From the Mozilla Bugzilla entry:

This patch adds the platform agnostic media selector and changes the way our themes behave as follows: If the default Firefox theme is selected, Firefox will match the system appearance (current default theme in light mode, dark theme in dark mode). Note that about:addons will continue to show “default” as the selected theme, even when it is technically using the dark theme under the hood to match the system’s dark mode. If any Firefox theme other than “default” is selected in about:addons, Firefox will not change themes when the system appearance changes.

This is missed in the release notes. I think this is true for macOS and Windows. I am not sure about other platforms.

Granted, this is not the most egregious lapse CBP and its ecosystem have wrought. But it might be the one that gets traction.

US Customs Contractor Hack Breaches Traveller Images:


US Customs and Border Protection (CBP) has admitted a data breach at a sub-contractor has compromised images of individuals and vehicles entering and leaving the country.

The controversial agency first learned of the “malicious cyber-attack” on May 31.

And we know this was a “malicious cyber-attack” exactly how? 

“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” it said in a statement.

“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract.”

“Security by contract” isn’t a thing. And the data was breached … how?


(Via Infosecurity; also reported in many other places, I’m sure.)

CBP and the Transportation Security Administration (TSA) both fall under the Department of Homeland Security (DHS). Their collective track record on privacy, cybersecurity, and basic physical security leaves much to be desired.

Which leaves me scratching my head about why Delta asks their customers to risk their unchangeable data in a breach for convenience. And, to be clear, the convenience of the boarding gate scanners at some US airports is not for the passengers – it’s for Delta.

I always opt out. Not a U.S. citizen? Or you are but maybe your name (or one like yours) is on a watchlist? I have nothing for you, I’m afraid.

Back to the breach! Thank goodness CBP is now on the case. Per The Atlantic,

CBP claims they’ve already conducted a search, but haven’t found any of the stolen images on the dark web, where hackers sometimes trade post stolen information for sale. In its statement to The Atlantic, CBP said it’s working with law enforcement to continue the search and survey the full extent of the damage. It hasn’t yet commented on the scope of the breach or offered specifics on the data that was stolen. Perceptics did not immediately respond to a request for comment.

And how do we know what third party vendor left this data vulnerable? The CPB told us by way of the Washington Post:

CBP would not say which subcontractor was involved. But a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.”

Perceptics representatives did not immediately respond to requests for comment.

CBP spokeswoman Jackie Wren said she was “unable to confirm” if Perceptics was the source of the breach.

This whole thing – from prevention to protection to monitoring to response to recovery – was manageable. Yet another takeaway is that CBP has no Incident Response Plan (IRP) at even the most basic level. How do we know? Otherwise they would not have sent the press a Word document titled with the name of the vendor that is the source of the leak.

It also throws into question the whole idea of a “malicious cyber-attack”. It seems more likely that Perceptics, the alleged source of the data leak, failed to safeguard data that their contract said they should not have had access to, yet somehow acquired from CBP without its knowledge.

Hanlon’s Razor says to never attribute to malice that which is adequately explained by stupidity. Maybe the corollary in this case is never attribute to “malicious cyber-attack” that which is adequately explained by opportunism met by trivial, if any, security? I merely speculate … 

Why do I feel a bunch of SSSS branded boarding passes in my future?

Apple Pay Suica Service Mode by Joel Breckinridge Bassett:

Apple Pay Suica Service Mode is a weird function that doesn’t have a counterpart on the Android Suica side. The JR East Apple Pay Suica help page mentions this. The iPhone Service Mode explanation says, “Service Mode will allow station agents and kiosks to help with any issues with your card.” The street reality is that station agents don’t need you to put the device in Service Mode, just fork it over and they can fix any Suica issue for you.

This difference exists because Osaifu Keitai smartphones (and the candy wrapper Google Pay Suica) have a dedicated FeliCa chip. Apple created its own custom FeliCa implementation hosted on the iPhone A Series and Apple Watch S Series SOC. But the Apple implementation did not really mature until A12 Bionic and the Express Card (Student ID)/Express Transit cards with power reserve feature. The A12 Bionic Secure Enclave supports limited NFC transactions that bypass iOS. It’s the same way a dedicated FeliCa chip works on Android.

This means that Apple Pay Suica on non-A12 devices requires iOS/watchOS to be up and running for Suica to work. Unfortunately this also means that different iOS versions sometimes have performance issues on non-A12 devices and that iOS occasionally drops the ball. Fortunately iOS 12.3 fixes all issues and has great Apple Pay Suica Express Transit performance. iOS 12.3 is a highly recommended update.

