The Italian luxury brand Bulgari has broken the record for the world’s thinnest mechanical watch yet again. Its new Bulgari Octo Finissimo Ultra COSC watch measures just 1.7mm thick — about the same thickness as your typical strand of spaghetti, as reported earlier by Dezeen.

Bulgari has long held the record for the world’s thinnest watch, but it had to go even thinner following the 2022 release of Richard Mille’s 1.75mm RM UP-01 Ferrari watch. The result is the Bulgari Octo Finissimo Ultra COSC, which comes with an “optimized” 40mm case that’s “even thinner than a coin.” Bulgari somehow managed to fit all 170 components that power the wearable within its case, some of which you can see at work with the openwork dial.

Bulgari uses...

Continue reading…

Sign up here to get Recomendo a week early in your inbox.

Books in bullet points 

BookPecker.com summarizes popular books into 5 key points. Five bullet points may not be enough information to learn and absorb new concepts, but just enough to pique your interest and help you decide if you want to read a particular book or not. Here’s an example of a book I’ve been wanting to read: King, Warrior, Magician, Lover. Based on the summary, I decided to forgo reading the book and instead try to do some online research on each of the masculine archetypes. Currently there are 14,509 books summarized in 5 bullet points. — CD 

Things that don’t work

Here’s a list of 43 things that don’t work, according to the author of the Dynomight newsletter. I don’t agree with all of them, but I’m on board with item number 12: Explaining board games (you should just start playing and answer questions as they come up), and 17: Arguing with people (“Words do not exist that will make people [change their minds] aside from a few weirdos who’ve intentionally cultivated the habit.”) — MF

Switching to a phone camera

I’ve been a serious photographer for more than 50 years. The best camera I have ever owned is a new iPhone 15 Pro. It is now the only camera I carry. But I had to learn and unlearn some tricks to use a phone as a camera well. Scott Kelby, a veteran pro photographer, made a fabulously helpful 45-minute video explaining his favorite 20 tips on using an iPhone for a serious travel camera. Most of the tips in Kelby’s Using Your iPhone for Travel Photography tutorial were new to me, and right on. Would probably be useful for any current smartphone. — KK

The secret to a heavier Chipotle burrito

Ben Braddock offers a devilishly clever tactic for Chipotle aficionados who want to maximize their protein bang-for-buck: “l always wait until after the employee puts the first scoop of chicken on my burrito to ask for double chicken, so the size of the first scoop isn’t compromised by the knowledge I’m getting a second scoop and now the employee has shown their hand in terms of their default scoop size, so they can’t skimp with my second scoop.” — MF

No, They’re Not Mad At You

If you’re ever feeling rejected, anxious, or insecure, at AreTheyMadAtMe.com you’ll find a wall of comforting messages from anonymous posters to remind you that you are not alone. Uncertainty can make me feel lonely or disconnected from other people, and this is a good reminder to not make assumptions about how others might be feeling toward me and practice some self-soothing. — CD 

Quotable

• “Today is the worst AI will ever be.” — Alex Irpan
• “There are two kinds of people in the world… and who is not both of them?” — James Richardson
• “To understand recursion, one must first understand recursion.”  — Stephen Hawking
• “When you write a story, you’re telling yourself the story. When you rewrite, your main job is taking out all the things that are not the story.”  — Stephen King
• “There is no failure in sports.”  — Giannis Antetokounmpo
• “Scarcity is the one thing you can never have enough of.” — Marc Randolph
• “I wouldn’t have seen it, if I didn’t believe it.” — Marshall McLuhan
• “No man was ever wise by chance.” — Seneca
• “What people say about you behind your back is none of your business.” — John Maeda
• “The most selfish act of all is kindness, because its reward is so much greater than the investment.” — Tom Peters
• “The privilege of a lifetime is to become who you truly are.” — Carl Jung

That is another set of quotes I greatly appreciate, and find useful to remember. — KK

