This week’s show is going to be a little bit different. We’ve got three cool gadget interviews, a Dumb Question asked and answered by Mark Pouley of Twin Lakes Images which is pretty standard fun, but then we’re going to switch gears to Security Bits where Bart and I will spend some quality time going over the FBI/Apple iPhone issue in detail. We both thought it was too important to do a quick bit on it. Bart will explain what we know as facts, then what the security experts think about it and finally Bart will explain his view of the situation. I think it’s a great discussion. As always Bart includes links to all of the articles he quotes.
Chit Chat Across the Pond this Week
In this week’s Chit Chat Across the Pond Bart Busschots takes us through more positioning using CSS. You might have noticed last week that I was just a tiny bit confused towards the end of his last installment. Bart picked up on that too and he created a really cool little web-based tool (made in html and CSS) that lets you change these positioning terms in CSS and see visually how the blocks move around on the page. You can hear the lightbulbs finally going off in my head as I play with it in Chit Chat Across the Pond.
Remember you need to subscribe to Chit Chat Across the Pond separately to get these shows. I did a little poll in our Facebook group (at podfeet.com/facebook) where I asked if people hadn’t subscribed, why that was, and the most common answer was that people intended to subscribe but kept forgetting. I created a page that I’m going to link to from time to time that shows you how to subscribe to NosillaCast, Chit Chat Across the Pond, and Taming the Terminal in iTunes, Stitcher Radio or with an RSS link, but to be honest the easiest way to subscribe is jut to search in your podcatcher. So go do it!
Blog Posts
Solos Cyclist Smart Eyewear
Dumb Question from Mark Pouley
Hi Alison this is Mark Pouley. I have a dumb question and answer for you. Let me tell you how this all started. I’ve had a problem for a couple weeks that I just couldn’t figure out and when I figured out the solution I realized it was fit for a dumb question and answer.
So here’s the problem. Since I got an iPad pro, and promptly left the Apple Pencil behind many times, I started searching for a case that was light, beautiful and had somewhere to store the Pencil. I finally found a leather case that fit the bill, with one nigally problem, the case held the pad with a small leather strip that wrapped around the front bezel. This ended up interfering with the home button and Touch ID. That meant the touch ID only worked about 40% of the time, and as you know if it’s not working reliably it may as well not work it all. After a couple weeks of this I thought I would have to send the case back start my search all over again.
Then the “dumb answer” hit me. I remembered hearing about people having problems with touch id finding a solution by reentering their fingerprint information. That made me think about how the leather was forcing me to touch the home button differently. So I simply went to settings, deleted all of my fingerprints and reentered them with the leather case on the iPad. It worked! Now Touch ID quickly and accurately reads my fingerprints even with the small interference of the case.
So that solved my problem and I wanted to pass this tip on to other Nosillcastaways that might be having Touch ID issues. I guess it’s a bit like rebooting. I dont know what causes touch id problems over time but i know it happens. My phone has been unreliable for some time. Following my success with the ipad I reset Touch ID on my phone and the reliability improved a lot there too. Totally different issue, but the same remedy.
There you go. A not so obvious solution to a kind of simple problem.
Kanex Portable Charger for Apple Watch
Link Portable Data Storage & Streaming
Amazon & iTunes Affiliate links
If you’re trying to think of a way to help the show that doesn’t cost any money, I have a couple of easy ways for you to do that. If you turn off your ad blocker on podfeet.com, you’ll see an Amazon image on the left, and two Apple search boxes on the right. If you buy anything from Amazon or Apple after going through those links, a small percentage of your purchase will go to help the show and it won’t cost you a penny! I appreciate the help!
Security Bits
What a fortnight! 107 news articles were filtered down to create these show notes!
Update on Error 53
Apple have released an update to iOS that fixes Error 53 – it will prevent TouchID integrity problems bricking phones in future, and, it will allow currently bricked phones to be un-bricked. The update does NOT un-brick compromised Touch ID sensors, and it shouldn’t.
iFixIt have tested the fix, and it does indeed work.
Links:
* Apple Apologises for Error 53 and issues a fix – social.techcrunch.com/…
* iFixIt’s confirmation that the fix works – ifixit.org/…
Apple, the FBI, and San Bernardino
This week, Apple were ordered to create a custom version of iOS for an iPhone 5C that will disable the time delay between password input attempts, and the automatic wiping of data after 10 failed attempts. This custom version of iOS would need to be digitally signed by Apple so the phone would accept it, and needed to be able to installed OVER the existing version of iOS without removing any data from the phone.
