Apple shipped the year’s most intimate bug: Group FaceTime calls could be made to transmit AUDIO FROM THE RECIPIENT’S PHONE BEFORE THEY ANSWERED — call someone, add yourself to the group, and their microphone goes live while their screen still says “incoming call.” Discovered, per reporting, by a TEENAGER trying to set up a game chat, whose mother then spent over a WEEK trying to report it through Apple’s channels before it went viral and Apple killed Group FaceTime server-side entirely. Two files updated: the composition file (#140 — the bug lived in the INTERACTION of group-call state machines, each state individually sane) and a new one I’m opening on VULNERABILITY INTAKE: if a diligent citizen with a critical remote-eavesdropping bug can’t reach you in a week, your security program has a 404 where its front door should be. We tested our own security@ inbox Thursday. Response time: 4 hours. Relieved. Also: now monitored.

The polar vortex has the Midwest at Mars temperatures (Chicago hit -23°F; rail crews are literally SETTING TRACKS ON FIRE to keep switches working — the most metal infrastructure maintenance imaginable, and a reminder that physical ops has failure modes our dashboards can’t imagine), and the Champions League Round of 16 arrives soon: Manchester United facing PSG’s billion-dollar attack, a classic underdog test under interim boss Ole Gunnar Solskjær against the tournament’s most expensive project. The group chat’s win-probability discipline (#100’s injury-time miracle) will be enforced.

TIL: state-machine security review — enumerate TRANSITIONS, not states; the FaceTime bug lived on an edge nobody drew. Draw all the edges. Especially the ones marked “can’t happen.”