Domain: zdziarski.com
Stories and comments across the archive that link to zdziarski.com.
Comments · 29
-
Re:How About "Good Enough"?
It's not good enough that a given computer can perform all sorts of useful functions. It has to be reinvented as more powerful every 374 days.
Yet the Mac is not able to perform "all sorts of useful functions", it can perform "Many sorts of useful functions", but if you have that one use case that you can't run on a Mac, then it's useless.
In my case, it's memory: I run a couple of VMs and a memory-hungry IDE. My 16GB MacBook was no longer able to keep up.
That's because of your small penis, not the MacBook Pro. https://www.zdziarski.com/blog...
-
Re:But Apple get its 30% cut still.
To someone who needs 32GB of RAM, having 32GB of RAM is more important than the slight battery savings of using DDR4L. What's your excuse for not understanding that?
And who needs 32 GB RAM? And no, your sexual fetish doesn't count. https://www.zdziarski.com/blog/?p=6355
-
Re: True, doesn't matter beyond "sufficient"
-
Re: When to buy a Mac
Or maybe they want more than 16GB of RAM. Crazy talk I know.
-
Re: They said they want us to die...
First, define what you think you need. Look at the tests this guy reports running: https://www.zdziarski.com/blog...
I've done similar tests on a late-2013 16GB Macbook Pro, and I've seen similar results. The only thing that would make additional RAM a lot better for me would be the ability to spin up more vagrant instances simultaneously for testing of larger / more complicated stacks of applications. But I've had multiple VMs, terminal sessions, outlook, omnifocus, evernote, atom, 3 or 4 RDP sessions, half a dozen different messaging apps (hipchat, slack, messages, irc, twitter, instagram), tower git client, itunes, safari, word, excel, kaleidoscope, docker (with a couple containers running), xcode, dropbox, antivirus, crash plan, and corporate VPN all running, along with half a dozen little menubar utilities (alfred, dash, textexpander, cloak, moom, flux)... and my system hardly ever breaks a sweat, RAM-wise.
What, exactly, are you doing that *REQUIRES* more than 16GB of RAM? I wouldn't *mind* having more ram - I could spin up more (or larger) VMs, which would be nice since I often work disconnected. However, I have yet to hit any hard limits, and I've spent 3 years putting this laptop through some pretty heavy usage. If *I'm* still in the level of casual user, I'm really interested to know how you define that term.
I have the same experience with my mid-2012 MacBook Pro with 4 GB of RAM. OS X/macOS is simply (MUCH!) more efficient at memory management than Windows.
Can't speak to Linux in that regard; but as far as my (pretty extensive) Windows experience, I have never seen a Mac in "swap file hell" like Windows routinely exhibits.
I think that those clamoring for more RAM either come from a Windows background, and are simply "scared", due to Windows-induced PTSD; OR they want to run multiple VMs.
You can never be too rich, too thin, or have too much RAM; so I'm not opposed to such an improvement; but, in most cases, gigantic pools of RAM are not NEARLY as important to performance in macOS as they are in Windows.
-
Re:The sky will darken with Apple and Google lawye
Uh, Apple admitted in their briefs to the court that they can be hacked, especially older OSes.
But they've also said they're working toward encryption that even they cannot access, i.e. a warrant-proof phone.
-
Re:yes they should
Zdziarski, author of iPhone Forensics, seems to suggest it's quite likely a viable technique: http://www.zdziarski.com/blog/...
Director Comey made another misleading statement – twice – to Congress yesterday; namely that the FBI has attempted every possibility of unlocking the device on their own, and is even willing to accept input from any experts. Quite the contrary, at least three possibilities have come to light that the FBI has not yet explored:
- Imaging the NAND flash of the device and trying ten passcodes at a time; when the device wipes, re-flash the NAND with the original image and try again. This technique is done in kiosks in Chinese malls to upgrade your 16GB iPhone to 128GB for about $60 US. $60 for ten tries; they could pay retail and still get this done for $60,000.
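The re-flash loop in the quoted excerpt, simulated as an added example (this is not code from the original post or from Zdziarski; the 4-digit PIN space, the ten-failure wipe, and the choice of keeping the attempt counter either in the mirrorable flash or in separate non-rewritable state are assumptions of the model). It shows why the attack's viability hinges on where the wrong-attempt counter lives:

```python
"""NAND-mirroring passcode attack, simulated.

Added example, not code from the original post or from Zdziarski. The
device model is an assumption: a 4-digit passcode, a wrong-attempt
counter, and a wipe after ten failures. Real devices derive the passcode
key from the passcode and a per-device hardware key so each guess costs
real time; a plain hash stands in for that here. What the model shows is
that the attack only works when the attempt counter lives in the same
flash the attacker can dump and re-flash.
"""
import hashlib

MAX_FAILURES = 10
PIN_SPACE = [f"{i:04d}" for i in range(10_000)]


def _h(passcode: str) -> str:
    return hashlib.sha256(passcode.encode()).hexdigest()


class Device:
    def __init__(self, passcode: str, counter_in_nand: bool) -> None:
        # Everything in self.nand is what an attacker can image and restore.
        self.nand = {"verifier": _h(passcode), "failures": 0, "wiped": False}
        self.counter_in_nand = counter_in_nand
        # Stands in for a counter kept outside the mirrorable flash (for
        # example in a separate secure processor); only used when
        # counter_in_nand is False.
        self.secure_failures = 0

    def dump_nand(self) -> dict:
        return dict(self.nand)

    def restore_nand(self, image: dict) -> None:
        self.nand = dict(image)

    def _failures(self) -> int:
        return self.nand["failures"] if self.counter_in_nand else self.secure_failures

    def _record_failure(self) -> None:
        if self.counter_in_nand:
            self.nand["failures"] += 1
        else:
            self.secure_failures += 1
        if self._failures() >= MAX_FAILURES:
            self.nand["wiped"] = True  # data destroyed after ten wrong guesses

    def try_passcode(self, guess: str) -> bool:
        if self.nand["wiped"] or self._failures() >= MAX_FAILURES:
            return False  # wiped, or the non-mirrorable counter is exhausted
        if _h(guess) == self.nand["verifier"]:
            return True
        self._record_failure()
        return False


def nand_mirror_attack(dev: Device, batch: int = MAX_FAILURES):
    """Image NAND once, try `batch` guesses, re-flash the image, repeat.

    Returns (recovered passcode or None, number of re-flashes performed).
    """
    image = dev.dump_nand()
    reflashes = 0
    for start in range(0, len(PIN_SPACE), batch):
        for guess in PIN_SPACE[start:start + batch]:
            if dev.try_passcode(guess):
                return guess, reflashes
        dev.restore_nand(image)  # counter (if it lives here) goes back to 0
        reflashes += 1
    return None, reflashes


if __name__ == "__main__":
    print(nand_mirror_attack(Device("7391", counter_in_nand=True)))   # recovered
    print(nand_mirror_attack(Device("7391", counter_in_nand=False)))  # never recovered
```

With the counter in flash, the full 4-digit space falls in at most 1,000 re-flashes; with the counter held outside the flash, the first ten failures exhaust it and restoring the image changes nothing.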
-
A technically literate discussion of the issue.
An insightful forensics article on several more important reasons why Apple should not be forced to comply.
-
A response
This is all distraction, as operating system configuration and patching is not a "backdoor".
The best response to the FBI's request I've read thus far comes from the noted iOS forensics security guru, Jonathan Zdziarski, where he wrote the following:
An instrument is the term used in the courts to describe anything from a breathalyzer device to a forensics tool, and in order to get judicial notice of a new instrument, it must be established that it is validated, peer reviewed, and accepted in the scientific community. It is also held to strict requirements of reproducibility and predictability, requiring third parties (such as defense experts) to have access to it. I've often heard Cellebrite referred to, for example, as the Cellebrite instrument in courts. Instruments are treated very differently from a simple lab service, like dumping a phone. I've done both of these for law enforcement in the past: provided services, and developed a forensics tool. Providing a simple dump of a disk image only involves my giving testimony of my technique. My forensics tools, however, required a much more thorough process that took significant resources, and they would for Apple too.
The tool must be designed and developed under much more stringent practices that involve reproducible, predictable results, extensive error checking, documentation, adequate logging of errors, and so on. The tool must be forensically sound and not change anything on the target, or document every change that it makes / is made in the process. Full documentation must be written that explains the methods and techniques used to disable Apple's own security features. The tool cannot simply be some throw-together to break a PIN; it must be designed in a manner in which its function can be explained, and its methodology could be reproduced by independent third parties. Since the FBI is supposedly the one to provide the PIN codes to try, Apple must also design and develop an interface / harness to communicate PINs into the tool, which means added engineering for input validation, protocol design, more logging, error handling, and so on. The FBI has asked to do this wirelessly (possibly remotely), which also means transit encryption, validation, certificate revocation, and so on.
Once the tool itself is designed, it must be tested internally on a number of devices with exactly matching versions of hardware and operating system, and peer reviewed internally to establish a pool of peer-review experts that can vouch for the technology. In my case, it was a bunch of scientists from various government agencies doing the peer-review for me. The test devices will be imaged before and after, and their disk images compared to ensure that no bits were changed; changes that do occur from the operating system unlocking, logging, etc., will need to be documented so they can be explained to the courts. Bugs must be addressed. The user interface must be simplified and robust in its error handling so that it can be used by third parties.
Once the tool is ready, it must be tested and validated by a third party. In this case, it would be NIST/NIJ (which is where my own tools were validated). NIST has a mobile forensics testing and validation process by which Apple would need to provide a copy of the tool (which would have to work on all of their test devices) for NIST to verify. NIST checks to ensure that all of the data on the test devices is recovered. Any time the software is updated, it should go back through the validation process. Once NIST tests and validates the device, it would be clear for the FBI to use on the device. Here is an example of what my tool's validation from NIJ looks like: https://www.ncjrs.gov/pdffiles...
During trial, the court will want to see what kind of scientific peer review the tool has had; if it is not validated by NIST or some other third party, or has no acceptance in the scientific community,
-
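The before/after check the quoted validation process calls for (image the test device before and after the tool runs, compare, and document every change), as an added example. This is not Zdziarski's tool, NIST's procedure, or Apple's code; the images are constructed byte strings standing in for real dumps, and the 512-byte block size, the report layout, and the "documented cause" table are assumptions.

```python
"""Before/after image comparison for a forensic tool validation run.

Added example; not Zdziarski's tool, NIST's procedure, or Apple's code.
The images are constructed byte strings standing in for real NAND dumps,
and the 512-byte block size, the report layout and the "documented cause"
table are assumptions. The point is the one made in the quoted comment:
hash the image before and after the tool runs, and every block that
differs must be explained or the run is not forensically sound.
"""
import hashlib
from dataclasses import dataclass, field

BLOCK = 512  # assumed sector size


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def block_hashes(image: bytes, block: int = BLOCK) -> list:
    return [hashlib.sha256(image[i:i + block]).hexdigest()
            for i in range(0, len(image), block)]


@dataclass
class DiffReport:
    before_hash: str
    after_hash: str
    size_changed: bool
    changed_blocks: list = field(default_factory=list)

    def unchanged(self) -> bool:
        """True only if the tool touched nothing at all."""
        return not self.size_changed and not self.changed_blocks


def compare_images(before: bytes, after: bytes, block: int = BLOCK) -> DiffReport:
    bh, ah = block_hashes(before, block), block_hashes(after, block)
    report = DiffReport(image_hash(before), image_hash(after),
                        len(before) != len(after))
    for idx in range(max(len(bh), len(ah))):
        b = bh[idx] if idx < len(bh) else None
        a = ah[idx] if idx < len(ah) else None
        if a != b:
            report.changed_blocks.append(idx)
    return report


def unexplained_blocks(report: DiffReport, documented: dict) -> list:
    """Changed blocks with no documented cause (e.g. an OS unlock log
    entry) are exactly what a defense expert will ask about."""
    return [i for i in report.changed_blocks if i not in documented]


def validation_verdict(before: bytes, after: bytes, documented: dict) -> str:
    report = compare_images(before, after)
    if report.unchanged():
        return "PASS: images identical"
    missing = unexplained_blocks(report, documented)
    if missing:
        return f"FAIL: unexplained changes in blocks {missing}"
    return "PASS: all changes documented in blocks " + str(report.changed_blocks)


# Constructed sample: a 4-block "image", then a copy in which the OS
# wrote an unlock log entry into block 2.
BEFORE = bytes(range(256)) * 8          # 2048 bytes = 4 blocks
_after = bytearray(BEFORE)
_after[2 * BLOCK:2 * BLOCK + 8] = b"UNLOCKED"
AFTER = bytes(_after)
DOCUMENTED = {2: "OS wrote unlock log entry (expected, recorded in run log)"}

if __name__ == "__main__":
    print(validation_verdict(BEFORE, AFTER, DOCUMENTED))
    print(validation_verdict(BEFORE, AFTER, {}))
```

Whole-image hashes tell you that something changed; the per-block list is what lets you tie each change to a documented cause, which is the part the court will ask for.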
Re: Homegrown
You might consider these cases as possible examples of being a bit hostile...
http://www.cnet.com/news/debun...
http://www.dailytech.com/Googl...
http://www.zdziarski.com/blog/...
http://www.mail-archive.com/cr...
and to a lesser extent where Linus posts stuff like
...one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior. It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important.
or
I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.
-
Re:Horribly Inaccurate
So basically, this security "expert" found a way for a thief to enter my home through the backdoor, as long as the thief has the keys for my front door.
This security "expert" has a very solid background and street cred in the field of iOS forensics so I would not dismiss him so lightly.
-
Re:Yeah
apple response here: http://support.apple.com/kb/HT...
JZ's response here: http://www.zdziarski.com/blog/...
dropping some fact bombs on this conversation.
-
DON'T PANIC
Why link to a re-post and not to the source: http://www.zdziarski.com/blog/
There we find this:
DON'T PANIC
Before the journalists blow this way out of proportion, this was a talk I gave to a room full of hackers explaining that while we were sleeping, this is how some features in iOS have evolved over the PAST FEW YEARS, and of course a number of companies have taken advantage of some of the capabilities. I have NOT accused Apple of working with NSA, however I suspect (based on released documents) that some of these services MAY have been used by NSA to collect data on potential targets. I am not suggesting some grand conspiracy; there are, however, some services running in iOS that shouldn't be there, that were intentionally added by Apple as part of the firmware, and that bypass backup encryption while copying more of your personal data than ever should come off the phone for the average consumer. I think at the very least, this warrants an explanation and disclosure to the some 600 million customers out there running iOS devices. At the same time, this is NOT a zero day and NOT some widespread security emergency. My paranoia level is tweaked, but not going crazy. My hope is that Apple will correct the problem. Nothing less, nothing more. I want these services off my phone. They don't belong there.
-
Re:noone trusts their cya legalese
It looks like it's impossible for Apple to issue an honest denial, because...
http://www.zdziarski.com/blog/...
there are actually back-doors specifically built into iOS devices -- back doors not used by any Apple software on the device, not usable by genius-bar or any user-benefitting scenario, but still that make it possible for "someone" to get at a lot of the personal data.
Quote: "Why do we need a packet-sniffer running on 600 million personal iOS devices?"
Quote: "com.apple.mobile_file_relay - exposes much personal data - very intentionally placed and intended to dump data from the device by request"
Quote: "Apple has worked hard to ensure that Apple can access data on behalf of law enforcement."
I think the reason "anything can be picked apart" is because Apple DO create backdoors for the benefit of government, but for PR purposes they want to appear to deny it.
-
Mod parent up
The AC nailed it; this is an utter non-story. Last time I checked, locking an iPhone does not enable full-disk encryption. Raise your hand if you thought the iPhone contains some magical Steve Jobs fart that would prevent someone with hardware access (leave alone Apple with hardware access!) from ripping the unencrypted data (which, in a default setup, is essentially everything except your e-mail) from the flash chips. And yes, hardware access is necessary even if it isn't explicitly stated in the summary. Anyhow, those that did raise their hands earlier, please hand in your geek card and don't let the door hit you in the ass on the way out.
-
Re:Figured this would have happen sooner
OnStar is a GM brand. I'm told the Toyota/Lexus Enform/Safety-Connect system is run by OnStar. (on verizon's network.)
Duly noted.
If you're going to boost a car thusly equipped, you'd be wise to remove or disable the thing FIRST. When manufacturers get wise and link the module into the anti-theft logic -- meaning the car won't work without it -- simply disable the radio/antenna.
For the record (and the benefit of my fellow paranoids), you can actually request this equipment be disabled for you by the dealer prior to purchase, or by the owner if they know where to look. Of course, this is a moot point for those who actually intend to pay for and use the service, but personally I would never subscribe to a service that can arbitrarily disable my vehicle without my permission... among other, privacy related issues.
Not being able to start your car because it cannot see T-Mobile's network (for example) would never be accepted by customers.
Yea... I remember saying something similar when GPS devices started becoming ubiquitous in cell phones... 'surely no one will accept a phone with a built in tracking device!'
Ah, the naivety of youth...
-
Re:Sorry, disagree that SHA/MD5 is a solution
Up front disclaimer: I hate Apple, and will not buy any of their devices for the foreseeable future. But I have good reasons for this hatred, not all of which I have time or room to fit here. Now, let's try actually citing some sources here, shall we?
The release of the iPhone 3GS (and later iPod Touch 3rd Generation) brought hardware-based full disk encryption (FDE) to the iPhone. This was designed to accomplish one thing: instantaneous remote wipe....Jonathan Zdziarski found that the iPhone OS automatically decrypts data when a request for data is made, effectively making the encryption worthless for protecting data.
(source) Some of what Zdziarski says here. After a little more research, I discovered that apparently iOS 4 devices do use your passcode to encrypt the hardware keys, so they can't be read when you are logged out (source). That is actually a reasonable system; the original one, not so much. Just because something uses "hardware encryption" doesn't mean it actually encrypts data effectively. As I said, the original system didn't, and wasn't intended to: it was only intended to make remote wiping your device faster (since you can just erase the key, not the whole drive).
And as for why there isn't any iOS malware: seriously, stop and think for a second. If Apple reviews every last app on the official App Store, it's kinda hard to sneak malware in, isn't it? Also, you might want to actually look up Android's security system. After about 20 seconds, I found that, surprise surprise, Android also sandboxes applications so that they can't read each other's data. In other words: it doesn't matter if the passwords are stored plaintext, since other applications can't read them anyways. Hence, why all the Android malware I've ever heard about doesn't mess with the phone itself, but rather calls home / phones premium numbers / etc. Maybe there is an actual virus for Android that messes with the data on the phone. Never heard of it though. (edit: someone mentioned storing apps on SD cards, and then reading those. You can't do that from the phone directly any more than you can read the internal memory, and if you get physical access no encryption is really gonna help. And the same problem exists on iPhone... oh wait, you can't use SD cards with those at all. Apple likes the flash memory premium too much.) If it breaks the sandboxing, sure, but if it does that on the iPhone it can do the exact same thing, password keychain or no (proof: they did). And precisely how you said they can't: through root. I'm not sure how passcode encryption affects this or what iOS version they were using, but I would presume it's iOS 4.
And I never said an encrypted system wasn't better, I said it wasn't much better... which, as it turns out, it isn't. I absolutely think that passwords should be encrypted. But with another password, not a keychain stored on the device itself. It's just the tiniest bit better than plaintext, but not by much. I can't believe people on Slashdot still keep thinking "oh, encryption, that means my data is secure!"
And I'm not sure how "Google specifically designed" Android to be locked down. AFAIK all the phones that prevent custom firmware use an encrypted bootloader system, which has very little to do with Android itself. Please, inform me how Google is responsible for that. As for Honeycomb source: straw man much? Where is ANY iOS source? Android source will be out at least by Ice Cream Sandwich, relax, Google is just being prudent. For once. I know FOSS fanatics want absolutel
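The two designs the comment above contrasts (a hardware key the OS applies to every read, versus iOS 4-style keys that need the passcode to unwrap), as an added example. This is not Apple's code and not from the comment; the HMAC-SHA256 keystream is a toy stand-in for AES, and the PBKDF2 parameters, key layout and class names are assumptions made for illustration.

```python
"""Two models of "hardware encryption" (added example, not Apple's code).

HardwareOnlyFDE:    a per-device key the OS applies to every read. Wiping
                    is fast (discard the key) but anyone who can run code
                    on the device reads plaintext.
PasscodeTangledFDE: the class key that decrypts files is wrapped under a
                    key derived from the passcode and a hardware UID, so a
                    locked device has nothing to decrypt with.

The stream cipher is an HMAC-SHA256 keystream standing in for AES; the
PBKDF2 iteration count and key layout are assumptions.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy CTR-mode cipher (stand-in for AES); applying it twice decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class HardwareOnlyFDE:
    def __init__(self) -> None:
        self._device_key = os.urandom(32)   # lives in the device, no passcode

    def store(self, plaintext: bytes) -> bytes:
        return keystream_xor(self._device_key, plaintext)

    def read(self, ciphertext: bytes):
        # Any request for data is served decrypted: this is the behaviour
        # the comment quotes Zdziarski as finding on the 3GS.
        if self._device_key is None:
            return None
        return keystream_xor(self._device_key, ciphertext)

    def remote_wipe(self) -> None:
        self._device_key = None   # crypto-erase: one key, not the whole flash


class PasscodeTangledFDE:
    ITER = 10_000   # assumed; real devices tune this to tens of ms per guess

    def __init__(self, passcode: str) -> None:
        self._uid = os.urandom(32)          # hardware key, never leaves device
        class_key = os.urandom(32)
        kek = self._derive(passcode)
        self._wrapped = keystream_xor(kek, class_key)
        self._wrap_mac = hmac.new(kek, self._wrapped, hashlib.sha256).digest()
        self._class_key = None              # only present while unlocked

    def _derive(self, passcode: str) -> bytes:
        # Passcode tangled with the device UID: the derived key cannot be
        # computed off-device, and cannot be computed on-device without it.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._uid, self.ITER)

    def unlock(self, passcode: str) -> bool:
        kek = self._derive(passcode)
        mac = hmac.new(kek, self._wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, self._wrap_mac):
            return False                    # wrong passcode: key stays wrapped
        self._class_key = keystream_xor(kek, self._wrapped)
        return True

    def lock(self) -> None:
        self._class_key = None

    def store(self, plaintext: bytes):
        return None if self._class_key is None else keystream_xor(self._class_key, plaintext)

    def read(self, ciphertext: bytes):
        return None if self._class_key is None else keystream_xor(self._class_key, ciphertext)


def demo(secret: bytes = b"contacts: alice, bob") -> dict:
    """What an attacker with code execution but no passcode gets in each model."""
    hw = HardwareOnlyFDE()
    hw_ct = hw.store(secret)
    result = {"hw_attacker_read": hw.read(hw_ct)}   # plaintext, no passcode needed
    hw.remote_wipe()
    result["hw_after_wipe"] = hw.read(hw_ct)        # None: key is gone

    dp = PasscodeTangledFDE("1234")
    dp.unlock("1234")
    dp_ct = dp.store(secret)
    dp.lock()
    result["dp_locked_read"] = dp.read(dp_ct)       # None: nothing to decrypt with
    result["wrong_passcode_accepted"] = dp.unlock("0000")
    result["right_passcode_accepted"] = dp.unlock("1234")
    result["dp_owner_read"] = dp.read(dp_ct)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Both models are "hardware encryption" in the marketing sense; only the second one makes the passcode part of the key, which is the difference the comment is pointing at.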
-
iPhone version ??
What a useless report if we don't know which version of iPhone is targeted. If this attack is effective against an iPhone 4 then that's very interesting news; otherwise who cares, we already know that 3GS and previous models are wide open.
-
Re:Is this legal?
I'd assume they're recharging radios, GPS devices, or even a Predator ground station, not an iPhone
;)
-
Zdziarski has been doing this for years
As the article states, Jonathan Zdziarski has been doing this for several years. He's the author of iErase/iWipe (which seems to have been in the App Store previously but is Cydia-only now), runs iPhoneInsecurity.com, and has a blog with quite a bit of stuff related to iPhone forensics and security. He even has a post specifically addressing the "screenshot leak".
-
iOS has the apps
The good/great ballistics apps are on iOS, so I reckon it has the general edge.
http://isnipe.webdiligence.ca/
http://www.knightarmco.com/bulletflight/
http://ballistic.zdziarski.com/
There are a couple for Android, but they aren't as good as iOS has.
-
150ms per message is a joke
Sorry but my laptop can do it faster when using something like CRM114 or DSPAM.
Whenever I see those wild claims about how good and accurate a commercial service or filter is, I am reminded of the excellent text written in 2005 by Jonathan A. Zdziarski called Justifying Statistical Filtering.
Postini might be good but I am not letting them decide what is spam and what is not. Users have their own opinion and something so static as Postini cannot adapt fast/well enough to my needs. And the same goes for the other services like MXLogic, SpamSpy, MessageLabs, Barracuda, IronPort and all the others out there.
And why pay money when I can have better for free?
-
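The kind of per-user statistical filter the comment above prefers to a static service, as an added example of the technique (naive Bayes over message tokens). This is not CRM114, DSPAM, Postini, or anything from Zdziarski's paper; the training messages are constructed, and the tokenizer and Laplace smoothing are simple choices made for illustration.

```python
"""Minimal statistical (naive Bayes) spam filter. Added example; not
CRM114, DSPAM, Postini, or code from Zdziarski's paper. Training messages
are constructed; tokenizer and smoothing are illustrative choices.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$']+")


def tokens(text: str) -> set:
    """One binary feature per distinct token in a message."""
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    def __init__(self) -> None:
        self.docs = {"spam": 0, "ham": 0}
        self.counts = {"spam": Counter(), "ham": Counter()}

    def train(self, text: str, label: str) -> None:
        """Learning from the user's own verdicts is what lets the filter
        adapt to one mailbox, the adaptivity the comment asks for."""
        self.docs[label] += 1
        self.counts[label].update(tokens(text))

    def _token_likelihood(self, tok: str, label: str) -> float:
        # P(token present | label) with Laplace (+1) smoothing, so a token
        # never seen in one class does not force the verdict to 0 or 1.
        return (self.counts[label][tok] + 1) / (self.docs[label] + 2)

    def spam_probability(self, text: str) -> float:
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])  # class prior
        for tok in tokens(text):
            log_odds += math.log(self._token_likelihood(tok, "spam")
                                 / self._token_likelihood(tok, "ham"))
        return 1.0 / (1.0 + math.exp(-log_odds))   # back from log-odds

    def classify(self, text: str, threshold: float = 0.5) -> str:
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training corpus (not real mail).
TRAINING = [
    ("Buy cheap viagra now, limited offer", "spam"),
    ("Win a free prize, click here now", "spam"),
    ("Cheap meds, free shipping, buy now", "spam"),
    ("Click here to claim your free prize", "spam"),
    ("Meeting moved to 3pm, see agenda attached", "ham"),
    ("Can you review the patch before the release", "ham"),
    ("Lunch tomorrow? The usual place", "ham"),
    ("Attached is the agenda for the review meeting", "ham"),
]


def trained_filter() -> BayesFilter:
    f = BayesFilter()
    for text, label in TRAINING:
        f.train(text, label)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in ("free prize, click now", "agenda for the meeting review"):
        print(f"{f.spam_probability(msg):.3f}  {f.classify(msg)}  {msg}")
```

Scoring is a handful of dictionary lookups and logarithms per token, which is why a local filter of this shape runs in far less than 150 ms per message; feeding the user's corrections back through train() is what a hosted, one-size-fits-all service cannot do per mailbox.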
Re:The real question is....
I wonder if Ballistic: Field Tactical Edition ($9.99) is as good? I know....at 1/3 the price the military would never go for it.
-
Re:Refunds
No. The CoreLocation blacklist doesn't prevent applications from using CoreLocation, it kills applications that use it. That's a big difference.
-
Re:Refunds
No. This kills applications that use CoreLocation, preventing them from working at all.
-
What use are passwords if you can circumvent them?
> Do you think the passwords execs could remember would help with securing PDAs and smart phones? No, because PDA passwords are easily defeated.
-
Re:Only One SDK App Available!
Correct, but the to-do app shown is not the first. Many other apps are in the works or already done, like NES.app