The Dead Suica Notifications/No Suica Balance Update problem happened occasionally and the way to fix it is to turn on Service Mode and leave it until it turns off automatically in 60 seconds or the screen goes dark, whichever comes first.

In this case Service Mode syncs and reconciles iOS with the Suica Stored Fare (SF) balance information from the FeliCa embedded Secure Element implemented inside the A Series/S Series Secure Enclave.

Service Mode seems pretty useless on A12 Bionic devices. I imagine it’s there more for show than actual functionality, although Service Mode is useful for cash recharge on 7-Eleven ATM machines where you have to put the device upside down to capture the ATM NFC antenna hit area.

It’s been odd the last few times I’ve needed assistance that I didn’t need to put my watch or iPhone in service mode. Which is good, because I can never remember how to do it.

The service mode tip could have fixed my last snafu, and I had no idea about 7-11 ATMs!

Joel, keep up the great work!

From bash to zsh on macOS:

In anticipation of macOS 10.15 Catalina, I have changed my shell from bash to zsh. macOS 10.15 will use zsh as the new default, and I was pretty sure that things will break immediately unless I prepare – so I did prepare, and I found the transition very simple.

(Via Worklog of Christian Tietze)

No. Just wrong.

It is correct that the default shell for new accounts in the next major macOS release is zsh. However, it does not mean current users need to switch. Apple is not forcing existing users to zsh. Unless you’re installing from scratch and are not planning to use MacPorts or Homebrew to install the latest bash for your shell (the built-in bash is dangerously out of date and insecure), then …

This

Does

Not

Impact

You

Please don’t confuse the issue for others.

Switch if you want to switch. Follow your joy. I’m not going to tell you otherwise, though it is not a path I expect to walk in the near term. zsh is fine. I played with it several times. There is no compelling reason for me to switch.

Here endeth the rant.

As expected, more good information from ATADistance:

JR East Suica System Downtime Notice by Joel Breckinridge Bassett:

Mobile Suica maintenance is a regular nightly occurrence from 1am~4am with longer once a month sessions. The July 6~7 and July 20~21 Suica system maintenance work is very unusual for both the time, 9pm~5am on each night, and the reach: both Mobile Suica and JR East station Suica ticket machine services are going offline.

During the offline period you can still use plastic Suica and Apple Pay Suica for transit and purchases as usual, but Apple Pay Suica Recharge will be limited to cash only from 1am~4am. Remember that you can always cash recharge Apple Pay Suica at any convenience store cash register or 7-Eleven ATM machine.

All other operations such as adding Suica to Wallet and all Suica App functions, and corresponding services at JR East station Suica ticket machines, will be offline for the entire maintenance window.

This is heavy system work that JR East is doing in preparation for the new eTicketing system due next April. JR East already had one system meltdown last month. Let’s hope they don’t have another.

Be forewarned.

I’m using this odd weather day in Tokyo to do some maintenance on this site. I’m afraid I’m going to post some light weight stories and ephemera and whatnots while I work to improve things.

Every stroke our fury strikes is sure to hit ourselves at last.

  • William Penn, Fruits of Solitude, 1693

Shot-clog \Shot"-clog`\, n.
A person tolerated only because he pays the shot, or reckoning, for the rest of the company, otherwise a mere clog on them. [Old Slang]

Here’s some more info …

a bore tolerated only because he or she pays the shot

Examples:

I’d planned to reimburse Jerry for the meal via PayPal, but after sitting through a lengthy evening of him holding forth on myriad topics, I decided it would be an unfair challenge to his reputation as a shot-clog.

“Alas! I behold thee with pity, not with anger: thou common shot-clog, gull of all companies; methinks I see thee walking in Moorfields without a cloak, with half a hat … borrowing and begging threepence.” — John Marston, Ben Jonson, and George Chapman, Eastward Ho!, 1605

Did you know?

The shot in shot-clog refers to a charge to be paid. It’s a cousin to, and synonymous with, scot, a word likely only familiar to modern speakers in the term scot-free, meaning “completely free from obligation, harm, or penalty.” The origin of the clog part of shot-clog is less clear. Perhaps it’s meant to draw a parallel between a substance that impedes a pipe’s flow and a person who impedes a good time; or perhaps companions’ tabs accumulate before the shot-clog as so much dross in a clogged pipe, while the shot-clog yammers on unawares. The 17th-century playwright Ben Jonson was particularly fond of shot-clog, and while the word is no longer in regular use, it might work for you as a suitable old-time insult for that person in your party who is fine to have around so long as they pick up the tab.

Word of the Day: Shot-clog | Merriam-Webster