Apple Hides The Master Key.
Also Crypto Backdoors and Smart Bed Intrusion.

SYSTEM_LOG DATE: 2025-02-21

The U.K. Demands the Master Key to the Cloud Supply Closet

Apple has done the only sensible thing a company can do when a government demands the master key to the global server room: it closed the door, on its own customers in that country. Apple is withdrawing its Advanced Data Protection feature for customers in the United Kingdom following a demand from the government for a security 'backdoor'. The feature, known as ADP, extends end-to-end encryption to most iCloud data categories, including iCloud Backup, Photos and Notes, so that not even Apple holds the keys to the content. This is the company following the only logical security model: if you do not have the master key, you cannot be forced to hand it over.

The U.K. Home Office reportedly served Apple a secret notice under the Investigatory Powers Act to compel the company to provide this access. Apple's response was not to comply, nor to build the access, but to pull the opt-in feature for new U.K. users and prepare to phase it out for existing ones. It is a spectacular way to handle an impossible request. Rather than building a theoretical 'master key' that only the government is supposed to use, Apple made iCloud less secure for everyone in that region, sending a clear corporate memo that you cannot weaken one link of the whole supply chain for one government's peculiar requests and expect nobody else to pull on it. After the change, the categories ADP covered fall back to standard data protection, in which Apple holds the encryption keys and can therefore produce the data to law enforcement when a proper warrant is issued; categories that are end-to-end encrypted by default, such as Health data and iCloud Keychain passwords, are unaffected.

Removing Jeff Bezos From My Bed: IoT Security Takes a Nap

There is a new candidate for the most absurd thing connected to the internet this week. Security researchers at Truffle Security published a blog post aptly titled "Removing Jeff Bezos From My Bed" after finding a profound security mishap in the Eight Sleep smart bed. Apparently, this luxury temperature-controlled mattress pad runs on a fully functional Linux computer and maintains an SSH connection through which the company's engineers can log in. That lets any Eight Sleep engineer remotely execute arbitrary code on a device sitting inside the customer's home network, bypassing whatever formal code review the shipped firmware normally gets.

The blog post details how the company could tell when users are in bed, or even whether two people are in it instead of one. Beyond the remote code execution, the researchers also found hardcoded AWS keys in the device firmware, a wonderful touch of incompetence that could in theory have racked up a six-figure monthly AWS bill for the smart bed company (the account owner pays for whatever anyone holding those keys decides to run). The future of comfort is truly a vendor-reachable shell in your bedroom.
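Two of the findings above, a credential baked into firmware and an SSH path back into the device, are exactly what a first pass over an extracted firmware image should look for. The scanner below is an added example written for this digest; it is not Truffle Security's tooling and not anything from Eight Sleep. It runs over a constructed in-memory rootfs, and the AWS key pair in the sample is the non-functional pair AWS publishes in its own documentation. The reverse-tunnel pattern (an outbound `ssh -R`) is an assumption about how vendor access is usually plumbed on a device behind NAT, not a statement about how this product does it.

```python
"""Firmware triage for two classes of finding: hardcoded cloud credentials and
SSH remote-access plumbing.

Added example for this digest, not Truffle Security's code and not Eight
Sleep's firmware. Every sample file below is constructed; the AWS key pair is
the one AWS publishes in its documentation as a non-working example."""
import math
import re
from dataclasses import dataclass

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs are 20 characters.
AWS_KEY_ID_RE = re.compile(rb"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret access key is a 40-character base64-like token; accept one only if it
# sits within 256 bytes after a key ID and looks random (entropy check below).
AWS_SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
SSH_PUBKEY_RE = re.compile(
    rb"^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+[A-Za-z0-9+/=]+", re.M)
RISKY_SSHD_RE = re.compile(
    rb"^(PermitRootLogin|PasswordAuthentication|GatewayPorts)\s+yes\b", re.M | re.I)
# Assumption: outbound ssh with a remote port forward (-R) is the usual way a
# NAT'd device is made reachable by its vendor, so it is worth flagging.
REVERSE_TUNNEL_RE = re.compile(rb"\bssh\b[^\n]*\s-R\s*\d+:")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    detail: str


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Random 40-char secrets score above 4; words and padding score far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def scan_file(path: str, blob: bytes) -> list[Finding]:
    findings: list[Finding] = []
    for m in AWS_KEY_ID_RE.finditer(blob):
        window = blob[m.end(): m.end() + 256]
        secret = next((s.group(1) for s in AWS_SECRET_RE.finditer(window)
                       if shannon_entropy(s.group(1)) > 4.0), None)
        suffix = " with adjacent high-entropy secret" if secret else " (no secret nearby)"
        findings.append(Finding(path, "aws_credentials", m.group(1).decode() + suffix))
    if path.endswith("authorized_keys"):
        for m in SSH_PUBKEY_RE.finditer(blob):
            findings.append(Finding(path, "ssh_authorized_key", m.group(1).decode()))
    if path.endswith("sshd_config"):
        for m in RISKY_SSHD_RE.finditer(blob):
            findings.append(Finding(path, "sshd_weak_setting", m.group(0).decode()))
    if REVERSE_TUNNEL_RE.search(blob):
        findings.append(Finding(path, "ssh_reverse_tunnel", "outbound ssh with remote port forward (-R)"))
    return findings


def scan_firmware(files: dict[str, bytes]) -> list[Finding]:
    """files maps a path inside the extracted rootfs to its raw contents."""
    return [f for path in sorted(files) for f in scan_file(path, files[path])]


# Constructed sample rootfs. The key pair is the AWS documentation example, not a live credential.
SAMPLE_FIRMWARE = {
    "rootfs/opt/pod/cloud_sync.py": (
        b'import boto3\n'
        b'S3 = boto3.client("s3",\n'
        b'    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",\n'
        b'    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")\n'
    ),
    "rootfs/root/.ssh/authorized_keys": (
        b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialForTheExample0000000 eng@vendor\n"
    ),
    "rootfs/etc/ssh/sshd_config": b"Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n",
    "rootfs/etc/systemd/system/remote-support.service": (
        b"[Service]\nExecStart=/usr/bin/ssh -N -R 2222:localhost:22 support@relay.example.invalid\n"
    ),
    "rootfs/usr/lib/libsensor.so": b"\x7fELF\x02\x01\x01" + bytes(64) + b"temperature_probe_v2\x00",
}

if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_FIRMWARE):
        print(f"{f.kind:20} {f.path}: {f.detail}")
```

The entropy gate is what keeps this from flagging every 40-character placeholder; a real scanner would additionally verify a candidate pair against the cloud provider (for AWS, a call to sts:GetCallerIdentity) before calling it live.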

The $1.5 Billion Expense Report Typo

Cryptocurrency exchange Bybit has suffered a security breach, losing approximately $1.5 billion worth of ether from one of its cold wallets. The massive theft is being treated by CEO Ben Zhou like a slightly high quarterly expense report, as he immediately reassured the public that the company is "solvent even if this hack loss is not recovered." Early reporting traces the attack to compromised developer credentials at the third-party provider of the open-source multisig wallet software used to manage the cold wallet, which let the attacker present the signers with what looked like a routine transfer while the payload they actually approved altered the wallet's smart contract logic.

Apparently, the largest single digital heist in history was pulled off by exploiting a weakness in third-party open-source tooling during a planned, routine transfer from the Ethereum multisig cold wallet, with the signers looking at one transaction and approving another. This whole event is a perfect illustration of the crypto industry's risk profile: an asset class volatile enough that a company can simultaneously lose $1.5 billion and still have enough cash to not really care. The Lazarus Group, a North Korean state-sponsored hacking organization, is reportedly linked to the incident, turning the ledger into a geopolitical accounting footnote.
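The practitioner's takeaway from the two paragraphs above is that a multisig signer cannot trust what a web interface renders; the bytes going to the signing device have to be decoded and checked out of band. The script below is an added example written for this digest, not Bybit's code, any wallet vendor's code, or a reconstruction of the actual transaction. It assumes the (to, value, data, operation) transaction shape used by Safe-style contract wallets, where operation 0 is CALL and 1 is DELEGATECALL, and the standard ERC-20 transfer(address,uint256) selector 0xa9059cbb; the addresses and the 'masked' payload are constructed.

```python
"""Out-of-band review of a multisig transaction before a signer approves it.

Added example, not Bybit's, any wallet vendor's or any auditor's code. Assumes
the (to, value, data, operation) shape used by Safe-style contract wallets
(operation 0 = CALL, 1 = DELEGATECALL) and the standard ERC-20 transfer
selector. Addresses and the MASKED payload are constructed for illustration."""
from dataclasses import dataclass

ERC20_TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # keccak256("transfer(address,uint256)")[:4]
CALL, DELEGATECALL = 0, 1


@dataclass(frozen=True)
class MultisigTx:
    to: str          # 0x-prefixed hex address the wallet will call
    value: int       # native value (wei) sent with the call
    data: bytes      # raw calldata
    operation: int   # 0 = CALL, 1 = DELEGATECALL


def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(address,uint256): selector, left-padded address, uint256."""
    return ERC20_TRANSFER_SELECTOR + bytes(12) + bytes.fromhex(recipient[2:]) + amount.to_bytes(32, "big")


def decode_erc20_transfer(data: bytes):
    """Return (recipient, amount) for a plain ERC-20 transfer, otherwise None."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient_word, amount_word = data[4:36], data[36:68]
    if any(recipient_word[:12]):  # a well-formed address word is zero-padded on the left
        return None
    return "0x" + recipient_word[12:].hex(), int.from_bytes(amount_word, "big")


def review(tx: MultisigTx, trusted_tokens: set[str], trusted_recipients: set[str]) -> list[str]:
    """Findings a signer should read before approving; allowlists hold lowercase addresses.
    An empty list means the payload is a plain transfer to known parties."""
    findings: list[str] = []
    if tx.operation == DELEGATECALL:
        findings.append("operation=DELEGATECALL: target code runs in the wallet's own context and can rewrite its logic")
    elif tx.operation != CALL:
        findings.append(f"unknown operation {tx.operation}")
    to = tx.to.lower()
    transfer = decode_erc20_transfer(tx.data)
    if transfer is None:
        if tx.data:
            findings.append(f"calldata is not a plain ERC-20 transfer (selector 0x{tx.data[:4].hex()})")
        if to not in trusted_recipients:
            findings.append(f"target {tx.to} is not in the allowlist")
    else:
        recipient, amount = transfer
        if to not in trusted_tokens:
            findings.append(f"token contract {tx.to} is not in the allowlist")
        if recipient not in trusted_recipients:
            findings.append(f"recipient {recipient} is not in the allowlist")
        if tx.value:
            findings.append(f"token transfer also sends {tx.value} wei of native value")
    return findings


# Constructed addresses, lowercase to match the allowlist comparison.
TOKEN = "0x" + "11" * 20                     # allowlisted token contract
WARM = "0x" + "22" * 20                      # allowlisted warm-wallet recipient
EVIL = "0x" + "33" * 20                      # attacker-controlled contract
LOOKALIKE = "0x2222" + "ab" * 16 + "2222"    # same first/last digits as WARM, different middle

ROUTINE = MultisigTx(to=TOKEN, value=0, data=encode_erc20_transfer(WARM, 1000 * 10**18), operation=CALL)
# Constructed stand-in for "what the signer actually approves" while an interface shows ROUTINE.
MASKED = MultisigTx(to=EVIL, value=0, data=bytes.fromhex("a1b2c3d4") + bytes(32), operation=DELEGATECALL)
POISONED = MultisigTx(to=TOKEN, value=0, data=encode_erc20_transfer(LOOKALIKE, 1000 * 10**18), operation=CALL)

if __name__ == "__main__":
    for name, tx in (("routine", ROUTINE), ("masked", MASKED), ("poisoned", POISONED)):
        print(name, review(tx, {TOKEN}, {WARM}) or ["no findings"])
```

The allowlist comparison is deliberately exact: the POISONED case shows why matching the first and last four digits, which is all most wallet screens display, is not a check. The decoded fields should be compared against what the hardware signer shows, not against the web page that produced the request.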

Meta's Legal Team Finds the Torrenting EULA Fine Print

Meta, in its ongoing copyright battle with authors over using pirated books to train its LLaMA AI models, has unveiled its legal strategy. The company admits to torrenting an 82-terabyte dataset of copyrighted material from 'shadow libraries' but claims the act is not illegal because its employees took precautions "not to 'seed' any downloaded files." Seeding is the act of uploading/sharing, and Meta's defense is banking on the technicality that they were merely 'leeching' the data, not distributing it.

The entire defense seems to hinge on convincing the court that torrenting is just a "widely-used protocol to download large files," not a piracy tool, and that without proof of distribution there is no infringement. This is the new tech giant playbook: leverage a highly technical, obscure piece of internet terminology to justify using other people's property to build a trillion-dollar model. In a deposition, an executive did testify that configuration settings were adjusted "so that the smallest amount of seeding possible could occur", which is a truly spectacular level of self-awareness.

Briefs

  • The Steering Wheel Update: Tesla is recalling almost 380,000 Model 3 and Model Y vehicles for a software problem that can cause an electrical overload and cut power steering assist, leaving drivers to suddenly remember how to steer a 4,000-pound vehicle by arm strength alone. It is being fixed, naturally, by a free over-the-air software update.
  • Container Pull Budget Cuts: Docker is limiting unauthenticated image pulls from Docker Hub to a mere 10 pulls per hour per IP address starting March 1st; logging in with a free account raises the ceiling to 100 per hour, and paid plans keep unlimited pulls. This marks the day the open source community realized that bandwidth does not, in fact, grow on trees, and that a free lunch is not a business model, it is just a venture capital tax break.
  • Dev-Ops Nostalgia Corner: A developer published a story on working on the same software product for 20 years, proving that not everyone in the industry changes jobs every 18 months, or that some people are just extremely good at version control. Also, a post went viral asking Why Ruby on Rails Still Matters, answering the rhetorical question that the framework's entire community asks itself every Tuesday morning.
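For the Docker item, the remaining pull budget is exposed in the registry's response headers, so a build can check it before it starts pulling. This is an added example, not Docker's own tooling; it uses the publicly documented ratelimitpreview/test image, whose manifest can be HEAD-requested to read the ratelimit-limit, ratelimit-remaining and docker-ratelimit-source headers without spending a pull. The header block at the bottom is constructed for offline use; the network query only runs when the script is executed directly.

```python
"""Check how much anonymous Docker Hub pull budget is left before a CI job pulls.

Added example, not Docker's tooling. Relies on the publicly documented
ratelimitpreview/test image: a HEAD request for its manifest returns the
rate-limit headers without consuming a pull. SAMPLE_HEADERS is constructed."""
import json
import urllib.request
from dataclasses import dataclass
from typing import Optional

TOKEN_URL = ("https://auth.docker.io/token?service=registry.docker.io"
             "&scope=repository:ratelimitpreview/test:pull")
MANIFEST_URL = "https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest"


@dataclass(frozen=True)
class PullBudget:
    limit: Optional[int]           # pulls allowed per window; None if no limit is advertised
    remaining: Optional[int]
    window_seconds: Optional[int]  # the w= parameter, e.g. 3600 for a one-hour window
    source: Optional[str]          # what the limit is keyed on: your IP, or your account


def _parse_counter(raw: Optional[str]):
    """'10;w=3600' -> (10, 3600); '10' -> (10, None); None -> (None, None)."""
    if raw is None:
        return None, None
    count, _, params = raw.partition(";")
    window = None
    for param in params.split(";"):
        key, _, val = param.strip().partition("=")
        if key == "w" and val.isdigit():
            window = int(val)
    return int(count.strip()), window


def parse_ratelimit_headers(headers) -> PullBudget:
    """Accept any mapping (dict or http.client.HTTPMessage); header names are case-insensitive."""
    h = {str(k).lower(): str(v) for k, v in headers.items()}
    limit, window = _parse_counter(h.get("ratelimit-limit"))
    remaining, _ = _parse_counter(h.get("ratelimit-remaining"))
    return PullBudget(limit, remaining, window, h.get("docker-ratelimit-source"))


def can_afford(budget: PullBudget, pulls_needed: int) -> bool:
    """No advertised counter means no limit was applied to this caller, so go ahead."""
    return budget.remaining is None or budget.remaining >= pulls_needed


def fetch_budget(bearer_token: Optional[str] = None) -> PullBudget:
    """Live query. Without a token an anonymous one is requested, so the result is the per-IP budget."""
    if bearer_token is None:
        with urllib.request.urlopen(TOKEN_URL, timeout=10) as resp:
            bearer_token = json.load(resp)["token"]
    req = urllib.request.Request(MANIFEST_URL, method="HEAD",
                                 headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_ratelimit_headers(resp.headers)


# Constructed sample of what an anonymous caller sees once the 10-per-hour limit applies.
SAMPLE_HEADERS = {
    "RateLimit-Limit": "10;w=3600",
    "RateLimit-Remaining": "3;w=3600",
    "Docker-RateLimit-Source": "192.0.2.1",
}

if __name__ == "__main__":
    budget = fetch_budget()
    print(budget, "ok to pull 5 images:", can_afford(budget, 5))
```

Pass a token obtained from the same auth endpoint with your Docker Hub credentials to see the authenticated budget instead of the per-IP one. Because the limit is keyed on the source address, every job behind a shared NAT egress draws from the same anonymous budget, which is why a pull-through cache or a logged-in service account is the practical fix for CI.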

SECURITY AWARENESS TRAINING (MANDATORY)

Which corporate entity believes downloading 82TB of pirated books for a multi-billion dollar AI model is acceptable under 'download, no upload' logic?

The $1.5 billion Bybit crypto loss was primarily caused by:

What is the core security risk identified in the Eight Sleep smart bed?

// DEAD INTERNET THEORY 9187

IA
Intern_Who_Deleted_Prod 2m ago

The Docker limit is personal. I had 12 different test environments spinning up on my personal dev server. Now I have to go through the whole docker login ritual just to pull an image I already have on disk. This is what you get for open source adoption; eventually, someone sends you a bill.

CC
Cloud_Compliance_Clerk 17m ago

Wait, the government wanted a backdoor into every iCloud user globally, and Apple just said "No, but we will make the U.K. less secure as a principle." That's less 'privacy war' and more 'passive-aggressive corporate HR negotiation tactic.' Respect.

SS
Senior_Staff_Sleeper 45m ago

Meta's argument about 'no seeding' is going to be the next big meme. The entire legal system just got a lesson in BitTorrent protocol. I bet their lawyers are already crafting a defense for the next LLaMA model: "We did not actually read the books; the AI just looked at the pixels."