Archive for October 9, 2015

Friday, October 9, 2015

Gatekeeper Exploit

Dan Goodin:

Patrick Wardle, director of research of security firm Synack, said the bypass stems from a key shortcoming in the design of Gatekeeper rather than a defect in the way it operates. Gatekeeper’s sole function is to check the digital certificate of a downloaded app before it’s installed to see if it’s signed by an Apple-recognized developer or originated from the official Apple App Store. It was never set up to prevent apps already trusted by OS X from running in unintended or malicious ways, as the proof-of-concept exploit he developed does.

[…]

Wardle has found a widely available binary that’s already signed by Apple. Once executed, the file runs a separate app located in the same folder as the first one. At the request of Apple officials, he and Ars have agreed to withhold the names of the two files, and instead will refer to them only as Binary A and Binary B. His exploit works by renaming Binary A but otherwise making no other changes to it. He then packages it inside an Apple disk image. Because the renamed Binary A is a known file signed by Apple, it will immediately be approved by Gatekeeper and be executed by OS X.

From there, Binary A will look for Binary B located in the same folder, which in this case is the downloaded disk image. Since Gatekeeper checks only the original file an end user clicks on, Wardle’s exploit swaps out the legitimate Binary B with a malicious one and bundles it in the same disk image under the same file name. Binary B needs no digital certificate to run, so it can install anything the attacker wants.

Glenn Fleishman:

This modified Trojan Horse software still needs to be downloaded or copied, and then launched by the user. “This is merely a Gatekeeper bypass,” Wardle notes, although there are many ways in which less-sophisticated users are fooled into running software with uncertain origins. Many free and trial software can be found at download sites, and are repackaged with adware and other unreliable software.

But Wardell also notes that because this affects third-party signed apps, malware could be intercepted over unencrypted downloads by anyone who could insert themselves into a network connection. This could include criminals and governments.

“What do you think?”

Arno Gourdol:

A few weeks later, sitting at the same computer, Steve is leaning in, his face just a few inches from the screen as he studies the pixels. On the screen is a new design for the shape of the Aqua windows. In the previous iterations, the windows had four rounded corners, but now the corners at the bottom are square, to solve a design problem with the placement of the scrollbars.

Historical Photos

Sean O’Kane:

You’ve seen images from the Apollo missions before, but you’ve never seen anything like this. More than 8,400 images from NASA’s Moon missions have been uploaded to Flickr at a resolution of 1800 dpi.

NASA didn’t just send astronauts to the Moon to do scientific exploration, it also sent them equipped with a handful of Hasselblad cameras. The images from these cameras were preserved, and many were digitized. But in recent years the screens we use — the ones in our living rooms, on our desks, and even the ones in our pockets — have seen a drastic increase in quality, leaving these photos looking pixelated and fuzzy. Thanks to some tireless work from a few enthusiasts, every photo taken on the Moon (and many of the ones taken on the way there and back) has been uploaded in high resolution to one massive Flickr gallery.

Jason Kottke:

Yale has made 170,000 Library of Congress photos of the US from 1935 to 1945 available online, searchable and sortable in many different ways.

With the county map, it was easy to find photos of my area from the 1930s.

Update (2015-10-14): Dr. Drang:

You may have scrolled through the albums and downloaded a few photos. And you may have thought it would be cool if you could just download all of them. If you have about 60 GB of disk space free, you can.

iOS 9 Universal Links and Forgotten Passwords

Curtis Herbert (via Federico Viticci):

For your first-party iOS client, Universal Links aren't just for your brand or increasing engagement, they can also be used to greatly improve the user experience of previously annoying workflows.

[…]

With universal links we can remove Safari from that process entirely. Users can now reset their password in-app, allowing the app to also automatically log them in after the reset. This is all possible while still having the security of the reset password email to confirm identity.

His Slopes app for skiing and snowboarding looks nice (App Store).

Wi-Fi Calling

Dan Moren:

The good news is that AT&T and the FCC seem to have finally finished whatever spat discussions they’ve been having, and iPhone users on the carrier can now enable the Wi-Fi Calling feature added for all in iOS 9. (Previously, it was offered by other carriers, including T-Mobile, but not for AT&T.)

I expect this to work much better than AT&T’s MicroCell, which has limited range and sometimes inexplicably stops working. Unfortunately, Wi-Fi Calling requires an iPhone 6 or 6s.

Update (2015-10-14): Rosyna Keller:

AT&T, Sprint, and T-Mobile do not charge minutes when using Wifi calling. However, only AT&T restricts to US.

Overcast 2

Marco Arment:

And with the new storage manager, you can see how much space your downloads are consuming for each show, and optionally delete the downloads and stream the episodes on demand.

[…]

Overcast 1.0 locked the best features behind an in-app purchase, which about 20% of customers bought.

[…]

With Overcast 2.0, I’ve changed that by unlocking everything, for everyone, for free. I’d rather have you using Overcast for free than not using it at all, and I want everyone to be using the good version of Overcast.

If you can pay, I’m trying to make up the revenue difference by offering a simple $1 monthly patronage. It’s completely optional, it doesn’t get you any additional features, and it doesn’t even auto-renew — it’s just a direct way to support Overcast’s ongoing development and hosting without having to make the app terrible for 80% of its users.

Marco Arment (comments):

I wasn’t very competitive against Pocket with Instapaper, and Pocket “won” (at least in the sense of having far more users, although if I had to choose either company to be running today, I’d definitely pick Instapaper).

I’m trying not to repeat my mistakes, and one of the biggest mistakes I made was putting short-term gain from paid-app sales above long-term growth. I watched my biggest competitor clone all of my features, raise VC money, and hire a staff. I knew he’d go completely free months before he did.

[…]

Podcasts are hot right now. Big Money is coming.

[…]

They’re coming with shitty apps and fantastic business deals to dominate the market, lock down this open medium into proprietary “technology”, and build empires of middlemen to control distribution and take a cut of everyone’s revenue.

Update (2015-10-15): Dave Winer:

Now people seem to think there has to be a linear relationship between code created and money paid. I come from the distant past where this was considered gospel. I made the mistake of charging for Frontier, a powerful system-level scripting environment, in its early days (1992). Ultimately it would have to compete with a product from Apple which of course was free, and even though our product solved many problems Apple left as “third-party opportunities” the users and developers gravitated to Apple. We went out of business quickly.