The Importance of Staying Updated

Does it feel like your Apple devices are always asking you to install operating system updates? You’re not wrong—from September 2022 to January 2024, we saw the following releases in Apple’s previous set of operating systems:

  • macOS 13 Ventura: 20 releases
  • iOS 16: 25 releases
  • iPadOS 16: 20 releases
  • watchOS 9: 15 releases
  • tvOS 16: 12 releases

Apple issued many of those at the same time, but since you might not use all your devices every day, it can seem as though you spend all your time installing updates. As annoying as updating can be, we encourage you to do so soon after you’re notified for three reasons.

Reason One: Fewer Bugs

First, as has always been the case, updates fix bugs. You may not have experienced all the bugs that Apple fixes, but when one blocks something you want to do, the fix comes as a huge relief.

For instance, in a set of releases in January 2024, Apple inadvertently introduced a bug that caused text in many apps, including Mail, Notes, and Safari, to appear to be duplicated and overlap. It was only cosmetic, and switching to another window or resizing the window would make it look right again. But the bug was hugely disconcerting, so Apple fixed it two weeks later in macOS 14.3.1 Sonoma, iOS 17.3.1, iPadOS 17.3.1, and Safari 17.3.1 (which brought the fix to macOS 13 Ventura and macOS 12 Monterey).

Reason Two: Better Security

Second, many of the bugs Apple fixes won’t impact your experience of using your device, but they make it possible for attackers to steal information, install malware, spy on your communications, or even take over your entire device. Nearly all of Apple’s operating system updates contain security fixes to address newly discovered vulnerabilities, and some releases only have security fixes. Apple continues to release security updates for the last two versions of macOS and older versions of iOS and iPadOS as appropriate.

It’s easy to think that you won’t be impacted by security vulnerabilities, but remember that as soon as Apple releases an update outlining what it has fixed, attackers know what vulnerabilities exist in unpatched systems. Apple has to react swiftly to some reported vulnerabilities because blocking them can literally be a matter of life or death when it comes to, for instance, iPhone-using dissidents, activists, or journalists working in opposition to repressive governments that employ spyware against their enemies. (All spyware relies on previously unidentified vulnerabilities.)

However, some security vulnerabilities are more likely to impact regular users. For instance, in macOS 14.2.1, Apple fixed a bug in Screen Sharing. If you were sharing your full screen with someone else and had multiple Spaces, Screen Sharing could show the other person random windows in other Spaces, which could range from embarrassing (adult pictures) to seriously problematic (passwords or financial details).

Reason Three: New Features

Third, on the positive side, many operating system releases introduce welcome new features. When Apple unveils its next set of operating systems at the Worldwide Developer Conference in June, some of the promised features won’t appear with the initial releases. New features that shipped in later releases of macOS 14 Sonoma, iOS 17, iPadOS 17, and watchOS 10 include:

  • watchOS’s double-tap gesture for tapping the default button in many apps
  • AirDrop transfers continuing over the Internet when you move out of AirDrop range
  • Adding NameDrop to share contact info when you bring two devices near each other
  • Additional options to control when the iPhone screen shuts off in StandBy
  • The option to choose a specific album for the Lock Screen’s Photo Shuffle wallpaper
  • HomeKey support for Matter locks
  • Expanded Favorites in the Music app
  • A new automatic Favorite Songs playlist in the Music app
  • The addition of Apple’s Journal app
  • A Translate option for the Action button in the iPhone 15 Pro models
  • 10-day precipitation forecasts in the Weather app
  • Sharing of eligible passes in the Wallet app via NameDrop-like proximity
  • A catch-up arrow in Messages that lets you jump to the first unread message
  • Multiple timers in the Clock app on the Mac
  • Stolen Device Protection for the iPhone
  • Collaborative playlists in Apple Music
  • Support for streaming content to TVs in select hotel rooms using AirPlay

Just Update It

Updates provide both a carrot (user-facing bug fixes and new features) and a stick (security fixes). That’s why we recommend updating soon after Apple pushes out a new release and why devices under management usually receive updates quickly. Even if a security breach is unlikely, the liability of allowing devices to remain unpatched is too high for most organizations. Installing updates is an easy way to reduce worry about things like compromised accounts and ransomware.

There are three types of operating system releases:

  • Minor bug fix and security updates: Install these as soon as convenient, usually within a few days. Examples of these include macOS 14.3 to 14.3.1.
  • Interim feature updates: Because these include bug fixes and security updates alongside the new features, you’ll also want to install these within a few days. An example is iOS 17.2.1 to iOS 17.3.
  • Major version upgrades: Because Apple always releases security updates for the two versions of macOS before the current one, you can wait a month or three before installing a major upgrade, such as from macOS 13 to macOS 14. However, once you’ve verified that your apps and workflow are compatible with the new version, we recommend upgrading because skipping a major version of macOS often results in a more difficult upgrade experience.

In each of these cases, if you’re worried about how an update might impact your workflow, check online forums for discussions of each update and feel free to ask us what we recommend for your particular situation.

