Archive for September 12, 2013

Thursday, September 12, 2013

Ruminating About Apple’s Lowercase Letters

Adam C. Engst:

From the perspective of someone who lives and breathes text, this is a wrong-headed move, because it is both inconsistent and introduces confusion-causing ambiguity, not just into everything that’s written from now on, but also into the historical record. From now on, whenever you see the word “iPhone 5s” in a sentence, you’ll have to read carefully to determine if it’s talking about the iPhone 5s, or several iPhone 5s. In some cases, there may be no way of knowing what’s meant — you can’t know what I’m referring to when I say “The iPhone 5s flew off shelves.”

Using “sudo” Without a Password

Todd C. Miller (via Dan Goodin):

The flaw may allow someone with physical access to a machine that is not password-protected to run sudo commands without knowing the logged in user’s password. On systems where sudo is the principal way of running commands as root, such as on Ubuntu and Mac OS X, there is a greater chance that the logged in user has run sudo before and thus that an attack would succeed.

The bug was reported in March. Mac OS X 10.8.5 ships with sudo 1.7.4p6, which would seem to be within the range of versions exhibiting the bug.

Certifying Certificates

Glenn Fleishman:

Whenever your browser equipped with Perspectives visits a secure site, it consults several notary servers to see if most of them agree that the signature you received matches the one they have seen most regularly. If not, you're warned. It could be that only your part of the world is getting an illegitimate certificate, or that, worldwide, it all changed at once.

Omni’s Plans for iOS 7

Ken Case:

The old versions of OmniFocus for iPhone, OmniOutliner for iPad, and OmniPlan for iPad will be removed from the App Store. If you’re not planning on updating to iOS 7 or need a version of any of these apps that runs on iOS 6 for any reason, you’ll want to grab them before the new releases ship. However, please note that we don’t plan on doing any more work on these iOS 6 apps: our iPhone and iPad development efforts are now fully focused on iOS 7.

If you have an iPhone 3GS or for some reason don’t plan to upgrade to iOS 7, you’ll need to keep your own backups of any apps that you use. The App Store makes it easier to buy apps and to update them, but it’s not designed for folks with older hardware or OS versions.

App Store Rule 11.9

Chris Adamson:

Since people could keep using this app indefinitely, I could be on the hook to MapQuest for service fees indefinitely. So I set the app up under a subscription model: the purchase price gets you three months, and then a year’s service is $5. That way, while my liabilities to MapQuest scaled with usage, so did my ability to pay them.

Unfortunately, since the app’s release, this kind of model has been explicitly forbidden by Apple’s App Store Guidelines:

11.9 Apps containing “rental” content or services that expire after a limited time will be rejected

Unaligned Priorities

Elia Freedman (via Ben Thompson):

Historically, as a developer, our priorities lined up nicely with the big player in the market: Microsoft. Microsoft makes money from software so it wants hardware and peripherals to be free. Since we make money from software, too, us developers have been in pretty good shape. Add in the fact that Microsoft primarily sells productivity software and us productivity app developers have done really well business model-wise.

But Apple and Google want software to be free, as iWork now is.

How Steve Jobs Got Fired From Apple

John Sculley:

Steve came to me and he said, “I want to drop the price of the Macintosh and I want to move the advertising, shift a large portion of it away from the Apple 2 over to the Mac.”

I said, “Steve, it’s not going to make any difference. The reason the Mac is not selling has nothing to do with the price or with the advertising. If you do that, we risk throwing the company into a loss.” And he just totally disagreed with me.

Formatting NSInteger and NSUInteger

Greg Parker:

%zd, %tu, %tx (signed, unsigned, hex) currently format NSInteger and NSUInteger with no warnings.

The printf(3) man page:

Note: the t modifier, when applied to a o, u, x, or X conversion, indicates that the argument is of an unsigned type equivalent in size to a ptrdiff_t. The z modifier, when applied to a d or i conversion, indicates that the argument is of a signed type equivalent in size to a size_t.

