Apple Security

Apple Suspects Hardware Espionage

From 9to5Mac:

At least part of the driver for this is to ensure that the servers are secure. Apple has long suspected that servers it ordered from the traditional supply chain were intercepted during shipping, with additional chips and firmware added to them by unknown third parties in order to make them vulnerable to infiltration, according to a person familiar with the matter. At one point, Apple even assigned people to take photographs of motherboards and annotate the function of each chip, explaining why it was supposed to be there. Building its own servers with motherboards it designed would be the most surefire way for Apple to prevent unauthorized snooping via extra chips.

I can’t say this is terribly surprising. There’s been reports of this sort of thing happening to Cisco hardware among others.

Google Security

Chrome Enables Do-Not-Track

Chrome finally added Do-Not-Track (DNT) to Chromium. They are the last major browser to complete implementation and start giving users a choice in terms of their preference to tracking.

DNT isn’t a perfect solution as it has no enforcement. Regardless it’s a step in the right direction and empowers ad networks to respect users privacy preferences, something that in the past was difficult even for those willing to do so. It won’t solve the problem, but it helps and has a low barrier to entry. That’s a good thing.


Wikipedia’s Jimmy Wales Threatens To Encrypt Wikipedia

Wikipedia’s Jimmy Wales threatened to encrypt traffic to the UK if new tracking laws are implemented:

But if we find that UK ISPs are mandated to keep track of every single web page that you read on Wikipedia, I’m almost certain – err, I shouldn’t speak for our technical staff – we would immediately move to a default of encrypting all our connections in the UK.

Truthfully, we’re going that way anyway. It’s only a matter of time before all websites will be moving to HTTPS for the sake of implementing SPDY or whatever succeeds it. I don’t see a non-secure standard taking hold any longer. Security is no longer considered a bonus, it’s a requirement. Facebook does it by default now, Twitter does it by default now, does it by default now (for SPDY). It’s not just personal communications. Lots of non-personal data is going over HTTPS now. The trend will keep accelerating. It’s no longer as cost prohibitive to implement. Don’t be shocked if this entire blog is HTTPS only in the not too distant future.


On Perception Of The Cloud

Citrix commissioned an interesting survey to see how people define “the cloud”.

Most of the press was focused on:

51 percent of respondents, including a majority of Millennials, believe stormy weather can interfere with cloud computing.

Technically weather can cause your internet connection to go down, so yes it does interfere with your access to cloud computing. If you can’t access it, for all intents and purposes it doesn’t exist. I’d further argue any remotely decent data center is not impacted by “stormy weather”, it would need to be along the lines of “act of god”. A notable difference.

They also focused on:

You’re not alone: While many admit they don’t understand the cloud, 56 percent of respondents say they think other people refer to cloud computing in conversation when they really don’t know what they are talking about.

Again, I’d argue no big deal. You shouldn’t need to know what a utility is anymore than you need to know the molecular makeup of natural gas. You just need to know how to safely operate a stove. Cloud computing is turning computing into a utility. It removes the complexities (how to gather wood to keep with the fire/stove example).

The part that gets me is what was ignored by seemingly everyone else (emphasis mine):

Softer advantages, like working from home in the buff: People offered additional, unexpected benefits of the cloud, including the ability to access work information from home in their “birthday suit” (40 percent); tanning on the beach and accessing computer files at the same time (33 percent); keeping embarrassing videos off of their personal hard drive (25 percent); and sharing information with people they’d rather not interact with in person (35 percent).

We’ve failed miserably as technology professionals if 25% of the population think putting their embarrassing photos in the cloud is a good way to keep them private. This is akin to if 25% of the population said they trusted random Nigerian email’s for their banking needs.

If I were Apple, or Microsoft, or anyone else in the market, I’d be asking myself how to fix this misconception and make security on the desktop visibly superior as well as technologically. Perhaps make disk encryption standard for at least the user data which could be partitioned (especially since adjusting partitions isn’t impossible these days). A lot of privacy is lost in the cloud. It’s also potentially not subject to many of the protective laws the US provides to physical property in terms of search as I’ve mentioned before.


CmdrTaco On Data Collection

Rob “CmdrTaco” Malda, (of Slashdot fame), did an IAmA on Reddit. Overall interesting but this particular answer caught my attention. When asked “How do you see a company like Google using the data it collects, and specifically your interest in Google+?”:

Data is just data. When I ran Slashdot, I logged everything I practically could because without it, I couldn’t make informed decisions.

What corporations DO with that data will pretty much define the future of the internet. I don’t think people truly understand the implications.

The biggest databases- things like Facebook and Google could be used in so many awful ways. But I collected all the data I possibly could too, and I really tried to impress upon everyone I worked with the RESPONSIBILITY that this data entails. Like, just because you gave me your email address is not permission for me to sell it or spam you.