Two years ago, British inventor Tristan Thompson (not the Cleveland Cavaliers player) created an Invisibility Shield, Kickstarting it with £446,676 in pledges. (That's about USD $565,000.) Now Thompson says he's improved the design, making it larger and more comfortable to carry, and is Kickstarting this Invisibility Shield 2.0:

As for how it works:

"Each shield uses a precision engineered lens array to direct light reflected from the subject standing behind it, away from the observer standing in front. The lenses in this array are oriented so that the vertical strip of light reflected by the standing/crouching subject becomes diffuse when spread out horizontally on passing through the back of the shield. In contrast, the strip of light reflected from the background is much wider, so when it passes through the back of the shield, far more of it is refracted both across the shield and towards the observer. From the observer's perspective, this background light is effectively smeared horizontally across the front face of the shield, over the area where the subject would ordinarily be seen."

"The optical arrays we use to construct our shields are manufactured by extruding and then embossing a polymer to form sheets of elongate, convex lenses. In order for these sheets to manipulate light in the right way to create functional invisibility shields, the lenses must have a highly specific shape and each one must be formed with high precision as they are very small."

The video footage, assuming it's undoctored, is fairly startling:

The shields come in multiple sizes: The one-person version runs $378, and the two-person Megashield is $883.

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.

Some of the many notifications Patel says he received from Apple all at once.

Parth Patel is an entrepreneur who is trying to build a startup in the conversational AI space. On March 23, Patel documented on Twitter/X a recent phishing campaign targeting him that involved what’s known as a “push bombing” or “MFA fatigue” attack, wherein the phishers abuse a feature or weakness of a multi-factor authentication (MFA) system in a way that inundates the target’s device(s) with alerts to approve a password change or login.

“All of my devices started blowing up, my watch, laptop and phone,” Patel told KrebsOnSecurity. “It was like this system notification from Apple to approve [a reset of the account password], but I couldn’t do anything else with my phone. I had to go through and decline like 100-plus notifications.”

Some people confronted with such a deluge may eventually click “Allow” to the incessant password reset prompts — just so they can use their phone again. Others may inadvertently approve one of these prompts, which will also appear on a user’s Apple watch if they have one.

But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line).

“I pick up the phone and I’m super suspicious,” Patel recalled. “So I ask them if they can verify some information about me, and after hearing some aggressive typing on his end he gives me all this information about me and it’s totally accurate.”

All of it, that is, except his real name. Patel said when he asked the fake Apple support rep to validate the name they had on file for the Apple account, the caller gave a name that was not his but rather one that Patel has only seen in background reports about him that are for sale at a people-search website called PeopleDataLabs.

Patel said he has worked fairly hard to remove his information from multiple people-search websites, and he found PeopleDataLabs uniquely and consistently listed this inaccurate name as an alias on his consumer profile.

“For some reason, PeopleDataLabs has three profiles that come up when you search for my info, and two of them are mine but one is an elementary school teacher from the midwest,” Patel said. “I asked them to verify my name and they said Anthony.”

Patel said the goal of the voice phishers is to trigger an Apple ID reset code to be sent to the user’s device, which is a text message that includes a one-time password. If the user supplies that one-time code, the attackers can then reset the password on the account and lock the user out. They can also then remotely wipe all of the user’s Apple devices.

THE PHONE NUMBER IS KEY

Chris is a cryptocurrency hedge fund owner who asked that only his first name be used so as not to paint a bigger target on himself. Chris told KrebsOnSecurity he experienced a remarkably similar phishing attempt in late February.

“The first alert I got I hit ‘Don’t Allow’, but then right after that I got like 30 more notifications in a row,” Chris said. “I figured maybe I sat on my phone weird, or was accidentally pushing some button that was causing these, and so I just denied them all.”

Chris says the attackers persisted hitting his devices with the reset notifications for several days after that, and at one point he received a call on his iPhone that said it was from Apple support.

