Archive for August 17, 2015

Monday, August 17, 2015

Thunderstrike 2

Trammel Hudson (comments):

This is the annotated transcript of our DefCon 23 / BlackHat 2015 talk, which presented the full details of Thunderstrike 2, the first firmware worm for Apple’s Macs that can spread via either software or Thunderbolt hardware accessories and writes itself to the boot flash on the system’s motherboard. The original slides are available.

Rich Mogull:

The concept is based on earlier firmware vulnerabilities. According to articles, five new vulnerabilities were reported to Apple after the original Thunderstrike proof of concept. Of those, one has been patched, one has been partially patched, and three more are still being dealt with.

However, Apple also added code to block an attack from a Web page (or other software) from infecting the firmware. It may still be possible to attack the Mac’s firmware if the bad guy can gain physical access, but you don’t have to worry about your firmware becoming infected because you browsed to the wrong Web site.


[Nearly] everyone can ignore Thunderstrike 2 entirely. The research really is excellent, compelling work that the Wired piece unfortunately turned into a bit of a fright-fest. The Web attack vector, in particular, is blocked in OS X 10.10.4.

Previously: Mac OS X 10.10.2.

Twitter Removes 140-Character Limit From Direct Messages

Juli Clover:

Twitter today announced a major change to the way Direct Messages work on the Twitter platform, removing the 140-character limit that restricted the length of private messages. With the change, Twitter’s Direct Message feature is on par with other chat and messaging apps, allowing for unrestricted conversation.

Except that, presumably, sending URLs is still restricted.

Manton Reece:

It was around this time, nearly 3 years ago, that I posted my last tweet. My bet with Daniel is over whether I will return to Twitter within 5 years. People ask if I’ll come back sooner, and if I did, what it would take. I’ve often struggled to articulate those conditions, because I think we are seeing slow but consistent progress to unwind the developer-hostile decisions made a few years ago. It may be that in a couple years the environment will be much improved, but there won’t be any single decision that “fixed” it, or it may be that Twitter is doomed to have changing leadership and there will never be any guarantees.

There is one thing, though. There is one change that was made while rolling out the version 1.1 Twitter API: they removed support for unauthenticated RSS feeds of user tweets or timelines. If they reversed that one decision, the next day I would be back on Twitter.

Update (2015-08-18): It looks like Twitter has allowed DMs to include URLs since December (via Joe Fabisevich).

Windows 10’s New Licensing Scheme

Nick Heer:

Ed Bott explains how Windows 10’s licensing works. In short, it now ties a Windows 10 license to the hardware and stores it on Microsoft’s servers, so it’s possible to wipe your system and do a reinstall without having to enter the key again.

Microsoft WinObjC

Salmaan Ahmed (via Daniel Jalkut):

Today I’m going to take you a bit deeper on what’s in the Windows Bridge for iOS (previously referred to as ‘Project Islandwood’), how it enables iOS developers to bring their code and skills to Windows, and why we’ve decided to make this particular Windows bridge available as open-source on GitHub.


Our goal with the iOS bridge has never been simply to run iOS apps on Windows. Rather, our goal is to help you write great Windows apps that use as much of your existing code and knowledge as possible. We will, of course, continue to work to expand our iOS compatibility, but it’s important to note that there is much more you can do with the bridge.

Previously: Microsoft’s New Middleware: Islandwood and Astoria.

Craig Hockenberry:

This work was based on our own Chameleon Project, written by Sean Heber.

Christopher Lloyd:

So far I know of 3 iOS compatibility layers built with Cocotron: Inception Mobile (now MS), Apportable and Stella

Guy English:

Looks like Microsoft played fast and loose with licenses of open source projects they used for WinObjC. They should work hard to fix this.

Peter Steinberger:

WinObjC’s source code is well worth a read. Some parts are super interesting, others just plain scary.

Ari Weinstein:

WinObjC is chock full of crude shortcuts, questionable design decisions, and ridiculously incomplete implementations.

Landon Fuller:

When including an actual copy of arc4random involves borrowing a single .c from the BSDs, there’s really no excuse

Mike Ash:

That’s the cryptographic equivalent of leaving brown liquid high-level nuclear waste sitting around in sealed Coke bottles.

Logan Collins (compare with Apple’s):

Ladies and Gents, WinObjC’s implementation of the (supposedly) thread-safe dispatch_once.

Frank A. Krueger:

Ouch the NSLayoutConstraint solver is pretty weak :-( Single-pass, only 2 levels of priority. Still fun to read.

Rosyna Keller:

This Objective-C bridge Microsoft released the source to is so bizarre. Many things not implemented (CFUUID), strange coding conventions…

Some of it just makes you want to curl into a ball and cry. Also, check!

Tim Dierks:

WTF code from Microsoft. None of these are correct; some are just crazy.

Brian Webster:

Soooo Microsoft basically reimplemented Objective-C synthesized accessors in C++?


AppHub (comments):

Use git push to instantly update your iOS apps. Stop waiting weeks to iterate on your app. Just add our iOS framework and start pushing updates.


Section 3.3.2 of the iOS Developer Program explicitly permits this “provided that code does not change the primary or advertised purpose of the Application as submitted to the App Store.”


You can make changes to JavaScript code and assets (images, sounds, etc).


Yes, AppHub only supports React Native.


The PhoneGap app (and probably many others) has been pushing JS code without the need of Apple’s approval for a long time now, and Apple hasn’t had any problem with it. If this is not abused, to do things against the ToS, it is a really nice thing to have.

However, the very next guideline, 3.3.3, states:

Without Apple’s prior written approval or as permitted under Section 3.3.25 (In-App Purchase API), an Application may not provide, unlock or enable additional features or functionality through distribution mechanisms other than the App Store or VPP/B2B Program Site.

I wouldn’t plan on Apple continuing to approve applications that do this. However, if you are already using React Native, anyway, I guess you would not be risking very much by giving it a try.

iCloud Can Now Restore Contacts, Calendars, and Reminders

Kirk McElhearn:

This isn’t related to iCloud backups. I don’t back up any of my iOS devices to iCloud, yet I see a number of available backups to restore. For example, for my calendars and reminders, I see this[…]

I’m not sure what triggers a backup on iCloud, but there are clearly gaps there. However, this is better than nothing.

Finally. Unfortunately, it simply says “No archives available” when I try to restore my contacts. For calendars, it offers me 6 backups for the 17 days of August, even though I make many edits per day. And you can’t restore data for third-party apps. So, better than nothing, but there is still a long way to go.

Mac OS X 10.11 Removes /usr/bin/lockfile

Dave Nanian:

Little did we know that there was a shoe preparing to drop (although perhaps the fact that it was in /usr/bin was a hint): in El Capitan B4, Apple decided to stop shipping Procmail, and with it, lockfile. It wasn’t deprecated and then removed… it was unceremoniously sent to the bit bucket. So, as of B4, scheduling in El Capitan broke.


In the end, we did none of those things. Instead, since Procmail is Open Source, we changed our build process to build lockfile as well, and included that command, unmodified, in our bundle.


This also meant we had to change the scripts that were looking for lockfile to find our application bundle and call the new, “local” version of lockfile instead. And that means, unfortunately, that users have to delete and recreate their schedules.