of technologies that, among other things, periodically downloads a list of domains that your will refuse to visit. Google does this dynamically; every Chrome URL request checks with Google’s list of blacklisted sites.

Because of the security risks, Google also “downrates” sites that are not encrypted, pushing them down their rating results to discourage visits. Similarly, Apple does not allow iOS apps to make unencrypted web connections. These and other measures have resulted in a very rapid change to make encrypted websites (https and not http) the default on the web. There are still hundreds of millions of unencrypted sites; avoid them.

The easiest way to protect your Mac or iOS device: stay current with system and security updates.

In response to a question, Lawrence explained one major security difference between iOS devices and Android devices. Apple directly updates iOS (iPhone, iPad, iPod) devices. In the Android world, with one major exception, you need to go through your phone company. What this means: if you are on T-Mobile, or AT&T, or Verizon, or whatever, you can update your iPhone by just asking your device to do a software update, or responding to a prompt sent by Apple. But with almost all Android devices, the updates come directly from Verizon, T-Mobile, AT&T, etc., and while the device might theoretically qualify for a security update, the phone companies generally will not provide updates; they expect you to buy a new phone if you want an update. The exception: Google updates their Pixel devices directly.

Lawrence strongly recommended that everyone use long (15 characters or more), unique passwords for everything on the Internet. No password, for anything, should be reused somewhere else. To keep track of the passwords, use Apple’s Key Chain (free, and shared between iOS and Mac) or 1Password (paid, but much easier to understand and organize).

Don’t worry about “complex” passwords (use one upper case, one lower case, one symbol, one number) password. The important thing is to make them unique, and long; the longer the better. Spaces, by the way, count as a character.

Good: Kim Jong-un is a nutcase

Too short, and much harder to type correctly: K1mJ0Ng-nUTs

Passwords that are hard to type are easy to compromise because people tend to reuse them, or leave notes reminding themselves how to type them.

There were many more questions and topics than time available, so at the June meeting we will continue with:

Web security and privacy

While there are no privacy laws in the US, the European Union has imposed fairly demanding privacy laws, and as US companies want to do business with the EU, improved privacy is rapidly improving on major US websites. But individuals ultimately have the most control over their own privacy and security. We’ll talk about that in June.