Archive for August 4, 2012

Saturday, August 4, 2012

Find My Mac and Remote Wipe

Mat Honan (via Hacker News):

In short, someone gained entry to my iCloud account, used it to remote wipe all of my devices, and get entry into other accounts too.

It seems way too dangerous to allow anyone with access to your iCloud account to remote wipe your Mac. (Plus, is remote wiping really necessary if you have FileVault enabled?) It looks like the only way to disable remote wipe is to disable the entire Find My Mac feature in the iCloud pane of System Preferences.

Secondly, the new “Allow my Apple ID to reset this user’s password” option is potentially dangerous. Or, if you’re using FileVault 2, there’s the similar option to store your recovery key with Apple.

Backing up to the cloud is great, but those backups are only as safe as your password, so they shouldn’t be your only backups.

Update (2012-08-04): Daniel Jalkut:

One way to protect yourself is by declining to delegate authentication to third parties. When enrolling in a new service that offers Twitter or Facebook authentication, I usually go through the nuisance of creating a new account instead. That way I can choose a unique passphrase, and store that in my keychain. I prefer this to allowing numerous items to be implicitly added to my Twitter or Facebook “keychain.” Don’t put all your eggs in one basket, as they say. (Well, that’s what I’m doing with my keychain, but I am empowered to personally protect it and to back it up as I see fit.)

Update (2012-08-05): Mat Honan:

I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.

Update (2012-08-05): Jonathan Grynspan reports that there’s a bug that can allow anyone with access to your Apple ID (which obviously includes Apple itself) to access your FileVault-encrypted drive, even if you’ve not shared your FileVault recovery key with Apple.

Update (2012-08-06): Mat Honan:

At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his .Me email — which, of course was my .me email.

In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an Internet connection and a phone can discover.

Update (2012-08-17): Mat Honan:

My data came back to me on an external hard drive, organized by file types. The thing I cared most about, above all else, was my photo library. And there, in a folder full of JPGs, was photo after photo after photo that I had feared were gone forever. Subfolders were organized by the year, month and day files were created. I went immediately to the folder that bore the date my daughter was born. They were there. Everything was there. We were floored. I nearly cried.

Update (2017-09-20): Juli Clover:

Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone.

Power Assertions

Mike Abdullah:

So I did a search for “power assertions os x” and frankly came up pretty blank. It seems Apple’s documentation mostly consists of reproducing chunks of the header files. Not to worry, they’re fairly easy to understand, so here for the benefit of future generations is a simple example…

Power assertions are a technology for preventing the Mac from going to sleep automatically. Mountain Lion is more aggressive about sleeping, so applications need to tell it which operations shouldn’t be interrupted. Abdullah has also posted a simple Cocoa wrapper for the relevant I/O Kit APIs.

Update (2012-08-09): Keith Harrison:

The pmset command (/usr/bin/pmset) provides command-line access to many of the power management settings that are visible in the Energy Saver preferences pane. In addition it provides a way to view and manage power assertions. For example if I use iTunes to play some music it allows the display to sleep but a power assertion prevents the system from entering the idle sleep mode.

It can also show you which processes are preventing sleep.

Non-Contiguous Range Selections

Kirk McElhearn:

You’re probably familiar with the ability to Shift-click to extend a selection, and Command-click to make a non-contiguous selection. But the ability to combine both of these can be very useful when you want to select a number of items in a list.

Are Functional Languages Inherently Slow?

Jon Harrop (via Dave Dribin):

All modern functional language implementations continue to box excessively. JVM-based languages like Clojure and Scala have little choice because the VM they target cannot even express value types. OCaml sheds type information early in its compilation process and resorts to tagged integers and boxing at run-time to handle polymorphism. Consequently, OCaml will often box individual floating point numbers and always boxes tuples. For example, a triple of bytes in OCaml is represented by a pointer (with an implicit 1-bit tag embedded in it that gets checked repeatedly at run-time) to a heap-allocated block with a 64 bit header and 192 bit body containing three tagged 63-bit integers (where the 3 tags are, again, repeatedly examined at run time!). This is clearly insane.