Sunday, April 30, 2017

Touch ID security issues are less than I thought.

My Touch ID security post of a year ago didn’t get any reaction. So today, while working on a book chapter, I decided to retest my concerns.

On my own phone, with iTunes Store Touch ID purchase enabled, I added a new fingerprint of mine. To do this I only needed my iPhone unlock code. I then purchased a song (Sheryl Crow’s Heartbeat Away fwiw).

I wondered if iOS would let me complete the purchase — in which case there would have been a risk issue. It didn’t work that way though. Despite my having Touch ID enabled for iTunes purchases, iOS requested my Apple ID password — even though I used an old fingerprint. Adding the new fingerprint seems to have put my phone into an ‘enhanced risk’ category, so Apple ID credentials were required for purchase.

Once I’d entered my Apple ID the first time though I was able to use my new fingerprint for the next purchase. So entering that Apple ID password “blessed” all fingerprints.

So there’s still a way to “sneak” a fingerprint into the queue that might be exploited for unauthorized purchases, but it’s a smaller window than I thought. I tried “gifting” an app to see if I could exploit that, but abruptly my iPhone stopped being able to gift at all. So I couldn’t test. (Bug?)

Saturday, April 22, 2017

Something wrong with Google's Device Activity page?

Google’s device activity page used to let me remove devices that I no longer used:

https://myaccount.google.com/device-activity

Today it lists 3 iPhones for me. I think they are all actually one device, showing up with two different names — none of them current.

There used to be a way to remove these devices, but today I can’t. I am able to Remove Account Access, but not the devices.

I removed access to all devices, then reentered credentials on my phone. So now I know that ‘iPhone’ is my phone (phone name is John6s).

I think something is broken somewhere….

DreamHost remixer - a brief trial

I tried DreamHost’s remixer web site dev tool. I was able to create a page with it. Reminds me a bit of Apple’s old iWeb. 

It doesn’t output static files though. It is mapped to a folder on my DreamHost site, but there’s some redirection behind the scenes.

That means it’s transient. When Remixer dies, so will all the content in it. It’s not portable either, I can’t move my Remixer work anywhere else.

Might be a good app for something transient, but the little I do on the web today I like to keep portable. WordPress is as far as I’m willing to go into things I can’t readily move and backup.

Tuesday, April 18, 2017

Why is Apple's mysterious two factor authentication better than a strong password?

What would I do if my home burned down and Emily and the kids get out alive but I’m dead?

That’s what I think about when I read about Apple’s “two-factor” authentication (vs. the now obsolete but similar “two-step verification” they used to have). Particularly the scary procedure you need to follow if you’ve lost your authentication devices …

Two-factor authentication for Apple ID - Apple Support

…. If you can’t sign in, reset your password, or receive verification codes, you can request account recovery to regain access to your account. Account recovery is an automatic process designed to get you back in to your account as quickly as possible while denying access to anyone who might be pretending to be you. It might take a few days—or longer—depending on what specific account information you can provide to verify your identity…

… With two-factor authentication, you don't need to choose or remember any security questions. Your identity is verified exclusively using your password and verification codes sent to your devices and trusted phone numbers.

and

Regain access to your Apple ID with two-factor authentication account recovery - Apple Support

… You might be asked to verify other account information to help shorten your recovery period. After you verify your phone number, you’ll see a confirmation that your request has been received and you’ll be contacted when your account is ready for recovery...

… We’ll also send an email to your Apple ID or notification email address to make sure you’re the person who made the request. You can click Confirm Account Recovery in the email to help us shorten the account recovery period. …

Scary indeed. It’s vague as hell. Even control of a confirmed email account (presumably different from the iCloud account) only “shortens” the recovery period. There’s nothing in Apple’s process comparable to Google’s inactive account manager. There’s no secret recovery key I can store in an encrypted repository on an offsite drive with a password known to 3 family members.

Apple’s 2FA either makes my data too hard to recover or too easy for someone to steal … or both.

I don’t see the advantage, yet, over a strong password used only on a secure device. Google does this better — and even Google 2FA is too complex for me to manage for multiple family members.

I’m staying with a strong iCloud password for now — until Apple forces me to change. (The way they’re forcing 2FA with the 10.3.1 update makes me wonder if iCloud really was thoroughly hacked.)

PS. As best I can tell if you use Apple’s new 2FA when you change your iCloud password on one device you change it on every authenticated device. Better be sure you have them all.

PPS. At least they got rid of the secret questions … but only to replace them with some mysterious, fully automated, no humans involved, identity validation process.

PPPS. Ok, we’re traveling. Both our iPhones are lost. What do we do? hmm. I think Charlie Stross had something about this in a story … accelerando?

Wednesday, April 05, 2017

Migrate Contacts from Outlook/Exchange server to OS X Contacts

I last wrote about migrating contacts from Outlook/Exchange server to OS X in 2011.

Back then one of the issues with migration was that Exchange uses X400 format email addresses. One way to make Outlook convert to internet is to drag contacts into an email — that produces .vcf files (undocumented) with internet email addresses. In 2011 I wrote that dragging into a local PST did the same thing. Not sure that still works.

Here’s what I did recently …

  1. Drag and drop from Outlook/Exchange into email (undocumented export)
  2. From email save to desktop.
  3. Drag and drop the .vcf files into OS X Contacts (undocumented import).

From OS X contacts they can go to iCloud as usual.

Incidentally, I couldn’t see any way to readily import a set of single contact .vcf files into Outlook 2016. It only wanted to import them one at a time. Drag and drop of the files into Outlook resulted simply in Outlook opening each one until Windows 10 died.