MacStories Team

368 posts on MacStories since July 2011

Articles by the MacStories team.

Founded by Federico Viticci in April 2009, MacStories attracts millions of readers every month thanks to in-depth, personal, and informed coverage that offers a balanced mix of Apple news, app reviews, and opinion.


Sofa: Be More Intentional with Your Downtime [Sponsor]

Your time is precious. So, instead of spinning your wheels as you look for the next thing to watch, read, play, or do, try Sofa for iPhone, iPad, and soon, the Vision Pro. It lets you be more intentional with your downtime by creating organized lists as you discover new things to try.

Most apps are designed for work. Sofa’s different. It’s built for play, with a focus on making the most of your free time. It’s more organized than a list in Notes, with just enough structure combined with extensive customization options to make it your own.

You can track anything you want in Sofa: apps, books, movies, TV shows, podcasts, YouTube videos, websites, travel ideas, restaurants, and more. The app includes over 100 themes, Shortcuts support, Smart Lists, user-defined ingredients, and more. It’s the sort of flexibility, from the lists you make to how the app looks, feels, and works, that you won’t find anywhere else.

Most of Sofa, including unlimited lists, syncing via iCloud, tracking your activity, and automating with Shortcuts is completely free. But, with a Super Sofa subscription, you can add custom ingredients, Smart Lists, item and list pinning, sticky notes, and more.

So, download Sofa today for free, and be sure to take advantage of a limited-time deal just for MacStories readers, who can get 40% off their first year of a Super Sofa subscription by going to sofahq.com/macstories.

Our thanks to Sofa for sponsoring MacStories this week.


1Password Extended Access Management: Secure Every Sign-In for Every App on Every Device [WWDC Sponsor]

In a perfect world, end users would only work on managed devices with IT-approved apps. But every day, employees use personal devices and unapproved apps that aren’t protected by MDM, IAM, or any other security tool.

There’s a giant gap between the security tools we have and the way we actually work. 1Password calls it the Access-Trust Gap, and they’ve also created the first ever solution to fill it.

1Password Extended Access Management secures every sign-in for every app on every device. It includes the password manager you know and love, and the device trust solution you’ve probably heard of on this podcast, back when it was called Kolide.

1Password Extended Access Management cares about user experience and privacy, which means it can go places other tools can’t–like personal and contractor devices. It ensures that every device is known and healthy, and every login is protected. So stop trying to ban BYOD or Shadow IT, and start protecting them with 1Password Extended Access Management.

Check it out today.

Our thanks to 1Password for sponsoring our WWDC coverage this week.


Raycast: An Extensible Spotlight Replacement Built to Boost Productivity [Sponsor]

Raycast makes your Mac better because it’s fast, ergonomic, and reliable. Best of all, though, Raycast comes with powerful tools your Mac should have but didn’t. Plus, it’s extensible, with a rich catalog of extensions built by developers around the world that solve every productivity need you can imagine.

With Raycast, everything is at your fingertips. The app’s searchable clipboard means always having what you need a few keystrokes away. With emoji and gif search tools, Raycast makes it easy to express yourself. Plus, there are tools to perform quick calculations, currency and unit conversions, and a lot more.

And with broad developer support, there are extensions available to:

  • Track your flights
  • Take notes
  • Save tasks
  • Search for your files
  • Run scripts
  • Kick off shortcuts
  • Translate text
  • and even manage your windows

With Raycast, all of this and more can be accomplished quickly and easily without switching contexts, reducing distractions and speeding up every interaction with your Mac.

Raycast is also the best way to interact with AI. It’s an always-on window into ChatGPT that helps you code, write email messages, automate repetitive tasks, and more.

Raycast is free to download and use, but with annual plans that start at what works out to just $8/month, you can go pro with its AI features, theming, and setup sync across multiple Macs.

Visit Raycast’s website today to learn more, download Raycast for free, and see how its Pro accounts can take your Raycast experience to the next level.

Our thanks to Raycast for sponsoring MacStories this week.


Struggling to Afford Cybersecurity Insurance? Here’s Why. [Sponsor]

When MGM Resorts suffered a $100 million hack in September, CEO Bill Hornbuckle wasn’t too worried about the lost revenue, because cyber insurance would cover the tab. “I can only imagine what next year’s bill will be,” he joked.

Weeks later, on a call with analysts, Hornbuckle complained about the “staggering” rise of insurance costs in the past few years.

This story neatly illustrates the crisis in cyber liability coverage. For years, companies have invested more in security insurance than in actual security. The result has been a tidal wave of data breaches that have driven up the cost of premiums to the point that they are rapidly becoming unaffordable.

Some large enterprises are responding to the increased costs by creating their own “captive carriers,” insurance providers that exist only to serve them. But that’s clearly not an option for small businesses, which are more likely to go without insurance altogether.

According to Andrew Bucci, VP of Sales at Amplified Insurance Partners, “It’s going to come to a point where some people may have to self-insure, which means that they don’t take a cyber policy out and they just cross their fingers they don’t have some sort of breach.” That’s a huge gamble for SMBs, since they could be driven to bankruptcy by a single security incident.

At Kolide, we’ve seen our cyber insurance premiums go up by 40% in just the last two years, and we got curious about:

  • What’s driving the increases?
  • Who really needs cybersecurity insurance?
  • How can the average company reduce their premiums?

What we found was that insurance companies themselves can help get us out of this crisis, by mandating some (pretty basic) security requirements for their customers–things like MFA, endpoint security, and retiring end-of-life software. 

Read the full blog to learn more about our findings.

Our thanks to Kolide for sponsoring MacStories this week.


