Friday, March 25, 2011

Stealing Software Is Too Easy At The Apple Store

When building a secure system, you have to think about all the different ways that it can be attacked or compromised. Unfortunately, that is nearly impossible in today's world.

Defender's Advantage

Historically, defenders have the advantage. While modern military communications and mobility, referred to tactically as "shoot, move, and communicate", have slightly shifted the advantage to an attacker, a good defender will still have the upper hand. Think about how difficult it would be to break into the White House or Fort Knox and you can see how much of an advantage a defender has.

Cyber Security

When dealing with cyber security, the advantage is almost completely turned around: it lies with the attacker. There are so many different ways to launch an attack that a networked computer (or even an isolated one reachable via "sneaker net") can't be fully defended. It is so difficult to safeguard against all attacks that even industry experts such as HBGary and Steve Gibson are at the mercy of the attackers.

Apple Retail Store

I recently checked out the iPad 2 at an Apple retail store and I noticed it was a special demo unit since I couldn't move the app icons to different locations. Obviously, you don't want customers messing up the demo models. But, this got me thinking about how hard it would be for Apple to wall off the computers in the store which are running Mac OS X.

How To Pull It Off

The first thought experiment I conducted to steal software on the Mac, such as Microsoft Office or Adobe Photoshop, was to drop to the command line to tar and gzip the apps, then scp the apps to one of my servers. Obviously, this isn't a simple operation and anyone sophisticated enough to do it would probably realize they'd leave an audit trail.

MobileMe To The Rescue

As I thought more about it, I realized that each Mac on display in the Apple Store has a subscription to MobileMe. MobileMe comes with iDisk, and iDisk comes with a publicly accessible folder. Unlike a Windows application, which usually requires an installer to update the Windows registry, each Macintosh application's settings are stored under the system's and the user's Preferences folders. If those configuration files don't exist when the application is first launched, they're automatically created. These configuration files usually contain any needed software licenses for basic installations, too.

You can probably see how the rest of this plays out. Simply drag a copy of an application, along with its preferences folders, to the iDisk's public folder, access it from any other Mac when you get home, and you now have a copy of Microsoft Office, etc. This is probably a key reason companies like Microsoft and Adobe have moved to a subscription-based model.


What Did I Steal?

What did I actually steal to test out this theory? Well, even in the name of investigative journalism, I saw an ethical issue with actually stealing anything in this case. Both my ethics training at college and my writing on this subject wouldn't allow it. But, as a test, I took a screenshot of a website, for which I own the copyright, and then dropped it on the iDisk's public folder. That's all there is to it.

Next Steps

For starters, don't actually try conducting the thought experiment that I outlined above. What can Apple do to prevent this? Simply setting the public iDisk folder to require a password would prevent this particular attack. Although, pointing out this vulnerability and its solution to a couple of Apple Store employees didn't seem to sink in.
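Requiring a password on the public folder closes the channel, but a store administrator would also want to know whether anything has already been dropped there. The following audit script is an added example, not code from the original post or from Apple: it walks a shared folder (the path is a placeholder; on a demo Mac it would be the mounted iDisk Public folder) and flags two kinds of artifacts described above, application bundles and per-user preference plists. The bundle and plist heuristics are assumptions made for this example.

```python
"""Audit a publicly shared folder for application bundles and preference
files that should not be sitting in a world-readable location.

Added example, not code from the original post. The share path is a
placeholder; point audit_share() at whatever folder is exposed (for example
a mounted iDisk Public folder) on the machine being checked.
"""
import os
import plistlib
import tempfile


def is_app_bundle(path):
    """Heuristic (assumption): a macOS application bundle is a directory named
    *.app whose Contents/Info.plist carries a CFBundleIdentifier."""
    info = os.path.join(path, "Contents", "Info.plist")
    if not (path.endswith(".app") and os.path.isfile(info)):
        return False
    try:
        with open(info, "rb") as fh:
            return "CFBundleIdentifier" in plistlib.load(fh)
    except Exception:
        return False


def is_preference_plist(name):
    """Heuristic (assumption): per-user preference files use reverse-DNS
    names such as com.vendor.Product.plist, so they carry several dots;
    a plain Info.plist inside a bundle does not match."""
    return name.endswith(".plist") and name.count(".") >= 3


def audit_share(share_root):
    """Return a list of (kind, path) findings found under share_root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(share_root):
        # Report each app bundle once and do not descend into it.
        for d in list(dirnames):
            full = os.path.join(dirpath, d)
            if is_app_bundle(full):
                findings.append(("app-bundle", full))
                dirnames.remove(d)
        for f in filenames:
            if is_preference_plist(f):
                findings.append(("preference-plist", os.path.join(dirpath, f)))
    return findings


def build_sample_share():
    """Construct a throwaway folder that mimics a misused Public share:
    one fake application bundle, one copied Preferences folder, and an
    innocent photo that must not be flagged. Constructed sample data."""
    root = tempfile.mkdtemp(prefix="public-share-")
    contents = os.path.join(root, "SomeEditor.app", "Contents")
    os.makedirs(contents)
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "com.example.someeditor"}, fh)
    prefs = os.path.join(root, "Preferences")
    os.makedirs(prefs)
    open(os.path.join(prefs, "com.example.someeditor.plist"), "wb").close()
    open(os.path.join(root, "holiday.jpg"), "wb").close()
    return root


if __name__ == "__main__":
    for kind, path in audit_share(build_sample_share()):
        print(f"{kind}: {path}")
```

Running it against the constructed share reports exactly two findings, the bundle and the copied preference file, while the photo is ignored; on a real demo machine the same walk would be pointed at the exposed folder and scheduled to run regularly.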


Wednesday, March 23, 2011

Living Without Incandescent Bulbs

As with all new technologies, there's a bit of a learning curve to understand the gotchas. Over the past few months, I've started replacing incandescent bulbs with low-energy light bulbs, more formally known as compact fluorescent bulbs.


When I first started making the switch, my biggest concern was the color and brightness of the light emitted from these bulbs. I did not like many of the ones I've seen in hotel rooms which were too dim and yellow. A visit to Home Depot solved that problem since they had some on display that you could juxtapose which worked out very nicely.

Once I understood the color terminology such as bright white, soft white, etc, I thought I had the problem licked.

Unfortunately, there's a problem that I can't figure out how to solve: some compact fluorescent bulbs take longer than others to reach full brightness (on the order of a couple of minutes).

Here's an example where I installed four GE bulbs of the same power and color with very different results. Although the following photo does not show the true difference, I can tell you that the bulb on the right is much, much brighter than the others for the first two minutes. The three on the left are so dim, when first turned on, that they're truly annoying. But, once they're warmed up, you can't tell the difference.



In my limited experience with these bulbs, the only thing I've noticed in common about the bulbs with the long warm-up time is that they're all made by GE. Of course, the irony is that GE is supposed to "bring good things to light." If I could go back and do it again, I'd look for white LED bulbs instead of compact fluorescent lights to replace my incandescent bulbs.

Saturday, March 12, 2011

Friday, March 11, 2011

San Diego Tsunami a Non-Event

By the time the tsunami traveled from Japan to San Diego, it seemed to have lost all of its power. As spectators flocked to the beaches to see this morning's non-event at Carlsbad, a lone surfer threw caution to the wind as he rode the waves near the very spot where Junior Seau drove his SUV off a cliff. So many people parked along the Coast Highway that the Carlsbad police had to shoo away drivers who parked illegally.



iPad 2 Customers Queue Up in Carlsbad

Last night, I started gathering some background info for a story that I'm writing on today's iPad 2 launch at the local Carlsbad Apple Store. After interviewing the first person in line, Paul Yorke, he tweeted it out:

"I was just interviewed by an AOL news organization called the Carlsbad Patch carlsbadpatch.com #inLine4iPad2"



My editor saw the tweet so we ended up running the story-before-the-story. It was my first real attempt at a video story incorporated into a written article; so the quality should only get better from here.

Monday, March 7, 2011

I Still Don't Get Twitter

"Getting" Twitter isn't really that hard. Most people understand that an e-mail is an online version of a written note or letter. But there are a few shortfalls of e-mail that don't match how we communicate in the real world.

First, it's difficult to have a real-time conversation over e-mail. Second, in a casual conversation people usually do not speak several paragraphs before getting a response. Third, you can't easily start a conversation with someone you don't know.

Twitter and Facebook simply take the conversations that we have at parties, cafes, bars and mixers into the online world.

Facebook is the private party or water cooler chat we have with the people we know, whereas Twitter is the place to have a random conversation, in public, usually with strangers. The beauty of Twitter is that you can search the conversations and jump in at any time.

Just like many people don't go to bars or cafes for atmosphere, the same is true for logging onto Twitter or Facebook. You don't have to do it if it doesn't float your boat.