Monday, July 30, 2007

Ouch, this news is a few days old, but I am just catching up on security reading and ran across this one. The securityevaluators.com guys have found some real issues with the iPhone's security and have been able to exploit it. The New York Times and others have covered this recently. It seems much of the iPhone's application software runs as admin/root. The overall design of the iPhone seems to rely in large part on preventing apps from running at all, rather than on creating a robust security environment. But leverage a browser vulnerability or a similar issue from a hacked wireless network or a malicious Internet web site and it can get very interesting very quickly.

From the executive summary in the findings document:

To demonstrate these security weaknesses, we created an exploit for the Safari browser on the iPhone. We used an unmodified iPhone to surf to a malicious HTML document that we created. When this page was viewed, the payload of the exploit forced the iPhone to make an outbound connection to a server we controlled. The compromised iPhone then sent personal data including SMS text messages, contact information, call history, and voice mail information over this connection. All of this data was collected automatically and surreptitiously. After examination of the file system, it is clear that other personal data such as passwords, emails, and browsing history could be obtained from the device. We only retrieved some of the personal data but could just as easily have retrieved any information off the device.

Additionally, we wrote a second exploit that performs physical actions on the phone. When we viewed a second HTML page in our iPhone, it ran the second exploit payload which forced it to make a system sound and vibrate the phone for a second. Alternatively, by using other API functions we discovered, the exploit could have dialed phone numbers, sent text messages, or recorded audio (as a bugging device) and transmitted it over the network for later collection by a malicious party.

This is the sort of thing I was afraid of when I wrote about the potential for iPhone security and use in the enterprise. Security vulnerabilities are not just about the Windows platform, after all. Here's a mobile platform, effectively in v1, and it has flaws that can be readily exploited. Hopefully Apple will be able to get some patches ready and out before these evaluators release the details on the evening of August 2nd at the Black Hat conference, where the researchers will be presenting their discoveries. They have already provided Apple with the full details so that Apple can create and distribute a fix.

IT Security | Mobile | Tech
Monday, July 30, 2007 2:00:39 PM (Pacific Standard Time, UTC-08:00)

I was randomly looking at blogs and doing some read-click-read-click-drill-down action when I ran across something that made me laugh out loud, which as it turns out was written on a blog of someone that I used to work with. Small world eh?

It's a list of ten URLs that some unfortunate businesses not only registered but, without realizing it, put into actual use.

Blatantly copied here from Steve's Rant (hi Steve!):

Everyone knows that if you are going to operate a business in today’s world you need a domain name. It is advisable to look at the domain name selected as others see it and not just as you think it looks. Failure to do this may result in situations such as the following (legitimate) companies who deal in everyday humdrum products and services but clearly didn’t give their domain names enough consideration:

1. A site called ‘Who Represents’ where you can find the name of the agent that represents a celebrity. Their domain name… wait for it… is
www.whorepresents.com

2. Experts Exchange, a knowledge base where programmers can exchange advice and views at
www.expertsexchange.com

3. Looking for a pen? Look no further than Pen Island at
www.penisland.net

4. Need a therapist? Try Therapist Finder at
www.therapistfinder.com

5. Then of course, there’s the Italian Power Generator company…
www.powergenitalia.com

6. And now, we have the Mole Station Native Nursery, based in New South Wales:
www.molestationnursery.com

7. If you’re looking for computer software, there’s always
www.ipanywhere.com

8. Welcome to the First Cumming Methodist Church. Their website is
www.cummingfirst.com

9. Then, of course, there are these brainless art designers, and their whacky website:
www.speedofart.com

10. Want to holiday in Lake Tahoe? Try their brochure website at
www.gotahoe.com

Humor | Random Stuff
Monday, July 30, 2007 11:12:26 AM (Pacific Standard Time, UTC-08:00)
Saturday, July 28, 2007

Recently I mentioned that my older Infocus X1 projector's lamp has about a zillion hours on it and I had to do a reset of the timer to keep it running. Also, a month and a half ago I discussed my research into 1080p home theater projectors as I thought about stepping up in quality and capability to replace the X1. The thing that's been holding me back is price relative to what you get in the high-def world. I have the Xbox 360, HD-DVD and a satellite receiver that does 1080p images, so that's what I have been looking into. Sure, you can spend like $5,000 and get a pretty incredible projector, and just a couple years ago you couldn't buy a 1080p projector for less than probably $30K.

I know I want to replace the old projector I have. But I really don't want to spend $5K. Maybe half that amount would be okay, but not much more. So I put my research hat back on today and discovered Epson recently released their PowerLite Home Cinema 1080 projector for home theater. It's super-bright, has a great picture, it's a three-LCD setup, and it gets some great reviews. It's practically identical to the 'pro' model of the same line but costs literally $2,000 less. Most notably, the retail price is just under $3,000, and for the next few days (until the end of July) there's a $300 mail-in rebate from Epson.

Needless to say, I am considering making the move. I'll take some more time to weigh my options and keep researching. I do wonder what (if anything) Epson will do for an incentive once this month's rebate period runs out, but hey who knows...

As I type this, my X1's fan is starting to make a noise like the fan bearings are going bad. Not a good thing. Murphy's law, really. It may be time to break that thing open and clean it out so I can make it last as long as possible, but from the sounds of it I think it may be on its last legs.

Anyone have any experience with the Epson PowerLite Home Cinema 1080 projector? Or have a good alternative I should be considering? Let me know!

UPDATE: I ordered one, so the Epson is my choice for a new projector. Review to come after it arrives Wednesday (Amazon Prime rocks) and I get a little time with it.

Tech
Saturday, July 28, 2007 7:23:32 PM (Pacific Standard Time, UTC-08:00)

I recently (meaning a couple months ago) dumped my increasingly unreliable and time-consuming self-hosted POP and SMTP email server in favor of one of the big hosted service options available for free from a variety of sources. In my case I looked at several of the more ubiquitous options, and chose to go with Google Apps for my domain. A close second was Windows Live Custom Domains from Microsoft, but a couple missing critical features prevented me from going that route (namely access to my email via POP3). Since I am not worried about either company going away or anything, I went with the one that seems to best fit my needs as far as features and functionality are concerned. Getting the Blackberry client app for Google mail was another bonus.

However, I ran into two frustrating problems when I set up the Google Mail for greghughes.net and started accessing the email server via POP access from Thunderbird and my Blackberry Internet service.

First, I found that in some cases, once an email had been downloaded by any one POP client, no other client could download it. This is a problem if you rely on having your email available in more than one place, as I have taken for granted before.

Second, any emails sent to my own email address - the same one associated with the account - simply would not download via POP3 access, ever. Since my weblog sends email to me from my own email address (as do a couple other apps), this was a real problem. I could not really change the behavior of my applications, since doing so would break other aspects of the systems. Besides, every other mail server with POP3 support had always worked the same way (and worked just fine), so why was Google Mail's so different?

Well, it turns out there is a not-so-obvious option (not used by default) that resolves both of these issues. It's called "recent mode." Google explains it in their help in the context of the "how do I use multiple clients" issue, but the problem of POP-ing messages sent to 'Me' is resolved as well. The solution is to put an overload modifier on the front of the email account name you log in with (a little weird and probably sloppy, but perfectly functional). It's explained below. Too bad one can't just toggle the functionality as a permanent setting in the Google Mail web interface (you can set it for a one-time download option, but it always reverts to the default after that, so it appears the option below is the only way to permanently resolve this).

To solve the problem, you have to modify the login name in your POP settings with the overloading prefix:

"yourname@yourdomain.com"

needs to change to:

"recent:yourname@yourdomain.com"

The following information is snipped from the Google GMail help center (since this applies to both the general GMail and Google Apps mail services):

If you're accessing your Gmail using POP from multiple clients, Gmail's recent mode makes sure that all messages are made available to each client, rather than only to the first client to access new mail.

Recent mode fetches the last 30 days of mail, regardless of whether it's been sent to another POP client already.

If you sign in to Gmail using your Blackberry, you're signed in to recent mode automatically. For all other POP clients, replace 'username@gmail.com' in your POP client settings with 'recent:username@gmail.com'.

Source: Gmail - Help Center - How should I use POP on mobile or multiple devices?
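As an added example (not from the post, and not Google's code), here is how the prefix is applied in a POP3 client written in Python: the `recent:` goes into the login name itself, so it works for Google Apps domains as well as @gmail.com, and nothing else about the session changes. The POP3 host and port (pop.gmail.com, 995 over TLS) are assumptions, not stated on the page.

```python
import poplib
import ssl

# Added example, not from the original post. The endpoint below is an
# assumption: Gmail's POP3-over-TLS server is not named anywhere on the page.
GMAIL_POP_HOST = "pop.gmail.com"
GMAIL_POP_PORT = 995
RECENT_PREFIX = "recent:"


def recent_mode_login(address: str) -> str:
    """Return the POP3 login name that puts the session into recent mode.

    The prefix is simply prepended to the user name that the POP3 USER
    command sends, so the same rule applies to @gmail.com and to Google Apps
    domains. Names that already carry the prefix are returned unchanged
    (case of the prefix normalized), so calling this twice is harmless.
    """
    address = address.strip()
    if "@" not in address:
        raise ValueError("expected a full address such as user@example.com")
    if address.lower().startswith(RECENT_PREFIX):
        return RECENT_PREFIX + address[len(RECENT_PREFIX):]
    return RECENT_PREFIX + address


def count_recent_messages(address: str, password: str) -> int:
    """Log in over TLS with the recent-mode name and return the message count.

    Only the login name differs from an ordinary POP3 session; the 30-day
    window described in the post is applied by the server. Needs network
    access, so it is not exercised by the offline checks below.
    """
    conn = poplib.POP3_SSL(GMAIL_POP_HOST, GMAIL_POP_PORT,
                           context=ssl.create_default_context())
    try:
        conn.user(recent_mode_login(address))
        conn.pass_(password)
        count, _total_bytes = conn.stat()
        return count
    finally:
        conn.quit()
```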

Tech
Saturday, July 28, 2007 2:09:25 PM (Pacific Standard Time, UTC-08:00)
Thursday, July 26, 2007

I have used an Infocus X1 projector as my relatively inexpensive but good enough home theater equipment for a few years now. It's served me pretty incredibly well. We put a lot of hours on it, between the zillion movies, satellite TV, and extensive Xbox/Xbox 360 use. It's not HD resolution and I will soon upgrade (as I have mentioned before), but for now it does the trick.

Anyhow, the other day we turned the projector on and it displayed a warning that there were only like 8 hours remaining on the bulb timer. When they released the projector, as I recall they rated the lamp (and timer) at 3,000 hours. Since then they re-rated it at 4,000 hours. Some people get that much out of a bulb, others don't.

Today my friend Cory and I went to start a movie (Wesley Snipes is The Contractor) and the projector would not fire up the lamp. Enough use had taken place in the past few days since we first saw the timer warnings to ensure the timer had run out. Even though the bulb was not burned out, the projector would not turn it on. I started searching for replacement lamps online and found I was going to have to spend between $260 and $300 in order to replace it (ouch - like I said, time for a new projector at this rate).

While searching for lamps, I decided before I spent that kind of money on a projector I intend to replace that maybe I should ask the Google gods a question in the form of keywords: x1 projector bulb timer wont start. I was lucky, even if I was not necessarily feeling it. The first search result was an Infocus support page that told me exactly what to do at the very end of the long list of equipment (it covers every other projector they have made in detail).

If your X1, X1a, X2, X3 projector's bulb timer has run down to nada and the bulb won't light anymore, do this: Power on the projector and you will probably see a flashing red light on the control panel. Press and hold the Volume + and the Volume – buttons simultaneously for 10 seconds. The projector will reset the lamp counter to zero hours and the lamp will start. Note that what I probably should have done when I started seeing the warning was to reset the timer to zero using the on-screen menu system, but once it goes dead the volume button reset is your only choice.

Turns out the same or a similar tactic applies to a number of their other projectors, too. Check here to find out what to do for your model.

Tech
Thursday, July 26, 2007 10:01:40 PM (Pacific Standard Time, UTC-08:00)

Well here's news via Digital Media Thoughts that the cost of the HD-DVD player for the Xbox 360 is suddenly cheaper. I bought mine about a month ago. I don't suppose they'll grandfather me in? Probably not...

"Today at Comic-Con International 2007, Microsoft Corp. announced it will lower the price of the popular Xbox 360(TM) HD DVD Player from $199 to $179 ERP (United States only) starting Aug. 1, 2007, and will add five free HD DVD movies for anyone purchasing an Xbox 360 HD DVD Player between Aug. 1 and Sept. 30. In addition, Microsoft further solidified the Xbox 360 as the ultimate high-definition (HD) entertainment platform, with key announcements around the HD DVD launches of "300" from Warner Bros. Home Entertainment Group and "Heroes: Season 1" from Universal Studios."

This is a great deal, but let me give you even more incentive: most of the Xbox 360 HD DVD drives on store shelves also include the media remote, and King Kong on HD DVD. On top of that, through the Xbox Live Rewards program (which is free), you can get an additional 10% off at Circuit City. So to sum up: the drive, the remote, and six movies, for just $162. Hell of a deal!

Source: Digital Media Thoughts

Tech
Thursday, July 26, 2007 12:30:57 PM (Pacific Standard Time, UTC-08:00)