The frailty of wireless encryption

WEP I knew was almost worthless. This is the most concise description of WPA limitations I’ve seen …
Coding Horror: Open Wireless and the Illusion of Security

… here are a few guidelines.
  1. WEP = Worthless Encryption Protocol
    WEP, the original encryption protocol for wireless networks, is so fundamentally flawed and so deeply compromised it should arguably be removed from the firmware of every wireless router in the world. It's possible to crack WEP in under a minute on any vaguely modern laptop. If you choose WEP, you have effectively chosen to run an open wireless network. There's no difference.
  2. WPA requires a very strong password
    The common "personal" (PSK) variant of WPA is quite vulnerable to brute force dictionary attacks. It only takes a trivial amount of wireless sniffing to obtain enough data to attack your WPA password offline -- which means an unlimited amount of computing power could potentially be marshaled against your password. While brute force attacks are still for dummies, most people are, statistically speaking, dummies. They rarely pick good passwords. If ever there was a time to take my advice on using long passphrases, this is it. Experts recommend you shoot for a 33 character passphrase.
In the end, perhaps wireless security is more of a deterrent than anything else, another element of defense in depth. It's important to consider the underlying message Bruce was sending: if you've enabled WEP, or WPA with anything less than a truly random passphrase of 33 characters, you don't have security.

You have the illusion of security.
The implication is that other versions of WPA (WPA-2?) are less vulnerable. In practice, as Schneier would probably say, it comes down to the value of what you’re trying to protect vs. the cost of the attack. Security is not a binary thing, it’s a spectrum. Relative, not absolute.

I suspect a good 20 character random password would suffice for most of us.

Update: A comment includes a nice link to a web site that helps create memorable passphrases.
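The trade-off between passphrase length and offline guessing cost discussed above, as an added example that is not from the original post or from Coding Horror. It derives the WPA-PSK master key (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and compares the entropy of 8, 20 and 33 character passphrases. The function names, the SSID and the guess rate are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import string

# WPA/WPA2 passphrases are 8 to 63 printable ASCII characters.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key the way WPA-PSK does:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def random_passphrase(length: int, alphabet: str = PRINTABLE) -> str:
    """Uniformly random passphrase drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string; does NOT apply to human-chosen words."""
    return length * math.log2(alphabet_size)


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Expected years to find the passphrase (half the keyspace on average)."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    RATE = 1e6  # assumed offline guess rate (PMK derivations per second), illustrative only
    for label, n, size in [("8 lowercase letters", 8, 26),
                           ("20 random printable", 20, len(PRINTABLE)),
                           ("33 random printable", 33, len(PRINTABLE))]:
        bits = entropy_bits(n, size)
        print(f"{label:22s} {bits:6.1f} bits  ~{years_to_search(bits, RATE):.3g} years")
    pw = random_passphrase(20)
    print("sample passphrase:", pw)
    # "example-net" is a constructed SSID; the SSID salts the key derivation.
    print("PMK for SSID 'example-net':", wpa_pmk(pw, "example-net").hex())
```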

Best review of the OS X ARDA root escalation vulnerability

I might follow the advice outlined here, though I may simply avoid installing software until Apple provides a fix. It is a bigger problem than I'd assumed when I first saw the Slashdot story:
TidBITS Safe Computing: How to Protect Yourself from the New Mac OS X Trojans

... Simply running the AppleScript command

osascript -e 'tell app "ARDAgent" to do shell script "reallybadstuff"'

runs "reallybadstuff" as root, without asking you for your password....

... the attacker exploits a vulnerability that gives them access to your user account, then he uses privilege escalation to take over your system as root, often installing additional malicious software. These combined attacks are common, although we don't see them often on Macs (in fact, I've never seen one on Mac OS X). The attacker will use something like a Web browser vulnerability to get his foot in the door, followed by the privilege escalation...

... The first major Trojan to leverage the ARDAgent vulnerability is called "PokerStealer" (identified by antivirus vendor Intego). Rather than using some sort of attack to get on your system, it pretends to be a poker game. When it's run, it uses the ARDAgent vulnerability to escalate its rights (without asking for your password) and installs malicious software like a keystroke capture program.

A more serious problem is that, as reported by Brian Krebs at the Washington Post, some bad guys developed a tool to bundle a package of malicious software into any downloadable Mac application. It uses the ARDAgent vulnerability to run these pieces without your interaction, like PokerStealer. The program needs to run only once, then it embeds itself in your system. Interestingly enough, Krebs reports that this tool was in development since May 2008. We can expect the bad guys to use all sorts of social engineering tricks (like writing little games) to get us to run their software on our systems.

To protect yourself, if you don't use (or plan on using) Apple Remote Desktop (which is different from Screen Sharing), you can go to /System/Library/CoreServices/RemoteManagement/ in the Finder, copy to your Desktop, right-click and compress it, and move the file someplace like your Documents folder. Then delete the original file. That way you just need to unzip and reinstall the file if you ever need ARDAgent down the road...
Following these preventive measures may mess up future Apple updates, however.

The most important security measure for most OS X users is not to run as an admin user -- save the admin account for admin tasks. This security defect bypasses that protection.

Why Blackberry deserves to die

Tolkien wrote: "Many that live deserve death. Some that die deserve life."

So I'm not saying that the Blackberry will die, just that it doesn't deserve to live.

It's not just the inexcusable memory capacity limitations. It's not even the astounding lack of imagination in the software environment. No, the ultimate offense is this:
Passwords are masked on entry. Even on the Blackberry Pearl -- with its predictive text matching.
I realize very few products are as smart as OS X, which allows users to optionally unmask passwords. I could forgive Blackberry for omitting this feature if the Pearl had a conventional keyboard. It doesn't of course, and, speaking only for myself, text prediction does not work on my passwords.

The brief single character display (not available for numeric entry) is not enough.

This is one of the stupidest things I've come across. I've had plenty of time to investigate my wife's Pearl while traveling cross-country flat on my back, and my relatively positive initial impressions have dissolved. It really deserves to perish. If the iPhone 2.0 is half-decent I'll be selling a Pearl cheap as soon as ePocrates will run on the iPhone.

Open DNS saves my day

OpenDNS has some issues:

[Gruber] I linked to OpenDNS last week, praising their service after Comcast’s own DNS servers had failed me for the last time. It ends up though that OpenDNS is a polarizing service — they’re both praised and scorned. One of the reasons they’re scorned is that they redirect requests to to their own internal server before forwarding the request along to Google’s They also do wildcard matching for unregistered domain names, a move most DNS experts consider a no-no. They’re open about these “features” (e.g. here’s their explanation for the Google redirection), but I tend to take the side that any sort of “DNS+” service is worse than just plain DNS.

I think it’s worth keeping OpenDNS on deck for use in a pinch if your regular DNS server conks out, but I can’t recommend them for primary use.

On the other hand, OpenDNS saved me today. The resort we're staying at has very marginal net access, and today I could reach Google and Microsoft but not much else. I figured their DNS was down. From a Google Cache page I retrieved the OpenDNS addresses:
OpenDNS > Get Started > Enable OpenDNS

Our nameservers are and
Bingo, that worked. Now everyone on the resort is switching.

I may start using OpenDNS - especially when traveling. The filtering options are appealing for our home use too, so I may well sign up and pay them. More on that after I review Gruber's comments in context.

iTunes for OS X is not a Mac application

There are many great features of iTunes. The query implementation, including the ability to nest queries, is superb.

Against this must be set the fact that iTunes is not a Mac application. If it were produced by anyone but Apple we'd all dump on it.

iTunes does not respect the Dock, for heaven's sake! It ignores it when sizing windows. Even Firefox 3 respects the Dock (a very nice improvement over FF 2 in that regard, among many others).

Click the green plus icon on any Mac app and the primary window sizes to the "largest size consistent with good screen practices". Click it on iTunes/OS X and you get the mini-player.

That's just gross.

Firefox 3 is a vastly better OS X citizen than iTunes.

Isn't there anyone in Cupertino with a modicum of shame?

I get video output from my (old) video iPod. Finally.

Greed has a different meaning when applied to a corporation.

By human standards corporations are supposed to be greedy. "Greed is Good".

But there's still such a thing as a Corporate Greed. That's when a corporation takes bites that generate near term returns, but make customers bitter and lead to longer term losses.

Apple does that on occasion, most recently with the way they sell their current iPod video out connector. More on that in a moment, but first ...

I have an old fifth generation video iPod [1]. I've never done much with the video -- the few times I've tried to output to a TV I failed. We're heading out for a long road trip though, and I've loaded up the iPod with TV shows. Time to see if I can get video output working. A good Father's Day project.

The output will go to an incredibly cheap very low end 2 panel auto DVD player marketed using a recycled "Kawasaki" brand [2] with a mini-jack AV.

It's probably been 3 years since I failed to get video out of the iPod. I'd forgotten ...

  • you can get video output through the earphone jack as well as the dock connector
  • there's a settings option hidden in the video menu that controls which connector gets the video stream. I use the "ask" option.

Both options require proprietary Apple video connectors [3]. Years ago, however, people discovered you could use a standard AV camcorder with the fifth generation (not current!) iPods if you swapped the output cables ...

O'Reilly Network -- Getting the Video out of Your New iPod--for Cheap! (Derrick Story, Nov 2005)

...In order to make your TV play back the iPod signal, you've got to redirect the outputs. You can't just plug the yellow RCA plug into the yellow RCA jack and the red into the red or the white into the white. No. Those geniuses at Apple send the video signal over the red RCA output. (Normally it arrives on yellow.) The sound comes through the white and yellow plugs.

I ended up going to an Apple store and testing this on iPod after iPod. They all have this quirk. It was intentional. But hey, it's proprietary. Woohoo. So here's what you have to do:

  • Plug the red RCA plug into your TV's yellow RCA jack.
  • Plug the yellow RCA plug into your TV's white RCA jack.
  • Plug the white RCA plug into your TV's red RCA jack.

Except that never worked for me. Today I gave it another go, as the alternative was a trip to the Apple Store to buy the iPhone-compatible $50 DRMd, counterfeit-preventing, Apple-only dock connector video out cable set [4].

I tried 3 mini-jack to component cables, first against my TV's component inputs.

  • white cable that came with my original iBook. It has the swapped cables Story describes, but it didn't work. I think it's a slightly different form of proprietary. It works with my camcorder if I swap its outputs!
  • black camcorder cable: nope, just got hash
  • another camcorder cable: worked perfectly.

The "Kawasaki" has a mini-AV input, so I used a short male-to-mini-AV adapter to plug in there, mating the connectors as per Story's description. Works very well, with a lovely image. If you turn it around, however, it doesn't work. Since it's a mini-AV to mini-AV cable it should work in either "direction" but this hacked mini-mini cable is one directional.

My guess is that Apple's variation isn't just a cable swap, but differs slightly in connector layout as well. This may not be a simple attempt to make a steep margin on cables -- though Apple is certainly not above that. The analog output jack on the fifth generation iPod, like the analog output on the iBook, is serving two purposes. It has to work perfectly with standard audio output, but it also has to support a video channel. This is different from a camcorder output, which need not support a stereo audio cable.

So Apple's analog output from this device may be justifiably atypical. Even so, we know some AV cables work - albeit with swapped outputs. I've run into less defensible variations of this elsewhere, such as converters that claim to allow 3.5mm stereo headsets to work with "standard" 2.5mm phone earset (microphone) connectors.

If you're trying to get video from the 5G iPod headphone jack start with a good quality AV cable and test at the store if possible.

Of course if you have a modern iPod/iPhone/iTouch you're out of luck, you need to buy Apple's $50 connector kit.[4]

[1] You can figure out which iPod you have with this rather complex Apple support document.

[2] I can spend $2000 for Apple iMacs with heat problems and screens that last two years, and $200 for something from an anonymous Chinese factory that lasts forever and just works. Why?

[3] That's not the greedy part.

[4] Yep, that's the Corporate Class Greed. The kit includes a USB charger -- I have maybe six of those. If Apple had sold the cable for $25 without the charger I'd say they were greedy by human standards, but within corporate norms. I need to buy one of these when I get iPhone 2, I'll try to find a used one first or hope some counterfeiter has broken Apple's anti-counterfeiting scheme. Of course if Apple eliminated the charger and dropped the price to $25 I'd buy it from them.

Apple is greedy with the way they package their proprietary AV output connector, but there is some justification for their proprietary approach.

For example:

In this world of seemingly standard audio-video 3.5mm and 2.5 mm mini-jack output my sense is the only reliable standard is the 3.5 mm stereo output connector. Everything else is more or less proprietary.

Burn: The best optical disk burn solution for OS X.

I love Burn.

I've tried other commercial alternatives, particularly trying to get rid of the invisible .DS_Store and other dot files OS X can put on CDs.

They flopped. I was back to using the built-in burning tool, but it doesn't let me readily enforce the lowest common denominator (PC Joliet) standard, and I'm not sure it fully excludes the treacherous dot files.

Today though, my OS X gave me the ridiculous 0x8002006D error message during a burn. That means something is wrong. Helpful.

I fired up Burn for the first time. Simple. Lets me set PC Joliet easily. Shows dot files so I can remove them. It also showed the error, but said my CD burner couldn't calibrate. That's really helpful, it suggests a hardware problem. I blew in some compressed air and used a different CD and it completed the burn.

Great app. Open source and free. If they provide something other than PayPal for donations I'll send money.

As for the burner -- well, this is a G5 iMac. Those machines should never have been made. Fantastic heat problems, especially with the buggy hardware control software Apple used for the first year or two of the G5 iMac life. I suspect the DVD is another victim of too much heat for too long -- this machine is heading for the scrap heap at age 2.7 years. Not happy.

I'll try more CD cleaning methods of course. The compressed air jet was a quickie.

: Rich T says Simply Burns is also very well done.