The security community went into a frenzy this weekend over Apple’s latest iOS security update. On Friday, Apple quietly released iOS 7.0.6 and 6.1.6 to patch a bug in it’s SSL implementation. This particular bug nicknamed “goto fail” for the actual contents of it’s source code behind the error. Basically, one too many goto fail causes the fail not to be conditional, but absolute. This failure allows Apple’s SSL framework (the technology that secures web transmissions) to be easily bypassed. In other words, Safari, Mail, Calendar, Software Update, as well as any 3rd party applications who take advantage of Apple’s SSL libraries could potentially have their communications intercepted by an unscrupulous individual. Apple claims that it is a type-o, but many wonder if this might be a deliberate backdoor (one that has lasted over a year).
The real tragedy of this issue is that it effects Mavericks (Mac OS 10.9.x) as well as iOS, but
there is yet no official fix for Apple Computers. Update Published by Apple! Apple desktops, laptops, and iMacs are now were left in a very dangerous position: unprotected to a known threat. I am sure that the bad guys are already configuring their sslstip, sslsniff, or similar tools. Accounts will be compromised, communications will be intercepted or manipulated, or in the case of software updates, malware could even be introduced.
What can we do? First off, run the 7.0.6 update on any iOS devices not yet up to date. Do this from a trusted wifi, not a public one. With your mac, avoid public wifi until this is resolved. Avoid Apple Mail except when absolutely necessary and only from trusted networks. Only use Google Chrome for secure web browsing (it uses it’s own SSL framework).
Optional: Install @i0n1c’s binary patch. @i0n1c’s patch fixes the bug, but may break other things. Run Apple 10.9.2 update!
Test your system: https://gotofail.com/
Great Writeup: https://www.imperialviolet.org/2014/02/22/applebug.html
Quick & Dirty Patch: http://www.sektioneins.de/en/blog/14-02-22-Apple-SSL-BUG.html
Official Apple Fix http://support.apple.com/kb/HT6150
My new Samsung Galaxy Note II came to me today. My first Android since I got it running on my original iphone. In other words, this is the first time I have had my own full featured and power android device. My first impressions are quite favorable. I am amazed at all the things I can do without voiding the warranty. It is highly configurable. Expect a detailed analysis from me soon.
Blobs are fetched, IPSWs Downloaded, iDevices Backed Up! Now the wait for the latest public jailbreak continues. The latest team includes @pimskeks, @planetbeing, @pod2g, and of course @MuscleNerd. Supposed to drop early tomorrow, but some suspected (myself included) that it might get released on “Funday.”
This jailbreak will support EVERY iPod Touch, iPhone, iPad, or iPad Mini running iOS 6.0-6.1. No doubt that atv2 support will come quickly after. No news yet about atv3.
With the pre-sales of the new iPhone 5 in full swing, Apple released iOS 6 today. It can be installed on iPhones 3gs and newer, iPads 2 and up, and iPod touch 4th gen. (compatibility chart) I am going to start by discussing the software changes and by the end of this post will mention a thing or two about Apple’s latest revolutionary device.
First off, many users will notice that the YouTube app is gone. That’s right, with the Apple/Google breakup complete, Apple has removed it from their default installation and reduced it to an App Store install. Not a big deal and Google has taken the opportunity to add a few features and to revamp their user interface. Along with YouTube, the Maps app has also been deGoogled. Apple claims a whole world of new features in their new Maps app. Unfortunately, unless you have an iPhone 4s or better (or an iPad), you will not get to experience 3D topographical flyovers or turn by turn instruction. All you will notice is a conspicuous lack of Street View.
In addition to Google related changes to the home screen, Apple has introduced their new mobile ticketing platform, Passbook. This unsurprising new feature is the reason Apple has been denying alternative mobile ticketing and payment methods. A clear attempt by apple to expand it’s payment processing to event/flight tickets as well. I am sure I will expand on this as it develops. Apple introduced a panoramic photo feature built into the Camera app that only new devices and iPhone 4s can utilize. In fact, just about the only features that older devices get from iOS 6 are Full Screen Safari, Offline Safari, VIP email, and Do Not Disturb. Jailbreakers have had all these features for years. (not to mention FaceTime over cellular, even on the iPhone 4 gasp!) VIP email can easily be done with gmail or any provider that allows for filters/sorting. Do Not Disturb is just a switch, like airplane mode. Not a timer or a time period. No white or black lists. Lame. The rest of the bunch are useful, but not really the big release material you find in a whole number iteration. This really should be iOS 5.2 at best.
