Showing posts with label shmoocon. Show all posts

2.17.2008

Congratulations

Shmoocon IV was a good time for all. A few good talks, lots of good times meeting up with people, and for Alice, Mike, Sean, and Tim it was good old-fashioned hacker fun as all of them played in Shmoocon's annual "Hack or Halo" competition. Now Mike was last year's champion, and tied for first, but it was Tim who came in with the fastest time, and was this year's Hack or Halo winner.


Congratulations to Tim and everyone who participated.

6.13.2007

iPhone sounds a lot like iPwn

So as a fairly enthusiastic Apple fan I've been getting asked often how excited I am for the iPhone ("Very"), am I going to get one ("prolly sometime in July"), and if I think it will be that great ("I do"). With someone of a basic technology background this is usually followed by some question about applications, SDKs, and if I think Apple will open it up ("I do") to third party development.

My overall take on it? I've had a number of smartphones and aside from making calls I mostly just used the browser. As for other applications after a few that I tried for experimenting I found I rarely used others, just sticking to the basic software that was included, and even that little enough.

As for the iPhone I truly believe that the killer app will be Safari itself, if it's all that Steve has tried to demonstrate it, may or may not, be cracked up to be. I'm not really sure what applications the developers who are attacking Apple for not providing an SDK think they'll create. In the years of Palm/Windows Mobile/Symbian/Blackberry smart phones I've yet to see an app that overwhelms the function of a phone to make calls, text message, and maybe, if you're lucky, get email or browse the web. All of these are functions the iPhone will do out of the box. Even on my MacBook many of the most important things I do, blogging, reading RSS feeds, getting security news, are all things done in the web browser alone. What app are Apple devs just dying for the chance to make?

Now that multi-paragraph rant is not to suggest I'm peachy about the whole thing. This is a security blog after all. By not creating an SDK for creating true applications or widgets, and instead relying on JavaScript/Ajax (as though you can have one without the other) you lead to a new problem: web pages can have amazing integration with your personal phone. Let me rephrase that: Advanced applications, running from remote servers, with both instructions and data, that's been shown already to have concerning security issues, will be able to run on your iPhone, and have, in some way, access to your address book, iTunes, and the ability to make phone calls. How was this a good idea?

One of the few inherent security mechanisms built into web browsers is that they, to some extent, exist in a sandbox. Most of the time JavaScript can't access the OS file system, it can't control applications other than the browser, it can't access system resources, and all those are only most of the time. There are plenty of side effects to current web technology that make a security researcher pull their hair out, and that's all in the sandbox. Billy Hoffman's Shmoocon presentation discussed many of these, from keylogging to his own technique for web scanning using just JavaScript and his particular brand of maniacal thought.

It would seem, based on current information, Apple is deliberately adding such features creating a potential security nightmare, deliberately adding the ability for web applications to circumvent the sandbox. So what will happen? XSS attacks that rewrite your address book? A hidden iframe that calls 911 for you? Who knows really, but when "webapps" can access system functions it's hard to imagine it staying innocent. Now it's very possible, and I'm in fact hopeful, that Apple has considered these things and put protections into place, but even so it is easy to suppose that this would be a thin veil of separation, and the possibility for misuse could easily be close to the surface.

For a company like Apple, who so often touts their security record (no I will not digress into a discussion of Safari now (but yeah, wow, 2 code execution vulnerabilities in a day?)), to not aggressively market that aspect makes me wonder how much consideration that aspect of design received. All of this is obviously speculating the worst, but Apple has messaged little to nothing about the security features of the iPhone, leaving everyone to evaluate what they see. And based on what we see of the iPhone's design what else are security researchers to assume?

Or maybe I'm the only one who is worried about all this.... well, there's also Billy.

4.10.2007

ShmooCon '07 Hack or Halo Virtual Machines Released

Thanks to the ShmooCon 2007 Hack or Halo staff for a great competition this year and a hearty congratulations to fellow Vulnerable Mind LogicX (Mike) for winning the Hack portion. The HoH staff has made the FreeBSD virtual machine available for the public to play with and learn from. You can find it at any of the mirrors below. Thanks to Mike, Tim, and Steve for hosting mirrors. Enjoy!

The image is 1.92 GB and also contains instructions and the packet captures from the competition. Torrent file coming soon. To unzip the file, you may need to download 7Zip (available for nearly all OSes).

MD5 [HoH.7z] = 5fe686660f74d50e2624b963dc34f420

Update: Everything should be fixed now.

Fastest (FTP)
Faster (HTTP)
CoBlitz Mirror (HTTP)
Fast (HTTP)

4.02.2007

Jikto Source Code Stories

As I originally blogged about the Jikto source code here on Vulnerable Minds, it's only fair to mention that the situation has expanded a bit. I took the code down, and we stopped linking to it from Vulnerable Minds when Billy Hoffman contacted me about the code.

Today I was contacted by Robert McMillan of IDG, and interviewed for an article about the release of the source code. I've looked over copies currently being distributed by others, and they actually are not the same as what I offered on my site. I slightly modified the code, essentially creating a watermark. Apparently there were other fast-typing individuals in the audience who may have snagged the code directly from the source.

The article is available many places, as it's currently in the IDG newsfeed. Here it is in InfoWorld.

I've also posted some commentary over on my blog, LogicX.net.