Categories
Rochester Technology

Kodak says it will appeal ruling on Apple/RIM patents

In the sunniest terms possible, Kodak claims a partial victory in the Apple and RIM patent suit they had originally hoped would yield a billion-dollar payout.

The presser points out that, while the current ruling claims that Apple and RIM did violate the patent but that the patent is invalid, one previous ruling was exactly the opposite. They plan to appeal. What are the chances that they go double-zippo in the next one?

Categories
Technology

Apple sets about securing the mobile wallet future.

The site PatentlyApple.com has an exhaustive discussion of what it says is a new Apple patent for security systems. H/T Schneier on Security

Here’s the problem: people don’t like passwords much. In fact, they hate them. Having to remember passwords for every stupid website is tedious, plus having to remember all those passwords for your job. But with the era of mobile phones you wave at the checkout counter to pay your shopping bill, the need to secure your little sidekick is more urgent than ever.

Beyond that, there is the trouble of setting a password for a device and then forgetting it. If you forget your password at work, a bored and modestly irritated tech support guy can usually be torn away from his Angry Birds game long enough to reset it. If you forget the password of your favourite website, they all have means of resetting passwords via email.

But a password set on your mobile phone doesn’t have any means of resetting. That makes setting a phone password a bit dangerous, and as a result, most people don’t bother to do anything of the kind.

Apple’s solution is basically the idea of a charging station or other commonly-used accessory that holds a password recovery system embedded on it. A mobile device that is stolen in the field without this password reset system would be effectively disabled.

There are a lot of questions surrounding this type of system. Like: what happens if you lose or damage the charging station? And do people really want to go back to buying expensive charging stations when we’ve only just entered the world of plug type standards? Finally, the article makes the point that passwords are a big hassle. Agreed. But what about adding another device to your life – one that requires its own configuration at the time of purchase – makes handling passwords any easier or more likely?

Apple Invents an Ingenious Security System for the iWallet Era – Patently Apple.

Categories
Technology

Steve Jobs

I recall being a ten or twelve year old and riding in my father’s car. He was excitedly relaying to me the new things that were happening at his job at Xerox, wherein a new computer system was being used that required him to “click” on things… on the screen, if you can believe it… by using something he called a “mouse.” Being already an experienced hand at programming in the BASIC language (Apple IIe and Commodore 64), word processing on IBM machines, and whipping ass on Atari games, I quite naturally assumed my father was losing his shit.

But he wasn’t. And one of the great creative minds of that era has left us. Steve Jobs is gone.

I don’t have a whole lot to say that hasn’t already been said, so I’ll eschew the nobility epitaph. What I will remember is the awe of seeing an Apple IIgs for the first time in a kiosk at the mall in Auburn. Or scratching my pre-pubescent head over the meaning of Leisure Suit Larry in the Land of the Lounge Lizards on the nascent Mac computers. And of course, no memory of 80’s computing would be complete without fording a river on the Oregon Trail.

Apple was never the only game in town and I played with every computer I could find, as soon as I could find it. Speaking of which: my apologies to anyone working in the computing department of Sears in the Eighties for the PRINT “My butt stinks!!!” GOTO 10 gag. It was funny, honest to god.

But what Apple did then and continues to do now is impart the sense of genuine wonder to the computing world. That drew me in then and it draws people now. With Steve Jobs’ irrepressible inspiration gone – his “vision” as President Obama today called it – I do wonder what keeps the momentum going. Technology will continue to grow and weave its way into our lives. But will it fascinate us the way it fascinated Steve? We’ll have to wait and see.

Categories
Technology

New Security Concern Over Apple Laptop Batteries

News this morning is that a security researcher by the name of Charlie Miller discovered a new and potentially troublesome security vuln in Apple laptops. It seems that the CMOS battery is protected using default passwords, meaning the same password is set for every laptop. There is more discussion of the issue here at the Internet Storm Center and the original article, here.

So, ok…. What does all this mean?

Computer motherboards – the sort of backbone of your computer, where all your drives and goodies connect – have a small amount of writable memory on them that holds configuration for the hardware itself. You may never have seen this data, and that’s a good thing: modern computers spare their users the hassle of navigating text-only windows of inscrutable data and settings. Those settings can have huge impact on the usability of your computer, up to and including rendering the computer unusable, and the memory that holds this information is actually much larger than the amount of data held there. That means something else, like a virus, could potentially be stored there.