What irks me most is the devices and features Apple choose to support (or not to). For example, Apple opted to support the iPhone 3gs (introduced June 2009), but not to support the original iPad released 6 months later (January 2010). Much like the iOS 4 blockade on the original iPhone, despite supporting the 3g (with exactly the same cpu/gpu/spec). FaceTime on cellular is only available on the iPhone 4s. This is interesting because the 4s and 4 have nearly identical cellular hardware. This begs the question, why? The answer is obvious and unfortunate: Planned Obsolescence. Apple decides what features will push users to new devices and those are conveniently left out of earlier models. This is most evident with Siri. Siri is almost entirely a web service. None of the actually processing of speech is handled by the mobile device. Originally an App Store app available on ANY device, now Apple only allows the iPhone 4s/5 and the latest iPad. With the frequency of Siri outages, I have mostly been unimpressed and primarily use it as a novelty.
Finally we’ve come to the new iPhone 5. I like the ideas of better power management and a bigger battery. I remember that the iPhone 4 was the first iPhone with the power to run my life all day without recharging. This was quickly undone with the 4s who’s power hungry A5 processor ate through the larger battery faster then ever. The specs we are seeing online look impressive and put the iPhone back on top of the smart phone benchmark.
We will not know if these claims are true until they arrive in fanboy (and girl) hands and we see how they do. What I can tell you is why I will not be getting one (at least not on launch day). Honestly, it has less to do with the features of the phone then that of the carriers. I have been using an unlimited data plan since I started iPhoning around in 2007. That ends with the iPhone 5. In the US, both AT$T and Verizon have ended their unlimited data packages. Any grandfathered users loose their unlimited as soon as they upgrade to an LTE device. Only Sprint remains as an unlimited data provider. Like I would ever go back to them. (if you think AT$T has bad coverage? try Sprint) I have learned that Tmobile will be adding LTE coverage as well as iPhone support for such a network. They also provide unlimited data. I may possibly switch to them in the future. I love LTE speed, but I am a data junkie and my habit is bad.
In conclusion, the iPhone 5 is alright, but iOS 6 is laughable. Apple better get on the ball with some real features or they won’t keep ahead of Android for long.
Update: I forgot to mention the new dock connector. I actually like the more durable and reversible dock connector. My only complaint has to do with the available adapter. It actually fails to adapt most audio equipment. The new connector has removed the analog audio line out. Now, the only analog from the new iPhone is from the pre-amped headphones port. This will cause problems with speaker sets, and car adapter kits from here to Singapore. See: Planned Obsolescence.
I built a little package that leverages the power of the mupdfclean command line tool into something a little easier to swallow for mac users. Not a finished project at all, but please enjoy if you have PDFs giving you trouble.
The Dream Team did it again! With Absinthe
2.0.1 2.0.4, Chronic Dev & iPhone Dev Team have piled amazing exploits into a very easy tool. Official Press Release. Get your download here. Wish i was in Amsterdam with all of you having a blast. Thanks for all your work. I missed you Cydia, VLC, SBSettings, now if only i had Safari downloader!
Here is a link to get an extra 25% GB. (I get a bonus too) http://db.tt/RBSMYlTr I am trying to max out their referal program.
Another Java privilege escalation exploit spotted in the wild. Trojans and web based java classes are already installing remote access tunnels into Macs across the globe. Apple finally updated their java binaries and you should too! Protect yourself! Just run Software Update from the Apple menu.
More info (including a AppleScript test for infection):
This is Deja Vu of an attack from years ago where RAM was accessed from the firewire buss. This study published back in Sept 2011 (that i am late to discover) revisits this attack on Lion. Security researchers from frameloss published the specifics on an attack and how to avoid it. Learn how your password could be extracted from your computer’s memory via your firewire port. Even when you thought it was locked! Even with FileVault!
Mostly you must turn off fast user switching, and activate a feature that dumps the password for added security. read all about it here. . .