Walmart is teaming up with Apple to sell the Mac for the first time. From a report: In a press release today, the company said that it is now selling the base model M1 MacBook Air online and in select stores for $699. The move comes a week after Apple introduced the new M3 MacBook Air and stopped selling the M1 MacBook Air itself. While Walmart has historically sold Apple devices like the iPhone, iPad, and Apple Watch, it has never sold Macs directly. Instead, it's relied on third-party partners to sell the Mac through its online marketplace.

Read more of this story at Slashdot.

A newly discovered vulnerability baked into Apple's M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday. From a report: The flaw -- a side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols -- can't be patched directly because it stems from the microarchitectural design of the silicon itself. Instead, it can only be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations, particularly on the earlier M1 and M2 generations. The vulnerability can be exploited when the targeted cryptographic operation and the malicious application with normal user system privileges run on the same CPU cluster. The threat resides in the chips' data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading the contents into the CPU cache before it's actually needed, the DMP, as the feature is abbreviated, reduces latency between the main memory and the CPU, a common bottleneck in modern computing. DMPs are a relatively new phenomenon found only in M-series chips and Intel's 13th-generation Raptor Lake microarchitecture, although older forms of prefetchers have been common for years. Security experts have long known that classical prefetchers open a side channel that malicious processes can probe to obtain secret key material from cryptographic operations. This vulnerability is the result of the prefetchers making predictions based on previous access patterns, which can create changes in state that attackers can exploit to leak information. In response, cryptographic engineers have devised constant-time programming, an approach that ensures that all operations take the same amount of time to complete, regardless of their operands. It does this by keeping code free of secret-dependent memory accesses or structures.

Read more of this story at Slashdot.

"On December 28 2023, bugreport 12604 was filed in the curl issue tracker," writes cURL lead developer Daniel Stenberg: The title stated of the problem in this case was quite clear: flag -cacert behavior isn't consistent between macOS and Linux , and it was filed by Yuedong Wu. The friendly reporter showed how the curl version bundled with macOS behaves differently than curl binaries built entirely from open source. Even when running the same curl version on the same macOS machine. The curl command line option --cacert provides a way for the user to say to curl that this is the exact set of CA certificates to trust when doing the following transfer. If the TLS server cannot provide a certificate that can be verified with that set of certificates, it should fail and return error. This particular behavior and functionality in curl has been established since many years (this option was added to curl in December 2000) and of course is provided to allow users to know that it communicates with a known and trusted server. A pretty fundamental part of what TLS does really. When this command line option is used with curl on macOS, the version shipped by Apple, it seems to fall back and checks the system CA store in case the provided set of CA certs fail the verification. A secondary check that was not asked for, is not documented and plain frankly comes completely by surprise. Therefore, when a user runs the check with a trimmed and dedicated CA cert file, it will not fail if the system CA store contains a cert that can verify the server! This is a security problem because now suddenly certificate checks pass that should not pass. "We don't consider this something that needs to be addressed in our platforms," Apple Product Security responded. Stenberg's blog post responds, "I disagree." Long-time Slashdot reader lee1 shares their reaction: I started to sour on MacOS about 20 years ago when I discovered that they had, without notice, substituted their own, nonstandard version of the Readline library for the one that the rest of the Unix-like world was using. This broke gnuplot and a lot of other free software... Apple is still breaking things, this time with serious security and privacy implications.

Read more of this story at Slashdot.

Apple, aiming to boost sluggish computer sales, is preparing to overhaul its entire Mac line with a new family of in-house processors designed to highlight AI. Bloomberg News: The company, which released its first Macs with M3 chips five months ago, is already nearing production of the next generation -- the M4 processor -- according to people with knowledge of the matter. The new chip will come in at least three main varieties, and Apple is looking to update every Mac model with it, said the people, who asked not to be identified because the plans haven't been announced. The new Macs are underway at a critical time. After peaking in 2022, Mac sales fell 27% in the last fiscal year, which ended in September. In the holiday period, revenue from the computer line was flat. Apple attempted to breathe new life into the Mac business with an M3-focused launch event last October, but those chips didn't bring major performance improvements over the M2 from the prior year. Apple also is playing catch-up in AI, where it's seen as a laggard to Microsoft, Alphabet's Google and other tech peers. The new chips are part of a broader push to weave AI capabilities into all its products. Apple is aiming to release the updated computers beginning late this year and extending into early next year.

Read more of this story at Slashdot.