Archive for May 19, 2020

Tuesday, May 19, 2020

Timing in SSH

Dr. Drang:

Apparently, in its neverending quest to save battery, Apple is powering down the wifi system between packets, which means a delay when new packets arrive or need to be sent. This doesn’t materially affect file transfers or streaming because the packets keep coming, but it plays havoc with intermittent communication like a terminal session.

Pistos’s solution was to set up two connections: one that keeps up a constant, albeit low volume, flow of bytes between the Mac and whatever was connected to it; and another for what he really wanted to do. I took his solution and turned it into this short shell script[…]


A better question might be why Apple is trying to save battery life on a Mac that doesn’t run on battery.


Why NetNewsWire Is Fast

Brent Simmons (tweet):

The parsers are fast — but we also do our best to skip parsing entirely when we can. There are two ways we do that.

We use conditional GET, which gives the server the chance to respond with a 304 Not Modified, and no content, when a feed hasn’t changed since the last time we asked for it.

This is wonderful in theory, but it doesn’t seem to work consistently with my blog. I’ve tested it, and the logs show that a few percent of NetNewsWire users are getting 304-cached content, but the vast majority are not. This may be a WordPress issue.

WP Super Cache:

Supercache doesn’t support 304 header checks in Expert mode but does support it in Simple mode.

I think at one point it worked when I hacked WP Super Cache to cache feeds using mod_rewrite, but currently I’m using the unmodified version in Simple mode.
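The server-side decision behind a 304, as an added example (not NetNewsWire's or WP Super Cache's code): it evaluates `If-None-Match` and `If-Modified-Since` against a feed's current validators, following the HTTP conditional request rules. The function names, the plain-dict header shape and the validator values are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime


def strip_weak(tag):
    """Drop the W/ prefix so tags can be compared with the weak comparison."""
    tag = tag.strip()
    return tag[2:] if tag.startswith("W/") else tag


def conditional_get(req_headers, etag, last_modified):
    """Return (status, response_headers) for a GET of a feed.

    req_headers   -- dict of request headers with canonical names (assumption)
    etag          -- the feed's current entity tag, quotes included
    last_modified -- timezone-aware UTC datetime of the last change
    """
    validators = {
        "ETag": etag,
        "Last-Modified": format_datetime(last_modified, usegmt=True),
    }
    inm = req_headers.get("If-None-Match")
    if inm is not None:
        # If-None-Match wins: when present, If-Modified-Since is ignored.
        sent = {strip_weak(t) for t in inm.split(",")}
        if "*" in sent or strip_weak(etag) in sent:
            return 304, validators
        return 200, validators

    ims = req_headers.get("If-Modified-Since")
    if ims is not None:
        try:
            since = parsedate_to_datetime(ims)
            # HTTP dates have one-second resolution, so drop microseconds.
            if last_modified.replace(microsecond=0) <= since:
                return 304, validators
        except (TypeError, ValueError):
            pass  # unparseable or zone-less date: treat the request as unconditional
    return 200, validators


if __name__ == "__main__":
    changed = datetime(2020, 5, 19, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    print(conditional_get({"If-None-Match": '"v7"'}, '"v7"', changed))
    print(conditional_get({"If-None-Match": '"v6"'}, '"v7"', changed))
```

A cache layer that regenerates the ETag or Last-Modified value on every rebuild, or never compares them, will always take the 200 path even though the feed body is unchanged.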

Back to Simmons:

The same API that marks a single article as read is used to mark 10,000 articles as read. This way the database is updated once, the unread counts are updated once, and we push just one action on the undo stack.

The Cocoa frameworks can provide all sorts of notification and undo functionality almost for free, but to get bulk operations right you need to do it by hand.


Update (2020-05-25): See also: Hacker News.

FBI Unlocks Pensacola Phone

Joe Rossignol:

FBI officials have somehow managed to unlock at least one of two passcode-protected iPhones owned by Mohammed Saeed Alshamrani, the perpetrator of a mass shooting at a Naval Air Station in Florida last December, according to CNN.

Apple provided the FBI with iCloud data belonging to Alshamrani, but it refused to assist investigators with gaining access to the iPhones.

Malcolm Owen:

Though the unlock method wasn’t revealed, the fact that the FBI has been able to gain access to evidence would usually be thought to slightly reduce the pressure applied by the US government and law enforcement agencies upon Apple to provide more assistance beyond what is already offered by the iPhone maker. To US Attorney General William Barr, the press conference was an opportunity to try and increase that pressure.


Apple responded to the FBI’s first requests for information just hours after the attack on December 6, 2019 and continued to support law enforcement during their investigation. We provided every piece of information available to us, including iCloud backups, account information and transactional data for multiple accounts, and we lent continuous and ongoing technical and investigative support to FBI offices in Jacksonville, Pensacola and New York over the months since.


It is because we take our responsibility to national security so seriously that we do not believe in the creation of a backdoor — one which will make every device vulnerable to bad actors who threaten our national security and the data security of our customers. There is no such thing as a backdoor just for the good guys, and the American people do not have to choose between weakening encryption and effective investigations.

I’m trying to figure out what the last clause means. It seems like Apple is saying that it’s good that there was a security flaw that the FBI was able to exploit. This seems to let everyone have their cake and eat it, too. We get strong encryption, and the FBI gets the information it wants. But, if Apple ever fixes all the flaws, then there will be a hard choice between weakening encryption for all and impeding investigations. And, in the meantime, the strong encryption carries a huge asterisk because the government seems to be able to get into every high-profile phone, and there are tools for sale that let others do so as well.


Update (2020-05-20): Kevin Collier and Cyrus Farivar:

The FBI was able to eventually access Alshamrani’s phone not by an unprecedented technical feat, but rather by “an automated passcode guesser,” according to a person familiar with the situation who spoke on condition of anonymity because the person was not authorized to speak publicly on the matter.

Via John Gruber:

So you can see why the FBI and DOJ are still pressuring Apple to build backdoors into devices — if the Pensacola shooter had used a decent alphanumeric passphrase it’s very unlikely they’d have been able to get into his iPhone.

On the other hand, law enforcement benefits greatly from the fact that the default iOS passcode remains only 6 numeric digits.
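To put numbers on the gap between a six-digit passcode and an alphanumeric passphrase, the following Python example (added here, not taken from any of the quoted sources) computes search time per passcode policy and the minimum length needed to meet a target. It assumes about 80 ms per on-device attempt, the figure Apple's Platform Security guide gives for passcode key derivation, and ignores escalating delays and erase-after-failures settings; the alphabet names and the ten-year target are illustrative.

```python
import string

SECONDS_PER_GUESS = 0.08  # assumption: ~80 ms per attempt, per Apple's published figure
YEAR = 365.25 * 86400

ALPHABETS = {  # illustrative policy names
    "digits": string.digits,
    "lower+digits": string.ascii_lowercase + string.digits,
    "mixed+digits": string.ascii_letters + string.digits,
}


def keyspace(alphabet, length):
    """Number of distinct passcodes of exactly this length."""
    return len(set(alphabet)) ** length


def exhaust_seconds(alphabet, length, per_guess=SECONDS_PER_GUESS):
    """Worst-case time to try every passcode of this length."""
    return keyspace(alphabet, length) * per_guess


def min_length(alphabet, target_seconds, per_guess=SECONDS_PER_GUESS):
    """Shortest length whose average-case search (half the keyspace) meets the target."""
    length = 1
    while exhaust_seconds(alphabet, length, per_guess) / 2 < target_seconds:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report():
    """Worst-case search time for a few representative policies."""
    policies = (("digits", 4), ("digits", 6), ("lower+digits", 6), ("mixed+digits", 10))
    return [(name, n, humanize(exhaust_seconds(ALPHABETS[name], n))) for name, n in policies]


if __name__ == "__main__":
    for name, n, worst in report():
        print(f"{name:13} length {n:2}: {worst}")
    print("digits needed for a 10-year average:", min_length(ALPHABETS["digits"], 10 * YEAR))
```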

Apple vs. Security Researchers

Lorenzo Franceschi-Bicchierai:

The lawsuit, however, has already produced a tangible outcome: very few people, especially current and former customers and users, want to talk about Corellium, which sells the eponymous software that virtualizes iPhones and Android devices. During the lawsuit’s proceedings, Apple has sought information from companies that have used the tool, which emulates iOS on a computer, allowing researchers to probe potential iPhone vulnerabilities in a forgiving and easy-to-use environment.

“Apple has created a chilling effect,” a security researcher familiar with Corellium’s product, who asked to remain anonymous because he wasn’t allowed to talk to the press, told Motherboard.

“I don’t know if they intended it but when they name individuals at companies that have spoken in favor [of Corellium], I definitely believe retribution is possible,” the researcher added, referring to Apple’s subpoena to the Spanish finance giant Santander Bank, which named an employee who had Tweeted about Corellium.

Peter Steinberger:

So we’re back at security through obscurity? That always worked out great in history.

Joe Rossignol:

Zerodium this week announced that it will not be purchasing any iOS exploits for the next two to three months due to a high number of submissions. In other words, the company has so many security vulnerabilities at its disposal that it does not need any more.

Thomas Claburn (Hacker News):

“iOS Security is fucked,” said Zerodium’s founder Chaouki Bekrar via Twitter. “Only [Pointer Authentication Codes] and non-persistence are holding it from going to zero…but we’re seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let’s hope iOS 14 will be better.”


The market for iOS vulnerabilities took a hit last September when Zerodium said for the first time that it would pay more for flaws in Android than in iOS.


Asked whether Zerodium’s statement reflects the actual state of iOS security or should be taken as a company just trying to make waves, Patrick Wardle, principal security researcher at Jamf Security and founder of Objective-See, told The Register that it’s probably a bit of both.

Peter Steinberger:

Almost seems like Apple suing the #1 company allowing security research on iOS (Corellium) and not paying out bounties could have a chilling effect on white hats while black hats thrive.


Update (2021-02-05): Joshua Hill:

Apple denied my access to the security developer program because I haven’t done enough work. Almost all my CVEs are credited to anonymous or my team name.

Csaba Fitzl:

I had to realize as well that reporting vulnerabilities and applying for security entitlements are two unrelated things. The entitlement team doesn’t care at all about the other type of work although it took me 10 months to get the ES one, KEXT is a clear no-go.

For example the product-security team supported me in getting a kext signing cert, yet the entitlement team said they don’t care and they also said that it’s not the product-security team’s authority to decide. Sigh.

Update (2021-07-16): Khaos Tian:

lol apparently reporting a security issue to Apple product security can lead to termination from Apple Developer Program? Got a notice of termination from the personal account that has no activity recently today 🙃

Standard termination template citing violation of 3.2(f) of the agreement… Typically I think it’s used for people making fraudulent/scam apps? I haven’t submitted any apps for years so who knows ¯\_(ツ)_/¯