LET Eggs=N+1. LET Baskets = 1.

August 7th, 2012

Getting beyond the particulars of how hackers used social engineering to get Mat Honan's passwords reset and his iOS and Mac OS devices remotely wiped, for my money here's the key lesson of the whole sorry saga:

I bought into the Apple account system originally to buy songs at 99 cents a pop, and over the years that same ID has evolved into a single point of entry that controls my phones, tablets, computers and data-driven life. With this AppleID, someone can make thousands of dollars of purchases in an instant, or do damage at a cost that you can't put a price on.

This isn't just about Apple – it's about all the corporations expanding from their original niches into as many corners of our online life as possible.1 Having a single sign-on is scary, and only gets more so as the uses of that ID expand over time.2

I'd like to think that scares like this would motivate Apple, Amazon, Google, Microsoft and the rest to get this stuff right lest the public be discouraged from signing up for all the different services they offer, but I fear that convenience wins out all too often.

  1. For what it's worth, I haven't enabled iCloud on my Mac Mini or my iPod Touch. Not because I foresaw this sort of problem; it's just that I don't see the benefit of iCloud. I bought my iPod Touch as a replacement PDA, not a device for accessing the internet on the move. In any case, when I'm at work I'm not in range of an accessible WiFi service, so my iPod Touch isn't going to be accessing iCloud anyway.
  2. I dread the day when Apple finally make some feature I really want/need insist upon having access to iCloud. That might be my cue to take a close look at whatever the successor to the Nexus 7 turns out to be.

OAuth is your future

May 14th, 2012

OAuth is your future. What a cheerful thought.

Java updated

April 27th, 2012

Good news and bad news for Mac users.

I wondered what software update/new release was finally going to prod me into updating to Lion; I think this might just be it.

[Via Ars Technica]

(DNS) Changes

March 28th, 2012

Paul Vixie has posted details of his work in dismantling a network of DNS servers being used to redirect internet traffic from computers infected with the DNS Changer malware. The problem is, even after all that work there are still hundreds of thousands of internet users with infected computers and/or routers, just waiting for someone to pick up where DNS Changer left off:

Internet users are endlessly bombarded with warnings about their security and with offers of services and software (some of it apparently "free") offering to make their computers healthier. The victims of DNS Changer are by this time jaded or overwhelmed or both. The Internet seems to be a very dangerous place, and most Internet users probably feel that they could spend more than half their waking hours just installing patches and responding to warnings – unless they just put their heads down, ignore all that noise, and try instead to get their work (or play) done. I am sympathetic to this mindset. The problem is, the Internet really is that dangerous, and people really do need to pay more attention to the dangers of unpatched or infected computers.

Short of jumping into a TARDIS and going back to 1982 to give various heads of computer companies a stern talking-to about the need to make designing secure systems a top priority, I don't see a good way out of this problem beyond passing it to ISPs and having them cut off internet access for customers still using infected systems until they clean up. Which isn't going to happen any time soon, and is a terrible idea anyway.
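The one check an infected user (or the friend cleaning up their machine) actually needs is whether the resolvers the system is using still point into the hijacked address space. The script below is an added example, not Paul Vixie's code or any DNS Changer Working Group tool. The CIDR list is my recollection of the ranges the FBI notice published for DNS Changer; treat it as an assumption and confirm it against the official list before relying on it. `SAMPLE_RESOLV_CONF` is constructed input.

```python
"""Check resolver settings against the DNS Changer rogue-server ranges.

Added example; not Paul Vixie's or the DCWG's code. ROGUE_RANGES is my
recollection of the ranges in the FBI notice (assumption: verify against the
published list). SAMPLE_RESOLV_CONF is constructed input.
"""
import ipaddress

ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0 - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0   - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0 - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0   - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0 - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0  - 64.28.191.255
)]

SAMPLE_RESOLV_CONF = """\
# constructed sample: three resolvers, one inside a rogue range
search example.com
nameserver 192.0.2.53
nameserver 85.255.112.10 ; trailing comment, as resolv.conf allows
nameserver 2001:db8::53
options timeout:2
"""


def parse_resolv_conf(text):
    """Return the nameserver addresses found in resolv.conf-style text.

    '#' and ';' comments are stripped, other directives (search, options)
    are ignored, and a malformed address is skipped rather than crashing."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return servers


def rogue_resolvers(servers, ranges=ROGUE_RANGES):
    """Addresses (as strings) that fall inside any rogue range.

    An IPv6 resolver is never 'in' an IPv4 network, so it simply never matches."""
    return [str(s) for s in servers if any(s in net for net in ranges)]


def check_text(text):
    """Parse and classify in one call: returns (all_resolvers, rogue_resolvers)."""
    servers = parse_resolv_conf(text)
    return [str(s) for s in servers], rogue_resolvers(servers)


if __name__ == "__main__":
    import sys
    # Pass a path (e.g. /etc/resolv.conf) to check a real file; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESOLV_CONF
    found, bad = check_text(text)
    print("resolvers:", found)
    print("in rogue ranges:", bad or "none")
```

A clean result here only says the resolver setting is not pointing at the known rogue space; it says nothing about whether the machine or the home router that hands out resolvers is still infected, which is exactly the point Vixie makes.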

[Via rc3.org]

You'll put someone's eye out with that thing…

March 5th, 2012

This anti-theft briefcase is a lawsuit waiting to happen.

[Via Bruce Schneier]

'I guess passwords aren't the only things that change.'

February 11th, 2012

The CAPTCHA from hell.

[Via Bruce Schneier]

Open prisons

November 14th, 2011

"In theory" is one of the scariest phrases in the world of computing. Take this story about vulnerabilities in the computer systems used to run some federal prisons in the USA:

While the computers that are used for the system control and data acquisition (SCADA) systems that control prison doors and other systems in theory should not be connected to the Internet, the researchers found that there was an Internet connection associated with every prison system they surveyed. In some cases, prison staff used the same computers to browse the Internet; in others, the companies that had installed the software had put connections in place to do remote maintenance on the systems.

[Emphasis added]

[Via Bruce Schneier]

Watch the skies

November 4th, 2011

From the Department of What Could Go Wrong:

Police in Montgomery County, Texas reportedly plan to deploy drones capable of carrying "less lethal" weapons:

[Michael Buscher, CEO of Vanguard Defense Industries said that their drones ...] are designed to carry weapons for local law enforcement. "The aircraft has the capability to have a number of different systems on board. Mostly, for law enforcement, we focus on what we call less lethal systems," he said, including Tazers that can send a jolt to a criminal on the ground or a gun that fires bean bags known as a "stun baton."

From the Department of Cargo Cults:

Nicholas Negroponte appears to have decided that the way to revive the One Laptop Per Child project is to resort to desperate measures:

The One Laptop Per Child (OLPC) project has devised a bizarre plan for deploying its new XO-3 tablet. The organization plans to drop the touchscreen computers from helicopters near remote villages in developing countries. The devices will then be abandoned and left for the villagers to find, distribute, support, and use on their own.

OLPC founder Nicholas Negroponte is optimistic that the portable devices – which will be stocked with electronic books – will empower children to learn to read without any external support or instruction.

[Drone story via Bruce Schneier, OLPC story via MetaFilter]

Skynet? Is that you?

October 8th, 2011

File under 'Famous last words': Computer Virus Hits U.S. Drone Fleet:

A computer virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other warzones.

The virus, first detected nearly two weeks ago by the military's Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech's computers, network security specialists say. [...]

"We keep wiping it off, and it keeps coming back," says a source familiar with the network infection, one of three that told Danger Room about the virus. "We think it's benign. But we just don't know." [...]

Retaliation for Stuxnet, or someone too high up the chain of command to be told what to do getting a bit careless with their USB drive and bringing in some malware they picked up on their home PC?

The answer, of course, is '**********'

August 22nd, 2011

Worst. Security. Question. Ever!

correct horse battery staple

August 15th, 2011

Prompted by xkcd's take on creating passwords, Troy Hunt reminds us that the problem isn't coming up with a good password, it's remembering it – and the three dozen or more passwords for other accounts that you created using the same method – afterwards:

The issue is simply this: you can't apply [the xkcd-endorsed approach of stringing together four random common words together to make a password] consistently (if at all, in some cases) and uniquely across all your accounts and remember what on earth they are and which sites they belong to. In fact you're really back at the conclusion in the first part of the strip with the character substitution password where Randall concludes "Difficulty to remember: hard".

Sadly, in the absence of a widely supported,1 secure portable online authentication and identification system, we're pretty much stuck with having to remember dozens of passwords.2

[Via The Tao of Mac]

  1. Which is to say, 'supported by everyone who does online commerce, including the banks, credit card companies, PayPal, Amazon and the iTunes Store.'
  2. I've been using SplashID on my various PalmOS devices for a few years now, and happily it also works nicely on the iPod Touch that I now use as my PDA. It's far safer than relying on my memory.

Utter Idiocy.

August 4th, 2011

Possibly the Stupidest Bank in the World?

Essentially, my bank is asking me to install a keylogger. Just so they can warn me not to use the same password on suntrust.com and playboy.com.

[Via The Tao of Mac]

Threat Model II: When Threats Collide

June 16th, 2011

Cinemas are getting into the habit of projecting 2D films using lenses designed for 3D films, even though this can render the onscreen image unacceptably dim. Part of the reason for this is that projectionists may not have the technical skills required to swap out a 3D lens. Partly, it's that cinemas imagine that not running the bulb at full power will prolong the bulb's operating life. And partly it's because of security measures built into many modern projectors that require passwords and logins and can shut the projector down if you screw up. Wendy M Grossman sees two threat models colliding:

Hollywood is making a trade-off here: believing that 3D and digital are the new technologies that will get people back into theaters BUT believing that anything not locked down will be copied and redistributed without payment, the studios et al have opted to secure the projectors. Understandable. But in doing so, they've made it difficult for the people running the projectors to do their jobs properly. So they don't, and the long-term consequence will be the alienation of customers and loss of revenues.

[Via Bruce Schneier]

A million here, a million there – before you know it you're talking about serious numbers of users

June 13th, 2011

The largest data breaches of all time, compared.

I feel quite fortunate that as far as I can tell not a single one of those incidents would have involved my personal details.1 I shouldn't get too complacent: I have a horrible feeling that if you extended the chart to cover the next 20 or 30 incidents then I'd see a familiar name or two.

Between the effects of governmental incompetence, corporate laxity and plain old malware, I wonder how many of us don't have our personal details up for sale, on a list alongside 99,999 other poor saps, on some dodgy bulletin board somewhere.

  1. Unless one of the organisations involved was holding/processing data on behalf of a company I've had dealings with.

Sony passwords = Gawker passwords = ?

June 7th, 2011

Troy Hunt undertook a brief Sony password analysis, using email address and password information from some 37,000 registered users of Sony Pictures that is now freely available to download, thanks to the efforts of LulzSec. His most interesting findings relate to password re-use:

  • 92% of users with multiple accounts recorded in various Sony databases across their different services and locations used the same password for more than one account.
  • Comparing the Sony data with the account details released during the Gawker data loss last year, 67% of users who had registered with Sony and Gawker using the same email address also used the same password for both accounts.1

There are lots of other fascinating scary statistics in Hunt's post. I'd love to write more about this, but I have to go and update some account details on some web sites. Now!

[Via Waxy.org Links]

  1. Admittedly, there were only 88 instances of the same email address being used at Sony and Gawker, so the small sample size may mean that this isn't representative of the wider picture. In a world where passwords still end up jotted down on Post-It™ notes, it feels believable, though.
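The two figures above come from a simple measurement: join the dumps on e-mail address and compare plaintext passwords. This is an added example of that measurement, not Troy Hunt's code, and the records are constructed (invented addresses and passwords in an assumed `service,email,password` layout), not the Sony or Gawker data.

```python
"""Password re-use across breach dumps: the measurement behind the figures above.

Added example; not Troy Hunt's code. SONY_SAMPLE and GAWKER_SAMPLE are
constructed records (invented addresses/passwords) in an assumed
'service,email,password' layout.
"""
from collections import Counter, defaultdict

SONY_SAMPLE = """\
# service,email,password  (constructed)
sonypictures,alice@example.com,Summer2011
sonybmg,Alice@example.com,Summer2011
sonypictures,bob@example.com,hunter2
sonybmg,bob@example.com,correct horse
sonypictures,carol@example.com,qwerty123
sonybmg,carol@example.com,qwerty123
sonypictures,dave@example.com,letmein
"""

GAWKER_SAMPLE = """\
# service,email,password  (constructed)
gawker,alice@example.com,Summer2011
gawker,bob@example.com,hunter2
gawker,carol@example.com,Different!
gawker,erin@example.com,password1
"""


def parse_records(text):
    """Parse 'service,email,password' lines into (service, email, password) tuples.

    E-mail addresses are lower-cased so Alice@ and alice@ join; passwords are
    kept verbatim (a password may itself contain commas: only two splits)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        service, email, password = line.split(",", 2)
        records.append((service.strip(), email.strip().lower(), password))
    return records


def passwords_by_email(records):
    by_email = defaultdict(list)
    for service, email, password in records:
        by_email[email].append((service, password))
    return by_email


def intra_reuse(records):
    """Among users with accounts on more than one service in the same dump, count
    those who used one password on at least two of them. Returns (reusers, multi)."""
    multi = reusers = 0
    for accounts in passwords_by_email(records).values():
        if len(accounts) < 2:
            continue
        multi += 1
        passwords = [pw for _, pw in accounts]
        if len(set(passwords)) < len(passwords):
            reusers += 1
    return reusers, multi


def cross_reuse(records_a, records_b):
    """Among addresses present in both dumps, count those whose password in dump B
    equals any of their passwords in dump A. Returns (reusers, overlap)."""
    a = passwords_by_email(records_a)
    b = passwords_by_email(records_b)
    overlap = reusers = 0
    for email, accounts_b in b.items():
        if email not in a:
            continue
        overlap += 1
        passwords_a = {pw for _, pw in a[email]}
        if any(pw in passwords_a for _, pw in accounts_b):
            reusers += 1
    return reusers, overlap


def top_passwords(records, n=5):
    """The other scary statistic: the most common passwords in a dump."""
    return Counter(pw for _, _, pw in records).most_common(n)


def percent(numerator, denominator):
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


if __name__ == "__main__":
    sony = parse_records(SONY_SAMPLE)
    gawker = parse_records(GAWKER_SAMPLE)
    r, m = intra_reuse(sony)
    print(f"same password across Sony services: {r}/{m} = {percent(r, m)}%")
    r, o = cross_reuse(sony, gawker)
    print(f"same password at Sony and Gawker: {r}/{o} = {percent(r, o)}%")
    print("most common Sony passwords:", top_passwords(sony, 3))
```

Note that this only works at all because both dumps held passwords in the clear; with salted hashes the cross-site comparison would need each candidate hashed under the other site's salt, which is the whole reason to hash in the first place.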

NewsTweaked

May 30th, 2011

Quote of the day: Charlie Stross,1 quoting a character from his forthcoming novel, Rule 34

"The twenty-first century so far has been a really fucking awful couple of decades for paranoid schizophrenics".

  1. Prompted by a demo of NewsTweak.

SpyPhones and Unlocked Dropboxes

April 21st, 2011

John Naughton has posted a good summary of the varying reactions to the 'spyPhone' story as it has developed over the last day or so:

Firstly, lots of people began posting maps of where their iPhones had been, which is a clear demonstration of the First Law of Technology – which says that if something can be done then it will be done, irrespective of whether it makes sense or not.

To my mind, this story is much like the Dropbox insecurity stories that broke over the last week.

Geeks who are motivated enough to pay attention will mostly understand that:

  1. Mobile phone carriers have always been able to plot the approximate location of your phone over time according to which cell towers it connects to. Which means that the truly interesting element of this story is that iOS 4 seems to keep an unencrypted version of that data on your smartphone and in your phone's backups, meaning that anyone who can access your phone or an unencrypted backup of your phone on your computer could – in principle – access this data.
  2. At least some of Dropbox's system administrators are bound to have a way to access the contents of users' Dropbox folders, if only in order to comply with legally-binding requests for information from the appropriate authorities.1 The big questions here are how widespread and carefully monitored access to unencrypted copies of users' data is among Dropbox staff, and the extent to which the company's marketing claims actively misled users about how secure data held in their Dropbox is.

Never mind the geeks: the big question in both cases is whether ordinary users (and/or their employers) get so freaked out about these security issues that they look for an alternative with a better balance of convenience and security. I'm guessing that they won't, unless either company completely mishandles their response to these stories or there are new, scary developments suggesting that these vulnerabilities are being actively exploited.

  1. If you really want to secure the data you share via Dropbox, create a 'secure' container for it on your computer – be it a TrueCrypt volume, a Mac OS encrypted disk image or just a password-protected .zip file – and put that in your Dropbox folder. Of course, you'll then lose the convenience of Dropbox seamlessly doing versioning of individual files and will be dependent upon all your Dropbox client devices being able to access the same type of encrypted container. Also, the more you require users to enter passphrases to delve down to the level where they can access their files via Dropbox, the less likely they are to want to bother. Dropbox users mostly value convenience over absolute security, IMHO.
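What the footnote's 'encrypt it yourself before it syncs' advice looks like in code, as an added example that is neither Dropbox's nor this post's author's: a passphrase is stretched with scrypt and the file is sealed with AES-256-GCM, so that a wrong passphrase, a renamed container or a single altered byte all fail cleanly instead of yielding garbage. It needs the `cryptography` package; the container layout (magic tag, salt, nonce, ciphertext plus tag) is assumed here for illustration and is not a TrueCrypt or disk-image format.

```python
"""Seal a file with a passphrase before it lands in a synced folder.

Added example, not Dropbox's or this post's author's code. Uses the
`cryptography` package (Scrypt to stretch the passphrase, AES-256-GCM for the
data). The container layout MAGIC | salt | nonce | ciphertext+tag is an
assumption made for this example, not a TrueCrypt or disk-image format.
"""
import secrets
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

MAGIC = b"SYNCBOX1"   # assumed format tag
SALT_LEN = 16         # fresh salt per file: same passphrase, different key each time
NONCE_LEN = 12        # 96-bit GCM nonce, generated fresh per seal()
KEY_LEN = 32          # AES-256
TAG_LEN = 16          # GCM authentication tag appended to the ciphertext


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # Memory-hard KDF: each guess against a leaked container costs real work.
    # n=2**14 keeps this example quick; use a larger n in practice.
    kdf = Scrypt(salt=salt, length=KEY_LEN, n=2 ** 14, r=8, p=1)
    return kdf.derive(passphrase.encode("utf-8"))


def seal(plaintext: bytes, passphrase: str, filename: str) -> bytes:
    """Encrypt and authenticate `plaintext`. The file name is bound as associated
    data, so one container cannot be silently swapped in under another name."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    key = derive_key(passphrase, salt)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, filename.encode("utf-8"))
    return MAGIC + salt + nonce + ciphertext


def unseal(blob: bytes, passphrase: str, filename: str) -> Optional[bytes]:
    """Return the plaintext, or None if the passphrase is wrong, the name does not
    match, or any byte of the container was changed (the GCM tag check fails)."""
    header = len(MAGIC) + SALT_LEN + NONCE_LEN
    if not blob.startswith(MAGIC) or len(blob) < header + TAG_LEN:
        return None
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:header]
    ciphertext = blob[header:]
    key = derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, filename.encode("utf-8"))
    except InvalidTag:
        return None


def flip_last_bit(blob: bytes) -> bytes:
    """Simulate a corrupted or tampered container: one bit changed inside the tag."""
    return blob[:-1] + bytes([blob[-1] ^ 0x01])


def self_check() -> tuple:
    """Round trip plus the three failure modes; returns four booleans."""
    note = b"constructed sample: the contents of a private notes file"
    blob = seal(note, "correct horse battery staple", "notes.txt")
    return (
        unseal(blob, "correct horse battery staple", "notes.txt") == note,
        unseal(blob, "wrong passphrase", "notes.txt") is None,
        unseal(blob, "correct horse battery staple", "other.txt") is None,
        unseal(flip_last_bit(blob), "correct horse battery staple", "notes.txt") is None,
    )


if __name__ == "__main__":
    print(self_check())  # (True, True, True, True)
```

The trade-off the footnote describes is visible in the code: every file is now an opaque blob, so the sync service can version and de-duplicate only whole containers, and every device that needs the file needs both the tool and the passphrase.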

Sing it back, sing it back, sing it back to me…

March 30th, 2011

From One Thing Well, a clever way to come up with a secure but memorable password:

Talking of password generation, if you need to come up with a secure password without the help of software, you should make it one you can sing!

[...]

As an example, my favourite Prince & The Revolution B-side is She's Always In My Hair, and the second verse has been stuck in my head for a decade or two:

Whenever I feel like not 2 great at all
Whenever I'm all alone
And even if I hit the wrong notes
She's always in my boat
She's always there

Take the initial letters, and you get:

wifln2gaawiaaaeiihtwnsaimbsat

Nice. My only problems with this technique are that

  1. I have a lousy memory for lyrics.1
  2. Given the number of passwords I have to remember these days, I have a horrible feeling that I'd end up forgetting not just the password, but which song was associated with which account/password.

  1. The consequences of which could be ameliorated by my making sure that whichever track I chose is on my iPod and has lyrics. I'm fairly confident that once I saw the lyrics I'd quickly remember which verse I'd used to generate the password.
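The two 'memorable password' schemes on this page, the four random words from the xkcd post above and the lyric initials from this one, side by side as an added example (not xkcd's, Troy Hunt's or One Thing Well's code). The difference worth seeing is that only the first has a strength you can compute: the words are drawn uniformly from a known list, so the entropy is `count * log2(N)`, whereas the initials of a verse are only as unpredictable as your choice of song. `WORDS` is a constructed 16-word sample list; a real list such as Diceware has 7776 words, which is where the strength comes from.

```python
"""Two memorable-password schemes side by side.

Added example; not xkcd's, Troy Hunt's or One Thing Well's code. WORDS is a
constructed toy list (a real list like Diceware has 7776 words). VERSE is
the verse quoted in the post.
"""
import math
import secrets

WORDS = [
    "correct", "horse", "battery", "staple", "orange", "river", "window", "pencil",
    "castle", "mirror", "garden", "silver", "rocket", "planet", "button", "velvet",
]

VERSE = """\
Whenever I feel like not 2 great at all
Whenever I'm all alone
And even if I hit the wrong notes
She's always in my boat
She's always there"""


def random_passphrase(words, count=4, choose=secrets.choice):
    """The xkcd scheme: `count` words drawn independently and uniformly from `words`.

    The draw must come from a CSPRNG (secrets.choice) for the entropy figure
    from passphrase_entropy_bits() to mean anything."""
    return " ".join(choose(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Entropy of `count` uniform, independent draws from `wordlist_size` words:
    log2(N ** count) = count * log2(N).
    xkcd's figure: 4 words from 2048 = 44 bits; Diceware: 4 from 7776 ~ 51.7 bits."""
    return count * math.log2(wordlist_size)


def lyric_initials(lyrics):
    """The One Thing Well scheme: first character of each word of the verse,
    lower-cased, digits kept ('not 2 great' -> 'n2g').

    No entropy figure is computed here on purpose: the result is a function of
    one published text, so its strength cannot be measured the way a uniform
    random draw can."""
    return "".join(
        word[0].lower()
        for line in lyrics.splitlines()
        for word in line.split()
    )


if __name__ == "__main__":
    print(random_passphrase(WORDS))
    print(f"{passphrase_entropy_bits(len(WORDS), 4):.1f} bits with this toy list")
    print(f"{passphrase_entropy_bits(7776, 4):.1f} bits with a 7776-word list")
    print(lyric_initials(VERSE))
```

Run against the verse from the post, `lyric_initials` reproduces the string given there, which is a useful sanity check on the rule ("I'm" and "She's" contribute only their first letter).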

The SpyTunes Saga

February 21st, 2011

Andrew McAfee has found a hole in the iTunes Store privacy model: if you try to gift music (or an App, or a TV programme or film) to an iTunes Store user, iTunes warns you if the user already has that item.

This snooping process is iterative and cumbersome, but I'm pretty sure it could be at least somewhat automated. It's also a little fluky; to learn what I have, [the snooper] has to gift media to me in the same form I bought it. For example, if he sent me only a single episode of "Breaking Bad" season 3 iTunes wouldn't send him a message like the one above. This is because I bought the whole season at once, so [the snooper] has to gift me the whole season to learn about my purchase. Similar rules appear to hold for music.

Even though [the snooper] has to work a bit, I'm not thrilled that he (or anyone else) can so easily learn about my media purchases and tastes. If I want to share my iTunes holdings with my friends or broadcast them to the world Apple gives me tools to do so, but if I want to keep them private I can't.

McAfee says that Amazon handles this sort of problem differently; it simply converts duplicate items to store credit, informing the recipient of the duplicate items but not the gift-giver, and suggests that Apple would do well to adopt this approach. My online gift-giving is usually selected from users' wishlists so I've never encountered this problem in the wild, but if I were giving a gift I think I'd prefer to be given the chance to choose a different item rather than have my gift silently converted to an impersonal store credit: if I'd wanted to give an iTunes Store credit I'd have chosen that option. However, I can see that both approaches have their merits.1

My feeling about this is that whilst it's technically a privacy breach, it's not a terribly scary one. The would-be snooper needs to:

  1. Guess the email address I use with my iTunes Store account.2
  2. Guess what music/apps/ebooks etc I might own and whether I bought them as individual items or as part of an album/season purchase.3
  3. Automate this process so that Apple won't notice that some rabid fan of mine has made X attempts to gift me Y different tracks/apps/ebooks without ever going through with a purchase and throttle or block their access.

Having successfully negotiated those hurdles, the snoop is now in possession of … a listing of a small portion of the contents of my iTunes Library. Given that I display ample evidence of my taste in music on the internet for the whole world to see as a matter of course, you'll understand if I'm not terribly worried by this potential attack vector.

That being said, I do take the point that users who wish to keep their music choices to themselves should have the ability to do just that: Apple should probably get right on it.4

[Via Risks Digest]

  1. Perhaps iTunes Store users should be allowed to specify in their account settings whether gift-givers should be warned of duplicates.
  2. Admittedly not everyone sets up a distinct email address to use just for iTunes, so this could be straightforward in some cases where the snooper already has your email address.
  3. Which raises another question: what if I have a track that I ripped from a CD in MP3 format and the potential snooper tries to gift me the iTunes Store version of that track in AAC/m4a format. Does iTunes recognise that it's the same track despite the format difference?
  4. Interestingly, McAfee points out that in the US it is an offence to give out details of an individual's video rental/purchase history and suggests that if the iTunes Store makes it possible to find out what films a user has purchased this might leave the firm open to legal action. That sounds more like the sort of motivation Apple will need to close this hole.

iPad multi-user login

January 18th, 2011

I posted last October about my surprise that the iPad didn't allow for multi-user logins to preserve the security of each user's logins. Matt Jones has done Apple the favour of sketching a multi-user UI for the iPad.

It's nice but, like commenter Michael O'Brien, I wonder if I'd be able to live with the asymmetry if my iPad had only three users and had to leave a corner vacant. Come to that, what if my iPad had five users and it ran out of corners? Simpler, I think, to have a centred list of potential users to choose from, much like the standard login dialog for OS X.

All this remains academic until Apple decide to build in the requisite functionality, but surely that'll come one day.1 Even if the price of an iPad falls by 50%, I find it hard to believe that enough households will buy multiple iPads to keep Apple ahead of the pack. Though if any company can persuade families to buy an iPad Family Pack – 5 for the price of 4 – it's Apple.

There again, Apple being Apple they'll just as likely be thinking at least three steps ahead of us mere mortals even as I type this. Perhaps they're going to wait as the clamour for a multi-user iPad grows, then release an iPad 3 that does facial recognition on the fly so that it 'knows' who is using it and invokes Fast User Switching to fire up the appropriate account automagically, or the Guest account if the user's face isn't recognised.

  1. It all depends, to my mind, upon whether they have to contend with rival tablet makers whose devices make it easier for individual users to protect their login details so they can safely share their tablet with family members. As long as the iPad is the only serious game in town tablet-wise Apple will be under no great pressure to change their approach.