(Featured image by

Changing Passwords Periodically Doesn’t Increase Security

Does your organization or some financial website require you to create a new password periodically? This practice was recommended long ago, but some organizations haven’t kept up with current recommendations that discourage such policies. If you’re bound by a password expiration policy, you can use this article to encourage your IT department or financial institution to update its approach to password security.

The rationale behind password expiration policies was that if an attacker were to steal a password database and decrypt some passwords, they would work for only a limited period, lessening the risk of unauthorized access. Even if an attacker gained access to an account, they could remain undetected only if they didn’t change the password, and that access wouldn’t last indefinitely.

Over time, security experts realized that the problem wasn’t so much how long an attacker could remain undetected but allowing users to set weak passwords that could be decrypted. It turns out that users often choose weaker passwords when they know they will have to change them, perhaps by tweaking a previous password for easier memorization. This fact hasn’t been lost on attackers, making it easier for them to figure out future passwords. In other words, attempting to increase security by requiring users to change passwords paradoxically reduces security.

The National Institute for Standards and Technology (NIST) is a US government agency that develops cybersecurity standards and best practices for the federal government that large corporations and other institutions tend to follow. In 2017, NIST changed its guidelines to say, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).” In a FAQ, NIST explains:

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.

Of course, if there’s evidence of unauthorized access or a breach of the password database, all passwords should be invalidated and everyone should be required to create a new password immediately—that’s entirely different than requiring passwords to be changed on a schedule.

Interestingly, NIST also doesn’t recommend password composition requirements—such as requiring the password to contain a letter, number, and special character—because users tend to devise predictable techniques to meet such requirements, such as appending an exclamation point to every password. Instead, NIST encourages longer passwords because a long password that’s easily remembered and typed can be stronger than a shorter password composed of random characters. Password managers can generally create both types.

If you’re forced to change a website password periodically, it’s easiest to use a password manager to generate and enter a new strong password, and you won’t have to memorize the new password. For the very few passwords you must remember and type manually, aim for longer passwords that won’t trip up your fingers while typing or require numerous switches of iPhone uppercase and numeric keyboards. To aid memorization, perhaps consider choosing words for your password from categories with many possibilities. For instance, if your initial password is gouda-purple-1989-New-York, the next one could be cheddar-black-2011-Des-Moines. Both are strong in their own right, but only you would know the categories used for each portion.

(Featured image based on an original by

Loose Lips Sink Chips: Beware What You Say to AI Chatbots

Generative AI chatbots like ChatGPT, Microsoft’s Bing/CoPilot, and Google’s Gemini are the vanguard of a significant advance in computing. Among much else, they can be compelling tools for finding just the right word, drafting simple legal documents, starting awkward emails, and coding in unfamiliar languages. Much has been written about how AI chatbots “hallucinate,” making up plausible details that are completely wrong. That’s a real concern, but worries about privacy and confidentiality have gotten less attention.

To be sure, many conversations aren’t sensitive, such as asking for a recommendation of bands similar to The Guess Who or help writing an AppleScript. But increasingly, we’re hearing about people who’ve asked an AI chatbot to analyze or summarize some information and then pasted in the contents of an entire file. Plus, services like ChatPDF and features in Adobe Acrobat let you ask questions about a PDF you provide—it can be a good way to extract content from a lengthy document.

While potentially useful from a productivity standpoint, such situations provide a troubling opportunity to reveal personally sensitive data or confidential corporate information. We’re not talking hypothetically here: Samsung engineers inadvertently leaked confidential information while using ChatGPT to fix errors in their code. What might go wrong?

The most significant concern is that sensitive personal and business information might be used to train future versions of the large language models used by the chatbots. That information could then be regurgitated to other users in unpredictable contexts. People worry about this partly because early large language models were trained on text that was publicly accessible online but without the knowledge or permission of the authors of that text. As we all know, lots of stuff can unintentionally end up on the Internet.

Although the privacy policies for the best-known AI chatbots say the right things about how uploaded data won’t be used to train future versions, there’s no guarantee that companies will adhere to those policies. Even if they intend to, there’s room for error—conversation history could accidentally be added to a training model. Worse, because chatbot prompts aren’t simple database queries, there’s no easy way to determine if confidential information has made its way into a large language model.

More down to earth, because chatbots store conversation history (some let you turn off that feature), anything added to a conversation is in an uncontrolled environment where at least employees of the chatbot service could see it, and it could be shared with other partners. Such information could also be vulnerable should attackers compromise the service and steal data. These privacy considerations are the main reason to avoid sharing sensitive information with chatbots.

Adding emphasis to that recommendation is the fact that many companies operate under master services agreements that specify how client data must be handled. For instance, a marketing agency tasked with generating an ad campaign for a manufacturer’s new product should avoid using any details about the product in AI-based brainstorming or content generation. If those details were revealed in any way, the agency could be in violation of its contract with the manufacturer and be subject to significant legal and financial penalties.

In the end, although it may feel like you’re having a private conversation with an AI chatbot, don’t share anything you wouldn’t tell a stranger. As Samsung’s engineers discovered, loose lips sink chips.

(Featured image by Lukichev)