Friday, October 25, 2013

Is iMessage secure? The good, the bad, and the complicated


Last week, researchers from QuarksLab gave a presentation at HITBSecConf2013 on the security of iMessage. The researchers sought to investigate claims made by Apple that nobody but the sender and receiver could read iMessage data thanks to its use of end-to-end encryption. While the researchers showed that they were able to intercept and decrypt iMessages, Apple was quick to respond, insisting that iMessage's infrastructure is not set up for that type of interception. So which is it? Is iMessage secure or not?

Details published on the research cover two kinds of scenarios. The first scenario is one where a malicious attacker is able to intercept, decrypt, and manipulate iMessages between two users. The researchers properly point out, multiple times, that this attack has "strong requirements". An attacker must be able to acquire both parties' private keys (in one variant of the scenario), impersonate two separate Apple servers, redirect the victims' traffic to those servers, and install a certificate for their own CA on the users' devices. Is this possible? Absolutely, and the researchers even published a video (http://www.youtube.com/watch?v=EbqZnTKDVU0&feature=youtu.be) demonstrating the attack. Is it probable? No. While the attack is reproducible in an environment where you control and have full access to the devices you're attacking, it becomes tremendously more difficult when you're talking about targeting people in the wild.

The second scenario the researchers discuss, which is slightly more worrisome, though probably not freak-out worthy, is one where Apple itself could intercept and decrypt iMessages between two users. With Apple, there's no need for an attacker to install their own trusted CA on a victim's device because Apple already has a CA that is trusted by iOS devices. Apple doesn't need to impersonate any servers because it runs the actual servers. This also means Apple doesn't need to redirect the victims' traffic, since it's already in the middle of it. Finally, Apple owns the server that hands out the encryption keys, so a client has no way to tell whether the key it receives for a contact really belongs to that contact. This means that, from a cryptography standpoint, Apple possesses everything necessary to read iMessages between its users.

Apple issued a response to the research, saying that iMessage is not architected in a way that would allow such an attack to take place:

The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.

While theoretically Apple has all the pieces necessary to intercept iMessages, their stance is that technologically their system is not set up in a way that would allow for that. While Apple could be lying about this, the damage that would be caused to their reputation if it was discovered that they were lying doesn't seem like it would be worth the risk. If Apple had a backdoor for reading iMessages, it seems more likely that they simply would have stayed quiet back in June, rather than going on record with a voluntary statement insisting they can't read iMessages. With the number of large tech companies that we now know the NSA taps into data from, Apple would have had nothing to lose by staying quiet about the whole thing, but they have a lot to lose from lying.

Moreover, whether you trust Apple or not, trust them to do what's in their own self-interest. If iMessage is proven to be exploitable in a way Apple has denied, it will harm their business. That's not in Apple's self-interest.

The research raises an interesting point though, which is that, if the NSA wanted to, from a cryptographic standpoint there is nothing stopping them from requiring Apple to give them access to people's messages. The NSA could coerce Apple into re-engineering the iMessage system to allow for such eavesdropping. With that in mind, it would be nice to see Apple come up with a stronger key infrastructure, or perhaps, as a start, just share more information about their current system.

Another change some people have been proposing is certificate pinning. Ironically, a lack of certificate pinning is what allowed the researchers to analyze iMessage's traffic in the first place; the protocol is closed, and Apple has been criticized for not publishing more details about it. If Apple had employed certificate pinning, iMessage would not have accepted the self-signed certificates the researchers were using on their fake iMessage servers, even with the researchers' CA installed on the device. Certificate pinning would therefore stop an outside attacker who has installed their own CA on a victim's device from intercepting iMessage traffic. This would increase security against an outside attacker, which, as we already discussed, is a fairly unlikely scenario, but it wouldn't change anything about Apple's potential ability to intercept messages, since the pinned certificates would be Apple's own. It could be argued that Apple should do this from a security standpoint, but it still does not address the bigger concern.

For now, it really comes down to a question of whether or not you should use iMessage. The researchers gave an accurate assessment:

MITM attacks on iMessage are unpractical to the average hacker, and the privacy of iMessage is good enough for the average user. If the informations being exchanged are sensitive to the point that you don't want any government agencies to look into them, don't.

It's important to remember that iMessage was introduced as a replacement for SMS, which isn't encrypted at all and can be easily spoofed. The importance of security shouldn't be downplayed, but in the context of text messaging, iMessage continues to be more secure than SMS.

As users, we are left trying to find the right balance of convenience and security. iMessage offers the security of encrypted messaging, but sacrifices some security for the convenience of transparent encryption: the keys are fetched from Apple's server without the user ever seeing them. Apple could implement a system where a sender and receiver confirm their keys with each other before beginning messaging, but of course this would reduce convenience. If you currently have a need to transmit highly sensitive information that you can't risk the NSA or other three-letter agencies seeing, iMessage isn't the best choice and really never was. For the other 99.9% of iOS users, iMessage remains a convenient messaging solution and there's not much need to worry about your communications becoming compromised.
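The two points above (that whoever runs the key directory can swap keys without either user noticing, and that comparing key fingerprints out of band would catch it) are easy to see in a toy model. This is an added illustration, not code from the article or from QuarksLab's research; the Diffie-Hellman parameters, the user names and the KeyDirectory class are all constructed stand-ins for iMessage's real per-device keys and Apple's key server.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (Mersenne prime 2^521-1, generator 2). Chosen only
# so the example runs with the standard library; real systems use X25519/ECDH.
P = 2**521 - 1
G = 2
KEY_BYTES = 66  # enough to hold any value below P


def keygen():
    """Return (private, public) for one device."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte message key from the DH shared secret."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(KEY_BYTES, "big")).digest()


def fingerprint(pub):
    """Short hash of a public key: the value two users could read to each
    other out of band, the key confirmation step the text says Apple could add."""
    return hashlib.sha256(pub.to_bytes(KEY_BYTES, "big")).hexdigest()[:16]


class KeyDirectory:
    """Stands in for Apple's key server. Devices publish their public key
    here and look up their contacts' keys. Entries in `substitute` model the
    operator (or anyone who coerces it) answering with a key of its choosing."""

    def __init__(self):
        self.keys = {}
        self.substitute = {}

    def publish(self, user, pub):
        self.keys[user] = pub

    def lookup(self, user):
        return self.substitute.get(user, self.keys[user])


def run(substituting):
    """Alice messages Bob through the directory. Returns who can derive the
    message keys and whether an out-of-band fingerprint check would pass."""
    directory = KeyDirectory()
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    m_priv, m_pub = keygen()  # key held by the party controlling the directory
    directory.publish("alice", a_pub)
    directory.publish("bob", b_pub)
    if substituting:
        # Both lookups are answered with the directory's own key, so it can
        # decrypt Alice's message and re-encrypt it to Bob transparently.
        directory.substitute["bob"] = m_pub
        directory.substitute["alice"] = m_pub
    alice_key = shared_key(a_priv, directory.lookup("bob"))
    bob_key = shared_key(b_priv, directory.lookup("alice"))
    return {
        "end_to_end": alice_key == bob_key,
        "directory_reads_alice": alice_key == shared_key(m_priv, a_pub),
        "directory_reads_bob": bob_key == shared_key(m_priv, b_pub),
        # What Alice would see if she compared fingerprints with Bob in person.
        "fingerprints_match": fingerprint(directory.lookup("bob")) == fingerprint(b_pub),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("substituting" if mode else "honest", run(mode))
```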

Source: http://feedproxy.google.com/~r/TheIphoneBlog/~3/pc2gMsqxeds/story01.htm

Fifty Shades' Star Jamie Dornan Told Us He's 'Nervous' Around Ladies... These Steamy Photos Prove Otherwise

MTV News once asked the 'Once Upon A Time' actor what he says to ladies to woo them.

By Jocelyn Vena

Source: http://www.mtv.com/news/articles/1716103/jamie-dornan-fifty-shades-christian-grey-memes.jhtml


Australia PM: Climate change not causing wildfires


CANBERRA, Australia (AP) — The government staunchly rejected arguments that climate change is causing the wildfires ravaging parts of eastern Australia following a record hot start to the spring season.

"That is complete hogwash," Prime Minister Tony Abbott told News Corp. Australian newspapers in an interview published on Friday.

Environment Minister Greg Hunt backed his prime minister, saying no individual event can be linked to climate change.

But a climate science organization abolished by Abbott's government released a report on Friday declaring a clear link between climate change and the wildfires. The severity and scale of the fires was unprecedented for this time of year, it said. Last month had been the hottest September on record in New South Wales state. The 12 months preceding it had been the hottest year on record across Australia.

The government abolished the state-funded Climate Commission after being elected last month. But the organization survives through public donations as the Climate Council to continue its independent work of communicating reliable information about global warming.

To deny the influence of climate change on extreme fire weather places people and property at an unnecessarily high risk, the report warned. The findings are interim, and the final report will be released next month.

Will Steffen, a Climate Council member and director of the Australian National University's Climate Change Institute, said he was frustrated that the established science on global warming was not yet accepted in Australia.

"We'd like to see a discussion in this country that gets beyond these futile debates about the science that have been settled for decades in the scientific literature and get on with the real debate about what is really the best way of dealing with the problem," Steffen told reporters. "That's where the political debate really needs to be."

Abbott argues that Australia has experienced wildfires for more than 200 years of European settlement and had suffered worse fires in the past.

This week, he accused Christiana Figueres, executive secretary of the U.N. Framework Convention on Climate Change, of "talking through her hat" when she referred to the Australian wildfires as the world "paying the price of carbon" in the atmosphere.

"They are desperate to find anything that they think might pass as ammunition for their cause," Abbott said, referring to people who link the fires to global warming and who criticize his government's climate change policies.

Abbott's conservative government plans to repeal laws that force Australia's worst greenhouse gas polluters to pay a tax for every ton of carbon dioxide that they emit. The tax was introduced last year to reduce Australia's abundant greenhouse gas emissions.

Australia is one of the world's worst greenhouse gas emitters on a per capita basis because of its heavy reliance on cheap coal for power generation. As the world's driest continent after Antarctica, scientists warn that Australia is also particularly vulnerable to climate extremes that come with climate change.

A U.N.-created climate change panel issued a major report in Stockholm last month that said it was "extremely likely," or 95 percent likely, that global warming was man-made. The U.S. National Oceanic and Atmospheric Administration and the British meteorological office also released research in September that used computer simulations to conclude that climate change influenced some recent weather occurrences in Europe and the United States.

The wildfires that have burned around Sydney razed more than 200 homes and resulted in two deaths. One resident died of a heart attack while throwing buckets of water on his home last week, and a pilot died Thursday when his plane crashed while attempting to drop water on flames.

Adam Bandt, a lawmaker for the Australian Greens party that champions the carbon tax, was widely accused of politicizing the disaster when he tweeted at the height of the fire emergency last week: "Tony Abbott's plan means more bushfires for Australia & more pics like this of Sydney."

His comment came as television networks were airing images of destroyed homes.

Source: http://news.yahoo.com/australia-pm-climate-change-not-causing-wildfires-061504799.html

Paul Ryan wants narrower focus for new budget talks


By David Lawder


WASHINGTON (Reuters) - A new round of U.S. budget negotiations starting next week should focus more narrowly on replacing automatic spending cuts rather than an elusive "grand bargain," House Budget Committee Chairman Paul Ryan said on Thursday.


Ryan told Reuters in an interview that simply maintaining the automatic "sequester" cuts was the fallback position for Republicans if Democrats do not agree to substitute longer-term savings on expensive federal benefits programs.


"We have spending cuts coming. The question is, can we get something that's better than this?" said Ryan, last year's Republican vice presidential nominee. "If we can get an agreement, it's obviously going to be better than the status quo."


He said reducing expectations could make the talks more successful than past efforts, such as the 2011 "supercommittee" that failed to find $1.2 trillion in savings over 10 years.


"My hope is that it has a better chance because we'll set more rational expectations of what we're setting out to achieve," Ryan said.


"If we focused on doing some big grand bargain, like those prior efforts ... then I don't think we'll be successful because we'll focus on our differences. Each party will demand that the other compromises a core principle and then we'll get nothing done," he said.


The 29-member negotiating committee, set in motion by last week's deal to end a government shutdown and raise the federal debt limit, will convene on Wednesday.


Ryan, who will lead Republicans on the panel, said there was a better chance of finding common ground with Democrats on "smarter" spending cuts to replace the across-the-board reductions to discretionary spending. He said those include reforms to "entitlements," which include the Medicare and Social Security programs for the elderly, Medicaid healthcare for the poor and some farm subsidy programs.


He noted that President Barack Obama had proposed changes to those programs, such as a lower inflation gauge for the Social Security retirement program's cost-of-living increases. His Democratic counterpart, Senate Budget Committee Chairwoman Patty Murray, also has proposed some ways to reduce healthcare costs by $275 billion over 10 years through new efficiencies.


Both parties want to mitigate the sequester's impact, especially with a further $109 billion round of cuts due to launch on January 15 - the same date that government agency funding runs out again. Military programs favored by Republicans would bear more than half of those cuts.


REVENUE STICKING POINT


Ryan reiterated his long-standing opposition to further tax revenue increases as part of the budget negotiations, saying a major tax hike for the wealthiest Americans in January was already hurting the economy.


"If people see this conference as an excuse to raise taxes, I don't think it's going to be successful," Ryan said.


Democratic Representative Chris Van Hollen, another member of the budget panel, told Reuters on Tuesday that Democrats would not agree to significant cuts in social programs without increasing revenues by eliminating some tax breaks.


Without that, they will not consider proposals such as the cost-of-living change or charging wealthier seniors more for their Medicare health coverage, Van Hollen said.


If the two sides remain at loggerheads over revenues and benefits cuts, Ryan said the sequester cuts would simply remain in place, hitting agencies and programs ranging from education to military readiness.


"It's not our preferred route to reducing deficit and spending, but it works," he said, adding that Republicans were "proud" of the fact it had produced tangible savings.


"If we can't replace these spending cuts with smarter spending cuts, then we'll take what we have," he said.


He also said he believed the panel could help ease some sequester pain on federal agencies and the military by offering them more flexibility to spend their reduced budgets more effectively.


He also would like the panel to discuss ways to support comprehensive tax reform, which he views as a revenue-neutral endeavor that jolts economic growth by closing tax breaks, reducing rates and simplifying a complex tax code.


The negotiating panel is due to issue a recommendation by December 13, requiring majority approval among panelists from each chamber - seven House of Representatives members and 22 Senate members. The January 15 expiration of government funding creates the threat of another government shutdown if the two sides cannot come to some agreement.


Ryan said he was not interested in threatening another shutdown, adding, "I'd rather focus on the here and the now rather than January 15."


(Reporting by David Lawder; Editing by Eric Beech and Peter Cooney)

Source: http://news.yahoo.com/paul-ryan-wants-narrower-focus-budget-talks-001305385--sector.html

Oracle gears up to battle Salesforce.com, IBM with Eloqua update


Oracle is rolling out a series of new features for its Eloqua marketing automation suite, hoping to get a leg up on rivals like Salesforce.com and IBM in the red-hot software segment.


Now generally available is AdFocus, which provides marketers with tools for running multichannel advertising campaigns. A key feature is the ability to deliver targeted display ads to customers and prospects, while comparing their effectiveness to so-called "owned" and "earned" media, such as company websites and buzz on social networks, respectively.




Another update concerns Eloqua Profiler, which like its name suggests, is used to build out profiles of prospects based on their interactions with "assets" tracked in Eloqua, such as emails and web pages. Now Profiler can also include asset activity that's occurring on properties the marketer's organization doesn't own, such as video content hosted on a third-party website.


Finally it's now possible to tap Facebook's custom audience feature from AdFocus, giving marketers the ability to target discrete blocks of users based on their social profile.


There's perhaps no hotter area of enterprise software these days than marketing automation, following a rash of consolidation as platform vendors attempt to build out broad product suites.


Last week, Oracle bought Compendium in order to bolster the capabilities of Eloqua, which it acquired in December for $871 million. Compendium provides software for creating different types of content that can be used to entice customers to visit a marketer's web site or other property, said John Stetic, vice president of products, Oracle Eloqua Marketing Cloud.


Among others, Salesforce.com has also invested heavily in marketing software, scooping up ExactTarget, Buddy Media and Radian6 for its own cloud-based suite.


Oracle gets an edge over the competition with Eloqua, as it's always been "built by marketers, for marketers," Stetic said. "We allow for really advanced targeting throughout the entire buying process."


In addition, Oracle is taking a more open approach, offering a full suite but not forcing customers to use it all, he said. "Lots of vendors want to think they'll have this whole stack and own the world, but what I hear from customers is, I want choice."


Meanwhile, as online privacy concerns mount in the wake of revelations over surveillance programs by the U.S. National Security Agency, marketers need to be mindful of the boundaries between themselves and customers, Stetic said.


"Ultimately what it comes down to things like government surveillance, people can't vote with their wallets on that, whereas in the commercial world if someone feels they're being overly tracked and overly monitored and not getting value out of it, they vote with their wallets," he said.


Source: http://www.infoworld.com/d/the-industry-standard/oracle-gears-battle-salesforcecom-ibm-eloqua-update-229499?source=rss_business_intelligence

OS X Mavericks Server can create bots to help developers make better apps faster


If you're a developer and you've ever wished you had magical bots to help you build, analyze, and test your apps, OS X Mavericks Server can do just that. Apple has sent out an email saying so:

Take advantage of continuous integration in Xcode by creating bots with OS X Server for Mavericks that automate the process of building, analyzing, testing, and archiving your apps. As the bots do their work on the remote Mac, Xcode on your development machine displays the build and test reports. Bots can generate a regular release for your QA team, be configured to execute on every check-in, and even test your apps on connected iOS devices.

Get a redemption code from the Mac Dev Center to download OS X Server for OS X Mavericks from the Mac App Store.

Anyone trying it out, let me know how it works. (They follow the 3 Laws, right? ...Right?)

Source: http://feedproxy.google.com/~r/TheIphoneBlog/~3/T9q0gKCNyJY/story01.htm

Thursday, October 24, 2013

High School Musical Cast to Reunite After Five Years For Charity


The wildcats are back! Us Weekly can exclusively confirm that the cast of Disney's High School Musical will be reuniting after five years -- and all for a great cause! The cast from the 2006 hit will reunite in December to help support social activist Monique Coleman in her nonprofit web series GimmeMo' Foundation, which helps to invest in and create programs to improve the lives of youth globally.


PHOTOS: Costars reunited!


The private reunion party will take place in Los Angeles, but fans can enter to win for the chance to attend! Fans who would like the chance to win can donate starting at $3 to the fundraiser in order to be entered to win the grand prize. The grand prize winner and a friend — chosen at random -- will then win a trip to L.A. to join the HSM cast in their VIP homecoming party.


PHOTOS: Zac's buff body!


Those who donate more can receive other exclusive prizes though, including exclusive campaign t-shirts, hoodies and personalized thank-you's from the cast.


Cast members attending include Vanessa Hudgens, Ashley Tisdale, Corbin Bleu, Lucas Grabeel, Kaycee Stroh, Olesya Rulin and director Kenny Ortega. Zac Efron won't be in attendance, but will be providing the special winner a surprise video.


PHOTOS: Zac Efron -- TV to movie stars


High School Musical premiered in 2006. The cast returned one year later for High School Musical 2 and later filmed High School Musical 3: Senior Year in 2008.


To enter a chance to win, go to: Prizeo.com/HSMreunion. The last chance to donate is Dec. 1.


Source: http://www.usmagazine.com/entertainment/news/high-school-musical-cast-to-reunite-after-five-years-for-charity-20132410