I think you have missed my point. If the certificate is signed by some random authority it is "valid" but that only says that the authority (whoever that is) trusts the server. If the client did as it should (and what other Apple apps do), then it should check that the certificate is signed by an authority that it can check directly using the authority's public key built into the client.
That way it would be impossible to spoof the server and perform a man-in-the-middle attack without either a) knowing the private key of Apple's signing authority (in which case Apple has bigger problems than people cracking Siri) or b) modifying the binary of the client application itself (always possible no matter what you do).
I just find it interesting that some applications do this properly, and others just seem to say "The cert looks legit to me, let's talk some secret stuff".
I have just done this. That exact text (as far as I can tell) is included in the text about 7/8ths of the way through.
So it looks like Apple is in the clear on this point.
A lesson in client/server security, on Siri Protocol Cracked · Score: 5, Interesting
TFA is actually pretty interesting:
As you know, the “S” in HTTPS stands for “secure”: all traffic between a client and an https server is ciphered. So we couldn’t read it using a sniffer. In that case, the simplest solution is to fake an HTTPS server, use a fake DNS server, and see what the incoming requests are. Unfortunately, the people behind Siri did things right: they check that guzzoni’s certificate is valid, so you cannot fake it. Well they did check that it was valid, but thing is, you can add your own “root certificate”, which lets you mark any certificate you want as valid.
Some Apple software (parts of iTunes) goes further and checks that the certificate presented by the server is actually signed by Apple. If the Siri software did this then the server would be impossible to fake man-in-middle-wise without hacking the client itself. Just checking that the certificate is valid is pretty useless protection - any certificate could be valid, what you care about is whether the server is who it says it is.
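The gap between "the certificate is valid" and "the certificate was signed by the authority built into the client" can be reproduced with the `openssl` command line. This is an added example, not part of the original comment and not Apple's code; the CA names and the `guzzoni.example` host name are constructed placeholders, and it assumes OpenSSL 1.1.0 or later (for `-no-CApath`).

```shell
#!/bin/sh
# Constructed demo; every name here (Vendor Pinned CA, User-Added Root,
# guzzoni.example) is a placeholder, not a real Apple value.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME CN: create a self-signed root CA (key + certificate).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf NAME CA: issue a server certificate for guzzoni.example from CA.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=guzzoni.example" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 1 \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.pem" 2>/dev/null
}

# "Is it valid?": accept any chain that ends in a root from the device trust
# store, which also holds roots the device owner installed.
verify_with_trust_store() {
    openssl verify -CAfile "$WORK/store.pem" "$1" >/dev/null 2>&1
}

# "Is it signed by our authority?": accept only chains that end in the single
# CA shipped with the client; system default roots are ignored (-no-CApath).
verify_pinned() {
    openssl verify -no-CApath -CAfile "$WORK/vendor.pem" "$1" >/dev/null 2>&1
}

# report LABEL VERIFIER CERT: print the verdict of one check.
report() {
    if "$2" "$3"; then echo "$1: accepted"; else echo "$1: REJECTED"; fi
}

make_ca vendor "Vendor Pinned CA"      # the authority built into the client
make_ca userroot "User-Added Root"     # a root added to the device later
make_leaf genuine vendor               # the real server's certificate
make_leaf spoof userroot               # same host name, different issuer
cat "$WORK/vendor.pem" "$WORK/userroot.pem" > "$WORK/store.pem"

report "trust store, genuine server" verify_with_trust_store "$WORK/genuine.pem"
report "trust store, spoofed server" verify_with_trust_store "$WORK/spoof.pem"
report "pinned CA,   genuine server" verify_pinned "$WORK/genuine.pem"
report "pinned CA,   spoofed server" verify_pinned "$WORK/spoof.pem"
```
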
When your company is circling the drain, and all your previous products don't cut it, then yes, you bet everything on something new, because if you don't, you're out of the race anyways. This is what Jobs did with OSX, and led to his other stuff.
MacOS was pretty crusty at that point, and Apple hadn't had a breakout product for years but the company was far from dead when Jobs came back. Apple still had a lot of money in the bank - any other company would have limped along for years and then sold itself to one of the giants. Jobs could have done that and been considered a success, but he chose not to.
The iPhone was the real turning point. A lot of people thought that there was no way that Apple could worm its way into the entrenched cell phone market, Apple did so by doing a complete end run around the traditional telco channels. It could have easily gone sour.
You people talk Jobs up like he was the messiah or something, but he was just a businessman that truly got lucky
Maybe, but he got lucky several times in a row. Perhaps he was just a good businessman, but there don't seem to be too many of them around.
What has always surprised me about Jobs is the amount of risk he was willing to take on. People forget what a huge leap it was to ditch everything that came before (including several up-and-coming products) and focus on OSX. The iPhone also represented a huge effort - a radical departure for Apple and radically different from other cell phones, if it hadn't been an immediate success Apple would only be a fraction of what it is today.
History is littered with the wreckage of companies that decided to change direction, diverting resources from existing customers to look for fresh fields. Apple somehow managed to do it several times to great success.
Another thing that strikes me about Apple is how old-fashioned the corporate culture seems to be (from the outside). They do business by figuring out what people want, and then selling it directly to the public with a minimum of fuss at a price that both parties can live with. Contrast this with their competitors in the computer and cell phone markets, who sell pretty much the same devices encumbered with "special offers", "free malware detection (for 30 days)", or annoying contracts, none of which customers actually desire. I can't see why other manufacturers haven't gotten the hint yet.
And you'll find that applets are slow because the Java plugin distributed and maintained by Sun/Oracle doesn't use any kind of preloading as far as I can see. Who knows if Dart is better in this regard, but Java is its own worst enemy when it comes to startup times. It is a shame, because I like almost everything else about it.
You are not wrong, but are missing the point. Java conceded the desktop to other technologies not because it was an inferior language (I find that even the much-maligned Swing produces very nice UIs) but because it took an age to start, making it unacceptable for any kind of in-browser use.
Java (or more correctly, its user base) has been crying out for some sort of faster startup since the mid 90s. No other problem has done more to keep Java off the desktop than the very slow startup times. If Java applets started as quickly as Flash objects manage to then we would still be seeing Java implemented on major web sites. I could never understand why Java doesn't snapshot and cache a prelinked version of a class the first time it loads, if anything the JVM is getting slower - the demo Java Applets on my website take about as long to start up in 2011 as they did in 2000 but my computer is many times faster.
So Google and Samsung decided they ought to delay their press conference to announce the Galaxy Nexus Prime (or whatever they're calling it) out of respect for Steve Jobs' death
Ummm, I hate to break it to you, but large multinational corporations do not delay the launch of a new product that has been anticipated for months because of sensitivity.
The Microsoft-of-the-90s comparisons are overblown. Microsoft didn't get slapped by the antitrust police for being successful. They got punished (weakly) for a series of dick moves against their competitors and even their own OEM "partners". They used their products' power with consumers to drive deeply unfair deals with the OEMs to prevent other products from even being offered.
The only way that Apple could do something similar would be to prevent retail outlets selling Apple gear from selling any competitor's product. There are pretty strict rules about that sort of thing, and (so far) Apple hasn't broken them.
Pixel Doubling looks terrible but for a lot of apps it can actually be better unless the app is designed to be resolution independent right from the start. Sure you can just scale any vector drawing and fonts to fill the larger screen, but some programs rely on drawing over bitmaps (for instance) in a pixel perfect way. Trying to do any kind of intelligent scaling is going to ruin the look of these apps. I can understand why Apple did it this way.
This is only true if you are an iOS Registered Developer which is easy to set up but will cost you $US99 per year. Personally I find this a small price to pay since XCode itself is free whereas compilers used to cost hundreds of dollars, but it annoys other people.
Have you actually tried one? They have bigger problems than the touch screen, the one I tried was under-powered with an incredibly laggy UI. It did play flash, but couldn't keep up with full screen video, the browser was slow, and the apps didn't work very well since it emulated the standard Android buttons with onscreen controls. At best it was 1/10th of an iPad at 1/4 the price.
Based on my experience, at least 80% of the home routers in use still have the default credentials unchanged since they were unpacked. That's a lot of the population vulnerable.
I am pretty sure it is cell phones - I believe [citation needed] that the iPhone (for one) does this as part of the anonymized data sent back to Apple. Google's database is probably kept up to date in a similar fashion.
What scares me the most is that to get the location they demonstrate a plausible way to access the settings on your router (if you use the default credentials.) If I was evil (or more evil) I wouldn't care about the location, I would just change the router's DNS settings and redirect all the traffic through a server of my choice.
Have you published your experiments anywhere? I have done some experiments with the audio tag and have been disappointed with the way it handles short programmatically triggered sounds. It works (barring bugs, like in Chrome) but I would love to see a better way.
Correct. If Adobe had open sourced Flash right from the beginning and provided a free dev environment it may have been ubiquitous by now instead of being a glorified video codec. But the other reason Flash applications haven't taken off is simple - nobody whose opinion matters wants them to!
Microsoft is terrified by anything that would let its locked-in customer base easily migrate to another desktop OS. Apple doesn't care so much, but would much prefer applications be developed specifically for MacOSX (and guards the iPhone like Fort Knox). The Linux desktop people are busy with other stuff and distrust Adobe. The application developers would maybe like to use Flash (or maybe not) but are hindered by insane licensing fees. The only people (apart from Adobe) who really want Flash are Google, who stand to make more money if applications are pushed out onto the web. Google are the only ones who push out Flash with their browser, and include good Flash support in their mobile OS.
Adobe really tried to get people to develop whole applications in Flash, but I could never see a compelling reason to do this. HTML works well enough for most things (even more with HTML5), anything more demanding is maybe not a good candidate for implementing as a web-based application. Where is the Flash facebook or imdb? They don't exist because they wouldn't provide anything more than what we already have. Where is the cross-platform Flash email client? Nobody cares.
I don't mean to dump on Flash too much - it serves its purpose. Even with HTML5, Flash will still be used for games, advertising, and maybe video for years to come. But it will never be the all-encompassing platform that Adobe wants it to be.
Agreed. I work in a "serious Microsoft shop" and we have just migrated our projects to VS2008. Experience has taught us that although the Microsoft Dev environments are of high quality, for the first 12 months there will be service packs and patches. We do not want to have to migrate our whole team and our projects every 3 months just to keep up.
That said, I am looking forward to using VS2010 eventually. I couldn't care less about .NET but the new C++ language features are neat.
Er... we have multiple incompatible graphic formats on web pages, and nobody says much about it anymore. Once upon the time, people were concerned about GIF vs. JPEG vs. PNG, and now it's apparently such a non-issue that you don't even realize that web pages aren't all using JPEG.
For a start, GIF and PNG are used quite differently to JPEG - there are good reasons why multiple image formats exist. All videos are pretty much the same, unless someone comes up with a codec for low-colour animation or something.
Now imagine if Google (for instance) has come up with a fantastic new image format - GPEG. It's great (10% better compression), but only Chrome supports it. Furthermore, imagine Chrome doesn't support GIF (due to licensing costs). Sites that want to work in all browsers now need to encode images in two different formats and use browser fallbacks to display the correct version. It may not matter for your blog, but it is a major hassle for sites like flickr and wikipedia. Many sites wouldn't bother and just look bad on minority browsers, or maybe even rely on Flash to display images on all systems.
Video and audio are like this today. It is a bit of a nightmare and is holding back HTML5 media adoption. Safari won't play Theora, Firefox won't play h264 (and probably never will due to licensing issues), Chrome plays everything but has bugs in some formats, IE plays nothing currently. It is a mess.
Out of curiosity, what are these better ways of storing photos than JPEG, and in which ways are they better?
I was thinking of jpeg2000, but other formats exist.
Oh please,
Actually, that is a terrible idea. Consumers know Compaq.
I have seen lives ruined this way - be careful out there.
What do you base this assumption on?
+1 Insightful
Are you saying that Apple will sell as many iPads in the next 10 days as it did on the huge first day? I don't think Apple has a problem with that.