Facebook Friday: Sex offender busted for surfing at Apple store

Originally published 05/27/2011 on lubbockonline.com

Bob Cuddy of the San Luis Obispo Tribune reports that a known sex offender, Robert Nicholis McGuire was arrested at the San Luis Obispo Apple Store for violating his probation. In a perfect example of going to the wrong place at the right time, Mr. McGuire was recognized by sherrif deputies as he went into the Apple Store. He proceeded to log into Facebook on a display computer. A deputy went to the computer next to McGuire's. According to the SLO Sherrif's department press release:

San Luis Obispo County Sheriff's detectives, including the Sexual Assault Felony Enforcement (SAFE) team spotted a known sex offender in downtown San Luis Obispo on Wed afternoon. One of the SAFE team detectives recognized the man from a previous child pornography case. As one detective followed the man, another checked the probation terms of the registered sex offender. They followed the man to the Apple store on Higuera St. where he entered and began to log on to the internet from a display computer. Another detective went to the computer next to the man and logged on to the Megan’s law website. At about the same time the probation term information was received that clearly indicated McGuire was prohibited from using the internet. McGuire had logged on to his Facebook page. McGuire was taken into custody without incident after he left the store. McGuire made a statement to detectives that he thought he was being followed after the man standing next to him logged onto the Megan's Law site. McGuire is being held without bail at the San Luis Obispo County Jail.

Obviously Mr. McGuire is a "mind your own business" kind of guy. Otherwise he would have noticed someone logging onto the California Megan's Law sex offender tracking website on the computer next to him. He would have noticed that it was the private law enforcement version with full info about sex offenders, not the limited info public version. He probably would have not opened a web browser or closed it if it was open. But he didn't notice, and he did open a web browser and log onto Facebook, and now one more predator is off the streets thanks to his own stupidity.

Even Apple had to admit it: Mac Defender is real malware for the Mac.

Originally published 05/25/2011 at lubbockonline.com

 

Mac now has real malware. First announced May 2nd by Intego, it's similar to numerous fake anti-virus and anti-malware programs on the Windows side. As far as danger, it's a standard scam to get your credit card number and other identifying information. Unlike some other trojan software it doesn't do anything to your computer or the data on it.

 

Apple spent 3 weeks seemingly ignoring the problem, but on Monday they added a knowledgebase article on avoiding or removing the malware. They are also preparing an OS update that will explicitly warn if a user downloads Mac Defender or one of it's variants. They haven't said what versions of Mac OS will be getting the update, but hopefully they will cover all the affected OS's, not just OS X 10.5 and 10.6.

Warning a user that they're downloading malware is all well and good, but as time goes on and the list of malware grows that could become pretty unwieldy. Hopefully now that there is a piece of malware for OS X that is real, widespread, and effective at what it does Apple will pay more attention to the reality that, like all other software, OS X is not bulletproof and needs serious attention paid to security.

Congress says, "protect customers", Justice Department says "spy on them."

Originally posted 05/11/2011 on lubbockonline.com

Today Apple and Google execs appeared before congress to answer questions about the way their operating systems gather user data. Darrell Etherington of the Gigaom column at Businessweek reports that Senator Al Franken assured everyone that the purpose of the hearing was not to bring an end to location services, but to move forward while protecting customers.

While Senator Franken was working to protect consumers from overreaching data collection by cell phone makers, the Justice Department was arguing for laws requiring cell phone providers to collect more data on their customers. Declan Mcullagh reported in his Privacy Inc. blog that Jason Weinstein, the deputy assistant attorney general for the criminal division testified on the need for cell phones to collect and retain data to make it easier for law enforcement to gather evidence:

"Many wireless providers do not retain records that would enable law enforcement to identify a suspect's smartphone based on the IP addresses collected by Web sites that the suspect visited," he added.

Really? They won't be able to identify a persons smart phone if they can't use the IP address assigned to it? I know some criminals will avoid putting any identifying information on the phone if they can, but really. The only way to identify a smart phone belongs to someone is by knowing it's IP and the web sites it visited. It makes you wonder how they were ever abe to solve crimes back in the dark ages when there were no smart phones with IP addresses and web sites to record them.

