reminds me of John Oliver's fake Apple ad from last week:
"We're barely one step of hackers at any time," https://www.youtube.com/watch?v=zsjZ2r9Ygzw#t=15m50
Thanks JH researchers for finding it, thanks Apple for patching it.
Whoops, looks like the Washington Post just leaked the iOS 9.3 release date with this article. Now we know what Apple has in store for their keynote tomorrow morning ;)
- Christina Garman,@matthew_d_green, Gabriel Kaptchuk, Michael Rushanan, and I found some crypto exploits in iMessage
- Details, blog post, paper, etc to come after Apple ships the patch.
- And now you have 14 hours to guess what the attack is. As a hint, no, its not a bug in how Apple stores or encrypts attachments.
I'll await the paper.
That sounds like a timing attack against the iMessage servers, probably also involving the unpatched client.
These researchers took a phone they owned and setup a situation where a server they controlled sent messages the phone interpreted as coming from Apple. Those messages were used to extract the key from the phone they owned. They then used that key to access an account they owned and were the authorized user of.
Is there a technical case of unauthorized access if they used a non Apple client to access the photo? Maybe. Did they establish the same pattern as Weev, accessing information related to many other users? No.
Not to mention giving the hack to Gawker before notifying AT&T, getting caught with cocaine, violating a gag order, and saying "I won't nearly be as nice next time" shortly before his sentencing.
No locks were broken - not even the weakest 1bit password. Weev only incremented a number of a public endpoint.
The prosecution in his case, as in Aaron Swartz's, conspired to use their legal enforcement powers to intimidate the innocent. They literally, knowingly, tried to charge people for things they knew at the time weren't crimes, because they had been "humiliated" by losing earlier.
(*Innocent of the charges at hand - questions of someone's "other" guilt are out of scope.)
The problem isn't that easy hacks can be criminal, it's that the punishments are out of line with the harm done.
And yes, a guilty-verdict and a one-cent fine wouldn't be too big of a deal. But ideally the courts just wouldn't even hear the case.
Weev took the data provided to him by his codefendant and gave it to Gawker.
Door in the face technique: Ask for a backdoor to all mobiles. Settle for keeping security holes private and leaving those mobiles vulnerable.
Snowden told us about the latter and there was outrage. Now it's an acceptable trade off because the FBI is threatening to take Apple's signing keys? Classic door in the face technique.
Not sure what cave this guy was living in, unless he's using 'strong' literally (in which case the statement is wrong).
Biggest reason not to trust 'consumer-grade' encryption is that consumers aren't under constant attack, or aren't aware if they are. If I buy a car, I know when it breaks down. Consumer Reports can say if it sucks. There are way fewer 'educated consumers' for encryption technology.
I think there is also an expiration time limit running from the moment the first device receive a message for the others devices to get the same message, but we are in undocumented territory about that AFAIK...
Is this different when iCloud is enabled?
However once the message has been delivered onto the device, they're either stored in plaintext, or backed up in plaintext (with the backup itself being encrypted with a key Apple has)
In saying that... I'm now wondering why they aren't encrypting the messages using the passcode like other sensitive data. I guess so the backup can be restored onto another phone and have the messages persist.
It's a fairly hard problem to do very well. What they do today isn't particularly close to "very well", so even some easy improvements could make it a lot better.
PS: But yeah the optional iCloud backup is currently the weak spot.
Though I get why it's nicer to prefer non-paywalled sources if it exists...
For Safari, I went ahead and added the rules missing from uBlock from uBlock Origin too. This seems to have helped somewhat (Forbes wall etc.)