Start up: cracking iPhone passcodes, why .sucks sucks, Superfish away!, Lyft and Uber face key court case


Superfish! Photo by noodlepie on Flickr.

A selection of 13 links for you. Helps you work, rest and play. I’m charlesarthur on Twitter. Observations and links welcome.

The SSD endurance experiment: they’re all dead » The Tech Report

Geoff Gasior:

I never thought this whole tech journalism gig would turn me into a mass murderer. Yet here I am, with the blood of six SSDs on my hands, and that’s not even the half of it. You see, these were not crimes of passion or rage, nor were they products of accident. More than 18 months ago, I vowed to push all six drives to their bitter ends. I didn’t do so in the name of god or country or even self-defense, either. I did it just to watch them die.

Technically, I’m also a torturer—or at least an enhanced interrogator. Instead of offering a quick and painless death, I slowly squeezed out every last drop of life with a relentless stream of writes far more demanding than anything the SSDs would face in a typical PC. To make matters worse, I exploited their suffering by chronicling the entire process online.

Brilliant idea for an article, spread over nearly two years, which also provides truly useful info. Those things really last ages.


Uber, Lyft cases could help clarify drivers’ legal status » WSJ

Rachel Emma Silverman:

Two San Francisco judges separately ruled last week that suits filed by drivers of the ride-sharing services should go before juries. At issue in both cases is whether drivers, who are employed as independent contractors, should be considered employees of those firms, and thus entitled to the protections afforded most full-time workers.

A verdict that required Lyft or Uber to reclassify their drivers as employees would throw a wrench in business models that have commanded large investments and valuations. Last week, Japanese e-commerce giant Rakuten led a $530m round of funding for Lyft, helping to boost its valuation to more than $2.5bn. Uber, which is much larger, has raised more than $5bn in funding and is valued at more than $41bn.

Should the cases proceed to trial, the resulting verdicts could also set a legal precedent about how many workers should be classified in the so-called on-demand economy. That could come as welcome news for employment lawyers and others charged with figuring out whether the workers who fulfill Instacart orders, drive UberX passengers, clean homes for Handy clients and perform other tasks assigned by apps should be considered independent contractors or actual employees.

Watch these ones. Though whichever way the verdicts go they probably won’t be the last.


A new, simple way to log in » Yahoo

Chris Stoner is director of product management at Yahoo:

We’ve made the steps easy to follow – check them out below.

1) Sign in to your Yahoo.com account.
2) Click on your name at the top right corner to go to your account information page.
3) Select “Account Security” in the left bar.
4) Click on the slider for “On-demand passwords” to opt in.
5) Enter your phone number and Yahoo will send you a verification code.
6) Enter the code and voila!

And the next time you sign in, we’ll send a password to your phone when you need it to log in. On-demand passwords is now available for U.S. users. Try it out today!

What if I lose my phone? Or I’m abroad? Do normal passwords not work any more? Not clear and not answered anywhere I can find.


Apple will offer Android switchers gift cards to trade-in rival smartphones for iPhones » 9to5Mac

Mark Gurman:

Apple is preparing to launch another program to boost iPhone sales in its stores, a stated goal of CEO Tim Cook.

According to sources, Apple will soon introduce a new recycling and trade-in program that will accept non-Apple smartphones, notably including Android devices, in exchange for gift cards to be used toward the purchase of new iPhones. In continuing to court Android switchers, Apple will use a similar system to the one it uses to repurchase iPhones, whereby Apple Retail Store employees determine trade-in values for devices by considering their cosmetic and functional condition.

The new program will begin in the coming weeks, following extensive training programs for retail store employees that will begin later this week. Apple employees will be able to transfer address book contacts from the rival smartphones to the iPhones, but other data will have to be moved by customers.

Two points: 1) we’ve pretty much arrived at “in Gurman we trust”, right? 2) trying to grab rival platforms’ users is the mark of a saturated market – which the US smartphone market increasingly resembles.


People who use Firefox or Chrome are better employees » The Atlantic

Joe Pinsker:

in the world of Big Data, everything means something. Cornerstone OnDemand, a company that sells software that helps employers recruit and retain workers, analyzed data on about 50,000 people who took its 45-minute online job assessment (which is like a thorough personality test) and then were successfully hired at a firm using its software. These candidates ended up working customer-service and sales jobs for companies in industries such as telecommunications, retail, and hospitality.

Cornerstone’s researchers found that people who took the test on a non-default browser, such as Firefox or Chrome, ended up staying at their jobs about 15 percent longer than those who stuck with Safari or Internet Explorer. They performed better on the job as well. (These statistics were roughly the same for both Mac and PC users.)

