The Broken-Crypto Edition

Thursday, March 24, 2016

Some Mac Users Unable To Log Into iMessage And FaceTime Following OS X 10.11.4 Update, by Juli Clover, MacRumors

The majority of the complaints are coming from users who did a fresh install of OS X, requiring them to log into the FaceTime and iMessage services. When attempting to sign in, an error pops up or nothing happens after entering an Apple ID and password, as seen in the video below. Customers who have recently purchased a new Mac also appear to be affected, and while most customers with login problems seem to be running OS X 10.11.4, there are also reports from those using earlier versions of OS X.

iMessage Crypto Fundamentally Broken, Apple Must Replace It, Say Researchers, by Lucian Armasu, Tom's Hardware

The flaws that were found allow more sophisticated attackers to decrypt picture and video attachments from iMessage. Although this attack has been made more difficult on recent iOS devices thanks to certificate pinning, someone with access to Apple’s servers could still intercept and decrypt those attachments. End-to-end encryption is not supposed to be affected by a server hack, which is why at this point iMessage’s “end-to-end encrypted” benefit is put into question.

Green did praise iMessage for being the first widely used messenger to even come close to end-to-end encryption back in 2011, at a time when most people were still using SMS texts and completely unencrypted messengers. However, iMessage has always had a centralized key server, which is a major weakness and a “feature” that’s not common on end-to-end encrypted services.

Zero Day

SentinelOne Finds Apple OS X Zero Day Bug, by Michael Hill, Info Security

The zero day vulnerability is a non-memory corruption bug present in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass the key security feature of SIP, which is designed to stop potentially malicious software from modifying protected files and folders, protecting systems from anyone who has root access, authorized or not.

In order to exploit the vulnerability, an attacker must first compromise the target system, which they could do with a spear phishing attack or by exploiting the user’s browser, for example. SentinelOne says the vulnerability is logic-based, extremely reliable and stable, and does not crash machines or processes – the kind of exploit that could be used in highly targeted or state sponsored attacks.

Apple / FBI

Apple Wasn't 'Flouting' iPhone Order, Judge Says, by Josh Gerstein and Tony Romm, Politico

“I certainly don't think, let me just comment, that Apple's been flouting the order,” Magistrate Judge Sheri Pym said Monday, according to a transcript obtained by POLITICO. “The order, essentially … pending a final decision, there's not really — it's not in a stage that it could be enforced at this point,” Pym said.

Israeli Firm Helping FBI To Open Encrypted iPhone: Report, by Tova Cohen, Reuters

Israel's Cellebrite, a provider of mobile forensic software, is helping the U.S. Federal Bureau of Investigation's attempt to unlock an iPhone used by one of the San Bernardino, California shooters, the Yedioth Ahronoth newspaper reported on Wednesday.

Thank You For Hacking iPhone, Now Tell Apple How You Did It, by Chris Strohm, Jordan Robertson, and Michael Riley, Bloomberg

The FBI’s new tactic may be subject to a relatively new and little-known rule that would require the government to tell Apple about any vulnerability potentially affecting millions of iPhones unless it can show a group of administration officials that there’s a substantial national security need to keep the flaw secret. This process, known as an equities review, was created by the Obama administration to determine if new security flaws should be kept secret or disclosed, and gives the government a specific time frame for alerting companies to the flaws.

[...] The FBI declined to comment on whether the review process will be used in the Apple dispute. Apple lawyers on Monday said that if the case proceeds, the company would want the government to share the nature of the vulnerability it found in the iPhone.

The Sims

Explainer Alert! Here’s What The iPad Pro’s Embedded Apple SIM Means For You, by Matthew Panzarino, TechCrunch

All iPad Pro 9.7″ devices have a SIM slot right on the exterior and you can put another carrier’s SIM in that slot even if the iPad Pro’s embedded Apple SIM itself has been locked to AT&T. In other words, the internal SIM may be locked, but you can “switch” carriers by using another physical SIM that you buy — the device itself is never locked.


