
Apple's iPhone security issues

Finally it gets the attention in the press it deserves:
The first concerns the iPhone's email application, which automatically downloads images within an e-mail, said Aviv Raff, a security researcher, on Thursday.
That's problematic because the image will refer back to a server-side script when it is downloaded, indicating to the sender that the e-mail has been opened and the e-mail address is valid. The address can then be spammed.
Apple already knew about this design flaw when they released the iPhone. I also wrote to support several times asking how to disable the loading of images, but all I heard back (from both Apple and T-Mobile) was that this feature is not available. The support person did not confirm that this is a security issue or write back anything in particular about this problem.

It's the same problem (with Apple, not with the products!) that they don't listen to the community or bug reports - I also reported the SSL issue in MobileMe as a detailed bug report and through the support. The bug report was closed with "thanks, we don't confirm anything" and the tech support... uhm... to be polite: was not very tech savvy and said "SSL is not needed as MobileMe uses JavaScript and CSS"...

Grml. Why the heck don't they fix those issues and take more care about the security of their users data? Is Steve Jobs himself using MobileMe and exposing all his calendar data, business contacts and mails to the public? Would be interested to hear back from him... or is he not using his own service?

Read more about the iPhone security issues.



Posted by Michael Baierl on Saturday, October 04, 2008, 0 comments
Link: http://mbaierl.com/blog/2008/10/apples-iphone-security-issues.html

Do you backup?

Do you regularly create backups of your data? Just in case the hard disk decides to die? Or anything else happens to your computer?
I sort of do. "Sort of" means that I used to run a backup only about once a month - then I started iBackup and waited for about 3-4 hours until it finished the backup to my NAS system (which I bought exactly 2 1/2 weeks before Apple announced its Time Capsule :( ). Way too long for just an incremental backup. The reason for this lengthy incremental backup is that iBackup uses SMB to connect to the NAS - which means it transfers far too much data just to check whether a file has changed since the last backup.

Time to create my own script - a bit of Bash scripting, rsync with an exclude file and an Automator workflow - voilà, my incremental backups now finish in about 5 minutes! Perfect for daily backups via cron, and way better than the old backup "process", which took a few hours!

Here is the script: rsyncbackup.sh.txt. Feel free to adapt it as needed!
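A backup script in the spirit of the one linked above, added here as an example; it is not the post's rsyncbackup.sh. It assumes the NAS is mounted locally (placeholder path /Volumes/nas/backup), keeps one dated snapshot directory per run, honours an exclude file, and hard-links files that are unchanged since the previous snapshot with rsync's --link-dest, so every snapshot is a browsable full copy while only changed data is transferred and stored.

```shell
#!/bin/sh
# Added example, not the rsyncbackup.sh from the post: dated, incremental
# rsync snapshots on a mounted NAS share. All paths are assumed placeholders.
set -eu

# Newest existing YYYY-MM-DD snapshot directory under $1 (absolute path),
# or nothing if there is none. ls sorts names, and ISO dates sort by time.
latest_snapshot() {
    root=$1
    ls -1d "$root"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] 2>/dev/null | tail -n 1 || true
}

# Write a starter exclude list: macOS noise that is not worth backing up.
write_default_excludes() {
    cat > "$1" <<'EOF'
.DS_Store
.Trash/
Library/Caches/
*.tmp
EOF
}

# One incremental snapshot: src -> root/<date>. Files unchanged since the
# previous snapshot are hard-linked (--link-dest) instead of copied, so the
# new directory is a complete tree but only changed files consume space.
# $4 (the snapshot date) is optional and defaults to today.
backup_snapshot() {
    src=$1; root=$2; excl=$3; day=${4:-$(date +%Y-%m-%d)}
    dest="$root/$day"
    prev=$(latest_snapshot "$root")
    mkdir -p "$dest"
    if [ -n "$prev" ] && [ "$prev" != "$dest" ]; then
        rsync -a --delete --exclude-from="$excl" --link-dest="$prev" "$src/" "$dest/"
    else
        # first run, or a re-run on the same day: plain sync into place
        rsync -a --delete --exclude-from="$excl" "$src/" "$dest/"
    fi
    printf '%s\n' "$dest"
}

# Stand-alone use from cron, e.g. "0 2 * * * /path/to/backup.sh run".
# Source, NAS mount point and exclude file location are assumptions.
if [ "${1:-}" = "run" ]; then
    [ -f "$HOME/.rsync-exclude" ] || write_default_excludes "$HOME/.rsync-exclude"
    backup_snapshot "$HOME" /Volumes/nas/backup "$HOME/.rsync-exclude"
fi
```

rsync compares size and modification time before sending anything, so walking an unchanged tree is cheap even over SMB; that is where the minutes-instead-of-hours difference comes from. Passing the date explicitly as the fourth argument makes the function reproducible, which the test relies on.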

So my recommendation to everyone - review your backup process; it has to be simple, painless and fast. Otherwise you are not going to use it! Which brings up Mozy - why not use this great, unlimited online backup service? My personal reason is that I don't want my Mac to be running to do the uploads - that's what my NAS does in the background - and that I already own a me.com account as well as a 50GB Bingodisk account. No need for another service...



Posted by Michael Baierl on Saturday, September 13, 2008, 2 comments
Link: http://mbaierl.com/blog/2008/09/do-you-backup.html

SSL is unnecessary! CSS is encrypted!

Yes, at least according to Apple, SSL is completely unnecessary. Why and how do I come to make this claim? Well, I have been e-mailing with Apple support for some time now about MobileMe's security problem. And somehow I get the impression that they do not understand the problem: that data such as e-mails, the address book or calendar entries are transmitted unencrypted between my computer and the MobileMe servers. Which you can tell not only from the URL, but can also verify very easily with e.g. Firebug, Fiddler or Wireshark.
But now Apple support writes me the following:
...SSL encryption ensures that you are connected to the correct server and that your username and password are transmitted encrypted.
Recording network traffic is only possible if the network is insecure, i.e. if the password or the type of encryption is too weak on WLAN networks or similar.
And that is exactly the point. Insecure networks such as hotspots. Or simply the certainty that my contact (customer?) data cannot be intercepted! In response to my request for clarification with technicians, I received the following reply:
...I am sorry that I did not go into more detail about the security of MobileMe. In fact, MobileMe is based on JavaScript and CSS, both of which are secured with the latest encryption technology. Since all operations run on our servers, no SSL is necessary. SSL is only necessary for the login process, since that happens client-side, i.e. on your computer.
I see. So CSS is encrypted. Right. And the login happens in the browser. Right. So SSL really is completely unnecessary!



Posted by Michael Baierl on Tuesday, August 26, 2008, 1 comments
Link: http://mbaierl.com/blog/2008/08/ssl-ist-unntig-css-ist-verschlsselt.html

telnet is insecure! Even if you use WiFi!

Discussing telnet usage in a forum:
> Who the heck is still using telnet? It's the same as
> with FTP - the password is transmitted in plaintext...

Considering that the WiFi connection is encrypted (if using WEP/WPA), it really makes no difference.
Ouch!



Posted by Michael Baierl on Monday, August 18, 2008, 1 comments
Link: http://mbaierl.com/blog/2008/08/telnet-is-insecure-even-if-you-use-wifi.html