Why? Perhaps, the company hazards, because it means they’re “non-default”, and so are an “informed consumer”. (Other datum: “people who use “boozy” or “sexy” in their email addresses make for worse employees.”)


Joint effort guts Superfish » Computerworld

In a blog post announcing the addition of another Superfish clean-up tool, Microsoft’s security team said that the number of infected PCs detected by its software peaked at around 60,000 on Feb. 21, slumped slightly over the next two days before falling precipitously. By Feb. 25, the daily number of infected PCs encountered by Microsoft’s tools had dropped to around 3,000, sliding further over the next several days to what appeared to be less than 1,000 each day.

All told, Microsoft implied that about a quarter of a million Lenovo PCs were cleansed of Superfish between Feb. 20 and March 4.

Useful to know how many “consumer” PCs Lenovo sold over the course of three months or so, which this in effect is.


Apple iOS hardware assisted screenlock bruteforce crack » MDSec blog

Dominic Chell:

We recently became aware of a device known as an IP Box that was being used in the phone repair markets to bruteforce the iOS screenlock. This obviously has huge security implications and naturally it was something we wanted to investigate and validate. For as little as £200 we were able to acquire one of these devices and put it to work.

Although we’re still analyzing the device it appears to be relatively simple in that it simulates the PIN entry over the USB connection and sequentially bruteforces every possible PIN combination. That in itself is not unsurprising and has been known for some time. What is surprising however is that this still works even with the “Erase data after 10 attempts” configuration setting enabled.

Our initial analysis indicates that the IP Box is able to bypass this restriction by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory. As such, each PIN entry takes approximately 40 seconds, meaning that it would take up to ~111 hours to bruteforce a 4 digit PIN.

Multiply by 10 for each extra digit on your PIN; use a password instead. (Clever, cutting the power before the write-to-memory.)


“.sucks” registrations begin soon — at up to $2,500 per domain » Ars Technica

Lee Hutchinson:

The number of generic top-level domains (gTLDs) available for use has climbed into the hundreds, and “.sucks” will soon be added to the list. However, angry customers eager to get their hands on brand-specific domains like “bestbuy.sucks” or “comcast.sucks” shouldn’t get their hopes up; according to MarketingLand, the domains will cost far more than most consumers will want to pay.

The pricing situation around .sucks domain names is complicated. Companies with registered trademarks will have to pay an astounding $2,499 to register their trademarked names in .sucks. Registration of non-trademarked names during the “sunrise” period (March 30 until June 1) before .sucks goes live will cost at least $199 per name, while the standard registration fee after June 1 rises to $249 per name.

Companies are typically hyper-sensitive about brand usage, and few will want their .sucks domains under someone else’s control. The .sucks pricing scheme has led to outrage from many quarters, with MarketingLand’s writeup quoting several industry figures who use words like “extortion” and “predatory.”

The words of Seth Finkelstein from 2007 on the topic of “.xxx” remain just as relevant: these TLDs are just money-making schemes for registrars (and for Icann).

In a world with any more than zero working search engines, TLDs are next to pointless, and the exotic ones like .sucks amount to nothing more than legitimised extortion schemes against companies worried about attacks on their brand.


Samsung to beat forecast on S6 » Korea Times

Kim Yoo-chul:

Bernstein Research and Deutsche Bank expect [the] S6 to boost the company’s bottom line.

“For our thesis on Samsung Electronics, the S6 does not need to be a mega-success; even a further decline to 27% market share in the premium segment would be more than enough,” Mark Newman at Bernstein Research said.

“We believe the unveiled phone is sufficient to deliver and has the potential to beat that modest expectation. Furthermore, we think the components side of the S6 is more positive for Samsung’s earnings direction with the processor moving internal (saving potentially $28 per phone), significantly more memory (DRAM and particularly NAND) and the display showing off their technology lead in flexible OLED.”

Han Seung-hoon at Deutsche Bank said Samsung’s strategies for diversified pricing on the S6 according to memory storage capacity like Apple will help its semiconductor division see a big divisional increase.

Apple seems to be having a strong quarter – analyst expectations are for well over 50m sales (compared to 43.7 in Q1 2014). Last year Samsung shipped 85m smartphones.


June 2007: Apple iPhone debut to flop, product to crash in flames » Suckbusters

David Platt in June 2007:

the iPhone is going to fail because its design is fundamentally flawed. The designers and technophiles who encouraged development of the iPhone have fallen into the trap of all overreaching hardware and software designers; thinking that their users are like themselves. As I expound in great detail in my book Why Software Sucks (Addison-Wesley, 2006, http://www.whysoftwaresucks.com) your user is not you. The iPhone’s designers have forgotten this fundamental law of the universe. The market will severely punish them for doing so.

