#apple

Public notes from activescott tagged with #apple

Friday, June 5, 2026

Mastercard, in comparison, performs this validation correctly and the contrast reveals exactly where Visa fails. The over-the-limit attack succeeds against Visa for one central reason: when the attacker flips the bit in the Card Transaction Qualifiers (CTQ) telling the terminal “on-device authentication has been performed”, Visa does not cryptographically authenticate that field – nor does it cross-check it against the Issuer Application Data (IAD), which contains an independent record (in the Card Verification Results field) of whether Consumer Device Cardholder Verification Method (CDCVM) actually occurred. During the original disclosure process, Visa confirmed to the researchers the relevant data is present in the Application Cryptogram; the company simply does not validate it – whereas Mastercard does. The researchers proved this formally using the Tamarin verification tool: a Mastercard transaction cannot be approved at high value without genuine on-device authentication.

On the touch point of this exploit being one only affecting Apple’s iPhone, it is worth noting how Samsung Pay takes a different approach at the device level – authorising only zero-value transactions in transit mode, with the actual fare settled later through the transit system. This is effective, though it comes with trade-offs; like how fixed-fare transit systems requiring upfront charges are not supported. Apple could theoretically implement a similar restriction, yet doing so would break Express Transit for several transit networks worldwide. The more appropriate long-term solution requiring no compromise on device-level functionality, is simply for Visa to implement the same backend verification Mastercard already uses.

Visa’s official position, reiterated to Veritasium in 2026, is straightforward: the company does not believe the exploit is likely in a real-world setting. The attack requires physical proximity to (or possession of) the victim’s iPhone, specialised hardware, a rooted Android phone, and technical knowledge of EMV protocol manipulation. Visa further notes cardholders are covered by its ‘Zero Liability Policy’, allowing for any fraudulent transaction to be disputed and refunded. Anyone who has ever tried getting a refund from a bank for fraudulent activity will know how tedious and time consuming this process can be, and it is rather telling how Visa would rather put users through inconvenience than simply fixing the known security gap.

With that said, the company’s position is worth examining over outright dismissing. For a start, the hardware requirements are not trivial. Nefarious parties would require a Proxmark device, rooted Android phone, and laptop running custom relay software – all of which represent a higher barrier to entry than most opportunistic theft. Scaled deployment across hundreds of victims simultaneously is, indeed, impractical with current methods.

Even so, this defence has clear structural weaknesses. The existence of a known and, in this case, reproducible vulnerability in a payment network processing billions of transactions annually; cannot simply be mitigated by the argument of it being ‘difficult to exploit at scale’. Mastercard clearly agrees given how they have implemented protections against exactly this class of attack. Moreover, the equipment required is commercially available (the Proxmark, for instance, is an open-source RFID research tool), and the researchers’ methodology was published in full at a major academic conference. It also stands to reason how the barrier to replication lowers every year. Arguing a vulnerability is tolerable because exploitation is currently inconvenient is not a security posture… it is more akin to som

For anyone who regards the security of their financial data as a priority, the recommended course of action is clear and immediate: do not use a Visa card for Express Transit on an iPhone until either Apple or Visa deploys a fix.

To disable Express Transit for Visa on an iPhone, navigate to Settings, then Wallet and Apple Pay, then Express Transit Card, and select None; or assign either a Mastercard or American Express card to the feature instead. Both alternatives are, as of the publication of this article, immune to this specific Visa card vulnerability.

Allow for network traffic audits Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network. The fastest and most reliable way to alert users is to return either a "no error no answer" response or an NXDOMAIN response from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices. mask.icloud.com mask-h2.icloud.com

iCloud Private Relay is basically Apple's implementation of oDoH (Oblivious DNS over HTTPS), the idea is you'll be using a proxy server (relay) to avoid the destination (DoH server) knowing who the request is coming from. Would be nice, if the relays would not be managed by Apple, thus not being able to collect the info anyway.

Be aware, by enabling iCloud Private Relay with the above setting, the devices will no longer be using pihole, thus everything will be allowed, regardless of the blocklists you have.

Also read this pihole documentation, here (unbound), where DL6ER explains why unbound is the best choice to get the most out of pihole, from a privacy point of view.

Sunday, April 12, 2026

Wednesday, March 18, 2026

Friday, February 27, 2026

This approval comes down to how Apple builds security into its products. New iPhones and iPads rely on Apple silicon with a Secure Enclave that isolates sensitive data, like encryption keys and biometric information. They also use protections such as Face ID, Touch ID, and Memory Integrity Enforcement, which block entire classes of memory-based attacks before they run.

To be clear, NATO has not crowned the iPhone and iPad as its official devices. But it is validating that Apple's everyday hardware meets the bar for classified government use. In other words, the same phone in your pocket is trusted in environments once reserved for bespoke, locked-down hardware. It also reinforces Apple's claims that privacy and security are core decisions.

Monday, December 22, 2025

Apple’s release notes detail that RDMA integrates with the Thunderbolt framework to enable zero-copy data transfers, meaning data moves directly from one device’s memory to another’s without intermediate buffering. This eliminates bottlenecks associated with TCP/IP protocols, which Thunderbolt previously emulated. Insiders note that while Thunderbolt 5 offers peak speeds, real-world performance depends on factors like cable quality and device compatibility—only M4 and later chips fully support this enhanced mode.

Diving deeper into the technical specifics, Apple’s developer documentation explains that RDMA over Thunderbolt is exposed through new APIs in the macOS networking stack. Developers can initialize clusters using Swift or Objective-C calls that negotiate memory mappings directly over the Thunderbolt bus. This is a departure from traditional Ethernet-based RDMA, which relies on Infiniband or RoCE (RDMA over Converged Ethernet), adapting instead to Thunderbolt’s point-to-point topology.

For those building apps, the update introduces protocols for fault-tolerant clustering. If a device drops out—say, due to a disconnected cable—the system can redistribute workloads dynamically, minimizing disruptions. Testing scenarios outlined in the notes suggest latency as low as microseconds for small transfers, rivaling dedicated high-performance computing setups.

Security is paramount in such a powerful feature. Apple’s notes emphasize built-in encryption for RDMA transfers, preventing unauthorized memory access. A separate 9to5Mac report on the update’s patches reveals fixes for kernel vulnerabilities that could have been exploited in clustered environments, ensuring that the feature doesn’t become a vector for attacks.

Looking at adoption, early sentiment on X suggests enthusiasm among AI researchers. One thread discussed collaborative model training, where multiple users contribute compute power via clustered Macs, democratizing access to high-end AI tools. This could disrupt markets dominated by cloud providers, offering cost savings for startups avoiding subscription fees.

Wednesday, November 12, 2025

Sunday, November 2, 2025