“I said I would call them back and hung up,” Chris said, demonstrating the proper response to such unbidden solicitations. “When I called back to the real Apple, they couldn’t say whether anyone had been in a support call with me just then. They just said Apple states very clearly that it will never initiate outbound calls to customers — unless the customer requests to be contacted.”

Massively freaking out that someone was trying to hijack his digital life, Chris said he changed his passwords and then went to an Apple store and bought a new iPhone. From there, he created a new Apple iCloud account using a brand new email address.

Chris said he then proceeded to get even more system alerts on his new iPhone and iCloud account — all the while still sitting at the local Apple Genius Bar.

Chris told KrebsOnSecurity his Genius Bar tech was mystified about the source of the alerts, but Chris said he suspects that whatever the phishers are abusing to rapidly generate these Apple system alerts requires knowing the phone number on file for the target’s Apple account. After all, that was the only aspect of Chris’s new iPhone and iCloud account that hadn’t changed.

WATCH OUT!

“Ken” is a security industry veteran who spoke on condition of anonymity. Ken said he first began receiving these unsolicited system alerts on his Apple devices earlier this year, but that he has not received any phony Apple support calls as others have reported.

“This recently happened to me in the middle of the night at 12:30 a.m.,” Ken said. “And even though I have my Apple watch set to remain quiet during the time I’m usually sleeping at night, it woke me up with one of these alerts. Thank god I didn’t press ‘Allow,’ which was the first option shown on my watch. I had to scroll watch the wheel to see and press the ‘Don’t Allow’ button.”

Ken shared this photo he took of an alert on his watch that woke him up at 12:30 a.m. Ken said he had to scroll on the watch face to see the “Don’t Allow” button.

Unnerved by the idea that he could have rolled over on his watch while sleeping and allowed criminals to take over his Apple account, Ken said he contacted the real Apple support and was eventually escalated to a senior Apple engineer. The engineer assured Ken that turning on an Apple Recovery Key for his account would stop the notifications once and for all.

A recovery key is an optional security feature that Apple says “helps improve the security of your Apple ID account.” It is a randomly generated 28-character code, and when you enable a recovery key it is supposed to disable Apple’s standard account recovery process. The thing is, enabling it is not a simple process, and if you ever lose that code in addition to all of your Apple devices you will be permanently locked out.

Ken said he enabled a recovery key for his account as instructed, but that it hasn’t stopped the unbidden system alerts from appearing on all of his devices every few days.

KrebsOnSecurity tested Ken’s experience, and can confirm that enabling a recovery key does nothing to stop a password reset prompt from being sent to associated Apple devices. Visiting Apple’s “forgot password” page — https://iforgot.apple.com — asks for an email address and for the visitor to solve a CAPTCHA.

After that, the page will display the last two digits of the phone number tied to the Apple account. Filling in the missing digits and hitting submit on that form will send a system alert, whether or not the user has enabled an Apple Recovery Key.

The password reset page at iforgot.apple.com.

RATE LIMITS

What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests haven’t even been acted on by the user? Could this be the result of a bug in Apple’s systems?

Apple has not yet responded to requests for comment.

Throughout 2022, a criminal hacking group known as LAPSUS$ used MFA bombing to great effect in intrusions at Cisco, Microsoft and Uber. In response, Microsoft began enforcing “MFA number matching,” a feature that displays a series of numbers to a user attempting to log in with their credentials. These numbers must then be entered into the account owner’s Microsoft authenticator app on their mobile device to verify they are logging into the account.

Kishan Bagaria is a hobbyist security researcher and engineer who founded the website texts.com (now owned by Automattic), and he’s convinced Apple has a problem on its end. In August 2019, Bagaria reported to Apple a bug that allowed an exploit he dubbed “AirDoS” because it could be used to let an attacker infinitely spam all nearby iOS devices with a system-level prompt to share a file via AirDrop — a file-sharing capability built into Apple products.

Apple fixed that bug nearly four months later in December 2019, thanking Bagaria in the associated security bulletin. Bagaria said Apple’s fix was to add stricter rate limiting on AirDrop requests, and he suspects that someone has figured out a way to bypass Apple’s rate limit on how many of these password reset requests can be sent in a given timeframe.