This is a typical overreach. The idea that government can require gathering data on everyone because there are a few instances the data may help in a criminal case goes against the spirit of the 4th Amendment and the idea of innocent until proven guilty. Why is a cell phone any different than the information in my home? They can't go into everyone's home and gather data to make it easier to solve criminal cases. Why should they be allowed to go into my phone? And why should they be able to gather data, or have someone else gather data from my phone without any evidence I've committed a crime? They shouldn't. That's what the Bill of Rights was written to protect us from.

Should Apple map your travels? Should police seize your cell phone data?

Thanks to Kenny Ketner for pointing this Apple privacy invasion out to me. TalkingPointsMemo reports that Apple iPhones and iPads are tracking every move we make (if we own one). I would assume iPod Touches are also guilty. Sam Biddle, the author, has a map on the article showing everywhere he's been for the last six months.

At this point it looks like the information isn't transmitted to anyone, it's only gathered on the i-device and the computer it is tied to. But does that really matter? Why gather that much information on your customers? There is no reason if you don't intend to use it - or find a use for it. Which begs the question of whether or not Apple or any company has the right to be gathering the data in the first place. But even if you do have the right and you do have a use for it, gathering it could put your customers at risk in a number of ways. Which leads us into the second half of this post:

infosec island reports that Michigan state police are using data extraction devices to collect data from cell phones when they make a traffic stop, and have been for several years. According to the report the extraction devices used by the Michigan police are capable of breaking encryption if data collected is encrypted. According to a brochure for the UFED mobile data extraction device it can extract:

• Call logs, including SIM deleted call history
• Contacts
• Phone details (IMEI / ESN, phone number)
• ICCID and IMSI
• Text messages (SMS), including SIM deleted messages
• Photos
• Videos
• Audio files
• SIM location information: TMSI, MCC, MNC, LAC
• Image geotags

If that's not enough:

 

The UFED’s SIM ID cloning feature allows data extraction from PIN locked SIMs, phones with missing SIM cards, and phones without network service. The cloned SIM card also allows access phones without connecting to a network, preventing incoming calls and messages, while preserving the existing call and message history.

 

Now we have police downloading the data from cell phones of people who have done nothing more than be pulled over for speeding. Shouldn't that fall under the heading of unreasonable search and seizure? Today it's not unusual for someone to have more of their personal lives on their cell phones than in the filing cabinet in their home office. Maybe even more than is in their computer. To say that police can download that data without having to get a warrant or even have probable cause is a gross violation of privacy and civil liberties.

I can understand and to some extent agree with the "border" searches of laptops. Sort of. But the pseudo-justifications given for those searches and seizures do not apply to most, if not all, of the people giving up their cell phone data because an officer said they had to. If it was an iPhone, they've given their life history for the last 6 months. I can already see misuses and abuses for such information. Imagine if you happened to be in the area of an unsolved crime at the wrong time. It wouldn't be the first time limited circumstantial evidence has been hyped into a conviction.

The ACLU of Michigan has requested info on what types of data has been gathered and what is being done with it. The state has agreed - if the ACLU will cough up over $500,000 to pay for it. From here something smells rotten in the state of Michigan.

What data is gathered about us, how it is gathered and who gathers it should be something we have a lot more awareness of and say in. Apple's movement mapping and Michigan's data theft are two things that must be brought to a screeching halt.

Apple, Trojans, and FUD

Originally published 3/1/11 on lubbockonline.com/glasshouses

People seem to really enjoy finding any type of malware for Mac OS. In the decade since Apple introduced OS X there have been a handful (barely) of malicious softwares introduced for it, but only one really had the potential to be serious. I wrote about OSX/Koobface.A because it was the first serious malware for OS X - or would have been if it hadn't been broken in porting it and never fixed.

Now we have Blackhole RAT, which is being hailed as a new trojan for MacOS - again, a piece of Malware that has been ported over from Windows.