Apple’s String Format Specifiers documentation still recommends casting to long or unsigned long and using %ld or %lu.

FreeBSD Switches From GCC to Clang

Michael Larabel (via Marcel Weiher):

Going back for many months we have known that FreeBSD developers (and BSD users in general) have been pushing for a LLVM/Clang world and to limit the usage of GCC. Clang has grown in functionality for being on-par with GCC as a C/C++ compiler and it’s more liberally licensed than the GPLv3 GCC and the LLVM-based feature-set continues to expand like faster and lighter compilations.

Q&A About Fingerprint Scanning

Rich Mogull:

But despite the believed uniqueness of fingerprints, using a fingerprint scan as an authentication credential isn’t a panacea for security problems. It’s worth taking a little time to understand the technology, what it can do, and how it will integrate with your digital life.

[…]

But the real reason is that using fingerprints creates better security through improved usability. Most people, if they use a passcode at all, stick with a simple four-digit passcode, which is easy for an attacker to circumvent with physical possession of your iPhone. Longer passphrases, like the obscure 16-character one I use, are far more secure, but a real pain to enter repeatedly. A fingerprint reader, if properly implemented, provides the security of a long passphrase, with more convenience than even a short passcode.

Update (2013-09-12): Marcia Hofmann:

Because the constitutional protection of the Fifth Amendment, which guarantees that “no person shall be compelled in any criminal case to be a witness against himself,” may not apply when it comes to biometric-based fingerprints (things that reflect who we are) as opposed to memory-based passwords and PINs (things we need to know and remember).

mrtemple:

Apple announced that you can’t unlock via fingerprint after a reboot, or if the phone hasn’t been used within 48 hours.

Danny Yadron and Ian Sherr:

Apple testers have found the device sometimes doesn’t work with moisture-laden fingers covered in sweat, lotion or other liquids.

Update (2013-09-13): Mary Branscombe:

And like the sensor in the iPhone 5S, the sensors that will be in laptops and keyboards and other phones can detect the ridge and valley pattern of your fingerprint not from the layer of dead skin on the outside of your finger (which a fake finger can easily replicate), but from the living layer of skin under the surface of your finger, using an RF signal. That only works on a live finger; not one that's been severed from your body.

Update (2013-09-20): Apple (via Ivan Krstić):

Every fingerprint is unique, so it is rare that even a small section of two separate fingerprints are alike enough to register as a match for Touch ID. The probability of this happening is 1 in 50,000 for one enrolled finger. This is much better than the 1 in 10,000 odds of guessing a typical 4-digit passcode. Although some passcodes, like “1234", may be more easily guessed, there is no such thing as an easily guessable fingerprint pattern. Instead, the 1 in 50,000 probability means it requires trying up to 50,000 different fingerprints until potentially finding a random match. But Touch ID only allows five unsuccessful fingerprint match attempts before you must enter your passcode, and you cannot proceed until doing so.

It’s disheartening that the writer got the probability wrong. The expectation is that it will take 50,000 different fingerprints. But it could happen on the first try, or take many more than 50,000. This is all assuming that fingerprints are i.i.d., which is probably not the case.

Update (2013-09-23): Chaos Computer Club:

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake”, said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. “As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”

Tim Bray:

Is Touch ID Worth Having? I’d say yes (cautiously). John Gruber points out that pre-Touch-ID, the most popular iPhone lock method was none, swipe and you’re in. If this changes that, it’s probably worthwhile.

Gabe Weatherhead:

The fingerprint reader built in to the iPhone 5s is not as fast as I expected. It's not instant as some have suggested but rather requires a slightly longer press than I would typically use. With the screen off, I typically give a quick press to turn it on. This is not sufficient to unlock the phone. I found that to unlock the phone I had to hold my finger on the button until the screen display became active.

Update (2013-09-24): Marc Rogers:

Yes, TouchID has flaws, and yes, it’s possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial.