
AT&T - Social Engineering

Justin Williams was the victim of an AT&T social engineering attack:

I instantly called AT&T’s customer service line to explain what is happening. I give them my name, my phone number, and my security passcode (this is key). The man on the phone reads through the notes and explains that yes, someone has been dialing the AT&T call center all day trying to get into my phone but was repeatedly rejected because they didn’t know my passcode, until someone broke protocol and didn’t require the passcode.

One of my co-workers reported this happening to him about three weeks ago (although he didn’t have any money stolen, to my knowledge). This is terrifying, and AT&T needs to address this.

Justin adds:

I’ve been told this is being escalated internally, but I haven’t heard anything from corporate channels, so I remain skeptical until I see or hear something.

I share his skepticism. This hole has existed for years, and AT&T has failed to patch it. I feel terrible for the situation Justin has ended up in, and I’m equally upset by the sense that I don’t have a way to protect myself from an attack like this.

Extra Security

I’ve had Extra Security enabled on my account for a long time, but it doesn’t seem like that would have helped me in this situation at all. From this page, the AT&T documentation says:

Benefits of extra security

Without extra security, you or someone you authorize may need your wireless security passcode only in these situations:

  • Calling AT&T Customer Care.
  • Changing the passcode.
  • Managing your account in some retail stores.

When you add extra security to your wireless account, you or someone you authorize may need your wireless security passcode in these additional situations:

  • Managing your wireless account online.
  • Gaining secondary online access to the wireless account.
  • Managing your account in any retail store.

Extra Security doesn’t seem to change any of the requirements when calling in for support.

Additionally, every time I log in to their website, there’s a checkbox below the textfield for the passcode. On a site with normal 2-factor support, that checkbox says something like “Don’t require 2-factor on this machine for 24 hours”. On AT&T’s site, it says “Disable Extra Security”. I almost check this box every damn time, and have disabled it a few times.

Master for iTunes Droplet - Fixed!

In what may be a first for me, Apple just resolved the bug report I filed back in January regarding a problem with the Master for iTunes Droplet.

The root of the problem was that the OS version was being compared to "10.6" as a regular string, instead of being compared as a numeric string. The result was that 10.10 failed the version check if systemVersion is less than "10.6" then, because "10.10" sorts before "10.6" when the two are compared as plain strings.

The bug report I filed included my suggested fix, so I was curious to see what they implemented. Here’s the relevant section of code:

set systemVersion to system version of (get system info)
considering numeric strings
    if systemVersion is less than "10.6" then
        log ("ITUNESMASTERINGDROPLET: incompatible system version")
        display alert SYSTEM_CHECK_ERROR_TITLE message SYSTEM_CHECK_ERROR_MESSAGE as warning buttons {CANCEL_BUTTON_TITLE} default button 1
        log ("ITUNESMASTERINGDROPLET: shutting down")
        error number -128
    end if
end considering

Their fix is slightly more elegant than what I suggested, but it’s fundamentally the same. They also addressed the problem with Gatekeeper rejecting the droplet.

The updated droplet is available for download now.

macOS Notification Center Scripts

After listening to a recent Mac Power Users episode on notifications, I decided it was finally time to reduce the flood of notifications I get on my Mac. I realized that the biggest obstacle for me with notifications on the Mac is the inconsistent behavior when I two-finger-edge-swipe to open the notification center: sometimes I get the Today view, and sometimes I get the Notifications view, depending on what I was last looking at.

There doesn’t seem to be a keyboard shortcut you can use to toggle between the Today and Notifications tabs, so I decided to script it. As a starting point, I found this Stack Overflow answer, but the AppleScript didn’t work on Sierra. This answer provided the information I needed to debug the first script; it turns out that the "Notification Center" item moved from menu bar 2 to menu bar 1 with an OS update.

This is the script I ended up with to show the Today tab:

tell application "System Events" to tell process "SystemUIServer"
    click menu bar item "Notification Center" of menu bar 1
end tell

tell application "System Events" to tell process "NotificationCenter"
    click radio button "Today" of radio group 1 of window "NotificationTableWindow"
end tell

And this is the script for the Notifications tab:

tell application "System Events" to tell process "SystemUIServer"
    click menu bar item "Notification Center" of menu bar 1
end tell

tell application "System Events" to tell process "NotificationCenter"
    click radio button "Notifications" of radio group 1 of window "NotificationTableWindow"
end tell

I’ve tied these scripts to gestures in Better Touch Tool, and I can also fire them off from LaunchBar.

Child Theme Modifications for Micro.blog

Manton launched Micro.blog this past week, and as a Kickstarter backer I received my invitation (you can find me at jeff)!

In order to validate an externally-hosted micro blog, like the one I host on this site, Micro.blog requires a rel="me" header link:

<head>
  <link href="https://micro.blog/jeff" rel="me" />
  ...
</head>

I’ve modified my WordPress Child Theme to include this link; here’s the commit.
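
A way to check that the rel="me" link is actually present in the served page before asking for validation. This is an added example, not code from the original post or from Micro.blog; the names HeadRelMeLinks, normalize and has_rel_me are hypothetical, and counting only links inside <head> and ignoring a trailing slash are assumptions about a sensible check, not Micro.blog's documented rules.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class HeadRelMeLinks(HTMLParser):
    """Collect href values of <link rel="me"> elements that sit inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # an unclosed <head> ends where <body> starts
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            # rel is a space-separated, case-insensitive token list.
            rel_tokens = (attr.get("rel") or "").lower().split()
            if "me" in rel_tokens and attr.get("href"):
                self.hrefs.append(attr["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def normalize(url):
    """Compare scheme and host case-insensitively and ignore a trailing slash."""
    parts = urlsplit(url.strip())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.path.rstrip("/"))


def has_rel_me(html, profile_url):
    """True if <head> carries a rel="me" link pointing at profile_url."""
    parser = HeadRelMeLinks()
    parser.feed(html)
    parser.close()
    return normalize(profile_url) in {normalize(h) for h in parser.hrefs}


# Constructed sample page, modelled on the snippet above.
SAMPLE_PAGE = """<html><head>
  <link href="https://micro.blog/jeff" rel="me" />
  <title>Example blog</title>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    print(has_rel_me(SAMPLE_PAGE, "https://micro.blog/jeff"))
```

A rel="me" link that appears only in the body, for example inside a comment left by someone else, is not counted here, so it cannot be used to claim the site for a different profile.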

Fixing the Mastered for iTunes Droplet

Sleep Studies, the band I play with, is in the process of finishing up our next EP. One of the (many) things I’m neurotic about is making sure the masters will translate as well as possible. I’ve written about how I use afclip to examine the master audio files for headroom; another thing I do is run the masters through Apple’s Master for iTunes Droplet. This is distributed as part of the Mastered for iTunes program.

The Master for iTunes Droplet accepts your lossless files and returns .m4a files that mirror the files the iTunes backend will generate, so you can preview what your content in the store will sound like.

Well, it used to do this until Mac OS X 10.10 Yosemite was released.

The droplet is just a wrapper around an AppleScript file, and it’s easy to examine the script by dragging the entire droplet to the Script Editor application. The problem, it turns out, is just a trivial bug. On lines 62 and 109 you’ll find this chunk of code:

set systemVersion to system version of (get system info)
if systemVersion is less than "10.6" then
    log ("ITUNESMASTERINGDROPLET: incompatible system version")
    display alert SYSTEM_CHECK_ERROR_TITLE message SYSTEM_CHECK_ERROR_MESSAGE as warning buttons {CANCEL_BUTTON_TITLE} default button 1
    log ("ITUNESMASTERINGDROPLET: shutting down")
    error number -128
end if

It’s the if systemVersion is less than "10.6" then part that is troublesome — this is just a string comparison, not a numeric comparison. Starting with Yosemite (10.10), this conditional started doing the wrong thing. “10.10” is in fact less than “10.6” when comparing as strings. The fix is pretty easy, too. The incomparable Michael Tsai laid out a solution on Stack Overflow, which I’ve implemented here:

set systemVersion to system version of (get system info)
considering numeric strings
    -- both operands are text, so "considering numeric strings" compares the digit runs by value
    set systemVersionNewEnough to systemVersion ≥ "10.6"
end considering
if systemVersionNewEnough is false then
    log ("ITUNESMASTERINGDROPLET: incompatible system version")
    display alert SYSTEM_CHECK_ERROR_TITLE message SYSTEM_CHECK_ERROR_MESSAGE as warning buttons {CANCEL_BUTTON_TITLE} default button 1
    log ("ITUNESMASTERINGDROPLET: shutting down")
    error number -128
end if
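
The same failure outside AppleScript, covering both this post and the later note on Apple's own fix: a minimum-version gate that compares version strings as text can wrongly reject a newer system and wrongly accept an older one. This is an added example, not code from the droplet or from Apple; the function names and the sample version list are hypothetical, and the numeric comparison goes beyond the 10.10 case in the text by handling versions with differing numbers of components.

```python
# Added example: why a minimum-version gate must not compare version strings as text.

def parse_version(text):
    """Turn a dotted version such as '10.10' into a tuple of ints, e.g. (10, 10)."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        # Fail closed: refuse to guess at input that is not purely dotted digits.
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def older_than_lexical(version, minimum):
    """The buggy form: plain character-by-character string comparison."""
    return version < minimum


def older_than_numeric(version, minimum):
    """Component-wise numeric comparison; missing components count as 0."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def gate_report(versions, minimum="10.6"):
    """Return (version, lexical_says_too_old, numeric_says_too_old) per input."""
    return [(v, older_than_lexical(v, minimum), older_than_numeric(v, minimum))
            for v in versions]


# Constructed sample inputs, not taken from the droplet or from Apple.
SAMPLE_VERSIONS = ["9.3", "10.5.8", "10.6", "10.6.0", "10.9", "10.10", "10.12.4"]

if __name__ == "__main__":
    for version, lexical, numeric in gate_report(SAMPLE_VERSIONS):
        flag = "" if lexical == numeric else "  <-- string comparison is wrong"
        print(f"{version:>8}  lexical={lexical!s:5}  numeric={numeric!s:5}{flag}")
```

The text comparison errs in both directions: it rejects 10.10 and 10.12.4 as too old, and it lets 9.3 through as new enough.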

While I was at it, I wanted to fix the other issue with the Apple-distributed version of the droplet: it isn’t code signed. Because of this, when you download the droplet, Gatekeeper informs you that the application can’t be run.

Sal Soghoian’s MacOSXAutomation site has instructions for signing AppleScript Droplets. They’re easy to follow — the only snag I ran into was that I tried to use my iPhone developer certificate to sign the droplet, and that doesn’t help with Gatekeeper. I had to request a new “Developer ID Application” [1] certificate to get things working.

With that, the version of the droplet linked below includes fixes for:

  • Droplet returning an error on Mac OS X 10.10 and later
  • Gatekeeper returning an issue with an unknown developer

I’ve filed a bug report with Apple reflecting these issues — it would be ideal if they fixed the versions they’re distributing. It’s rdar://30067799 if you’re interested in reading it.

Download the fixed Master for iTunes Droplet

On May 22, 2017, Apple released an update for the Master for iTunes Droplet that resolves these bugs. You can read more here, or download the new version here. Now that there’s an official version from Apple, I’ve removed the download link to my unofficial release.


  1. I did this via Xcode 8.2.1 — from the Preferences -> Accounts -> View Details screen, I used the Create button to get the certificate.