But wait. What is Blackhole RAT? What does it do? By itself, Blackhole RAT is just another remote administration tool like VNC, Apple's Remote Desktop, or Microsofts Remote Desktop. Sure, it allows someone to take over your computer across a network, but so do a host of other tools. Blackhole RAT isn't, by itself, malware. It has to be installed - probably using a trojan. It's not a trojan itself, it would be the soldier inside the horse. In the computer world, that's usually referred to as the "payload." 

So should you be worried about Blackhole RAT on a Mac? I don't think so. Apple Remote Desktop is as much a concern. Before worrying about remote administration tools (RATs) you need to understand how many ways there are to install them on your system. On a Mac, the answer is, not many.

So why am I writing about a non-issue? Because so many reputable publications are, such as PCWorld and MacWorld. But they are spreading the FUD (Fear, Uncertainty and Doubt) rather than calm, reasoned information. Someone needs to be the voice of reason.

If you are concerned about malware, Sophos offers a free antivirus software for home use. But don't panic, the Mac universe is still relatively safe unless you're exploring the seamier side of the internet. If you're doing that, I hope you're already aware of the risks.

Intel completes Light Peak. Verizon to offer unlimited iPhone data plan?

Intel completes Light Peak

According to Electronista.com Intel has completed work on it's Light Peak technology. Light Peak is ultimately an optical communications protocol, but to bring it to market faster the initial offering uses copper cables. It currently has a top transfer rate of 10Gb/s, which according to Intel will transfer a full Blu-Ray movie in under 30 seconds. When the fiber optic version is released it will have a top speed of 100Gb/s, which I suppose means it will transfer 10 Blu-Ray movies in 30 seconds. I'm sure the MPAA will be thrilled when they hear about it.

But the high bandwidth offered by Light Peak may not be it's most interesting feature. Light Peak is a multiple protocol technology. What that means is that with one Light Peak port you can support multiple data transfer technologies. For example, after Light Peak becomes available you may be able to buy a multi-protocol hub that has USB, Firewire, SCSI, PS/2 and maybe other ports, connect it to a Light Peak port and connect all of your peripherals to the one port. The idea is to reduce the number and type of ports necessary on the computer. If you like computers with small form factors like netbooks, you can understand the need for such a port.

Verizon may offer unlimited data plan for iPhone

According to the Wall Street Journal, Verizon will be offering an unlimited data plan for the iPhone - if the rumors are true and a Verizon iPhone will be announced later this month. If they can support the added demand of millions of iPhones, that will be a major feather in Verizon's hat - and a major reason for people to move from AT&T to Verizon.

Verizon iPhone pretty definite in 2011; another iPhone alarm fail

iPhone on Verizon soon

If reports on Pocketnow.com are drawing the correct conclusions Apple should be announcing a Verizon iPhone soon. Apparently there are accessories availble for Verizon iPhones, and Verizon is buying iPhone related domains like "iPhoneVerizon.com" among others. Apple exclusive contract with AT&T ended in 2010, so there's nothing to keep Apple from making deals with other carriers - and if they want tocontinue to grow and remain a power in the smartphone market, they need other carriers. So there will probably be an announcement in January with phones available March or April. Or they may make a low end iPhone available immediately with higher end phones later. They may make high and low end available immediately, it's just not the way Apple usually does these things.

Another iPhone Alarm fail

It's over now, but for the first two days of January 2011 if you set a one time alarm on your iPhone it wouldn't go off. No word on what caused the problem, only that it would fix itself January 3rd. So if you missed something important because the alarm you set in your iPhone didn't go off, it won't happen again. Really.

Is Apple's Mac App store a game changer?

The Mac App Store is coming in roughly 90 days. Steve is excited, and so are quite a few other people. According to two articles with brief developer interviews on Cult of Mac Most developers are looking forward to it. (1, 2) They also aren't sure exactly how it's going to work into their business strategies, yet, but they're excited about figuring it out.

What does an App store on Mac mean to the rest of us, though? It's hard to say right now, but the idea of high quality software for $0 and up is enticing. The software in the iPhone/iPad app store is generally of high quality. Apple's App review policy ensures that it stays that way.