Apple are fighting this order, and Tim Cook wrote a public letter explaining Apple’s reasons.
The DOJ have filed paperwork requesting Apple be forced to comply, and Apple have been granted more time to make their official response to the order – they have until the 26th of February.
The phone in question was used by one of the San Bernardino attackers, but belongs to his employer. The phone was not managed by his employer though, otherwise, there would be no problem.
It has also emerged that Apple have been working with the FBI since early January, and offered four different plans for accessing data that does not involve a back door. Having received an appropriate court order, Apple handed over all the user’s data from iCloud to the FBI. The most recent iCloud backup was about 6 weeks old, so they do have a lot of data from the phone, just not anything that changed in the six weeks between the last backup and the attacks.
Apple also developed a plan for getting the most recent data off the phone without creating a back door by plugging the phone in while connected to a trusted wifi network so it would back itself up to iCloud again. This plan failed because county officials had changed the iCloud password after the phone was in a government custody – a SPECTACULAR blunder on the government’s part.
The government have no reason to believe this phone contains any specific information they need – they just want to know what is on it in case it happens to be useful.
Apple have a long history of complying with court orders that ask them to do reasonable things. You’ll see reports that Apple have unlocked 70 iPhones in the past – this is not true, Apple have handed over unencrypted data from iPhones in the past, because older versions of iOS did not encrypt everything on the device, so Apple would hand over what was not encrypted, but not what was.
There are also some wrong-headed comparisons being made between Apple allowing the Chinese government to do a security audit of iOS, and Apple refusing to break iOS security – primarily by Reuters – this makes no sense at all. Allowing a government to see the source is totally different from demanding a whole new version of iOS be written to circumvent its own security!
News Links
- The news of the order – www.reuters.com/…
- The actual court order – assets.documentcloud.org/…
- Tim Cook’s Open Letter – www.apple.com/…
- The US DOJ filed papers requesting Apple be compelled to comply with the court order – www.macobserver.com/…
- Apple granted more time to respond – www.macobserver.com/…
- The US House Commerce Committee have asked Tim Cook and the director of the FBI to testify on encryption – www.imore.com/…
- Apple confirm they have been helping the FBI, and that their plan to get the data was foiled by the password reset by county officials AFTER the attacks – www.macobserver.com/… & arstechnica.com/…
- A petition has been started on WhiteHouse.gov asking the government to stop asking Apple for back doors – petitions.whitehouse.gov/…
- Apple have hired free speech lawyers to help fight this case – www.macobserver.com/…
- EFF hold a rally in support of Apple outside the downtown San Francisco Apple Store – www.theguardian.com/…
Opinions From Experts
- Security maven Bruce Schneier comes out in favour of Apple “either everyone gets security, or no one does” – www.washingtonpost.com/…
- Security researcher Rich Mogull explains why the core question raised is “do we have a right to security” – securosis.com/…
- Another piece from Rich Mogull explain why this is is the most important civil rights case for a decade – “the FBI need the precedent more than the evidence” – www.macworld.com/…
- General Hayden, former director of the CIA and NSA has reiterated his support for unbreakable encryption, because it makes Americans “more secure” – www.macobserver.com/…
- Security researcher Jonathan Zdziarski (we’ve talked about his work before) explains that what the FBI is asking for is MUCH more onerous than you might think – www.zdziarski.com/…
- Security researcher Nicholas Weaver explains why this is not so much a slippery slope as a cliff – www.lawfareblog.com/…
- Security firm Sophos comes out in support of Apple – nakedsecurity.sophos.com/…
- Google, WhatsApp, Microsoft, Facebook, and Twitter back Apple – nakedsecurity.sophos.com/… & www.imore.com/…
- The “Reform Government Surveillance” coalition, a group including AOL, Apple, Dropbox, Evernote, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo, have come out in support of Apple – daringfireball.net/…
- The ACLU come out in support of Apple – www.aclu.org/…
- The EFF come out in support of Apple – www.eff.org/…
Other Opinions
- Mark Cuban gives Apple “a standing ovation” for their stand against the FBI – blogmaverick.com/…
- Adam Engst explains why he thinks Apple is doing the right thing – tidbits.com/…
- Dan Goodin explains why it is appropriate to call what the FBI as demanding a back door – arstechnica.com/…
- The New Your Times editorial board chimes in with support for Apple – www.nytimes.com/…
- US congressman Ted Lieu from California does out in support of Apple – www.macobserver.com/… & lieu.house.gov/…
- Donald Trump has called for a boycott of Apple products over this – he did so on Twitter from an iPhone – www.imore.com/…
Other Links
- A nice FAQ on the whole thing from iMore – www.imore.com/…
- A good explanation of why the “Apple did this 70 times before” meme is very wrong and very dangerous – social.techcrunch.com/…
- An explanation of why Reuters is wrong on China – www.macobserver.com/…
My Take
- The FBI chose this case VERY carefully – it is really emotive, it creates fear, and the issues are complex – the FBI are trying to play the American people like a fiddle, and it is working – just look at the supposedly small-government conservatives falling over themselves to be the most angry at Apple the most quickly. Emotive cases make for REALLY bad laws. This is a very emotive case, and it could very easily end up making VERY bad law.