I have three specific reasons why the iPhone’s design will cause it to crash in flames the way Apple’s late and unlamented Newton did, only much more loudly and publicly because of all the hype it’s gotten.

None of them is its price. Platt seems to have a line writing for Microsoft’s Developer Network magazine and admitted his mistake in 2012.


Microsoft X-box and a family problem » Medium

Jeremy Hillman’s son ran up thousands of dollars on Xbox Live buying “players” for FIFA at a hundred dollars a pop:

So these are my questions to Microsoft on behalf of the thousands and thousands of parents who have fallen into this same situation (you can see online that this isn’t a rare occurrence and Microsoft employs its many escalation analysts for a reason).

With all the brilliance of your engineers and sophisticated systems to protect data how hard could it be to put a realistic ceiling on what can be spent on in-app purchases before the credit card details and security code need to be re-entered? Most Apple iTunes purchases need a password to be re-entered for each new purchase.

How many users legitimately spend thousands of dollars on in-app purchases and just how much usage would it actually take for you to flag this as unusual behaviour and require confirmation that the purchase is legitimate? Banks and credit card companies regularly do this — there can’t be many reasons you don’t.

Might just want to check your credit card statement, parents.


Behind Apple’s openness is desire for data centre help » The Information

Steve Nellis and Amir Efrati:

Both Google and Amazon long have designed their own racks, servers and switches in their data centers, contracting with Asian manufacturers for production. They see their hardware designs as a competitive advantage, keeping them under wraps. Neither are in the Open Compute Project [which Apple has joined].

Facebook also designs its own data center equipment but started much later than Amazon and Google. By helping found the Open Compute Project, it has a chance to catch up. In the group, Facebook released its designs for servers and switches publicly and invited others to do the same. Microsoft, Intel, IBM and others eventually joined. The idea was that lots of companies working together can build better data centers cheaper.

“There’s this industry pattern I’ve come to observe: Open when you’re behind, closed when you’re ahead,” said Christopher Nguyen, CEO of Adatao and former engineering director of Google Apps.

That last point is so insightful, and worth bearing in mind. The article meanwhile confirms that Apple outsources some of iCloud’s services to Microsoft (Azure) and Amazon (S3).


New YouTube interface rolling out to some users ditches the hamburger menu » Android Police

Liam Spradin:

Just in case you were getting comfortable with the YouTube app’s latest design, it looks like there may be more changes in store. It seems a number of users are encountering a new YouTube interface, apparently triggered server-side without an app update.

The change sees YouTube’s hamburger menu flipping right out of the interface, going the way of Google+ in discarding the left-side navigation drawer. Instead, users are given four primary tabs – Home, Trending, Subscriptions, and your profile. Interestingly, a couple of these tabs seem to have bars underneath to switch from, say, all videos to music on the home tab, or from uploads to channels on the subscription tab. Besides these changes, things are ostensibly working just like before.

Apple doesn’t like hamburger menus (those three lines at the top left or right of a screen where “other options” are available): here’s a summary of a WWDC 2014 talk about it, from which the key extract is:

Remember, the three key things about an intuitive navigation system is that they tell you where you are, and they show you where else you can go.

Hamburger menus are terrible at both of those things, because the menu is not on the screen. It’s not visible. Only the button to display the menu is. And in practice, talking to developers, they found this out themselves.


Samsung tablets made spy-proof by BlackBerry using IBM software » Bloomberg Business

Cornelius Rahn:

BlackBerry introduced a modified Samsung Electronics Co. tablet computer that lets government and corporate users access consumer applications such as YouTube and WhatsApp while keeping confidential work-related information away from spies and crooks.

The €2,250 ($2,360) SecuTABLET will be available by the third quarter, Hans-Christoph Quelle, head of BlackBerry’s Secusmart unit, said in an interview Sunday. More than 10,000 units will be shipped annually in Germany alone by next year, with a higher number sold by IBM, which is handling sales to companies worldwide, he said.

The SecuTABLET combines Samsung Electronics’s Tab S 10.5 with Secusmart’s microSD card and IBM software to wrap applications that hold sensitive data into a virtual container where they can’t be harmed by malware. Germany’s computer-security watchdog is evaluating the device for classified government communication and will probably give its approval before the end of the year, Quelle said.

I’m not sure in what sense BlackBerry “introduced” this. Its tieup with Samsung seems to be as an MDM (mobile device management) vendor. Samsung makes the hardware, IBM does the virtualisation, BlackBerry does the..?