Will the App store put an end to traditional software distribution? I doubt it. Not in the near future anyway. Apple wants 30% of the apps sale price, which won't fly with companies like Adobe or Microsoft. Not to mention that internet speeds are still slow enough in many places that downloading the installer for something like the Adobe Creative Suite - especially the Master Collection - would take too long for most people. But Adobe and Microsoft may find themselves left in the cold if they continue to push bloated programs that no one can truly master because no one uses most of the 'features' they have. Why spend $150 for a program that does more than you'll ever need if you can spend $20 and get a compatible program that will do everything you do need?

Another good thing for consumers is that Apple's approval process, while flawed, does create a minimum quality that developers won't be allowed to fall below. It will put a dent in shareware on the Mac, if not kill it. Why hunt for shareware of questionable quality when you can go to the app store and download an app you know will at least do what it says, and probably cheaper than a shareware program.

What about competitors? Will Microsoft create an App store for desktop Windows? For all versions? What about Google and the Chrome OS? If they do, will either have an approval process similar to Apple's? I can already answer that last question. They won't. Google's Android has an app store, but there is no review process that I'm aware of. Microsoft won't because it's not in the companies DNA. Steve Jobs has always been a micromanager, at least of projects he's really interested in. He has always wanted to control as much about the Mac's user experience as he can. The App store is one more step to total control.

If successful the Mac App store will have a profound change on software delivery on the Mac, and quickly. It's already having an effect. The effect it will have on other OS's is harder to predict, but unless it totally flops, it will have an effect. If it is as popular as the iPhone app store, Microsoft will have an App store for Windows by Summer 2011 at the very latest. They're probably already working on one. So the Mac App store has kept a few Microsoft software engineers employed for a few more months even if it flops.

(1) http://www.cultofmac.com/mac-app-store-what-do-developers-think/64859

(2) http://www.cultofmac.com/mac-app-store-more-developer-reaction/65036.

Apple patenting "traitorware"

Julie Samuels of the Electronic Frontier Foundations (EFF) "Deeplinks" blog has a lot to say about Apple's recent application for a patent on "Systems and methods for identifying unauthorized users of an electronic device." It doesn't sound too bad, does it. How do we identify someone who's stolen our $500 iPhone or our $1500 laptop? Use Apples newest development in user identification and monitoring, of course!

This technology is waaaay beyond what would be necessary to tell whether a device is stolen or not. With this "traitorware" as the EFF is calling it, Apple can collect and store biometric data on you, tell if the device has been jailbroken (and take action if it has), alert the appropriate parties of where the device is ... here's the EFF's partial list of what Apple's proposed system can do:

• The system can take a picture of the user's face, "without a flash, any noise, or any indication that a picture is being taken to prevent the current user from knowing he is being photographed";
• The system can record the user's voice, whether or not a phone call is even being made;
• The system can determine the user's unique individual heartbeat "signature";
• To determine if the device has been hacked, the device can watch for "a sudden increase in memory usage of the electronic device";
• The user's "Internet activity can be monitored or any communication packets that are served to the electronic device can be recorded"; and
• The device can take a photograph of the surrounding location to determine where it is being used.

In other words, Apple will know who you are, where you are, and what you are doing and saying and even how fast your heart is beating. In some embodiments of Apple's "invention," this information "can be gathered every time the electronic device is turned on, unlocked, or used." When an "unauthorized use" is detected, Apple can contact a "responsible party." A "responsible party" may be the device's owner, it may also be "proper authorities or the police."

There is no need for Apple, or anyone, to gather that much information about you as a purchaser of their products. This is information that can be used to steal your identity. We're not talking about a single biometric identifier - that would be bad enough. Apple want to gather your picture, voiceprint and heartrhythm at least, and maybe more. They want to monitor your internet usage - and log not just where you go, but record the actual data packets that are being sent to and from your device. They want to monitor memory usage for patterns that may indicate the device has been jailbroken - even though jailbreaking is legal.

With this patent application Apple is reaching far beyond any information they have a right or a need to gather. Pray the patent is denied and that Apple doesn't try to change it and reapply. This is an idea whose time will never come.

iTunes breach: Much ado about nothing.

