As nude celebrity photos spilled onto the web over the weekend, blame for the scandal has rotated from the scumbag hackers who stole the images to a researcher who released a tool used to crack victims’ iCloud passwords to Apple, whose security flaws may have made that cracking exploit possible in the first place. But one step in the hackers’ sext-stealing playbook has been ignored—a piece of software designed to let cops and spies siphon data from iPhones, but is instead being used by pervy criminals themselves.
On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.
The fact that Apple isn’t complicit in law enforcement’s use of Elcomsoft’s software for surveillance doesn’t make the tool any less dangerous, argues Matt Blaze, a computer science professor at the University of Pennsylvania and frequent critic of government spying methods. “What this demonstrates is that even without explicit backdoors, law enforcement has powerful tools that might not always stay inside law enforcement,” he says. “You have to ask if you trust law enforcement. But even if you do trust law enforcement, you have to ask whether other people will get access to these tools, and how they’ll use them.”
Apple issued a media advisory related to the recent celebrity photo theft, saying the accounts were compromised by a very targeted attack on user names, passwords and security questions and was not related to any breach of Apple’s systems, including iCloud.
Over the weekend a number of nude celebrity photos appeared online. Jennifer Lawrence, Kate Upton, Lea Michele, Victoria Justice and Kirsten Dunst all had their photos compromised, among others.
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
If you are a celebrity, it’s more likely that people know the name of your first pet, or your mother’s maiden name…
Rumors are pretty solid about the iPhone 6, but it’s unclear whether there are going to be any wearables, iWatches, or similar.
And the rumors about them are as varied as the rumors were about the original iPhone. So, how accurate are those rumors? Take a look at what people predicted the iPhone will look like, and take that as a reference…
I’ve heard of that boolean arithmetic. Let’s give it a try.
js> true+true===2
Ah. It looks like true is equal to one. I’ll just check.
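The coercion behind that REPL line is worth seeing spelled out. The block below is an added example, not part of the quoted post: it re-implements the ECMAScript ToNumber and Abstract Equality (==) rules for primitive values and cross-checks the model against the engine’s own operators, which shows why true + true === 2 holds while true === 1 does not. The list of test pairs is constructed.

```javascript
// Added example, not from the quoted post: the ECMAScript ToNumber and
// Abstract Equality (==) rules for primitive values, re-implemented and
// cross-checked against the engine's own operators. It shows why
// true + true === 2 holds (both operands become numbers) while true === 1
// does not (strict equality never converts types).

// ToNumber as applied by binary + without a string operand, and by ==.
function toNumber(v) {
  if (v === null) return 0;
  if (v === undefined) return NaN;
  if (typeof v === "boolean") return v ? 1 : 0;
  if (typeof v === "string") return v.trim() === "" ? 0 : Number(v);
  return v; // numbers pass through; objects and symbols are out of scope here
}

function isNullish(v) {
  return v === null || v === undefined;
}

// Abstract Equality Comparison for primitives, following the spec's case order.
function looselyEqual(a, b) {
  const ta = typeof a;
  const tb = typeof b;
  if (ta === tb) return a === b;                              // same type: behaves like ===
  if (isNullish(a) && isNullish(b)) return true;              // null == undefined
  if (ta === "boolean") return looselyEqual(toNumber(a), b);  // booleans become 0/1 first
  if (tb === "boolean") return looselyEqual(a, toNumber(b));
  if (ta === "number" && tb === "string") return a === toNumber(b);
  if (ta === "string" && tb === "number") return toNumber(a) === b;
  return false;                                               // e.g. null == 0 is false
}

// The arithmetic from the post: + applies ToNumber to both booleans.
function booleanSum(a, b) {
  return toNumber(a) + toNumber(b);
}

// Constructed pairs where == and === diverge (or famously do not).
const CASES = [
  [true, 1], [true, "1"], [true, 2], [false, 0], [false, ""],
  [null, undefined], [null, 0], [undefined, false], ["0", false], [NaN, NaN],
];

// Compare the model against the engine for every pair.
function spotCheck() {
  return CASES.map(([a, b]) => ({
    a,
    b,
    strict: a === b,
    loose: a == b,               // deliberate loose comparison: this is what we model
    model: looselyEqual(a, b),
  }));
}
```

The takeaway for review work: the + and == operators silently route booleans through ToNumber, so a comparison written with == can pass on inputs that a stricter check would reject; the model above makes that path explicit.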
For the occasion, it appears that Apple has been building a massive structure on the campus, which has been kept under tight wraps with a white barricade. A MacRumors reader has sent in images of a mysterious structure at the Flint Center, which appears to span three stories and is protected by “scads” of security people. Administrators had previously declined to comment on what the structure is for, stating only “We are not at liberty to discuss that due to client wishes.”
Apple has not held an event at the Flint Center in many years, so the company’s return to the site of the original Mac unveiling suggests its upcoming announcement will be a major one. The Flint Center has a much higher seating capacity than other venues where Apple has unveiled products in the past, including the Yerba Buena Center and its own Cupertino campus.
Could be just a “here’s a new iPhone model, and it has NFC” but somehow it feels different. I’m going to keep a spare set of pants on standby.
We show that the MEMS gyroscopes found on modern smart phones are sufficiently sensitive to measure acoustic signals in the vicinity of the phone. The resulting signals contain only very low-frequency information (<200Hz). Nevertheless we show, using signal processing and machine learning, that this information is sufficient to identify speaker information and even parse speech. Since iOS and Android require no special permissions to access the gyro, our results show that apps and active web content that cannot access the microphone can nevertheless eavesdrop on speech in the vicinity of the phone.
Apple’s documentation on the tel scheme is really short and easy to read. While reading the first paragraph something caught my attention:
When a user taps a telephone link in a webpage, iOS displays an alert asking if the user really wants to dial the phone number and initiates dialing if the user accepts. When a user opens a URL with the tel scheme in a native app, iOS does not display an alert and initiates dialing without further prompting the user.
So if I click the link in Safari, I get the prompt asking me to confirm my action; if I click the link in a native app’s webView, it doesn’t ask and performs the action right away (makes the call).
Do people read documentation?
No. And it’s bad.
I instantly assumed people do read documentation so there was no way a big player like Facebook, Twitter, Google, LinkedIn, etc. would do such a silly mistake… but I was wrong.
This is the only time in my entire programming life that I’ve debugged a problem caused by quantum mechanics.
The guys at Sophos know they’re breaking standard web-functionality and have a fix ready but will not release it to its free customers.
Oh, and you know what else they said? They said I should just tell our customers to disable Sophos Antivirus to fix the issue. Being the compliant guy I always am that’s exactly what I’ll do:
Stop using Sophos Antivirus, now.
In sum and once again: Amazon is not your friend. Neither is any other corporation. It and they do what they do for their own interest and are more than willing to try to make you believe that what they do for their own benefit is in fact for yours. It’s not. In this particular case, this is not about readers or authors or anyone else but Amazon wanting eBooks capped at $9.99 for its own purposes. It should stop pretending that this is about anything other than that. Readers, authors, and everyone else should stop pretending it’s about anything other than that, too.
Apple may well be the only tech company on the planet that would dare compare itself to Picasso.
In a class at the company’s internal training program, the so-called Apple University, the instructor likened the 11 lithographs that make up Picasso’s “The Bull” to the way Apple builds its smartphones and other devices. The idea: Apple designers strive for simplicity just as Picasso eliminated details to create a great work of art.
Steven P. Jobs established Apple University as a way to inculcate employees into Apple’s business culture and educate them about its history, particularly as the company grew and the tech business changed. Courses are not required, only recommended, but getting new employees to enroll is rarely a problem.
Although many companies have such internal programs, sometimes referred to as indoctrination, Apple’s version is a topic of speculation and fascination in the tech world.
It is highly secretive and rarely written about, referred to briefly in the biography of Mr. Jobs by Walter Isaacson. Apple employees are discouraged from talking about the company in general, and the classes are no exception. No pictures of the classrooms have surfaced publicly. And a spokeswoman for Apple declined to make instructors available for interviews for this article.
There’s a nice little feuilleton in the New York Times looking at why everyone whines about their iPhone slowing down when Apple releases a new variant.
Starting from a personal complaint by a professor, one of his students looks at the incidence for “iPhone slow” in Google Trends and notes that there’s a leap every time a new model is released.
That is released – not announced – so it must come from actual use, rather than just thinking that it isn’t quite up to date.
It’s also noted that releases of new Samsung models do not coincide so strongly with leaps in similar search terms. Obviously there’s something specific to Apple here, and that’s that major upgrades to the iPhone coincide with upgrades to iOS, something which 90 per cent of iPhone users will implement.
Famously, Android users do not tend to upgrade their OS over time. So, we might think that this observed slow-down is a result of trying to run the new OS on old hardware which isn’t quite up to supporting it. And we’d probably be right there.
However, we can now go off on our own and go a little further than this. For what’s really remarkable about these OS upgrades is how good Apple has been at keeping new versions of iOS compatible with old versions of hardware. No one at all would suggest running today’s Samsung bloatware (that bit that floats around on top of Android) on hardware three years old. But it seems perfectly acceptable to be running this year’s iOS on old kit. It’s also at this point that we can wander off into a couple of bits of economics for illumination.
It’s official: Windows 8 is a write-off. Sales for the operating system have been poor and now it is even starting to lose market share to Windows 7. To Microsoft’s credit, it has bravely persisted in addressing issue after issue. Most notable was the major Windows 8.1 Update 1 patch released in April, which makes the OS a genuinely credible platform. Still it remains far from perfect and now Microsoft is prematurely pulling the plug.
In a blog post by Microsoft Senior Marketing Communications Manager Brandon LeBlanc, he explains that there will be no more major update releases for Windows 8: “despite rumours and speculation, we are not planning to deliver a Windows 8.1 ‘Update 2’.”
Word has it that Windows XP, Vista, and 7 might be allowed to upgrade free of charge to Windows 9 in order to boost adoption of the new operating system and thus convince more users to upgrade. This would clearly help not only Microsoft, but also the PC industry, which is still struggling to boost sales despite the release of the Windows 8 modern operating system.
People who upgraded to windows 8 have been punished enough. Poor bastards.
Microsoft Corp must turn over a customer’s emails and other account information stored in a data center in Ireland to the U.S. government, a judge ruled on Thursday, in a case that has drawn concern from privacy groups and major technology companies.
Microsoft and other U.S. companies had challenged the warrant, arguing it improperly extended the authority of federal prosecutors to seize customer information held in foreign countries.
Following a two-hour court hearing in New York, U.S. District Judge Loretta Preska said a search warrant approved by a federal magistrate judge required the company to hand over any data it controlled, regardless of where it was stored.
“It is a question of control, not a question of the location of that information,” Preska said.
So Microsoft can break US law by not handing them over, or European privacy laws by handing them over. Seems like this may be the end of off-shore data centers for US companies…
Russia has proposed that Apple Inc and SAP hand the government access to their source code to make sure their widely used products are not tools for spying on state institutions.
Apple’s App Store design is a big part of the problem. The dominance and prominence of “top lists” stratifies the top 0.02% so far above everyone else that the entire ecosystem is encouraged to design for a theoretical top-list placement that, by definition, won’t happen to 99.98% of them. Top lists reward apps that get people to download them, regardless of quality or long-term use, so that’s what most developers optimize for. Profits at the top are so massive that the promise alone attracts vast floods of spam, sleaziness, clones, and ripoffs.
Quality, sustainability, and updates are almost irrelevant to App Store success and usually aren’t rewarded as much as we think they should be, and that’s mostly the fault of Apple’s lazy reliance on top lists instead of more editorial selections and better search.
The best thing Apple could do to increase the quality of apps is remove every top list from the App Store.
In 1991 Steve Jobs’ company commissioned a head-to-head programming competition to show how much faster and easier it was to program a NeXT computer vs a Sun workstation. The NeXT operating system went on to be the foundation for Apple’s Macintosh OS X about a decade later.
As a veteran of the aerospace industry, I’m very familiar with layoff notices. During the almost-decade I spent working for Boeing, I survived probably a dozen major reductions in force, and they all had two things in common: a plainly stated promise of an open and transparent process and a hilariously terrible lack of actual transparency.
Well, congratulations to Satya Nadella and the Microsoft HR and communications teams, because you’re stealing from the best—or maybe you all took the same course in corporate doubletalk and truthiness as part of your MBA programs. Microsoft this morning announced far and away the largest round of layoffs in its history, and Nadella’s e-mail drips with that familiar mixture of faux sympathy and non-information that is so typical of carefully managed corporate communication.
There’s a name for this kind of uninformative spin-talk: it’s known as “ducking and fucking.”
This, sadly, is not a Microsoft-specific issue; it’s standard all across not just the tech industry but essentially every large American company.
The first sentence of any story sets the tone—and look at the robo-sentence the Microsoft layoff notification e-mail starts off with:
Last week in my email to you I synthesized our strategic direction as a productivity and platform company.
Leading off with a sentence like this immediately creates distance between the reader and the speaker—the kind of distance necessary to dehumanize both parties so that the big blow to come hurts less. The corporate-speak continues with creaky euphemism after creaky euphemism, including using the phrase “workforce realignment” instead of simply saying “staff reduction” or “layoff.” People and corporations both use euphemisms to cloak unpleasantness; however, it’s much more honest and personal to simply speak the unadorned truth when dealing with people’s livelihoods. “We’re going to realign our work force” might sound a lot better than “we’re firing 18,000 people,” but the latter more properly informs employees that jobs are going to be lost and lives are going to be affected.
“synthesizing a strategic direction”, right? If you were up until that minute the person responsible for corporate strategic direction, that is the very last thing you care about. Because it has instantly become completely irrelevant to you. Forever. So, yeah, great way to start.
And don’t get me started on how you talk about Microsoft’s strategy being focused on productivity and our desire to help people “do more” and then list Xbox as an example.
Shortly after the initial news came out that the NSA faked Google and Yahoo servers with stolen or faked certificates:
the German computer magazine c’t issued a warning that it is a security risk when Microsoft automatically updates its list of certificates without the user noticing, so that dubious certificates could easily get into the Windows certificate list, which is trusted by web browsers like Internet Explorer or Google Chrome for Windows:
After reading this, I filed a bug in Chromium, which was then dismissed as a “won’t fix”, with the Chromium developers saying that the certificate list is “signed by Microsoft” and there would not be any break in the “chain of trust”.
And now I see this message from Google:
“On Wednesday, July 2, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by the National Informatics Centre (NIC) of India, which holds several intermediate CA certificates trusted by the Indian Controller of Certifying Authorities (India CCA).
The India CCA certificates are included in the Microsoft Root Store and thus are trusted by the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox is not affected because it uses its own root store that doesn’t include these certificates.
We are not aware of any other root stores that include the India CCA certificates, thus Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally, Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning, although misissued certificates for other sites may exist.”
“Update Jul 9: India CCA informed us of the results of their investigation on July 8. They reported that NIC’s issuance process was compromised and that only four certificates were misissued; the first on June 25. The four certificates provided included three for Google domains (one of which we were previously aware of) and one for Yahoo domains. However, we are also aware of misissued certificates not included in that set of four and can only conclude that the scope of the breach is unknown.”
Now Microsoft has removed the certificates in question and it turns out that the issue affected 45 domains:
In view of this list, the advice from Google looks especially funny:
“Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of widespread abuse and we are not suggesting that people change passwords.”
The Microsoft certificate list is used in the browser Chrome. Faking a Google server is difficult, since Chrome checks its certificate by different means, and that was how the attack was revealed. But Chrome does not have a similar check for Yahoo. If that attack did not work after all, the hackers would not have used it.
But still, Google explicitly does not suggest that anyone should change passwords…
Is it reasonable to expect mere mortals to have mastery over every facet of the development stack? Probably not, but Facebook can ask for it. I was told at OSCON by a Facebook employee that they only hire ‘Full Stack’ developers. Well, what does that mean?
Microsoft is offering a limited time Surface Pro 3 promotion via which users can get up to $650 in store credit for trading in certain Apple MacBook Air models.
The new promotion, running June 20 to July 31, 2014 — “or while supplies last” — requires users to bring MacBook Airs into select Microsoft retail stores in the U.S., Puerto Rico and Canada. (The trade-in isn’t valid online.)
“while supplies last” is probably the least of their worries…
Here recently I ran by the store on the way home to pick up some milk. Was in a rush and left my Surface Pro on the front seat, in
When I came out, I discovered someone had broken into my car and left three more Surface Pros.
By the time its entire fleet of 24 satellites has launched in 2018, Skybox will be imaging the entire Earth at a resolution sufficient to capture, for example, real-time video of cars driving down the highway. And it will be doing it three times a day.
The ability to take such frequent imaging will certainly aid Google’s Maps product, but it also opens up a market for competitive intelligence. Skybox says they are already looking at Foxconn every week and are able to pinpoint the next iPhone release based on the density of trucks outside their manufacturing facilities.
This NYT profile of Tim Cook opens with a harrowing anecdote from the Apple CEO’s early life in 1970s Alabama:
Bicycling home on a new 10-speed, [Cook] passed a large cross in flames in front of a house — one that he knew belonged to a black family. Around the cross were Klansmen, dressed in white cloaks and hoods, chanting racial slurs. Mr. Cook heard glass break, maybe someone throwing something through a window. He yelled, “Stop!”
One of the men lifted his conical hood, and Mr. Cook recognized a deacon from a local church (not Mr. Cook’s). Startled, he pedaled away.
Reflecting on this event in December during his acceptance speech for Auburn University’s International Quality of Life Award, he said, “This image was permanently imprinted in my brain, and it would change my life forever” — human rights and dignity are “values that need to be acted upon,” and Apple is a company that believes in “advancing humanity.”
Of course. Remember this?
I wonder if that deacon is still alive. I want him to see how vastly that one act of hatred has backfired…
What we saw last week at WWDC 2014 would not have happened under Steve Jobs
So you can run the Google Docs store app in Chrome as a Chrome App which runs as an App on my android device, or, alternatively, run the Google Docs store app in Firefox as a web app which runs as an app on Firefox OS?
What does the word “app” even mean?
Microsoft is challenging the authority of federal prosecutors to force the giant technology company to hand over a customer’s email stored in a data center in Ireland.
The objection is believed to be the first time a corporation has challenged a domestic search warrant seeking digital information overseas. The case has attracted the concern of privacy groups and major United States technology companies, which are already under pressure from foreign governments worried that the personal data of their citizens is not adequately protected in the data centers of American companies.
Verizon filed a brief on Tuesday, echoing Microsoft’s objections, and more corporations are expected to join. The Electronic Frontier Foundation is working on a brief supporting Microsoft. European officials have expressed alarm.
In a court filing made public on Monday, Microsoft said that if the judicial order to surrender the email stored abroad is upheld, it “would violate international law and treaties, and reduce the privacy protection of everyone on the planet.”
Sounds very noble of Microsoft, but it would be more honest to say that if they lose this one, everybody will stop doing business with companies that operate in more than one jurisdiction. Which would kill them.
It wasn’t touted onstage, but a new iOS 8 feature is set to cause havoc for location trackers, and score a major win for privacy. As spotted by Frederic Jacobs, the changes have to do with the MAC address used to identify devices within networks. When iOS 8 devices look for a connection, they randomize that address, effectively disguising any trace of the real device until it decides to connect to a network.
“Any phone using iOS 8 will be invisible to the process”
Why are iPhones checking out Wi-Fi networks in disguise? Because there’s an entire industry devoted to tracking customers through that signal. As The New York Times reported last summer, shops from Nordstrom’s to JC Penney have tried out the system. (London even tried out a system using public trash cans.) The system automatically logs any phone within Wi-Fi range, giving stores a complete record of who walked into the shop and when. But any phone using iOS 8 will be invisible to the process, potentially calling the whole system into question.
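The reason randomisation defeats the tracking described above is visible in the address bits themselves. The block below is an added example, not from the article: it classifies MAC addresses by the IEEE 802 U/L flag (bit 1 of the first octet, set for locally administered addresses) and I/G flag (bit 0, set for group addresses), and summarises a constructed probe-request capture to show how many stable device identifiers a passive listener actually gets. It assumes, as the convention requires, that randomised addresses set the U/L bit; the log lines and addresses are constructed, using the IANA documentation range for the “hardware” ones.

```javascript
// Added example, not from the article: telling a randomised, locally
// administered MAC address apart from a burned-in one. In IEEE 802 addresses the
// first octet's bit 1 is the U/L flag (1 = locally administered) and bit 0 is the
// I/G flag (1 = group/broadcast); the first three octets of a universal address
// are the vendor's OUI. Assumed here: randomised addresses set the U/L bit, as
// the convention requires. The capture lines are constructed, not a real trace.
function parseMac(mac) {
  const parts = mac.trim().split(/[:-]/);
  if (parts.length !== 6 || !parts.every((p) => /^[0-9a-f]{2}$/i.test(p))) {
    throw new Error(`malformed MAC address: ${mac}`);
  }
  return parts.map((p) => parseInt(p, 16));
}

function classifyMac(mac) {
  const octets = parseMac(mac);
  const group = (octets[0] & 0x01) !== 0;
  const locallyAdministered = (octets[0] & 0x02) !== 0;
  // An OUI only identifies a vendor for universally administered addresses.
  const oui = locallyAdministered
    ? null
    : octets.slice(0, 3).map((o) => o.toString(16).padStart(2, "0").toUpperCase()).join(":");
  return { group, locallyAdministered, oui };
}

// Constructed probe-request log, in the style of a monitor-mode capture summary.
// 00:00:5E:00:53:xx is the IANA range reserved for documentation, standing in for
// real burned-in addresses; the da:/7e: addresses have the U/L bit set.
const CAPTURE = [
  "12:00:01.120 probe-req src=00:00:5e:00:53:01 ssid=<broadcast>",
  "12:00:01.480 probe-req src=da:a1:19:2b:3c:4d ssid=<broadcast>",
  "12:00:02.010 probe-req src=00:00:5e:00:53:01 ssid=<broadcast>",
  "12:00:02.550 probe-req src=7e:12:34:56:78:9a ssid=<broadcast>",
  "12:00:03.075 probe-req src=00:00:5e:00:53:02 ssid=<broadcast>",
  "12:00:03.600 probe-req src=da:a1:19:2b:3c:4d ssid=<broadcast>",
];

// Summarise what a passive listener could actually tie to a physical device.
function summarizeProbes(lines) {
  const hardware = new Set();     // stable identifiers: linkable across visits
  const randomized = new Set();   // per-session identifiers: not tied to a device
  let probes = 0;
  for (const line of lines) {
    const m = /src=([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})/i.exec(line);
    if (!m) continue;                                  // not a probe line we understand
    probes += 1;
    const c = classifyMac(m[1]);
    if (c.group) continue;                             // group bit set: never a station's own address
    (c.locallyAdministered ? randomized : hardware).add(m[1].toLowerCase());
  }
  return {
    probes,
    distinctHardwareDevices: hardware.size,
    distinctRandomizedAddresses: randomized.size,
    hardwareOuis: [...hardware].map((mac) => classifyMac(mac).oui),
  };
}
```

On the constructed capture, three of six probes still expose two stable hardware addresses, while the other three expose addresses that carry no vendor prefix and need not repeat on the next visit. The same check is useful the other way round: an owner can confirm that a device’s probe traffic really does carry the U/L bit before trusting the privacy feature.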
Just for fun, I decided to launch a new Linux server and run rm -rf / as root to see what remains. As I found out, rm lives in the future with idiots like me, so you have to specify --no-preserve-root to kick this exercise off.
For the first time, iOS 8 opens up the keyboard to developers. And once new keyboards are available, you’ll be able to choose your favorite input method or layout systemwide.
Braille keyboard anyone?