
  • Matt Mullenweg
  • Gone (Almost) Phishin’

Gone (Almost) Phishin’

By: Matt
9 March 2026 at 15:11

This is a little embarrassing to share, but I’d rather someone else be able to spot a dangerous scam before they fall for it. So, here goes.

One evening last month, my Apple Watch, iPhone, and Mac all lit up with a message prompting me to reset my password. This came out of nowhere; I hadn’t done anything to elicit it. I even had Lockdown Mode running on all my devices. It didn’t matter. Someone was spamming Apple’s legitimate password reset flow against my account—a technique Krebs documented back in 2024. I dismissed the prompts, but the stage was set.

What made the attack impressive was the next move: The scammers actually contacted Apple Support themselves, pretending to be me, and opened a real case claiming I’d lost my phone and needed to update my number. That generated a real case ID, and triggered real Apple emails to my inbox, properly signed, from Apple’s actual servers. These were legitimate; no filter on earth could have caught them.

Then “Alexander from Apple Support” called. He was calm, knowledgeable, and careful. His first moves were solid security advice: check your account, verify nothing’s changed, consider updating your password. He was so good that I actually thanked him for being excellent at his job.

That, of course, was when he moved into the next phase of the attack.

He texted me a link to review and cancel the “pending request.” The site, audit-apple.com, was a pixel-perfect Apple replica, and displayed the exact case ID from the real emails I’d just received. There was even a fake chat transcript of the scammers’ actual conversation with Apple, presented back to me as evidence of the attack against my account. At the bottom of the page was a Sign in with Apple button that he told me to use.

I started poking at the page and noticed I could enter any case ID and get the same result. Nothing was being validated. It was all theater.

“This is really good,” I told Alexander. “This is obviously phishing. So tell me about the scam.”

Silence. *Click*.

Once I’d suspected what was happening, I’d started recording the call, so I was able to save a good chunk of it, which Jamie Marsland used to make a video about the encounter. You can hear for yourself exactly how convincing “Alexander” was.

So let my almost-disaster help you avoid your own. Remember these rules.

  • Don’t approve any password-reset prompts—those are the first part of the attack. Do not pass Go, just head directly to your Apple ID settings. 
  • Apple will never call you first. 
  • When you get an email from Apple—or, really, anyone telling you to complete a digital security measure—check the URL they’re trying to send you to. Apple Support lives on apple.com and getsupport.apple.com, nowhere else.

After all, the best protection is knowing what this looks like before it happens.

Thank you to Peter Rubin and Jamie Marsland for putting this all together.
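
The URL check from the last rule above, as an added example that is not part of the original post: a Python sketch that pulls the real host out of a link and compares it with the two hosts the post names. Requiring https and accepting subdomains of those hosts are assumptions, and every sample URL except the post's audit-apple.com is constructed.

```python
from urllib.parse import urlsplit

# The only hosts the post names for Apple Support.
TRUSTED_HOSTS = ("apple.com", "getsupport.apple.com")


def is_trusted_apple_url(url: str) -> bool:
    """True only if the link's real host is a trusted host or a subdomain of one."""
    # Browsers treat "\" like "/" and drop stray whitespace, so a parser that
    # does not can disagree with the browser about the host. Refuse such input.
    if "\\" in url or any(c.isspace() or ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops "user@" and ":port", lowercases
    except ValueError:
        return False
    if parts.scheme != "https" or not host:  # https-only is an assumption
        return False
    host = host.rstrip(".")  # "apple.com." is the same name as "apple.com"
    # Match on a label boundary: "audit-apple.com" and "notapple.com" end in
    # "apple.com" as strings but are different registered domains.
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


# Constructed sample links (audit-apple.com is the domain from the post).
SAMPLES = [
    "https://getsupport.apple.com/",
    "https://APPLE.com/support",
    "https://audit-apple.com/case",
    "https://apple.com.audit-apple.com/",
    "https://apple.com@audit-apple.com/",
    "https://notapple.com/",
    "http://apple.com/",
]


def check_samples() -> dict:
    """Map each sample link to its verdict."""
    return {u: is_trusted_apple_url(u) for u in SAMPLES}


if __name__ == "__main__":
    for url, ok in check_samples().items():
        print(("trusted  " if ok else "REJECTED ") + url)
```
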

  • Retrophisch
  • Courtesy of Kevin Kelly’s Recomendo newsletter (it’s free), her…

Courtesy of Kevin Kelly’s Recomendo newsletter (it’s free), her…

Courtesy of Kevin Kelly’s Recomendo newsletter (it’s free), here’s a neat iPhone ring hack for those of us who keep the ringer silenced:

Like many people I keep my phone ringer on vibrate, but I don’t usually carry my phone on me – I may leave it on a desk – so I often miss calls. I’ve greatly reduced missed calls by setting the phone to flash its flashlight and flash its screen while it vibrates. That flashing light is enough to notice from a distance. It is easy to program on the iPhone. Go Settings > Accessibility > Audio Visual > Flash for Alerts. For Android: Settings > Accessibility > Audio & Screen Text > Flash Notifications. — KK

  • Matt Mullenweg
  • Beautiful Hack
    It’s bad, but it’s so good. As you read this deep dive into the LiteLLM backdoor hack, or this one, it’s really just quite impressive. The use of ICP canisters, wow. Just as an engineer, I’d love to meet the minds behind this code.
     
  • Matt Mullenweg
  • Ari & X

Ari & X

By: Matt
25 March 2026 at 23:48

I’m in NYC for the Stephen Wolfram dev/ai/nyc conversation tomorrow at the Automattic Noho space. While walking back from the Apple Store in Soho where I had picked up a new Studio Display XDR to try out, ran into one of my favorite YouTube accounts to follow right now, Ari at Home! I ran into him around 32 minutes into this Twitch stream. Here’s how he set up his rig.

Ran into @ARIatTWIT walking back from @Apple store with new Studio XDR. Offered to get him set up on @WordPress or @Tumblr. 🙂 Carrying the display was my workout for the day. pic.twitter.com/q3vgAG7Hxm

— Matt Mullenweg (@photomatt) March 25, 2026

A video I’ve shared with friends recently is when Harry Mack ran into Ari, which was fun for me because they’re two of my favorite accounts to follow. Sorry I didn’t freestyle! I had to get back to do some work, which is why I got the monitor.

In other cool X/Twitter news, they launched an awesome feature today that lets you restrict replies not just to people you follow, but to people they follow as well. Nikita gave a hat tip to the conversation I had with Peter Levels / @levelsio.

Credit to @rsrbk123 @striedinger @x_belous @singhai for their work on this.

And thanks @photomatt for the suggestion https://t.co/Gr2iD1O73Y

— Nikita Bier (@nikitabier) March 25, 2026
  • Doc Searls Weblog
  • If privacy matters to you, this is a required assignment

If privacy matters to you, this is a required assignment

27 March 2026 at 12:46

I’m kinda proud of the stars we’ve been bringing to our salon series here at Indiana University since 2021. And there are none I’m more excited to welcome than Helen Nissenbaum, who will be here on Tuesday to speak both in person and on Zoom. The title of her talk is “Why Obfuscation is (still) Needed (more than ever).”

Helen is the North Star of personal privacy—a role she earned by changing how the whole field understands what privacy is: specifically, that it’s not about secrecy or control, but about appropriate information flows. This was detailed in her landmark book, Privacy in Context: Technology, Policy, and the Integrity of Social Life, and backed by her work on practical tools such as the AdNauseam browser extension.

Her day job is as Professor of Information Science and the founding director of the Digital Life Initiative at Cornell Tech. Visit that page to get a small sense of her range of involvements and influences.

Helen has been an influence on my own privacy work, most notably with MyTerms. If privacy matters even a fraction as much to you as it does to me, come or tune in to her talk, and be prepared with questions.

That’s next Tuesday at 4 pm Eastern. You can register and join the crowd here.

Or click on this to put it on your calendar:

On the one hand, AppleTV’s tvOS informing me that Stars-Flyers has go…

On the one hand, AppleTV’s tvOS informing me that Stars-Flyers has gone to overtime WHILE I’M WATCHING THE GAME is kind of annoying.

On the other hand, at least tvOS isn’t as “smart” or privacy-invading to know I’m already watching it.
