Stuart Breckenridge

Easily Steal an iOS User's Password

iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.

As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.

This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog.

Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.

Astounding work by Felix Krause which shows just how easy it is to replicate an iOS system dialogue in order to steal a user’s password. Apple must fix this.




Mike Pence Takes Part in Publicity Stunt Instead of Doing His Job

Kneeling during the U.S. national anthem is a form of protest against racial injustice and to do so is protected under the First Amendment. Thus, when you read this, via the BBC, you can’t help but be confused:

US Vice-President Mike Pence has walked out of a National Football League (NFL) game after several players refused to stand for the US national anthem.

Mr Pence said he could not be present at an event that “disrespects our soldiers, our flag” after abandoning the game in his home state of Indiana.

The Vice President of the United States can’t be present when people exercise their First Amendment rights? It gets worse, though:

The Vice President of the United States can’t be present when people exercise their First Amendment rights because he was taking part in a publicity stunt orchestrated by the President of the United States.

It’s beyond shameful.


AIM to be Discontinued

Michael Albers:

If you were a 90’s kid, chances are there was a point in time when AOL Instant Messenger (AIM) was a huge part of your life. You likely remember the CD, your first screenname, your carefully curated away messages, and how you organized your buddy lists. Right now you might be reminiscing about how you had to compete for time on the home computer in order to chat with friends outside of school. You might also remember how characters throughout pop culture from “You’ve Got Mail” to “Sex and the City” used AIM to help navigate their relationships. In the late 1990’s, the world had never seen anything like it. And it captivated all of us.

AIM tapped into new digital technologies and ignited a cultural shift, but the way in which we communicate with each other has profoundly changed. As a result we’ve made the decision that we will be discontinuing AIM effective December 15, 2017

The first internet messaging client I ever used was AIM as it was bundled with one of the many AOL CDs. While my friends and I quickly moved to MSN Messenger — which itself was discontinued in 2013 after morphing into Windows Live Messenger — throughout school and university, it was AIM that started everything off.

These days I use Skype for Business at work. It holds up OK in a desktop context but it doesn’t translate well as a mobile experience. The way we communicate has, indeed, changed.


Keybase Introduces Encrypted Git

From the Keybase blog:

It is end-to-end encrypted. It’s hosted, like, say, GitHub, but only you (and teammates) can decrypt any of it. To Keybase, all is but a garbled mess. To you, it’s a regular checkout with no extra steps.

Even your repository names and branch names are encrypted, and thus unreadable by Keybase staff or infiltrators.

We think this is better than paying a fee to store it in plaintext.

I’m no expert, but will encrypting and decrypting larger git repositories not come with a significant performance hit? Regardless, I’m interested in this development and will be testing it out shortly.

(Note: I am one of the people who does sign commits.)


Yahoo Confirms 2013 Data Breach Affected All Accounts

It turns out Yahoo’s 2013 data breach affected all accounts in existence at the time of the breach:

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.

This seemed to be inevitable.

Previously: Yahoo’s 2013 Data Breach Expanded to 2015 and 2016, Yahoo Confirms Security Breach of 1 Billion Accounts