Voice Clones Have Crossed the Uncanny Valley [Sponsor]

Now, don’t get offended, but – you aren’t as good at clocking deepfakes as you think you are. 

And it’s not just you–nobody’s that good at it. Not your mom, or your boss, or anyone in your IT department. 

To make matters worse, you probably think you can spot a fake. After all, you see weird AI-generated videos of celebrities on social media and they give you that uncanny valley tingle. But it’s a different ballgame when all you’ve got to go on is a voice. 

In real life, people only catch voice clones about 50% of the time. You might as well flip a coin.

And that makes us extremely vulnerable to attacks.

In the “classic” voice clone scam, the caller is after an immediate payout (“Hi it’s me, your boss. Wire a bunch of company money to this account ASAP”). Then there are the more complex social engineering attacks, where a phone call is just the entryway to break into a company’s systems and steal data or plant malware (that’s what happened in the MGM attack, albeit without the use of AI).

As more and more hackers use voice cloning in social engineering attacks, deepfakes are becoming such a hot-button issue that it’s hard to tell the fear-mongering (for instance, it definitely takes more than three seconds of audio to clone a voice) from the actual risk.

To disentangle the true risks from the exaggerations, we need to answer some basic questions:

  1. How hard is it to deepfake someone’s voice? 
  2. How do hackers use voice clones to attack companies?
  3. And how do we guard ourselves against this… attack of the clones?

Like a lot of modern technologies, deepfake attacks actually exploit some deep-seated fears. Fears like, “your boss is mad at you.” These anxieties have been used by social engineers since the dawn of the scam, and voice clones add a shiny new boost to their tactics. 

But the good news is that we can be trained to look past those fears and recognize a suspicious phone call–even if the voice sounds just like someone we trust.  

If you want to learn more about our findings, read our piece on the Kolide blog. It’s a frank and thorough exploration of what we should be worried about when it comes to audio deepfakes.

Our thanks to Kolide for sponsoring MacStories this week.


Collections Database: A Powerful Database with iCloud Sync [Sponsor]

Collections Database is the premier personal database app for organizing anything and everything on your iPhone, iPad, and Mac.

The app features more than 20 field types, linkable sub-databases, reusable lists, and a robust customization system. It’s a powerful and flexible solution that makes Collections easy to get started with for beginners, while meeting the needs of advanced users too.

Collections provides essential templates to get started, including Expenses, Contacts, Subscriptions, Books and more. However, you’re always free to start from scratch by building your own custom templates.

A long, complete list of field types is available for your databases too. The set includes everything you’d expect from a modern database app, including Text, Number, Date, Picture - even Barcode fields. Collections can import spreadsheets from other apps, using its powerful CSV import functionality. Collections also offers quick filters, sorting, password protection, smart text-based search, and more.

A standout feature is the extensive support for Shortcuts, which expands the app capabilities even more.

Collections is free to try, but by upgrading to the Pro version via In-App Purchase, you’ll gain access to an unlimited number of database entries and files, plus advanced filters. The Pro version also includes a unique visual formula editor that makes building complex formulas intuitive and easy.

The app is a universal purchase, so your purchase will be available on the iPhone, iPad, and Mac. At the same time, though, Collections has been carefully optimized for each Apple platform for the best experience on every platform.

Collections is regularly updated to take advantage of the latest Apple technologies and is privacy-minded. Your data isn’t collected or sent anywhere else.

To learn more and download Collections Database, visit the App Store today.

Our thanks to Collections Database for sponsoring MacStories this week.



Looking Past the Smoke and Mirrors of the MGM Hack [Sponsor]

The September 2023 MGM hack quickly became one of the most notorious ransomware attacks in recent memory. Journalists and cybersecurity experts rushed to report on the broken slot machines, angry hotel guests, and the fateful phishing call to MGM’s help desk that started it all.

And, like a slick magic trick, the public’s attention was drawn in the wrong direction. Now, months later, we’re still missing something critical about the MGM hack.

That’s because, for many of the most important questions about the breach, the popular answers are either incomplete or inaccurate. Those include: who hacked MGM, what tactics they used to breach the system, and how security teams can protect themselves against similar attacks.

Why is that a problem? Because it lets us write off the MGM hack as a one-off story, instead of an example of an emerging style of attack that we’ll certainly be seeing more of. And that leaves companies and security teams unprepared. 

Who hacked MGM?

Plenty of news stories have confidently blamed the MGM attack on either the Scattered Spider or ALPHV hacking group, but the truth is still murky, and likely involves a dangerous team-up between different groups, each bringing their own expertise to the table.

Their attacks first use fluent English social engineering skills to get onto networks, where they then deploy sophisticated ransomware that quickly establishes persistence across multiple systems. 

What tactics did they use? 

The dominant narrative has been that “a single phone call hacked MGM.” A phone vishing attack to MGM’s IT help desk is what started the hack, but there’s much more to it than that. The real issue is that this help desk worker was set up to fail by MGM’s weak ID verification protocols, and probably wasn’t doing anything “wrong” when they gave the bad actors access to a super administrator account. 

How can security teams protect themselves? 

Cybersecurity experts have centered most of their advice on user ID verification. But while it’s true that MGM’s help desk needed better ways of verifying employee identity, there’s another factor that should have stopped the hackers in their tracks. 

That’s where you need to focus your attention. In fact, if you just focus your vision, you’ll find you’re already staring at the security story the pros have been missing.

It’s the device you’re reading this on. 

To read more of what we learned when we researched the MGM hack–like how hacker groups get their names, the worrying gaps in MGM’s security, and why device trust is the real core of the story–check out the Kolide Blog.

Our thanks to Kolide for sponsoring MacStories this week.