As part of Apple’s Advanced Manufacturing Fund, Apple is investing $250 million in Corning, a supplier that has been working on glass for the iPhone, Apple Watch and iPad. Apple had previously invested $200 million in May 2017.
The company says that the new investment will support research and development for precision glass processes. While Corning has supplied glass to Apple for every generation of iPhone and iPad, Apple says that glass in the iPhone 11 and 11 Pro is even tougher than before. Apple also uses glass for the back of the device in order to enable wireless charging.
As Apple mentioned before, the company has spent $60 billion with 9,000 American suppliers in 2018. It represents 450,000 jobs.
Today’s investment is part of a commitment to spend billions of dollars in U.S.-based companies with its Advanced Manufacturing Fund in order to build new facilities and help manufacturers. Apple originally planned to invest $1 billion, but it has deployed the entire initial fund.
Apple has now spent $1 billion out of its $5 billion subsequent fund. For instance, Apple has invested $390 million in Finisar, the maker of the TrueDepth camera, and $10 million in Elysis, an aluminum maker.
The new Google Pay app came out of beta this week, and it marks the first step in a major upheaval in the Google Pay service. Existing Google Pay users are about to go through a transition reminiscent of the recent move from Google Music to YouTube Music: Google is killing one perfectly fine service and replacing it with a worse, less functional service. The fun, confusing wrinkle here is that the new and old services are both called “Google Pay.”
Allow us to explain.
The old Google Pay service that has been around for years is dying. The app will be shut down in the US on April 5, and if you want to continue using New Google Pay, you’ll have to go find and download a totally new app. NFC tap-and-pay functionality won’t really change once you set up the new app, but the New Google Pay app won’t use your Google account for P2P payments anymore. You’ll be required to make a new account. You won’t be able to send any money to your new contacts until they download the new app and make a new account, too. On top of all that, the Google Pay website will be stripped of all payment functionality in the US on April 5, and New Google Pay won’t support doing anything from the web. You won’t be able to transfer money, view payment activity, or see your balance from a browser.
In addition to less convenient access and forcing users to remake their accounts, New Google Pay is also enticing users to switch with new fees for transfers to debit cards. Old Google Pay did this for free, but New Google Pay now has “a fee of 1.5% or $.31 (whichever is higher), when you transfer out money with a debit card.”
Google is currently sending out emails to existing users detailing all this. There’s also a support page link and a notice at the top of pay.google.com. On the Play Store, Google has already started hiding the old Google Pay app from search results, renamed it “Google Pay (old app),” and updated the app home screen with a message to sign up for the new app.
New Google Pay’s Internet-hostile design
We’ve spent some time with the new Google Pay app now that it’s out of beta, and Google looks like it is repeating all the same mistakes it made with Google Allo, one of Google’s biggest messaging-app flops. Google Allo was the messaging app that was released in 2016, a few years after Google Hangouts. The service represented Google’s attempt to clone WhatsApp after losing an acquisition bidding war with Facebook two years earlier. Like New Google Pay, Allo debuted in India and was laser-targeted at the country before being forced on the rest of us for some reason. Allo was thoroughly rejected by consumers and was dead in the water after four months of availability. It was shut down after about two years.
In Google land, targeting an app at India means building an Internet-hostile design that ignores existing Google infrastructure, data, and contacts, and building something powered entirely by the carriers’ SMS system. New Google Pay, like Allo, doesn’t use your Google account (at least, not for payments). Instead, you have to sign up for the new Google Pay using your carrier’s phone number. None of your existing Google Pay contacts will carry over, and they’ll all have to sign up for new accounts with their carrier phone numbers, too. Making payments entirely SMS-driven theoretically makes signing up for the service easier in India, but in the rest of the world—where people interested in a Google service generally have a Google account and multiple devices—it’s more inconvenient compared to rival services.
Just like with Google Allo, SMS-based authentication means there’s no desktop support at all. The Google Pay website is being stripped of all its useful functionality because a browser does not have a carrier SIM card and therefore can’t be authenticated by the SMS-reliant system. Google Allo eventually copied WhatsApp and came up with a clunky, QR-code-driven browser login process that forwarded your phone access to the browser (and didn’t work if your phone was off/dead/missing). Google Pay could eventually cook up something like that, but that seems like a heap of work for what should be (and used to be) a quick money transaction.
The other SMS-based limitation of Google Pay is that you can only be logged in on one device at a time, just like Allo. This is less of an issue for a payment app, but the old version of Google Pay worked on smart watches, too. If Google ever wants to revive its wearables segment, this seems like a bad limitation.
Basically, everyone is being kicked off the old Google Pay service, and you’ll all have to join and reconnect on this new thing. Like with YouTube Music, this is a great chance for Google to lose users as they are forced to re-evaluate their app choices and set up something new. There’s a possibility that users move to a different, more stable, more respectful platform. This move also kills the synergy between NFC tap-and-pay Google Pay and Send-money-to-people Google Pay. The two services, both in a single app, now use completely different log-in methods: Google Pay NFC on the new app still uses your Google account and will carry over your credit cards.
SMS identity is not a completely unworkable solution, but it’s definitely not the future we should be pushing for, when regular account systems are free, more accessible, and much more stable. I know you technically don’t own anything on any company cloud service, but a phone number, which is tied to a bill and your ability to pay, feels a lot more temporary than something like an email address. I am sure there are people who have had the same phone number for many years, but that only happens if you constantly pay the bill, every single month, for years. You’re also trusting the notoriously bad billing and customer service departments of your local cell phone carrier to do the right thing and not screw you out of your phone number for some dumb reason, which has definitely happened before. You might even have a moral argument that tying identity to your ability to pay a bill is wrong.
The other problem with SMS is that it’s considerably easier to get Internet service than it is cell service. In a Venn diagram of Internet access, cell phone service is a smaller circle inside a bigger “Internet” circle, which also has options for wired Internet from your local ISP. For instance, my parents live in a cottage in the woods and don’t get cell phone service, which has never been a big deal thanks to wired services. But they would have to leave the house to set up Google Pay. We’ll probably switch to something else.
A new type of supply chain attack unveiled last month is targeting more and more companies, with new rounds this week taking aim at Microsoft, Amazon, Slack, Lyft, Zillow, and an unknown number of others. In weeks past, Apple, Microsoft, Tesla, and 32 other companies were targeted by a similar attack that allowed a security researcher to execute unauthorized code inside their networks.
The latest attack against Microsoft was also carried out as a proof-of-concept by a researcher. Attacks targeting Amazon, Slack, Lyft, and Zillow, by contrast, were malicious, but it’s not clear if they succeeded in executing the malware inside their networks. The npm and PyPi open source code repositories, meanwhile, have been flooded with more than 5,000 proof-of-concept packages, according to Sonatype, a firm that helps customers secure the applications they develop.
“Given the daily volume of suspicious npm packages being picked up by Sonatype’s automated malware detection systems, we only expect this trend to increase, with adversaries abusing dependency confusion to conduct even more sinister activities,” Sonatype researcher Ax Sharma, wrote earlier this week.
A slick attack
The goal of these attacks is to execute unauthorized code inside a target’s internal software build system. The technique works by uploading malicious packages to public code repositories and giving them a name that’s identical to a package stored in the target developer’s internal repository.
Developers’ software management apps often favor external code libraries over internal ones, so they download and use the malicious package rather than the trusted one. Alex Birsan—the researcher who tricked Apple and the other 34 companies into running the proof-of-concept packages he uploaded to NPM and PyPi—dubbed the new type of supply chain attack dependency confusion or namespace confusion because it relies on software dependencies with misleading names.
Software dependencies are code libraries that an application must incorporate for it to work. Normally, developers closely guard the names of dependencies inside their software build systems. But Birsan found that the names often leak when package.json files—which hold various metadata relevant to a development project—are embedded into public script files. Internal paths and public scripts that contain the require() programming call can also leak dependency names.
In the event the file with the same name isn’t available in a public repository, hackers can upload a malicious package and give it the same file name and a version number that’s higher than the authentic file stored internally. In many cases, developers either accidentally use the malicious library or their build application automatically does so.
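To make the resolution step concrete, here is an added example (not code from the article or from Birsan's research) that models a merged internal-plus-public lookup beside a scope-aware one and audits a package.json for names an outsider could claim on the public registry; the registries, package names, versions and .npmrc contents are all constructed.

```python
"""Model how a package resolver can be 'confused' and audit a manifest for the risk."""
import json
import re

# Constructed sample data (not real packages or registries).
INTERNAL = {"acme-auth-utils": ["1.1.0", "1.2.0"], "@acme/logger": ["3.0.1"]}
PUBLIC = {"acme-auth-utils": ["1.99.0"], "lodash": ["4.17.21"]}  # lookalike at a higher version
REGISTRIES = {"https://npm.internal.example/": INTERNAL,
              "https://registry.npmjs.org/": PUBLIC}
PACKAGE_JSON = json.dumps({"dependencies": {
    "acme-auth-utils": "^1.0.0", "@acme/logger": "^3.0.0", "lodash": "^4.17.0"}})
NPMRC = "@acme:registry=https://npm.internal.example/\nregistry=https://registry.npmjs.org/\n"


def _v(s):
    return tuple(int(x) for x in s.split("."))


def satisfies_caret(version, spec):
    """Minimal ^x.y.z check: same major and not below the floor (enough for this demo)."""
    floor, v = _v(spec.lstrip("^")), _v(version)
    return v[0] == floor[0] and v >= floor


def parse_npmrc(text):
    """Return ({scope: registry_url}, default_registry_url) from an .npmrc body."""
    scoped, default = {}, None
    for line in text.splitlines():
        m = re.match(r"^(@[\w.-]+):registry=(\S+)$", line.strip())
        if m:
            scoped[m.group(1)] = m.group(2)
        elif line.startswith("registry="):
            default = line.split("=", 1)[1].strip()
    return scoped, default


def _best(name, spec, pools):
    """Highest version satisfying spec across the given (label, inventory) pools."""
    matches = [(_v(v), v, label) for label, inv in pools
               for v in inv.get(name, []) if satisfies_caret(v, spec)]
    if not matches:
        return None
    _, version, label = max(matches)
    return version, label


def resolve_merged(name, spec):
    """Confusable behaviour: internal and public are searched as one pool, highest wins."""
    return _best(name, spec, [("internal", INTERNAL), ("public", PUBLIC)])


def resolve_by_npmrc(name, spec, npmrc_text):
    """Hardened behaviour: a scoped name is fetched only from the registry bound to its scope."""
    scoped, default = parse_npmrc(npmrc_text)
    scope = name.split("/")[0] if name.startswith("@") else None
    url = scoped.get(scope, default)
    return _best(name, spec, [(url, REGISTRIES[url])])


def audit(package_json_text, npmrc_text, internal_inventory):
    """Flag dependencies whose bare name a stranger could publish on the public registry."""
    scoped, _ = parse_npmrc(npmrc_text)
    findings = {}
    for name in json.loads(package_json_text)["dependencies"]:
        if name.startswith("@") and name.split("/")[0] in scoped:
            findings[name] = "scoped-private"  # pinned to the private registry by scope
        elif name in internal_inventory:
            findings[name] = "confusable"      # unscoped internal name: a public upload can shadow it
        else:
            findings[name] = "public"          # genuinely public; pin it in a lockfile
    return findings
```

Note that even the scope-aware resolver fetches the unscoped internal name from the public registry, which is why the audit's "confusable" finding, not a registry setting alone, is what has to be fixed.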
“It’s a slick attack,” HD Moore, co-founder and CEO of network discovery platform Rumble, said. “My guess is it affects a ton of folks,” he added. Most at risk, he said, are organizations that use large numbers of internal packages and don’t take special steps to prevent public packages from replacing internal ones.
In the weeks since Birsan published his findings, dependency confusion attacks have flourished. Already hit by a proof-of-concept attack that executed Birsan’s unauthorized package in its network, Microsoft recently fell to a second attack, this one carried out by researchers from the firm Contrast Security.
Shortly after doing so, a script Austin put into the module started contacting him from several internal Microsoft IP addresses. Austin wrote:
Whether the responses I saw were automated or manual, the fact that I was able to generate this reaction poses significant risk. By taking advantage of the post-install script, I was able to execute code in whatever environment this was being installed on. If attackers were to execute code the way I did on a build server for a desktop application update that was about to be distributed, they could insert anything they wanted into that update, and that code would go out to every desktop using Teams—more than 115 million machines. Such an attack could have monumental repercussions, potentially affecting as many organizations as the massive attack on the SolarWinds software factory that was revealed in December.
He provided the following figure illustrating how a malicious attack might work under this theoretical scenario:
A Microsoft spokeswoman wrote: “As part of our larger efforts to mitigate package substitution attacks, we quickly identified the issue mentioned and addressed it, and at no point did it pose a serious security risk to our customers.” The spokeswoman added that the system that executed Austin’s code was part of the company’s security testing infrastructure. Microsoft has more about the risks and ways to mitigate them here.
Attacks turn malicious
Like the packages uploaded by Birsan and Austin, the thousands of files that flooded NPM and PyPi have mostly contained benign scripts that send the researchers the IP address and other generic details of the computer that runs them.
But not all of the uploads have observed such restraint. On Monday, Sonatype researchers reported files uploaded to NPM that attempted to steal password hashes and bash script histories from companies including Amazon, Slack, Lyft, and Zillow.
“These activities would take place as soon as a dependency confusion attack succeeds and would need no action from the victim, given the nature of the dependency/namespace hijacking issue,” Sharma, the researcher at Sonatype, wrote.
Bash histories, which store commands and other input that administrators type into their computers, often contain plaintext passwords and other sensitive data. The /etc/shadow file on Linux machines stores the cryptographic hashes of the passwords needed to access user accounts on the computer. (For those hashes to be compromised, the NPM app would have to be running as the superuser, an extremely elevated set of privileges that is almost never given to software management apps.)
Sonatype said it had no way of knowing whether the files were executed by any of the companies targeted by the scripts.
The targets respond
In a statement, Slack officials wrote:
The mimicked library in question is not part of Slack’s product, nor is it maintained or supported by Slack. We have no reason to believe the malicious software was executed in production. Our security team regularly scans the dependencies used in our product with internal and external tools to prevent attacks of this nature. Additionally, Slack’s secure development practices, such as using a private scope when using private dependencies, make it unlikely that a dependency-related attack would be successful against our product.
A Lyft statement read: “Lyft was not harmed in this attempt. There is no indication that this malicious software was executed on Lyft’s network. Lyft has a dedicated information security program to defend against such supply chain attacks and runs an active bug bounty program to continuously test its security controls.”
Zillow officials wrote:
We are aware of the recent security report involving a possible attack involving spoofed software packages. After an investigation by our security team, we found no evidence that our systems were compromised or exploited by the disclosed technique. Our team is also taking a number of actions to monitor and defend against any future possible attempts to gain unauthorized access to our systems.
NPM representatives, meanwhile, wrote: “We’ve provided guidance on how to best protect against these types of substitution attacks in this blog post. We’re committed to keeping npm secure and continuing to improve the security of the ecosystem.”
Amazon representatives didn’t respond to an email seeking comment. A representative for PyPi didn’t immediately have a comment.
The recent hack against network tools provider SolarWinds—which compromised the Texas company’s software build system and used it to distribute malicious updates to 18,000 customers—was a stark reminder of the damage that can result from supply chain attacks. Dependency confusion attacks have the potential to inflict even more damage unless developers take precautionary measures.
This week, Microsoft announced several more features trickling down to Edge Stable from its Beta insider channel. These features include Startup Boost, Sleeping Tabs, Vertical Tabs, and a more navigable History dialog. The company also announced some welcome interface tweaks to Bing—which Microsoft insists on categorizing as Edge features, but these items seem to apply equally to Bing in any browser so far.
If you’re not familiar with Microsoft Edge’s release and download system, there are three Insider channels (Canary, Dev, and Beta) that represent daily, weekly, and six-weekly updates in increasing order of stability. New features debut there before eventually making their way into Stable, where normal users will encounter them.
If you’re a Windows user, you can’t actually download new builds in the Stable channel directly. Instead, you must either look for them in Windows Update or navigate to edge://settings/help in-browser and ask Edge to check for updates to itself. If you’d also like to check out the Edge Insider builds, you can do so safely—they won’t replace your Edge Stable; they install side-by-side, with separate icons on your taskbar making them easy to distinguish.
Edge’s new Startup Boost feature is pretty simple. Instead of killing all processes when you close the browser, it leaves a minimal set open and running. Microsoft says that these always-on background processes decrease Edge launch times—whether opened from an Edge icon or opened automatically as an association with hyperlinks from other applications—by 29% to 41%.
Microsoft also says that the background processes have very little impact on CPU and memory footprint of the system as a whole. The new feature is enabled by default in Edge Stable Build 89, but if you don’t like it, you can disable it on your system—go to edge://settings/system and disable Continue running background apps when Microsoft Edge is closed.
Edge’s new Sleeping Tabs feature automatically puts tabs to sleep—building upon Chromium’s “tab freezing” feature—after two hours of background status without interaction. You can adjust this timeout period manually if it’s not right for you, and Edge also uses heuristics to detect cases when sleep might be inappropriate (for example, tabs that are streaming music in the background).
You can see which tabs have gone to sleep due to their faded appearance in the tab bar; clicking a sleeping tab wakes it up and brings it back into the foreground. To our disappointment, there’s no option to right-click a tab and put it to sleep manually yet—all you can do is wait for the browser to do it for you after a sufficiently long inactivity period.
Vertical tabs—a feature we first reported nearly a year ago—finally made it to release this week in Edge Stable 89.
Modern displays generally have nearly twice as much horizontal screen real estate as vertical, so giving tabs, application icons, and so forth space along the display’s horizontal axis rather than its vertical one makes more efficient use of the working space you have.
Edge certainly isn’t the first application to notice this fact—Ubuntu began using a vertical application launcher (its equivalent to the Windows taskbar) by default almost 10 years ago, for one example. We’ve found that the more efficient use of screen real estate is a great idea, but many users have an immediate, strong negative reaction to such a basic change to their navigation concepts.
Probably for that reason, Microsoft left the default tab bar orientation horizontal. If you’d like to browse like it’s 2021, though, the new vertical tab bar is a single click away—as is putting it back the way you found it.
Edge’s new History Hub is another welcome UX update, and it’s simpler to use than it is to describe. Navigating to History from the hamburger menu (or hitting the Ctrl+H hotkey) opens your browsing history as a drop-down menu rather than a full page.
The drop-down History menu also has a stickpin icon on its upper right—clicking the pin dynamically resizes the browser pane, making room for a persistent, pinned History pane to its right. The History pane remains in place and is visible as you navigate the web, whether through links in pages or clicking the History links themselves. This makes it much easier to find what you’re looking for in the recent past.
Rounding out the goodies this week, Microsoft announced some updates to how it displays search results. These updates were also billed as Edge improvements, but when we checked bing.com in Google Chrome on a Linux workstation, we saw the same results there.
Local search results in Bing will begin showing stickpins on a map, dynamically updated as you browse them. This makes it easier to sort your search results by geographical area—which isn’t always as simple as “what’s closest” or “what’s furthest away.” This feature isn’t fully implemented yet; Microsoft says it will be fully available in the US in the coming weeks.
The search engine is also adapting its search results contextually when it understands the broad category of what you’re searching for in the first place. Carousel results for recipes now include dynamically updated panes showing caloric information alongside the picture and meta text of the recipe, for one example. Documentary film search results are another good showcase for this update. They pop up in tiles showing box art, title, and little else; hovering over each tile slides open further detailed information about the film.
Finally, educational searches may give more easily digestible, infographic-style returns instead of the simple dense-text based output we’ve become familiar with in the last two decades. It’s not clear exactly what topics will or will not receive the infographic returns or how those are generated, but Microsoft showcases the result of a Bing search for “giraffe animal” as one example.