“I think this could be a legit Apple rate limit bug that should be reported,” Bagaria said.

Adblock test (Why?)

You're probably familiar with tech debt. There is a joke that if there is tech debt, surely there must be derivatives to work with that debt? I'm happy to say that the Rust ecosystem has created an environment where it looks like one solution for tech debt is collateralization.

Here is how this miracle works. Say you have a library stuff which depends on some other library learned-rust-this-way. The author of learned-rust-this-way at one point lost interest in this thing and issues keep piling up. Some of those issues are feature requests, others are legitimate bugs. However you as the person that wrote stuff never ran into any of those problems. Yet it's hard to argue that learned-rust-this-way isn't tech debt. It's one that does not bother you all that much, but it's debt nonetheless.

At one point someone else figures out that learned-rust-this-way is debt. One of the ways in which this happens is because the name is great. Clearly that's not the only person that learned Rust this way and someone else also wants that name. Except the original author is unreachable. So now there is one more reason for that package to get added to the RUSTSEC database and all the sudden all hell breaks lose. Within minutes CI will start failing for a lot of people that directly or indirectly use learned-rust-this-way notifying them that something happened. That's because RUSTSEC is basically a rating agency and they decided that your debt is now junk.

What happens next? As the maintainer of stuff your users all the sudden start calling you out for using learned-rust-this-way and you suffer. Stress levels increase. You gotta unload that shit. Why? Not because it does not work for you, but someone called you out of that debt. If we really want to stress the financial terms this is your margin call. Your users demand action to deal with your debt.

So what can you do? One option is to move to alternatives (unload the debt). In this particular case for whatever reason all the alternatives to learned-rust-this-way are not looking very appealing either. One is a fork of that thing which also only has a single maintained, but all the sudden pulls in 3 more dependencies, one of which already have a "B-" rating. Another option in the ecosystem just decided to default before they are called out.

Remember you never touched learned-rust-this-way actively. It worked for you in the unmaintained way of the last four years. If you now fork that library (and name it learned-rust-this-way-and-its-okay) you are now subject to the same demands. Forking that library is putting cash on the pile of debt. Except if you don't act up on the bug reports there, you will eventually be called out like learned-rust-this-way was. So while that might buy you time, it does not really solve the issue.

However here is what actually does work: you just merge that code into your own library. Now that junk tech debt is suddenly rated “AAA”. For as long as you never touch that code any more, you never reveal to anyone that you did that, and you just keep maintaining your library like you did before, the world keeps spinning on.

So as of today: I collateralized yaml-rust by vendoring it in insta. It's now an amalgamation of insta code and yaml-rust. And by doing so, I successfully upgraded this junk tech debt to a perfect AAA.

Who won? I think nobody really.

A 2018 article on how Joel Spolsky broke IT recruiting randomly popped up in my news feed today. I particularly enjoyed the section that discussed IT recruiting, though the bits relating to StackOverflow haven't aged well; that site is beyond having jumped the shark.

I'm not a people manager, but I have assisted in hiring a number of folks over the years. Some of them turned out to be great developers, while others turned out to be terrible. It's so hard to vet folks based on a handful of interviews. Back when in-person interviews were more of a thing, it was easier. Today's online-only world makes that nearly impossible, especially given that some candidates are no longer local.

Having an actual apprenticeship program would make the process so much easier. New candidates could come aboard for a trial period; 6 or 12 months. Financially, it would be treated like a contract position. During this period they could then be evaluated over time:

• Is the candidate reliable?
• Are their development skills what they said they were?
• Can they communicate effectively?
• Do they complete deliverables on time?

After the apprenticeship is up, they'd become a "journeyman" and a full-time employee. A program of this sort would greatly reduce the ridiculous speed bump some employers put in the way of hiring developers. It would also make it really easy to get rid of the downright awful developers who occasionally creep in.

This really needs to become a thing.