July 2007 Archives
AirPort Extreme Update 2007-004
Available now from Apple. Use Software Update to get it, or you can download it yourself from Apple's support page. "This update is recommended for all Intel-based MacBook, MacBook Pro, and Mac mini computers and improves the reliability of AirPort connections." No specifics mentioned, so it's unclear if this update addresses the kernel panic problem.
New Elektron Release: 2.0.1744
This is a bug fix release. It fixes a memory leak in Windows authentication, a bug in how Elektron determines which Active Directory groups a user belongs to, and removes the reliance of the Elektron double-clickable Windows certificate installers on msvcrt8.dll. This release is recommended for Windows-hosted Elektron servers, and optional for Mac OS X-hosted Elektron servers. Get it from our support page.
PARC: Wi-Fi PKI Usability Stinks
The title actually paraphrases Drs. Balfanz, Durfee, Smetters, and Grinter, but the gist is correct: managing your Wi-Fi PKI is nigh impossible. We've been seeing this here at the Labs from the beginning — from day one, the vast majority of our technical support questions have been certificate-related.
PARC conducted the study on Wi-Fi PKI usability, "In Search of Usable Security: Five Lessons from the Field" [PDF], two years ago. They asked expert computer users to try to configure their Windows XP machines to connect to the PARC Wi-Fi network:
Once the wireless network and the PKI were in place, our HCI researcher studied eight subjects’ enrollment experiences. All the subjects had advanced degrees, typically PhDs in computer science and related disciplines, but the average time it took for them to request and retrieve their certificates and then configure their systems was 140 minutes. More significantly, despite using a fairly automated Web-based enrollment system (similar to those used by commercial certificate vendors such as Verisign) and the GUI-based 802.1x wireless configuration software provided by Microsoft Windows XP, the process involved a total of 38 steps to complete enrollment.
Executive summary: "We took a bunch of computer science PhDs, gave them explicit step-by-step instructions, and it still took them over two hours to complete the configuration task, and in the end they didn't know what they had just done to their computers."
Microsoft is clearly aware of the problem, as they modified the Wi-Fi network enrollment process in Vista to suck slightly less. They've still got a long way to go, though. Personally, I'm a fan of the Mac OS X process: just connect to the network, the Mac asks "hey, I've never seen this certificate before, should I trust it?" and you're off. Clearly, Apple is on to something. Many of the technical support questions I mentioned above start with "Help: my Macs connect to my Elektron-secured network just fine, but my Windows XP machines refuse to connect!" We've never once received the opposite.
A Real iPhone Exploit?
A brace of industry pundits has been claiming for months that the iPhone suffers from poor security. Today, the first actual exploit appeared. I haven't verified this myself, but from the (incomplete) description, it seems plausible. "This looks like a very genuine hack," says Steven M. Bellovin, a respected computer security researcher.
The attack requires a user to visit a malicious website. My favorite question from the FAQ: "Could the vulnerability be used to 'unlock' the iPhone from AT&T?" The authors demur, but if it could, the attack might be a blessing in disguise!
Duke: iPhones Don't Actually Attack
Duke put out a press release indicating their network woes were due to a Cisco problem, not an iPhone problem. Oops.
When iPhones Attack
Duke network administrators are complaining that iPhones are launching inadvertent ARP floods on their Wi-Fi network. Their research indicates that the iPhone is holding on to an old gateway address even when it is issued a new one via DHCP. The iPhone then proceeds to issue ARP requests to a host that will never answer, DoS'ing the network in the process. Ouch.
via Slashdot
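The symptom described above is easy to spot on the wire: one host keeps sending ARP requests for an address that never answers. This is an added example, not Duke's or Apple's tooling, that reads tcpdump-style ARP text lines and flags exactly that pattern; the capture it runs on is constructed.

```python
import re
from collections import defaultdict

# tcpdump-style ARP lines, e.g.
#   12:00:00.010 ARP, Request who-has 10.0.0.1 tell 10.0.0.50
#   12:00:00.012 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55
ARP_LINE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{3,6}) ARP, "
    r"(?:Request who-has (?P<target>\S+) tell (?P<asker>\S+)"
    r"|Reply (?P<responder>\S+) is-at (?P<mac>\S+))$"
)

def _ts(m):
    """Timestamp of a matched line as seconds since midnight."""
    h, mi, s, frac = m.group(1), m.group(2), m.group(3), m.group(4)
    return int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)

def detect_arp_floods(lines, threshold=10, window_s=5.0):
    """Return sorted [(asker, target, total_requests)] for every host that sent
    at least `threshold` ARP requests for the same target inside any
    `window_s` span while that target never replied in the capture
    (the stale-gateway behaviour described in the post)."""
    requests = defaultdict(list)   # (asker, target) -> [timestamps]
    answered = set()               # addresses that sent at least one reply
    for line in lines:
        m = ARP_LINE.match(line.strip())
        if not m:
            continue               # ignore non-ARP / unparseable lines
        if m.group("responder"):
            answered.add(m.group("responder"))
        else:
            requests[(m.group("asker"), m.group("target"))].append(_ts(m))
    floods = []
    for (asker, target), times in requests.items():
        if target in answered:
            continue               # a real host; normal ARP traffic
        times.sort()
        best, start = 0, 0         # sliding window over request times
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            floods.append((asker, target, len(times)))
    return sorted(floods)

def constructed_capture():
    """Constructed sample: one answered lookup, one slow unanswered lookup,
    and one host hammering a gateway address that no longer exists."""
    lines = ["12:00:00.010 ARP, Request who-has 10.0.0.1 tell 10.0.0.50",
             "12:00:00.012 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55",
             "12:00:03.000 ARP, Request who-has 10.0.0.99 tell 10.0.0.50",
             "12:00:08.000 ARP, Request who-has 10.0.0.99 tell 10.0.0.50"]
    for i in range(40):            # 40 requests in two seconds, never answered
        t = 1 + i * 0.05
        lines.append("12:00:%02d.%03d ARP, Request who-has 10.0.0.254 tell 10.0.0.77"
                     % (int(t), round((t - int(t)) * 1000)))
    return lines
```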
iPhone Apps Run as Root
Ars Technica notes that applications on the iPhone run as the root user. That provides a good explanation for the lack of an SDK for third-party developers: every application would have access to every function on the phone ("What? I didn't make a ten hour call to Albania!"). I'm not sure that running applications as root is huge news though, given that the root account password has already been cracked (it's 'dottie', by the way). Plus, it's hard for me to complain given that we sell an application that starts up as root (or LocalSystem on Windows), even if it does drop that privilege later on.
Catharsis
We just had the big Elektron 2 announcement, but for some of us here in the lab the big change didn't occur with the press release, the new web site, or even the first Elektron 2 sale. No — the change occurred in our minds when we made the branch in our Subversion repository to work on the next release of Elektron. Woot!
