Tuesday, July 22, 2008

iPhone 3G hacks - wasting ur tim3

The group of coders who hang out around the iphone-dev corner store have released code that jail breaks iPhone 2.0 firmware. The current version is PwnageTool 2.0.1. Don't waste your time hacking up your 3G unless your a tech junkie who like to smash things. Even with this successfully installed on the 3G iPhone your still stuck with AT&T. There are no SIM lock hacks for the current base-band firmware to remove the requirement to use a contract-bound carrier. However, you can use this firmware 2.0 hack on the iPhone 2G running 2.0 firmware. SIM hacks are readily available for this platform. I think, once the dust settles, the 2G iPhone will make a nice tech-junkie toy that you can pick up cheap on e-bay ;)

Don't waste your time. Be patient, and don't take the risk! The iPhone 3G will be available for direct purchase without a contract soon enough. Not to mention, no one I know actually complains about being an AT&T customer while toting an iPhone. 6 months from now you will be able to pick one up at a fraction of the total cost of ownership. Meanwhile, I'll continue to chuckle when I see new iPhone 3G users...

silly tech-junkie.

Wednesday, March 5, 2008

HP acquisition of Spydynamics leaves a blurry line

After HP acquired Spydynamics it was pretty clear that HP did not want to interrupt the success and innovation of the Atlanta based company. Personally, I think acquisition without assimilation can be a great way to grow and diversify an enterprise like HP. However, acquisitions aren't always clean, and more often than not they provide very quick pathways to increase the risk profiles of both companies.

That risk includes but isn't limited to technology, fiscal, procedural or human resources challenges. Not to mention, and the issue driving this post, the risks of damaged reputation. Now, I would not go so far as to say this will drive shares down, but the blurry line left between the two regarding who owns and delivers the Spydynamics software lineup will affect potential consumers. That could have a customer service impact, result in a total loss of the reputation of Spydynamics and ultimately impact the bottom line.

And lastly, an example of this risk that you would think someone at Spy would take care to address (that is, if they still have the independence and control) can be seen in the interaction of the two domains, hp.com and spydynamics.com. Visit any download link on spydynamics.com, and you may notice that spy passes the request to the HP BTO software delivery site. And, if you are a paranoid script blocker like myself, you'll notice that the action between the domains is a cross site scripting exchange (XSS). I say exchange, because in reality XSS happens all over the place and the action of XSS is not inherently evil. However, that's the issue. The unfortunate reality is that just like the term "hacker", XSS has very negative connotations. Script blockers like noScript flag this action as a suspicious request. This could result in that negative impact as discussed above. Now, this isn't a huge issue, but it's frustrating and obvious to some. I think the work here is unclear and unfinished. If I ran a company touting that we could "implement a security risk assessment at every phase of the application lifecycle" I would certainly start with my own applications. Maybe they don't see this as a risk, but I do. If you can't critique yourself, who can you critique?

Wednesday, February 6, 2008

TrueCrypt for Mac is out....Finally

Truecrypt 5.0 for the mac has been released. I encountered an issue with permissions on the default install under leopard/intel. If you try to run it from finder as a normal user it spits out an "unsupported architecture" error. A quick work around is to set the binary to setuid:

sudo chmod u+s /Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt

I'm not sure how to work in the Leopard privilege controls (still researching, they may fix it first) and I can make no guarantee that this is a "secure" means of running the software. i.e. if there are vulnerabilities in the TrueCrypt binary one could exploit the fact that it is setuid and take control of the system...

You would need to be local to the machine to do that. Happy encrypting...

Also: checkout http://www.wilderssecurity.com/showthread.php?p=1177223 since the TrueCrypt forums seem to be down ...like forever. There are some bugs in 5.0, maybe the dev team should have put out a beta for testing and while they were at it, fix their forums...