Archive for July 25, 2018

Wednesday, July 25, 2018

Password Rules / UITextInputPasswordRules

Mattt Thompson:

WebKit engineer Daniel Bates submitted this proposal for consideration to the WHATWG on March 1st. On June 6th, the WebKit team announced Safari Technology Preview Release 58, with support for strong password generation using the new passwordrules attribute. This announcement coincided with the release of the iOS 12 beta SDKs at WWDC, which included a new UITextInputPasswordRules API, along with a number of other password management features, including Security Code AutoFill and federated authentication.

[…]

Apple’s Password Rules Validation Tool allows you to experiment with different rules and get real-time feedback of their results. You can even generate and download passwords by the thousands to use during development and testing!

[…]

On iOS, you set the passwordRules property of a UITextField with a UITextInputPasswordRules object (you should also set the textContentType to .newPassword while you’re at it)[…]

Previously: Minimum Password Lengths.
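The descriptor that passwordrules and UITextInputPasswordRules(descriptor:) take is a small grammar: semicolon-separated "property: value" pairs, where the property is required, allowed, max-consecutive, minlength or maxlength and a class is upper, lower, digit, special, ascii-printable, unicode or a custom "[chars]" set. The following is an added example (not Apple's code and not from NSHipster) that parses such a descriptor, checks a candidate password against it, and generates a conforming one by rejection sampling. The validation semantics (at least one character per required class; every character in some allowed or required class; ascii-printable when nothing is listed) are this example's reading of the documented rules, and the exact membership of the special set is an assumption taken from Apple's documentation.

```python
"""Parse a passwordrules descriptor, then check or generate passwords for it.
Added example, not Apple's or NSHipster's code; semantics are our reading of
the documented rules (see the lead-in)."""
import re
import secrets
import string

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    # Assumed to match Apple's documented "special" set.
    "special": set("-~!@#$%^&*_+=`|(){}[:;\"'<>,.? ]"),
    "ascii-printable": {chr(c) for c in range(0x20, 0x7F)},
}
ANY = None  # stands for the "unicode" class: any character matches
# One class token: a bracketed custom set (which may contain commas) or a name.
_CLASS_TOKEN = re.compile(r"\[[^\]]*\]|[^,\s]+")

def parse_class(token):
    token = token.strip()
    if token.startswith("[") and token.endswith("]"):
        return set(token[1:-1])
    if token == "unicode":
        return ANY
    if token in CLASSES:
        return CLASSES[token]
    raise ValueError(f"unknown character class: {token!r}")

def parse_rules(descriptor):
    """Turn 'required: upper; minlength: 8;' into a rules dict."""
    rules = {"required": [], "allowed": [], "minlength": None,
             "maxlength": None, "max-consecutive": None}
    for part in descriptor.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed property: {part!r}")
        name, value = name.strip().lower(), value.strip()
        if name in ("required", "allowed"):
            rules[name].extend(parse_class(t) for t in _CLASS_TOKEN.findall(value))
        elif name in ("minlength", "maxlength", "max-consecutive"):
            if not value.isdigit():
                raise ValueError(f"{name} wants a non-negative integer, got {value!r}")
            rules[name] = int(value)
        else:
            raise ValueError(f"unknown property: {name!r}")
    return rules

def allowed_chars(rules):
    """Characters the password may contain at all (required classes count too)."""
    classes = rules["allowed"] + rules["required"]
    if not classes:
        return CLASSES["ascii-printable"]
    if any(c is ANY for c in classes):
        return ANY
    return set().union(*classes)

def check_password(password, rules):
    """Return the names of the rules a password violates ([] means it passes)."""
    problems = []
    n = len(password)
    if rules["minlength"] is not None and n < rules["minlength"]:
        problems.append("minlength")
    if rules["maxlength"] is not None and n > rules["maxlength"]:
        problems.append("maxlength")
    for i, cls in enumerate(rules["required"]):
        hit = n > 0 if cls is ANY else any(ch in cls for ch in password)
        if not hit:
            problems.append(f"required[{i}]")
    allowed = allowed_chars(rules)
    if allowed is not ANY and any(ch not in allowed for ch in password):
        problems.append("allowed")
    run = rules["max-consecutive"]  # N means no more than N identical chars in a row
    if run is not None and re.search(r"(.)\1{%d,}" % run, password, re.S):
        problems.append("max-consecutive")
    return problems

def generate_password(rules, length=None, attempts=1000):
    """Rejection-sample a password satisfying rules (our generator, not Safari's)."""
    pool = allowed_chars(rules)
    pool = sorted(CLASSES["ascii-printable"] if pool is ANY else pool)
    if length is None:
        length = max(rules["minlength"] or 0, 16)
        if rules["maxlength"] is not None:
            length = min(length, rules["maxlength"])
    rng = secrets.SystemRandom()
    for _ in range(attempts):
        # Seed one character from each required class, then fill from the pool.
        chars = [secrets.choice(pool if c is ANY else sorted(c)) for c in rules["required"]]
        chars += [secrets.choice(pool) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(candidate, rules):
            return candidate
    raise ValueError("could not satisfy the rules in %d attempts" % attempts)
```

Feeding the same descriptor string to both this checker and Apple's Password Rules Validation Tool is a quick way to catch a rule that silently rejects every password a site actually accepts (a common mistake is listing a custom allowed class and forgetting that it replaces ascii-printable rather than extending it).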

I Know What You Did Last Month: a New Artifact of Execution on macOS 10.13

Kshitij Kumar and Jai Musunuri:

In macOS 10.13 (High Sierra), Apple introduced CoreAnalytics, which is a system diagnostics mechanism that maintains a record of Mach-O programs that have executed on a system over approximately one month. CoreAnalytics can serve a number of valuable analytical purposes for both insider threat investigations and incident response. The artifact can be used to:

  • Determine the extent to which a system was in use, with accuracy up to one day
  • Determine which programs were run on a particular day, whether in the foreground or in the background
  • Determine how long, approximately, a program was running and/or active, as well as provide an approximate number of times the program was launched or brought to the foreground interactively

Update (2018-08-06): Sarah Edwards:

The knowledgeC.db database can be found on macOS and iOS devices. On Mac systems there will be a system context database located in the /private/var/db/CoreDuet/Knowledge directory, while a user context database is located in the user’s ~/Library/Application Support/Knowledge/ directory.

[…]

The database has many tables which have many columns. This article will only go over three of these that I have found to be particularly interesting. I encourage you to look at your own data to discover other items of investigative value.

Update (2018-09-14): Sarah Edwards:

This database holds a serious amount of data and it can be easy to get tunnel vision. Think about correlating this data with the location data I’ve presented in other presentations and blog articles. Where was the user when they were looking at a specific app or browsing to a specific website? Were they driving distracted and watching YouTube when they shouldn’t have? If the user was using a specific app during a time of interest, go to that app’s data and look to see if it may contain data relevant to your investigation.
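Added example for the knowledgeC.db investigation above (not the authors' tooling): a constructed, in-memory stand-in for the database, the per-event listing an examiner pulls first, and the per-day aggregation that answers "which programs ran on a given day, and for how long". The table and column names (ZOBJECT.ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) and the '/app/inFocus' and '/app/usage' streams follow Sarah Edwards' description; the CREATE TABLE here is a minimal reconstruction, not the real schema, and every row is made up. Timestamps in Core Data stores are Mac absolute time, seconds since 2001-01-01 00:00:00 UTC, which is 978307200 seconds after the Unix epoch.

```python
"""Query app-usage intervals from a knowledgeC.db-style SQLite store.
Added example; schema is a minimal stand-in and all rows are constructed."""
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
MAC_EPOCH_UNIX = 978307200  # seconds from 1970-01-01 to 2001-01-01
SAMPLE_DAY = datetime(2018, 7, 24, tzinfo=timezone.utc)
ONE_DAY = timedelta(days=1)

def to_mac_abs(dt):
    return (dt - MAC_EPOCH).total_seconds()

def from_mac_abs(seconds):
    return MAC_EPOCH + timedelta(seconds=seconds)

def build_sample_db():
    """Constructed stand-in for knowledgeC.db with only the columns used below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY,
        ZSTREAMNAME TEXT, ZVALUESTRING TEXT, ZSTARTDATE REAL, ZENDDATE REAL)""")
    t = SAMPLE_DAY + timedelta(hours=9)
    m = lambda n: timedelta(minutes=n)
    rows = [  # stream, bundle id, start, end (all made up)
        ("/app/inFocus", "com.apple.Terminal", t, t + m(25)),
        ("/app/inFocus", "com.apple.Safari", t + m(25), t + m(40)),
        ("/app/inFocus", "com.apple.Terminal", t + m(40), t + m(50)),
        ("/app/usage", "com.example.updater", t + m(180), t + m(182)),  # background
        ("/app/inFocus", "com.apple.Safari", t + ONE_DAY, t + ONE_DAY + m(60)),
    ]
    conn.executemany(
        "INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE) VALUES (?,?,?,?)",
        [(s, b, to_mac_abs(a), to_mac_abs(e)) for s, b, a, e in rows])
    conn.commit()
    return conn

EVENTS_SQL = """
SELECT ZSTREAMNAME, ZVALUESTRING, ZSTARTDATE, ZENDDATE
FROM ZOBJECT
WHERE ZSTREAMNAME IN ('/app/inFocus', '/app/usage')
  AND ZSTARTDATE >= ? AND ZSTARTDATE < ?
ORDER BY ZSTARTDATE
"""

# The same aggregation works in any SQLite client: shift the Core Data
# timestamp onto the Unix epoch, bucket by calendar day, sum the intervals.
DAILY_SQL = f"""
SELECT DATE(ZSTARTDATE + {MAC_EPOCH_UNIX}, 'unixepoch') AS day,
       ZVALUESTRING AS bundle_id,
       ZSTREAMNAME AS stream,
       CAST(ROUND(SUM(ZENDDATE - ZSTARTDATE)) AS INTEGER) AS seconds,
       COUNT(*) AS events
FROM ZOBJECT
WHERE ZSTREAMNAME IN ('/app/inFocus', '/app/usage')
  AND ZSTARTDATE >= ? AND ZSTARTDATE < ?
GROUP BY day, bundle_id, stream
ORDER BY day, seconds DESC
"""

def app_events(conn, start, end):
    """Intervals in [start, end) as (stream, bundle_id, start_dt, end_dt, seconds)."""
    cur = conn.execute(EVENTS_SQL, (to_mac_abs(start), to_mac_abs(end)))
    return [(s, b, from_mac_abs(a), from_mac_abs(e), e - a) for s, b, a, e in cur]

def daily_summary(conn, start, end):
    """{(day, bundle_id, stream): (total_seconds, event_count)} per UTC day."""
    cur = conn.execute(DAILY_SQL, (to_mac_abs(start), to_mac_abs(end)))
    return {(day, b, s): (secs, n) for day, b, s, secs, n in cur}

if __name__ == "__main__":
    db = build_sample_db()
    for key, (secs, n) in sorted(daily_summary(db, SAMPLE_DAY, SAMPLE_DAY + 2 * ONE_DAY).items()):
        print(key, f"{secs}s over {n} event(s)")
```

Two things to keep in mind on a real image: work on a copy of the database (the WAL file next to it may hold the newest rows), and note that DATE(..., 'unixepoch') buckets by UTC, so a late-evening session can land on the "wrong" day unless you convert to the machine's local zone first. The counts in /app/inFocus are focus changes, which is why the text calls the launch count approximate.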

Google’s HTTP “Not Secure” Warning

Dave Winer:

Apparently tomorrow is the day Google will start flagging sites that use HTTP, the standard web protocol, as “not secure.” Curious to see how people react. BTW, this link has auto-playing video. It may be “secure” but it’s also obnoxious. This blog and all my other sites use HTTP. I don’t see that changing. I expect this will make writing for the web more of a chore. That’s life I guess. I don’t want Google to be able to mold the web to its needs. I never signed on to being a Google developer, and never would. Basic rule: Google is a guest on the web, as we all are, and guests don’t make the rules.

Brent Simmons:

I am not looking forward to all the work I have to do to make my blog http://inessential.com use https.

I’ve got 19 years of posts to go through. I don’t know how much this is going to suck yet.

Troy Hunt (via Peter N Lewis):

In one of many robust internet debates (as is prone to happen on Twitter), the discussion turned to the value proposition of HTTPS on a static website. Is it needed? Does it do any good? What’s it actually protecting? I’d been looking for an opportunity to put together some material on precisely this topic so when a discussion eventually led to just such an offer, it seemed like the perfect time to write this post[…]

[…]

So that’s precisely what I’ve done - intercepted my own traffic passed over an insecure connection and put together a string of demos in a 24-minute video explaining why HTTPS is necessary on a static website. Here’s the video and there’s references and code samples for all the demos used immediately after that[…]

Why No HTTPS? (via Hacker News):

Following is a list of the world’s top 100 websites by Alexa rank not automatically redirecting insecure requests to secure ones.

Previously: Google and HTTP.

Update (2018-08-01): Troy Hunt:

In the launch blog post, I wrote about the nuances of assessing whether a site redirects insecure requests appropriately. The tl;dr of it was that there’s a bunch of factors that can lead to pretty inconsistent behaviour. Just read the comments there and you’ll see a heap of them along the lines of “Hey Troy, site X is redirecting to HTTPS and shouldn’t be on there”, followed by me saying “No they’re not, here’s the evidence”.

[…]

I want to touch on a question that came up quite a few times and indeed I showed this behaviour earlier on with Roblox. What happens if a website doesn’t respond with a redirect in the HTTP response header? Is an HTTP 200 and a meta refresh tag or some funky JS sufficient?
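The question at the end of that update has a mechanical answer: the list counts a site as redirecting only when the HTTP response itself is a 3xx with a Location header that resolves to an https:// URL. A 200 whose page carries a meta refresh, or a script that rewrites location, is served in full over plain HTTP before any hop happens, so it is exactly the response an on-path attacker can rewrite. The following added example (not Troy Hunt's checker) classifies one response that way; the verdict names, the sample responses and the check_site helper's User-Agent are constructed here, and check_site is the only piece that touches the network.

```python
"""Classify how a site answers a plain-HTTP request: real redirect, meta
refresh, or nothing. Added example, not the Why No HTTPS? project's code."""
import http.client
import re
from urllib.parse import urljoin, urlsplit

META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
REFRESH_EQUIV = re.compile(r"""http-equiv\s*=\s*["']?\s*refresh""", re.I)
REFRESH_URL = re.compile(r"""content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*["']?([^"'>\s]+)""", re.I)

def meta_refresh_target(html):
    """URL named by the first <meta http-equiv=refresh> tag, or None."""
    for tag in META_TAG.findall(html):
        if REFRESH_EQUIV.search(tag):
            m = REFRESH_URL.search(tag)
            if m:
                return m.group(1)
    return None

def classify(requested_url, status, headers, body=b""):
    """Return (verdict, target) for one response to a plain-HTTP request.

    redirects-https  3xx whose Location resolves to an https:// URL
    redirects-http   3xx whose Location is still http:// (follow it and re-check)
    meta-refresh     200 page that only hops via <meta refresh>; not a redirect
    no-redirect      anything else, including JavaScript-only redirects
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        target = urljoin(requested_url, hdrs["location"].strip())
        scheme = urlsplit(target).scheme.lower()
        return ("redirects-https" if scheme == "https" else "redirects-http", target)
    hop = meta_refresh_target(body.decode("utf-8", "replace"))
    if hop is not None:
        return ("meta-refresh", urljoin(requested_url, hop))
    return ("no-redirect", None)

# Constructed responses, one per behaviour the list has to tell apart.
SAMPLES = {
    "proper-301": (301, {"Location": "https://example.com/"}, b""),
    "relative-302": (302, {"location": "/home/"}, b""),
    "meta-only": (200, {"Content-Type": "text/html"},
                  b'<html><head><meta http-equiv="refresh" content="0; url=https://example.com/"></head></html>'),
    "js-only": (200, {"Content-Type": "text/html"},
                b'<html><script>window.location.href="https://example.com/";</script></html>'),
    "plain": (200, {"Content-Type": "text/html"}, b"<html><body>hello</body></html>"),
}

def classify_samples(base="http://example.com/"):
    return {name: classify(base, status, headers, body)
            for name, (status, headers, body) in SAMPLES.items()}

def check_site(host, path="/", timeout=10):
    """One live GET over port 80 without following redirects (needs network)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "https-redirect-check/0.1"})
        resp = conn.getresponse()
        body = resp.read(64 * 1024)  # enough to see a <meta refresh> in <head>
        return classify(f"http://{host}{path}", resp.status, dict(resp.getheaders()), body)
    finally:
        conn.close()

if __name__ == "__main__":
    for name, (verdict, target) in classify_samples().items():
        print(f"{name:14} {verdict:16} {target or '-'}")
```

A redirects-http verdict is not a failure by itself (many sites first canonicalise the path or host over HTTP); re-run the check on the target until it lands on https:// or loops, and treat more than a handful of hops as a finding. Whether the eventual HTTPS response sets Strict-Transport-Security is a separate check, since HSTS is what stops the plain-HTTP request from happening at all on later visits.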

The Secret Call to Andy Grove That May Have Helped Apple Buy NeXT

Chris MacAskill (via Hacker News):

I can’t explain why I couldn’t just chill and trust Steve, George Fisher and our engineers [about the Motorola 88110]. Who was I to get so worked up over it? Steve called me at 11 one night to settle me down but I couldn’t let it go. I wanted to know what Intel was doing and everyone just shrugged. Steve had a philosophy of betting on technologies in the spring of their lives, not the autumn.

[…]

I closed my office door, picked up the phone, and asked for Andy Grove. I wanted to know why they weren’t in the conversation. I guessed it was because we used the Intel i860 chip on one of our graphics boards and it didn’t impress us. But what were Michael Dell, Bill Gates and Andy going to do about the Intel 80486 facing the same fate as Motorola’s 68040? I had to know.

[…]

Here’s how I’ve remembered Gil’s answer over the years: “Great question, we had big internal debates about that. A lot of people at Apple were afraid of Steve and Jean-Louis had many supporters. BeOS was very respected. In the end it came down to NeXT already supporting Intel and that was important to us.”

I remember thinking, oh my God. Steve, you owe me.

Chris MacAskill:

My opinion after working for [Steve Jobs] (and writing this story) is he couldn’t see obvious things everyone else could see, but he could see things no one else could. I fought with him over stores as did virtually everyone on the board of Apple, and it turned out he was right. Thank God he was stubborn enough to go forward with them. We all said it drove Gateway out of business, yada.