Courtesy Juli Clover, Macrumors.com
When tethering an iPhone or an iPad, iOS users have the option of using an automatically generated password for their personal hotspots, which Apple implemented to provide all users with a secure password option.
According to researchers at Germany’s University of Erlangen (via ZDNet), the way that the keys are generated – with a combination of a short English word along with random numbers – is predictable to the point where the researchers are able to crack the hotspot password in less than a minute.
In their paper, the three researchers detail the process that they used to figure out the weak spots in the hotspot’s protection. Apple’s word list uses approximately 52,500 entries, so initially, cracking the hotspot took almost 50 minutes. After finding a WiFi connection, the researchers used an AMD Radeon HD 6990 GPU to run through word and number combinations.
"This list consists of around 52,500 entries, and was originated from an open-source Scrabble crossword game. Using this unofficial Scrabble word list within offline dictionary attacks, we already had a 100 percent success rate of cracking any arbitrary iOS hotspot default password," the researchers wrote.
The team discovered that only a small set of Apple’s larger word list was being used, so with a GPU cluster of four AMD Radeon HD 7970s, they narrowed their iOS-generated hotspot password cracking time down to just 50 seconds. In the paper, the team goes on to criticize Apple’s password generation standards, suggesting that system-generated passwords be composed of random letters and numbers.
"In the context of mobile hotspots, there is no need to create easily memorizable passwords. After a device has been paired once by typing out the displayed hotspot password, the entered credentials are usually cached within the associating device, and are reused within subsequent connections," the paper states.
"System-generated passwords should be reasonably long, and should use a reasonably large character set. Consequently, hotspot passwords should be composed of completely random sequences of letters, numbers, and special characters."
As noted by ZDNet, though Apple’s password generation system is flawed, it is a more robust solution than what is used by other companies like Microsoft. For example, the Windows 8 phone utilizes default passwords that consist of eight-digit numbers.
To avoid a weak iPhone hotspot password, users can still choose to use passwords of their own creation, which should contain a sequence of random numbers and letters for enhanced security.
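To put numbers on the researchers' recommendation, the following added example (not code from the article or the paper) compares the entropy of a word-plus-digits default and an eight-digit default with a fully random password, and generates one from the operating system's CSPRNG. The word-list size and the eight-digit default come from the article; the four appended digits, the 94-character alphabet and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

WORD_LIST_SIZE = 52_500    # word-list size reported in the article (approximate)
WP8_DIGITS = 8             # eight-digit numeric default reported in the article
ASSUMED_IOS_DIGITS = 4     # ASSUMPTION: the article does not say how many digits follow the word

# Letters, digits and special characters: 94 printable ASCII symbols (space excluded).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def bits(candidates: int) -> float:
    """Entropy in bits of a password chosen uniformly from `candidates` options."""
    return math.log2(candidates)


def word_plus_digits(words: int, digits: int) -> int:
    """Search space of the '<word><digits>' scheme."""
    return words * 10 ** digits


def min_length(target_bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Shortest random password over the alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_hotspot_password(length: int = 20) -> str:
    """Random WPA2-PSK passphrase drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:   # WPA2 passphrase length limits
        raise ValueError("WPA2 passphrases must be 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def compare() -> dict:
    """Entropy of each scheme in bits, rounded to one decimal place."""
    ios = word_plus_digits(WORD_LIST_SIZE, ASSUMED_IOS_DIGITS)
    return {
        "word + digits": round(bits(ios), 1),
        "eight digits": round(bits(10 ** WP8_DIGITS), 1),
        "20 random characters": round(bits(len(ALPHABET) ** 20), 1),
    }


if __name__ == "__main__":
    for scheme, b in compare().items():
        print(f"{scheme:22s} {b:6.1f} bits")
    print("length needed for 128 bits:", min_length(128))
    print("example password:", generate_hotspot_password())
```

Because the password is typed once and then cached by the joining device, the longer random string costs the user almost nothing while moving the search space far beyond what a word list covers.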
Courtesy Ars Technica
Apple’s iCloud is marketed to us end users as a convenient and centralized way to manage data on all of our Macs and iOS devices: sync contacts and bookmarks, re-download music and apps, back up iOS devices, and sync documents and data for third-party apps as MobileMe did. The last item, syncing of documents and data, is one of the least glossy features of iCloud, but it is one of the most important, and it should be among the most straightforward. Right?
Perhaps not. Almost a year after Apple shut down MobileMe for good in favor of iCloud, third-party developers have begun to speak out about the difficulty involved in working with Apple’s cloud service. A piece published at The Verge this week highlights many of those complaints, with quotes coming from well-known developers and anonymous sources alike about the challenges faced by the developer community. From data loss and corruption to unexpected Apple ID use cases, developers have seen it all—but are stymied by the persistence of problems that prevent them from shipping products with working iCloud support.
What’s the big problem, exactly? According to Bare Bones Software’s Rich Siegel, there are a number of moving parts to iCloud that all affect how things come out on the other end.
"In concept, the service is pretty simple. A central iCloud server holds the truth: the canonical version of the user’s data for an app. As the user manipulates an app’s data, iCloud tracks and reconciles the changes into the central truth and makes sure that all copies of the data, on each computer, are brought up to date," Siegel told Ars. "In order for this to work, though, a lot has to happen behind the scenes. What we casually refer to as iCloud is many parts, each with a role to play."
Indeed, there are multiple ways in which iCloud enables the syncing of data, though both users and developers are kept in the dark when things go wrong. Siegel described scenarios in which iCloud simply declares that a file upload has timed out ("Apart from not being semantically relevant, the message is also unhelpful because it doesn’t provide any information that either the user or developer can apply to diagnose and resolve the problem"), or says that corrupted baselines are causing sync problems without making the problem visible, or just plain barfs up an opaque, internal error. This has resulted not just in headaches for developers, but also in inconvenience, confusion, and even anger on the part of end users, who go on to rate applications poorly because of these symptoms.
"When it fails, there’s no option to recover—all you can do is try again (and again…) until it finally works. And when it does initialize successfully, it can take an extremely long time," Siegel said. "In some cases, we’ve seen delays of up to 25 minutes while waiting for the iCloud stack to initialize. There’s no discernible consistency or rationale for when it says no and when it finally says yes… you can just keep trying, and eventually it might just work, or not."
Opaque errors are just the beginning—developers are also frustrated with how iCloud handles a user’s data if the user chooses to turn off document and data syncing. Doing this, it turns out, completely removes a user’s locally stored iCloud data. And signing out of iCloud results in the system moving iCloud data outside of an application’s sandbox container, making it impossible for the app to use the data any longer. The assumption here is clear: you’re either using iCloud exclusively for data storage or you don’t want to use that data at all.
Indeed, Core Data is one of the main parts of iCloud causing headaches for developers. Black Pixel recently mentioned its own Core Data problems in a blog post about the future of NetNewsWire’s syncing capabilities. "As far as sync is concerned, we knew we would likely need an alternative to Google Reader as early as last year. At the time, the option that seemed to make the most sense was to embrace iCloud and Core Data as the new sync solution of choice. We spent a considerable amount of time on this effort, but iCloud and Core Data syncing had issues that we simply could not resolve," wrote Black Pixel’s Daniel Pasco.
Another developer, Michael Göbel, wrote in a blog post titled "Why all my iOS Apps are on hold": "Core Data and iCloud sync are still a joke. I can’t count the number of developers and companies that all ran into the same trouble and finally gave up—meaning they dropped iCloud support completely after hundreds of thousands of users lost their data."
Siegel expanded a bit upon some of the problems Core Data presents. "This is where the rubber meets the road for database-backed applications," he said. "Core Data is the application-level database framework supplied by OS X and iOS that provides the means for applications to store items, and data about those items, in a single database."
Returning to the iCloud signout problem, he explained how his company ran into problems dealing with the limitations of Core Data and sandboxing with its product Yojimbo.
"The recovery from iCloud signout involves taking the opportunity to migrate all of your Core Data storage from ‘Mobile Documents’ to the private sandbox container on your Mac. We found, to our dismay, that the practical reality didn’t hold up to theory—part of the problem is that you don’t get notified until after the data has been made inaccessible, and once in that state, there’s no choice but to use Core Data to make a copy of the data that’s just been sequestered," Siegel told Ars. "And of course, given a database of sufficient size, the process of using Core Data to relocate the database ties up the application in an unresponsive state, without visible progress, for as long as it takes. (And woe betide you if something goes wrong in the middle of it.)"
These are only some of the issues iCloud has presented to third-party developers, and Apple reportedly has not been effective. Some—including Black Pixel—have begun to create their own syncing services, while others opt to rely on other solutions like Dropbox. Others still are holding out hope that Apple will hear their cries and offer some help. "We and other affected developers are continuing to iterate with Apple regarding the technical problems we’ve run into. However, if iCloud sync can’t be made to work, perhaps another service will do the job," Siegel said.
Apple has been weaning app developers away from UDID and its privacy concerns for more than a year, but it looks like the company’s about to put its foot down — and up the hardware support requirements in the process. As of May 1st, the company will stop accepting new app submissions that demand a UDID to single out individual devices; creators will have to use the ad and vendor identifiers that came with iOS 6. They’ll also have to develop apps for Retina displays as a matter of course, including the taller iPhone 5 screen. We can’t imagine that the news will please those who have a need for legacy UDID support, or can’t easily update a long-serving app for Retina screens, but Apple clearly feels it’s time to move on.
Back in 1989, “The Simpsons” had yet to appear on our screens, and 35-year-old Matt Groening — who had been working as a professional cartoonist on his original strip “Life in Hell” — picked up some work from a declining computer company by the name of Apple.
The job? Making computers appear “hip” in a brochure called “Who Needs a Computer Anyway?” starring his characters from “Life in Hell.” The images featured an appropriately wide-eyed Bongo — the main character’s son — who was overburdened with work.
This isn’t exactly news; scans of the brochure have been floating around the Web for a couple of years now, thanks to The Comics Alliance via Reddit.
Courtesy of CNET