iOS 5 May Warn About Unsecured Calls

Some chatter has been going around the iOS community about a possible feature in iOS 5 that would warn users of unsecured calls. The encryption used by GSM was cracked and a great presentation and demonstration (which I had the privilege of attending) were given about the crack at Defcon last year. The presentation is available on YouTube for free and is split up into four segments:

[youtube=http://www.youtube.com/watch?v=rXVHPNhsOzo]

[youtube=http://www.youtube.com/watch?v=Fo1OPoBS5Q8]

[youtube=http://www.youtube.com/watch?v=RXqQioV_bpo]

[youtube=http://www.youtube.com/watch?v=a4-KAvWUiDA]

Obviously this feature won’t be able to detect if a government agent at the phone company is listening in on your phone call (this is why we need secure point-to-point communication capabilities on all phones), but it would at least let you know if your phone call is being intercepted locally.

iOS 5 Beta

So I loaded iOS 5 Beta 1 onto my iPod Touch and took a look around. I haven’t had much time to fiddle with it but I’ve decided that Apple did a great job of ripping off Android’s notification system and that’s a good thing. With that said Apple did add two things that I greatly appreciate: widgets on the notification pull-down and the ability to make notifications appear on the lock screen.

I’m not sure if Apple is going to allow third parties to write widgets for the pull-down menu but they have included one for stocks and another for weather. When you pull down the notification page the weather widget will give you the current temperature which is nice. Hopefully third parties are allowed to write widgets for the notification page as I could name a few things I’d like to see there.

The other change to the notification system that Apple made was making notifications appear on the lock screen if you want them to. When you turn the phone on any notifications set to appear on the lock screen will be there and swiping across a notification will open the app that sent out the notification. Thus swiping across an e-mail notification will open Mail and take you right to the message you swiped across. Overall I really like the new notification system and feel it makes iOS a far better OS to work with.

Apple Announcements

Yesterday was Apple’s World Wide Developer Conference (WWDC). This is generally where Apple announces their new iOS and OS X related stuff and this year I must say they didn’t disappoint. I’ll just link to Engadget’s liveblog coverage as it gives the entire WWDC keynote.

First let me say I’m glad that Apple has finally decided to improve the way notifications are handled in iOS. Instead of those damned popup boxes that interrupt whatever you’re doing Apple is going to use the notification system they ripped off from Android. Basically when a notification comes in a little message will appear at the top of your screen and swiping your finger down from the top of the screen will bring down a full list of notifications. The one improvement Apple has added to Google’s system is the fact notifications will also appear on the lock screen so there is no need to unlock the phone to see what messages you have waiting for you. Overall I think this will fix the primary usability complaint I’ve had with iOS for ages now.

Apple also announced iCloud, their new revision of .mac MobileMe. First Apple has finally done away with the stupid annual $99.00 fee which means I will actually try and possibly use this service (I could never justify spending money on something Google offered for free). iCloud also looks to expand greatly on MobileMe’s feature set by adding the ability for your iOS apps to store data on Apple’s servers allowing for backups and syncing.

Speaking of things that no longer require tethering to iTunes for, Apple has also finally started work on freeing iOS devices from iTunes. Starting with iOS 5 devices will be able to sync and backup via WiFi instead of requiring you to physically plug your device into a computer running iTunes. I’m a huge fan of this as it may allow me to backup my device via WiFi remotely by using a VPN connection. Currently if you’re away from the system you use to backup your iOS device you’re kind of fucked should you need to do a backup and restore. It seems Apple is taking the best features from their competitors and integrating them into iOS and honestly it’s about damned time some of the features were added.

The last announcement that really got my attention was OS X Lion (10.7). Lion is being released next month via the Mac App Store (I’m assuming disk versions will be available as well) for $29.99 for the standard client version and $49.99 for the server version. This is big news as the server version previously cost a fuck ton of money (about ten times what Apple is now asking) and now will be affordable to most people. With a price like that I will actually upgrade my little Mac Mini server instead of letting it sit at 10.6 for the entirety of its life.

Overall I’m actually excited about the announcements at this year’s WWDC and look forward to the release of iOS 5 and OS X Lion.

iPhone Encryption “Cracked”

One of the features I really like about the iPhone that Android appears to lack is the ability to encrypt the data on the device. Well news has been floating around that a company has found a means of cracking the iPhone’s encryption but from everything I’ve read it appears as though they are just brute forcing the password of the backups.

From the feature list it seems the program attempts to brute force the encrypted iPhone backups on your computer using the Graphics Processor Unit (GPU) to speed up the process. What I find funny is one of the listed features is “Decrypt iPhone/IPad/iPod backup (with known password).” Oh look at that if the application knows the password to decrypt the backup it can… decrypt the backup. No fucking shit. You know how I decrypt encrypted information? By using my password.

Two solutions exist to prevent this application from working on your phone: use a strong pass phrase to encrypt your backup and encrypt the hard drive of your computer for additional security. I’m not sure if the software is able to brute force the passkey on the phone but as my phone wipes all its data after 10 failed attempts to unlock it I feel as though I don’t have to worry about this particular problem.

Spammers Utilizing Their Own URL Shortening Services

I’ve explained my hatred for URL shortening services in the past and it seems that hatred continues to be justified. I feel that URL shortening services are a security threat as they prevent a user from knowing where a link will actually take them. This is why I have a policy on this website to delete any and all comments that contain a link to a URL shortening service. Well it appears as though spammers are now using their own shortening services:

Under this scheme, shortened links created on these fake URL-shortening sites are not included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites.

These shortened URLs lead to a shortened-URL on the spammer’s fake URL-shortening Web site, which in turn redirects to the spammer’s own Web site.

This shouldn’t come as a surprise to anybody. The obvious danger here is a link that appears legitimate (a known URL shortening service link) could redirect you to a spammer controlled shortening service link which could redirect you to a site that attempts to compromise your computer.
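The chain described above can be unrolled hop by hop without ever loading the destination page. The sketch below is an added example, not part of the original post: the hostnames, the redirect table and the `offline_resolver` stand-in are all constructed for illustration, and a real deployment is assumed to replace the resolver with a request that reads the `Location` header with automatic redirects disabled.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: every hostname and redirect below is invented.
KNOWN_SHORTENERS = {"short.example", "tiny.example"}
REDIRECTS = {
    "http://short.example/a1": "http://fake-short.example/zz",
    "http://fake-short.example/zz": "http://pills.example/buy",
    "http://tiny.example/ok": "http://blog.example/post/42",
    "http://short.example/loop": "http://short.example/loop",
}

def offline_resolver(url):
    """Stand-in for a network lookup: return the redirect target or None."""
    return REDIRECTS.get(url)

def unroll(url, resolve=offline_resolver, max_hops=10):
    """Follow redirects one hop at a time; stop on loops or long chains."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        target = resolve(chain[-1])
        if target is None:
            return chain, "ok"
        target = urljoin(chain[-1], target)  # Location may be relative
        if target in seen:
            return chain, "loop"
        chain.append(target)
        seen.add(target)
    return chain, "too_many_hops"

def assess(url, resolve=offline_resolver):
    """Unroll url and flag the patterns the quoted report describes."""
    chain, status = unroll(url, resolve)
    # Every host that issued a redirect; the last entry is the landing page.
    redirectors = [urlsplit(u).hostname for u in chain[:-1]]
    flags = []
    if status != "ok":
        redirectors.append(urlsplit(chain[-1]).hostname)
        flags.append(status)
    if len(redirectors) > 1:
        flags.append("chained_redirects")   # shortener pointing at a redirector
    if any(h not in KNOWN_SHORTENERS for h in redirectors):
        flags.append("unknown_redirector")  # e.g. a spammer-run shortener
    final = chain[-1] if status == "ok" else None
    return {"final": final, "chain": chain, "flags": flags}

if __name__ == "__main__":
    for link in REDIRECTS:
        print(link, assess(link))
```

A comment filter or mail gateway can hold anything that comes back with a non-empty `flags` list and show the reader the `final` URL instead of the shortened one.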

Before anybody brings this up I do realize that my Twitter feed uses a URL shortening service. I can’t do anything about that and if you don’t like it then subscribe to the RSS feed instead like normal people.

Hacking the United States Government Could Get You Bombed

Here is another example of a completely reasonable reaction by the United States government. In their recently released International Strategy for Cyberspace [PDF] the United States made a few statements, one of which was a threat to bomb the shit out of anybody who hacks their computers:

“States have an inherent right to self-defense that may be triggered by certain aggressive acts in cyberspace,” says the policy. Indeed, such aggressive acts might compel a country like the US to act even when the hacking is targeted at an allied country.

“Certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners,” says the document. “When warranted, the United States will respond to hostile acts in cyberspace as we would any other threat to our country.”

Personally I feel that may be a bit of an overreaction, especially threatening to bomb countries that hack into computers owned by allied countries. I certainly feel this is an overreaction as the paper says the United States will take these actions “when warranted” which translates roughly into “if your country has any natural resources we desire.” Yeah I’m cynical.

The Best Data Protection is Not Having Data

Although I just got done talking about protecting your data via encrypting your hard drive there is a much better means of protecting data that I didn’t cover, not having it:

As both data storage and data processing becomes cheaper, more and more data is collected and stored. An unanticipated effect of this is that more and more data can be stolen and used. As the article says, data minimization is the most effective security tool against this sort of thing.

This advice applies to anything. If there is an absence of something it can’t be taken. If you don’t actually have incriminating data on your computer then it can’t be used against you. If you don’t have a television to steal then a crook can’t take your television. Unfortunately this isn’t very practical and the real problem is one of personal information that is stored by third parties.

Like it or not third parties store a lot of information about you. Even if you’ve never purchased anything online the government likely has countless documents relating to you and your identity. If you use a credit or debit card there is a record of every purchase you make, where you made it, what day you made it on, how much it cost, etc. Most people have cellular phones these days which means a third party, the cellular provider, has your personal information, a history of calls you’ve made or received, your location, etc. Even automobiles are starting to store more and more information about drivers.

I would love to see a world where the amount of data stored by third parties was kept at an absolute bare minimum. Sadly I don’t foresee such a world as personal data is valuable and thus people want to have it.

FBI Surveillance Spyware

It’s no secret that the Federal Bureau of Investigation (FBI) uses various forms of technology to perform surveillance. In this day of high tech gadgets far more information can often be gleaned from a computer than simply tapping phone lines. The Electronic Frontier Foundation (EFF) was able to use a Freedom of Information Act (FOIA) request to obtain information on the FBI’s Computer and Internet Protocol Address Verifier (CIPAV) spyware (by the way was that enough acronym soup for you?):

What is CIPAV and How Does It Work?
The documents discuss technology that, when installed on a target’s computer, allows the FBI to collect the following information:

  • IP Address
  • Media Access Control (MAC) address
  • “Browser environment variables”
  • Open communication ports
  • List of the programs running
  • Operating system type, version, and serial number
  • Browser type and version
  • Language encoding
  • The URL that the target computer was previously connected to
  • Registered computer name
  • Registered company name
  • Currently logged in user name
  • Other information that would assist with “identifying computer users, computer software installed, [and] computer hardware installed”

The documents are an interesting read and it really brings up the question of how one could defend themselves against such a tool. This depends on how the FBI installs the software. If they break into your computer remotely to install it the only option available is to ensure your system is locked down as tightly as possible. That doesn’t solve the problem of the FBI sneaking into your dwelling or place of business and installing the software remotely.

This is where full disk encryption comes into play. If your entire hard disk is encrypted there really isn’t much that can be done without the password. Not only can data on the drive not be seen but it also can’t be changed and thus you can’t install software onto the system without the decryption key. Not only does full disk encryption protect your data if your device is stolen but it also protects you from third parties installing software onto the system.

Government in Your Phone

Happy days are afoot now. In 2006 the federal government approved the creation of the Commercial Mobile Alert System and it’s ready for action. On the surface it’s claimed to be a mechanism of alerting people in an area of a disaster. I’m sure anybody reading this blog long enough knows that I’m very skeptical of anything the government does. First I find the following interesting:

A special chip is required to allow a phone to receive the messages, and soon all new phones will have the technology. Some smartphones already have the chip, and software updates will be available when the network goes online later this year, Genachowski said.

Why does this interest me? It interests me for several reasons. First is the design of this chip open for anybody to develop or is production of these chips controlled by one company that was granted a government monopoly? If the design of this chip isn’t open we have no clue what it can actually do. When the government controls something I can’t verify the abilities of I worry.

Another thing I find interesting are the levels of alerts this system can implement:

Presidential Alerts – Alerts for all Americans related to national emergencies, such as terrorist attacks, that will preempt any other pending alerts;

Imminent Threat Alerts – Alerts with information on emergencies, such as hurricanes or tornadoes, where life or property is at risk, the event is likely to occur, and some responsive action should be taken; and

Child Abduction Emergency/AMBER Alerts – Alerts related to missing or endangered children due to an abduction or runaway situation.

Combine this with the following:

People will be able to opt out of receiving all but the presidential alerts.

So what the Hell is this system supposed to accomplish? Obviously not warning people in an area of natural disasters because those messages can be opted out of. But if there is a terrorist attack in New York again I’m unable to opt-out of that message. I’m sorry but a terrorist attack in another state isn’t something I need to be warned about immediately while a tornado touching down over my house would be of some interest to me. The opt-out mechanism is backwards to say the least and that is also cause for suspicion.

Basically the government has legislated a new chip be required in all new cell phones yet has not released any documents that I can find that give the exact specifications of this chip or its capabilities. I’m guessing we’re going to find some additional functionality further down the road but I could just be cynical due to the history of government implemented projects.

What’s interesting is currently only AT&T and Verizon are signed up for this. Sprint and T-Mobile (who will soon be AT&T) haven’t which really makes me want to utilize my Sprint phone more.