Vice And Apple Music Launch The Score, A Docu-series About Local Music Scenes, by Jordan Crook, TechCrunch

Vice and Apple Music are teaming up to release a new docu-series that takes a hard look at some of the most interesting local music scenes in the world.

How To Set Up Medical ID On Your iPhone, by Dennis Sellers, Apple World Today

It allows you to enter info about yourself that can be useful during medical emergencies. This includes the name and phone number of a family member or friend that you want to be contacted in the event that you have a medical crisis.

Apple’s Lightning To USB 3 Adapter Brings iPad Podcasting One Step Closer, by Jason Snell, Six Colors

So there’s more work to do on this front, but this new adapter removes another barrier. Podcasters like me are now one step closer to the dream of doing it all on iOS. I hope Apple eliminates the final roadblock with iOS 10 this fall. Until then, my MacBook Air will be mandatory equipment whenever I’m traveling and podcasting simultaneously.

Apple Is Selling Microsoft Office 365 As An Accessory For The iPad Pro, by James Vincent, The Verge

As part of the ordering process for the new iPad Pro, buyers are given the option of adding a subscription for Office 365 — the only non-Apple accessory to appear in the order form. Office 365 bundles in the mobile apps and full Mac versions of a number of old standbys, including Word, Excel, PowerPoint, and OneNote. (You can also choose between the Home, Personal, and University tiers, each of which offers different features.)

Apple's iPhone SE And 9.7-inch iPad Pro Now Available For Preorder In 13 Territories, by AppleInsider

AI-Powered Apps That’ll School You In The Ways Of Chess And Go, by April Glaser, Wired

I started playing chess against artificial intelligence in mobile apps a few years ago, out of curiosity as much as anything else. But my curiosity quickly turned to timid admiration. Without any ambition or intention to do so, by playing the computer, I improved. Dramatically. If you engage in some human-computer play, you can improve too. And all you need is a smartphone or a tablet.

Denver Entrepreneur Creates App To Help Those With OCD, by Mary Clare Fischer, 5280


Macs Dent The Enterprise, But Not By Much, by Esther Shein, Computerworld

Thanks in part to the corporate BYOD movement, Apple's AppleCare service and support plan, and just plain old demand, enterprises are more steadily adopting Macs in their organizations. Those factors, coupled with Apple's partnership with IBM last year to develop a set of business apps for the iPhone and iPad, are leading Apple to make strides in the enterprise. That said, industry observers don't believe Macs will be overtaking PCs anytime soon.

Report: Apple Developing At Least 6 Cloud Infrastructure Projects Incl. Servers To Prevent Snooping, by Jordan Kahn, 9to5Mac

And when it comes to building its own servers, the report claims that Apple is partly motivated by the fact that it believes the servers it receives from third-parties have been “intercepted during shipping, with additional chips and firmware added to them by unknown third parties in order to make them vulnerable to infiltration.”

Intel’s ‘Tick-Tock’ Seemingly Dead, Becomes ‘Process-Architecture-Optimization’, by Ian Cutress, Anandtech

Intel’s latest 10-K / annual report filing would seem to suggest that the ‘Tick-Tock’ strategy of introducing a new lithographic process node in one product cycle (a ‘tick’) and then an upgraded microarchitecture the next product cycle (a ‘tock’) is going to fall by the wayside for the next two lithographic nodes at a minimum, to be replaced with a three element cycle known as ‘Process-Architecture-Optimization’.

Rumor of the Day

Apple Pay Coming To Mobile Websites Before Holiday Shopping Season, by Jason Del Rey, Re/code

Apple has been telling potential partners that its payment service, which lets shoppers complete a purchase on mobile apps with their fingerprint rather than by entering credit card details, is expanding to websites later this year, multiple sources told Re/code.

The service will be available to shoppers using the Safari browser on models of iPhones and iPads that possess Apple’s TouchID fingerprint technology, these people said. Apple has also considered making the service available on Apple laptops and desktops, too, though it’s not clear if the company will launch that capability.

Bottom of the Page

Still waiting for Apple Pay to work here in Singapore...


Thanks for reading.