It's a big story. It was reported on TechCrunch that there's a flaw in iTunes that allows bad guys to go in and empty your bank account if you have Paypal selected as the payment method. One poor customer racked up $4700 worth of charges in a matter of hours. Other customers were reporting hundreds and thousands of dollars stolen. The story grew from there.

There was just one problem. It was wrong. The real culprit wasn't a flaw in iTunes or Paypal, it was a successful phishing attack that harvested peoples usernames and passwords, allowing the hackers to access accounts and rack up charges as if they were the legitimate owners.

An overzealous reporter or editor at TechCrunch fails to adequately check a story, uses twitter to verify that there's a problem, and runs with it. There was a real newsworthy story here, but it wasn't a flaw in iTunes, it was gullible users passing on their passwords.

Don't trust requests for identifying information in email. Don't trust anything in such an email, and whatever you do, don't give out your information just because the email looks pretty. You'll keep your account and your sanity intact.

 

Apple sprays for worms

In my inbox today I had an email from Apple detailing over 80 vulnerabilities plugged in their latest OS update - OSX 10.6.3. Included in the details are the people who reported the various vulnerabilities. It fixes everything from a bug that allows a Mac to be hijacked when a user performs a spell check to the Apache web server built into OS X. This is a large update, and it really covers a lot of stuff. If you want to learn more, you can check out Apple's page on it.

Apple also released a security update for Leopard (10.5).

If you have a Mac running OS X Leopard (10.5) or Snow Leopard (10.6) you can get the updates through Software Update (either automatically or under the Apple menu) or the Apple download page.

OS X: Safer but less secure than Windows

Darren Murph at Endgadget reports that Charlie Miller is going to expose 20 zero day exploits for OS X at the upcoming CanSecWest. Mr. Miller has been exposing holes in OS X for years, and has twice won the PWN 2 OWN hacker contest by taking control of Apple computers. A third time he took control of an iPhone.

A zero day exploit is a piece of malware that takes advantage of a vulnerability that is not generally known, so there are no patches, updates, or workarounds to keep it from being used. Unless the person who discovers the zero day exploit informs the creators of the software being exploited the vulnerability probably won't patched until after someone writes some type of malware that takes advantage of the exploit.

If you, like me, are a big fan of Apple Macs, you know that Apple likes to tout the security of OS X and the Mac. If you are an honest Mac user you realize that OS X has vulnerabilities. Some have even been exploited, if not very successfully.

Charlie Miller is very good at what he does - find security holes so they can be patched before the bad guys can take advantage of them. His years of work in computer security have given him a good perspective on the state of Mac security vs Windows security, and that insight produced one of my favorite quotes on the subject:

"Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town."

In other words, Macs are safer, because there aren't that many people trying to break into them. Windows computers are more secure because the security holes are constantly being patched. As much as I wish it weren't so, the analogy works.

OS X: Safer but less secure than Windows for now

Darren Murph at Endgadget reports that Charlie Miller is going to expose 20 zero day exploits for OS X at the upcoming CanSecWest. Mr. Miller has been exposing holes in OS X for years, and has twice won the PWN 2 OWN hacker contest by taking control of Apple computers. A third time he took control of an iPhone.

A zero day exploit is a piece of malware that takes advantage of a vulnerability that is not generally known, so there are no patches, updates, or workarounds to keep it from being used. Unless the person who discovers the zero day exploit informs the creators of the software being exploited the vulnerability probably won’t patched until after someone writes some type of malware that takes advantage of the exploit.

If you, like me, are a big fan of Apple Macs, you know that Apple likes to tout the security of OS X and the Mac. If you are an honest Mac user you realize that OS X has vulnerabilities. Some have even been exploited, if not very successfully.

Charlie Miller is very good at what he does – find security holes so they can be patched before the bad guys can take advantage of them. His years of work in computer security have given him a good perspective on the state of Mac security vs Windows security, and that insight produced one of my favorite quotes on the subject:

“Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.”

In other words, Macs are safer, because there aren’t that many people trying to break into them. Windows computers are more secure because the security holes are constantly being patched. As much as I wish it weren’t so, the analogy works. Hopefully Apple is working to change that.