So The NY Times aids and abets the Trump administration in spreading false and unverified information about a tiny, infinitesimal number of slightly unusual cases.
What could the Trump administration and The NY Times possibly have as gain? I'm being sarcastic of course. We know why the Trump administration wants it - to throw another bone to their base and to placate the religious right and The NY Times to, well, I'm not sure - more clicks?
There's nothing the Trump administration won't lie about to further their power.
Shame on Bleeping for failing to include Apple's own Passwords in the 2FA recommendation. A huge population of Apple users already have the tools right on their device if folks mentioned it.
It's a prime vector for scam attacks on desperate people looking for jobs. So many posts on Reddit /r/scams of people getting their contact info scraped or scam companies just loitering on LinkedIn.
I read the original article to find the narrow range of conditions. It states "iOS and macOS are vulnerable when Bluetooth is enabled and a Magic Keyboard has been paired with the phone or computer" so does this mean if a computer has ever paired with a Magic Keyboard, it would allow itself to be paired with additional keyboards that the user did not want to pair?
As someone who has bought multiple Magic Keyboards, this definitely concerns me.
I’m sort of assuming the Magic Keyboard has to be present, but we don’t know that based on the write up. It’s a great question though. All desktop Macs come pre-paired with a Magic Keyboard even if you never use it. So if the keyboard doesn’t have to be actively connected at the time that would make them all vulnerable unless someone had unpaired them.
The other thing that wasn’t clear to me is if the vulnerability exists if a Magic Keyboard isn’t in the mix. If I have never paired one to my laptop and instead I am using a different brand of Bluetooth keyboard, is it still a problem?
In other words is this Magic Keyboard specific? I’m assuming the author had other Bluetooth keyboards. Of course even if it is that doesn’t mean there aren’t other vulnerabilities lurking in iOS/macOS in this area.
Wouldn't that require knowing/guessing/brute-forcing a unique device identifier that's probably not available to be sniffed if the genuine keyboard in question isn't in use?
That was sort of the impression I got. It’s not that Apple is doing something unfixable, it’s that they have a bug that enables something that shouldn’t happen.
Still guessing here, but if I have a Magic Keyboard paired to my computer right now and I’m using it, is there any reason to let a second Magic Keyboard automatically pair itself?
If your Bluetooth device pretends to be the second Magic Keyboard and automatically pairs it could start injecting keystrokes. That seems like it would fit the description here.
Maybe (or maybe not) that involves pretending to be the first Magic Keyboard. Apple makes their stuff, they KNOW that no two have the same serial number (unlike some cheap stuff you can buy). But if they don’t protect against that…
Apple's "Magic Keyboard" is supposed to exchange Bluetooth keys with a MacOS host over its USB/Lightning cable the first time it gets plugged in.
Perhaps default pairing is left open to allow smoother pairing with iOS/iPadOS, as pairing otherwise would have required a cable with Lightning connector in both ends — which I don't think exists.
I was pretty surprised to see that Linux/BlueZ is only vulnerable under a very specific, rare situation. And fixing it for that situation doesn't even require a patch, just a small change to a configuration file. BlueZ (and its related GUI tools) otherwise is a usability nightmare. At least it's decently secure?
Interesting - you don't seem to have researched your own opinion. A cursory search of YouTube for rebuttal videos shows plenty of people that provide evidence and sources to show how wrong she is in her "out of her lane" videos.
She's no better than any YouTuber looking for clicks and monetization.