This system of data is held in memory by a small watch battery on the motherboard. Note that this is not the same battery that powers the computer while you work.

Because laptops are portable and therefore more susceptible to theft and shenanigans, laptop CMOS settings are usually protected by a password. In the case of Apple laptops, the study now shows that this password is a default password common to a host of other laptops. This means that a hacker could learn this default password and find their way onto any Apple laptop that has not had its default password changed.

What makes this especially bad is a twist of hardware design: Apple laptops have batteries that are permanently mounted inside the chassis. Unlike most laptops, whose batteries can be replaced, Apple laptops make do with a single battery. This means that if the CMOS is sufficiently nutted, you’re not going to be able to get into the system to fix the problem. At least, not through conventional methods.

The Threat

So, what is the potential fallout from this new security vuln? This is a threat which is pretty limited, but very significant for someone who is affected. The likelihood is that, in order to infect or otherwise harm a laptop in this manner, the hacker has to be physically present. This is not the kind of vulnerability that lends itself to Internet attack because CMOS settings are set and unchangeable once the computer is fully booted.

If someone is able to get into the CMOS settings, the first and most obvious threat would be for them to render the computer either inoperable or else significantly impaired, then change the CMOS password to something the legitimate user does not know. This would constitute a single-user Denial of Service type of hack, as one user is not able to use their computer and unable to fix the problem.

More serious would be someone filling the CMOS memory with junk data and effectively rendering the computer unbootable at all. The gravity of this particular attack is that, if the computer can’t even boot to the CMOS settings window, it may not be possible to zero out and replace the junk data.

Probably the least-likely threat is the idea of a hacker putting a CMOS virus on the system. The amount of data that can be held in CMOS is actually pretty limited, so whatever virus is there would have to be extremely small. Still, it might be possible to place a virus in CMOS that can dial home and install a fuller, more serious virus onto the hard drive.

If the intruder is able to replace and rewrite CMOS settings, clearly you can as well. They call this “flashing” the CMOS, and it’s typically done to upgrade firmware or resolve hardware issues. But you could also flash the CMOS to get rid of errant settings, which is exactly what you’d want to do in the case of this type of attack. In the worst-case scenario, pulling the CMOS battery off the motherboard would discharge the memory and bring your computer back to factory default settings. Problem solved.

Except in this case, the battery is a permanent resident of the motherboard. There’s no pulling this battery and no way to reset the CMOS settings in the event that normal CMOS settings pages are inaccessible. And that’s the real threat.

Overall, this is a very low-level threat, given the nature of the attack. And it should be pointed out that all motherboards have CMOS and very few are protected by any kind of password, especially not desktops. Still, the fact that all Apple laptops are secured with the same password is arguably more serious than other laptops not having any password at all, if only because the spread of this knowledge among the hacking community makes exploiting it more tempting.

Categories
Politics Technology

iPhone iSpy: Tracking Means Many Things

It seems that the story about Apple’s location tracking has widened quite a bit since going to the Senate and additional hearings have been called:

Apple Location-Tracking Drama Extends to Carriers, Prompts Hearing – Mobile and Wireless – News & Reviews – eWeek.com.

These hearings might possibly lead to some genuinely important and helpful laws to enhance our individual privacy.

But since the word “tracking” is getting used a lot, there is an important point that is likely to get lost in the public debate. That is: it doesn’t matter if Apple or Google (who produce the Android Operating System that powers many other smart phones) or AT&T are “tracking” your location. What matters is that information about your whereabouts for the last year or more is available to… anyone.

I should also point out that smart phones logging nearby wifi locations and other data points makes perfect sense to me as a developer: developers are always looking for the most efficient means of delivering content, the better to enhance the user experience. So, keeping record of the spots the user will likely revisit is a good idea, in a purely theoretical programmatic bubble.

The trouble is: if that data is available and not encrypted in some fashion, then not just the developer but any person with access to your phone can access this data. Bluetooth and wifi make having access to your phone a lot less personal than you might think, too.

I am not writing to raise the red flag of panic, either: very simple measures can solve these problems. Encrypting the data would be sufficient. But if the public debate centers on the companies like Apple “snooping” on their customers, we’ll get sidetracked by trust issues.