- The FBI may say they just want this once, for one phone, but that is impossible. Firstly, if it works on one iPhone 5C, it is trivially easy to make it work on another – they are all the same! Secondly, precedence does not work that way! If it is legal to order it now, it is legal to order it again in future!
- This is a pandora’s box – right now no tool exists to make iPhones bypass their own security. Once it does exist, it cannot be vanished out of existence. It could leak, but even if it doesn’t, any court in any country in the world can order it to be handed over. Even if you trust the American government not to use the secret FISA courts to make Apple use the tool over and over again to spy on Americans, can you trust the British Government not to demand a copy? Or the Chinese Government? Or the Saudi Arabian Government? If the FBI succeed in prying open this pandora’s box, it will inevitably be used to attack Americans, and indeed, to attack human rights.
- It is one thing for the FBI to hack into systems, it is something entirely different for the FBI to force a company to hack into its own systems. This would set a very dangerous precedent – any American company providing actual security can be forced to destroy that security at any time. It would become impossible for any American company to build a product with credible security.
- Make no mistake about it – strictly speaking, this is not a back door to an encryption cypher, but is IS a back door against iPhone encryption. The encryption protections Apple put in place are more than just the cypher – the rate control and auto-deleting are EVERY BIT as vital to our protection from criminals, terrorists, and hostile governments, as the cyphers used. It doesn’t matter what the FBI says, this IS a back door they are demanding Apple build.
GLibC Vulnerability
A remote code execution bug has been found in the GNU C Library, GLibC. This library is a critical part of Linux, and implements common functionality used by most apps on Linux. A bug has been found in the GLibC function for converting a domain name into an IP address. This function makes a DNS request on behalf of the calling app – asking the library to look up the IP address for a domain name like www.podfeet.com. A maliciously crafted DNS response can crash the library in such a way that arbitrary code execution is possible.
DNS is an insecure protocol (for all sorts of legacy reasons), so a malicious response can come from a malicious DNS server, or a man-in-the-middle, like a fellow wifi-surfer in your favourite coffee shop.
Just about every app that uses the network in any way needs to do DNS lookups, so this bug affects a staggering amount of apps. Although the bug was just discovered recently, it dates back to 2008, so the bad code has had time to spread far and wide, including into all sorts of embedded devices.
So, you will need to update all your Linux computers ASAP, and hope you can get firmware updates for your embedded devices.
Links:
* A good explanation of the issue from Ars Technica – arstechnica.com/…
* glibc may not be in routers: thehackernews.com/…
Sparkle, and Badly Written Apps
Sparkle is a common open source library that many non-App-Store Mac apps use to implement software update. Every app needs a mechanism for updating itself, so why re-invent the wheel? Also, software updates are inherently dangerous – allowing new code to be injected into your app, so it makes sense to leave designing a safe and secure mechanism to the experts.
From a software developer’s point of view, one of the advantages the Mac App Store offers is that it takes care of software updates for you – one less problem for your to solve!
The Sparkle library’s documentation is very clear on the importance of using HTTPS for all software updates – otherwise, a Man-in-the-middle could alter the code en-route to the client, and inject malware into the app being updated. While Sparkle do their best to warn people about using HTTP instead of HTTPS, it turns out a lot of developers didn’t bother reading the manual, or, didn’t understand the significance of what it said, or just didn’t care about the security of their users. Either way, security researchers did a survey of Mac apps that user Sparkle, and found that many do not use HTTPS, and are hence vulnerable to man-in-the-middle attacks.
One other point to make is that while the Sparkle documentation was spot-on, the default behaviour was silly – the library defaulted to HTTP. So, any developer who thought that the documentation for such a critical component was “TL;DR”, ended up with an insecure app. Sparkle have addressed this by making the default HTTPS, but of course, that default won’t come into effect until developers update the version of Sparkle they incorporate into their apps.
Developers who were not using Sparkle correctly will need to update their apps, and, ironically, that update will need to be sent to the app insecurely!