I hope that the giants play nicely. I want the cool shiny things they make… and I’ll give them the benefit of the doubt in most cases.

The only thing I disagree with is he didn’t mention anything about disclosing to users how that data is used and will be handled. Of course current privacy policies suck, they need to be easier to understand without having a law degree.


UK Wants to MITM SSL Connections to Facebook/Gmail

The UK Government wants ISP’s to record secure transmission of messages with services like Facebook and Gmail, which are currently using SSL. I’d be curious to know how the UK government actually plans to pull this off. To pull that off they’d need to get browsers to include their root certificate so they can MITM Gmail and Facebook. I can’t see that happening.

Of course anyone really wanting to do something criminal will just employ a VPN to tunnel past these ISP’s, or encrypt messages using GPG. Therefore, I don’t see what the point is.

Around The Web

“The Future” As Seen In 1961

1961 Vintage Motorola Ad

Images of what the future would look like have long been a fascination. 1950’s and 1960’s always focused on a sleek, minimalist future with a very retro (by today’s standard) color palette. It’s easy to dismiss them as silly, until you realize the basis of them is pretty spot on.

Take the image up top of Motorola’s vision of the future from a 1961 set. The two main themes in these images actually happened:

  1. Media Everywhere – A reoccurring theme in the set is that there’s media (in the form of a TV) everywhere. It’s the centerpiece of every home. This isn’t shocking for an electronics company. For the 1960’s when not everyone owned a TV, this was pretty bold. Of course today that’s true. It’s even a step beyond. Most of us now have phones that can play video. We have laptops. Media is everywhere.
  2. Transparency/Lack of Privacy – The other strong theme is the lack of privacy. From open floor plans to glass walls. The future is out in the open. This is hardly just a Motorola idea. Glass House was built in 1949 and Case Study Houses were often built in this style including the notable Stahl House. The illusion to Facebook and social media shouldn’t be lost here. The transparency that’s normal in this modern age was unthinkable in the 1960’s.

Of course part of Motorola (the Motorola Mobility part) is now part of Google, and had an influence on both of those changes as cell phones played a big role in both trends.

When you really think about it, TV’s are flatter and we cram more things into the same square footage, but these aren’t terribly far off concepts of what the future holds. From a high level they are spot on. These are really the biggest changes to the American home.


Use SSL By Default

Twitter is now the latest site defaulting to HTTPS. Kudos to them. I love seeing the web get more secure, even if it’s one site at a time.

If you’ve got a site where login is required, please make sure to use SSL. It’s not that costly anymore. Even this blog uses SSL where necessary.

It’s not needed for general public consumption things (like this webpage), but anywhere a session can be hijacked or confidential data could be transfered, SSL is a good idea. When not possible to default, at least make it an option (I do this for

Apple Security

Path’s Privacy Folly Proves Shift In Privacy Views

Path uploaded address book data from its users in order to provide “social” functionality. After this became public they deleted all address data and apologized.

Everyone is ignoring the worst part of this. While very bad, it’s not that Path actually uploaded their address book (I’d venture most store it in “the cloud” already, so true privacy is out the window). The worst part is that Path didn’t even think this would be a problem until it became news. Even 2 years ago I don’t think there was anyone other than malware developers who would think uploading an entire address book of contacts without an explicit approval would be an OK practice. That is a huge cultural shift.

If Path were a desktop app in 2010, they would be competing with AntiVirus and Spyware blockers who would be racing to provide protection to their users.

In just a short time, a practice that would be reserved for illegal and dubious software was adopted by what seems like a mainstream startup. It’s electronic moral decay.

Apple doesn’t get a free pass either. Why in iOS 5 a sandboxed app can access an address book without alerting the user is beyond me. Addresses, calendar data, geolocation, and the ability to make a call are sacred API’s and should have obvious UI and/or warnings. Geolocation does have an interstitial alert. Phone calls have an obvious UI. Address and calendar data need to have an alert before the app is granted access.

Mozilla Open Source

Why Open Source Is Pretty Awesome

At some point I think it’s easy to take things for granted. Being able to alter software to meet your needs is an awesome power.

Today, a tweet rehashed an annoyance regarding a tactic on websites to alter copy/paste and put a link with tracking code in your clipboard. I could opt out, but that doesn’t fix when websites roll their own. It’s a fairly simple thing to implement. In my mind there’s little (read: no) legitimate justification for oncopy, oncut or onpaste events.

So I did an hg pull while working on some other stuff. I came back and wrote a quick patch, started compiling and went back to working on other stuff.

Then came back to a shiny new Firefox build with a shiny new preference that disabled the offending functionality. A quick test against a few websites shows it works as I intended by simply killing that event. You can’t do these things with closed source.

Of course I found the relevant bug and added a patch for anyone interested.

A 15 minute diversion and my web browsing experience got a little better. Sometimes I forget I’ve got experience on that side of the wire too 😉 .