The good news is that while the problem is very real, the chances of getting burned are small – you would need to update an app while on a shared network with an attacker who would then man-in-the-middle you.
The best defence is not to update any non-App-Store apps while on a public network. Do it in the safety of your own home, and you should be fine.
Links:
* A nice FAQ from iMore: www.imore.com/…
* A nice description of the problem form TidBITS – tidbits.com/…
* A nice description of the problem from Ars Technica – arstechnica.com/…
The 1970s are Evil!
A bug has been found in how the 64bit version of iOS deals with dates before 1970. This bug causes phones to brick themselves when the date is set that far back in time.
The internet, being full of such nice people, responded by creating a fake meme that said that if you put your iPhone back to before 1970 you’ll get a secret hidden vintage theme. If you think about it – that makes no sense – Appel did not exist back in 1970, so why would they build such an easter-egg?
Anyway – don’t believe everything you read on the net! DO NOT SET YOUR PHONE’S DATE TO ANY TIME BEFORE 1970!
Apple have acknowledged the problem, and are working on a fix.
Links:
* Description of the problem – arstechnica.com/…
* Apple confirm the bug – www.macobserver.com/…
* Video showing a phone being bricked – 9to5mac.com/…
* A great video explaining what’s so special about 1970 (it’s the Unix Epoch) – www.youtube.com/…
Important Security Updates
- Patch Tuesday has been and gone with important updates from Microsoft, Adobe & Oracle: krebsonsecurity.com/…
Important Security News
- Google starts blocking pages with ads containing fake download buttons to their Safe Browsing feature in Chrome – sites with such ads will get a big red warning explaining they contain deceptive ads before the page is show – similar to warnings about bad certs – nakedsecurity.sophos.com/…
- A bill has been introduced in the US house of representatives in response to state-level bills in NY and CA that would force all smartphones sold in those states to have a back door – this bill would ban such laws at the state level – arstechnica.com/…
- Facebook have been given three months to stop tracking non-users in France – nakedsecurity.sophos.com/…
- Twitter try to fight trolls with a new “Twitter Trust & Safety Council” – nakedsecurity.sophos.com/…
- US Director of National Intelligence, James Clapper, told the US Senate that intelligence services will use internet of things devices to spy on people – nakedsecurity.sophos.com/…
- An interesting report by security researchers Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar shows just how futile mandatory encryption back doors would be – 63% f crypto products are from outside the US, so criminals and terrorists could just use those, even if secure encryption were outlawed in the US – arstechnica.com/…
- President Obama urges the use of 2 Factor Auth because passwords are not secure enough – nakedsecurity.sophos.com/…
- Instagram introduce 2 Factor Auth – www.imore.com/…
- The Locky ransomeware spreads through Word Macros, and uses social engineering to try trick users into enabling macros – the booby-trapped document is designed to look like garbage, but has a message saying that if you can’t read the document, it is because of an encoding problem that can be fixed by enabling macros – arstechnica.com/…
- A few weeks ago we reported that it appeared Dell had lost control of it’s customer database, because scammers were phoning Dell customers citing service tags and service histories to make themselves sound legitimate. Dell is now asking that anyone targeted by such scammers get in touch – they want to track down who these people are, and how they got the customer details they have – krebsonsecurity.com/…
- Google are warning of yet more insecure security software from Comodo – their security product ships with a VNC server that is insecure, and on by default – even their first attempt at fixing the problem was utterly inadequate – arstechnica.com/…
Notable Breaches
- It appears DHS and FBI employee data has been breached – nakedsecurity.sophos.com/…
- An attack on the IRS website leaks e-filing credentials for 101,000 US tax payers – arstechnica.com/…
- A bug in Lyft’s account validation is exposing some rider data – arstechnica.com/…
Suggested Reading
- Agile bits launch “1Password for Families” – a $5 a month subscription service to the password manager – www.macobserver.com/…
- An interesting history of malware on the Mac – www.intego.com/…
- An interesting rundown of how Apple have evolved OS X’s security features over time – www.intego.com/…
- The NYPD has admitted to using Sting Ray devices for over 1,000 cellphone interceptions – nakedsecurity.sophos.com/…
- Stuxnet was just the tip of the iceberg – arstechnica.com/…
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions (and like Mark Pouley you can answer your own question too if you like!), send those questions, comments and suggestions emailing me at [email protected], follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community at podfeet.com/googplus and the Facebook Group at podfeet.com/facebook. If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.
Allison and Bart – Especially enjoyed your Apple vs FBI discussion.
Thanks for your work to inform us all.
May have even evolved my position a little…