Late yesterday, a flaw in a very important piece of the secure Internet, secure sockets layer or SSL, was announced to the public.
The bug, called Heartbleed, affects Internet servers that use certain versions of the OpenSSL libraries. An attacker could read small portions of server memory, including data that would normally be encrypted, such as password data and SSL private keys.
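The mistake behind the bug is a length field that the server trusted without checking it against the record it actually received. The following is an added illustration, not OpenSSL's code: a heartbeat record is built per the RFC 6520 layout (type, two-byte payload length, payload, padding), and the "neighbouring memory" bytes are constructed sample data standing in for whatever sits after the record in the server's memory. The unchecked parser hands back those bytes; the checked one, which applies the same bound the fix added, refuses the record.

```python
"""Heartbeat record parsing: trusting the peer's declared length vs. checking it.

Added illustration, not OpenSSL's code.  Layout follows RFC 6520: type (1 byte),
payload_length (2 bytes, big-endian), payload, then at least 16 bytes of padding.
"""
import struct

HEADER_LEN = 3     # 1-byte type + 2-byte payload_length
PADDING_LEN = 16   # minimum padding the RFC requires
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2


def build_heartbeat(payload: bytes, declared_len: int = -1) -> bytes:
    """Build a heartbeat request.  `declared_len` lets a test record claim a
    payload longer than it really carries; the parser below has to catch it."""
    if declared_len < 0:
        declared_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * PADDING_LEN


def unchecked_payload(receive_buffer: bytes) -> bytes:
    """The unsafe pattern: echo `payload_length` bytes from after the header
    without confirming the record actually holds that many.  `receive_buffer`
    stands for the record plus whatever happens to sit after it in memory."""
    _, declared_len = struct.unpack("!BH", receive_buffer[:HEADER_LEN])
    return receive_buffer[HEADER_LEN:HEADER_LEN + declared_len]


def checked_payload(record: bytes) -> bytes:
    """The safe pattern: header + declared payload + padding must fit inside
    the record that was actually received (the bound the fix added)."""
    if len(record) < HEADER_LEN + PADDING_LEN:
        raise ValueError("record too short to be a heartbeat")
    msg_type, declared_len = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("not a heartbeat message")
    if HEADER_LEN + declared_len + PADDING_LEN > len(record):
        raise ValueError("declared payload length exceeds record length")
    return record[HEADER_LEN:HEADER_LEN + declared_len]


# Constructed sample data: an honest record, a lying one, and the bytes that
# happen to follow the record in the server's memory.
HONEST = build_heartbeat(b"ping")
LYING = build_heartbeat(b"ping", declared_len=40)
NEIGHBOURING_MEMORY = b"session=abc123;user=alice;"


def demo() -> dict:
    """Run both parsers over the constructed records and report what happened."""
    leak = unchecked_payload(LYING + NEIGHBOURING_MEMORY)
    try:
        checked_payload(LYING)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "honest_payload": checked_payload(HONEST),
        "unchecked_returns": leak,
        "leaked_neighbour_bytes": b"session=" in leak,
        "checked_rejects_lying_record": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The honest record parses identically either way; the difference only shows up when the declared length and the real length disagree, which is why the check has to be on the receiving side and cannot be left to well-behaved clients.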
We have been rolling out fixes to affected machines we control over the last 24 hours, and believe we have completed patching of all critical systems by 4pm yesterday.
News stories on the issue range from urging you to change important passwords to predicting imminent armageddon. As usual, the truth is somewhere in the middle.
Unless a provider tells you that their servers were affected, you really have no way of knowing whether they were compromised.
What we recommend in this case is caution and selective corrective action. Some high profile websites that were affected in some part include Dropbox, Yahoo, Facebook, Google, Twitter and Microsoft, and credentials for some of those could be revealed through a buffer overflow. The ability to perform this attack was out in the wild from Monday morning, and fixes were deployed as late as 3pm yesterday. If you accessed one of those services in that timeframe, it is possible, but not necessarily likely, that your username and password for those services was recoverable by third parties. We would recommend changing your password for that service.
Over the next week, we will be re-issuing SSL certificates for a few servers as a precautionary measure.
Happy Saturday. Late last night, Apple released 3 iOS updates: 6.1.6 and 7.0.6 for iPhone and iPad, and 6.0.2 for AppleTV.
These updates contain a very important fix for a potential security issue.
There is a serious vulnerability regarding SSL websites on existing versions of iOS that would allow a web site that is not properly encrypted to pretend that it is.
This opens up a can of worms for making sure that you can trust what you’re seeing - and that you’re the only one seeing it when connected to a secure web site (that’s pretty much all social media, commerce and banking web sites).
We recommend that you upgrade to iOS 6.1.6 or 7.0.6, or to 6.0.2 for Apple TV, as soon as possible.
Mac OS X 10.7.x and 10.8.x are not vulnerable to this particular problem, but OS X 10.9.0 and 10.9.1 ARE affected. There is not yet a patch for this, but we suspect that we’ll be seeing one in the near future.
If you want to read more about it, there’s a good technical summary here: https://www.imperialviolet.org/2014/02/22/applebug.html
If you want to check whether you’re affected, you can do so here: https://www.imperialviolet.org:1266
Dear Clients & Friends,
As you may have heard, Apple held an event in Cupertino today to talk about the future of the Mac platform and announce some new hardware. Some of this news is quite interesting, and we wanted to share our thoughts about it with you.
First up is the next release of Mac OS X, called Mavericks. The new OS (10.9) was released to the public today, and in a move that caught many of us by surprise, they’re releasing it free to anyone with a machine that can run it. If you have a machine running 10.6.8 that meets the requirements (iMac from Mid 2007 or later, Laptops from 2008 or later, Mac Pros from 2008 or later), you can download and install Mavericks for free.
Mavericks is mainly an update that provides performance increases. I’m seeing about 90 minutes more battery life per charge under the last pre-release edition, which is substantial, and there are some significant improvements in the Finder (file tagging) and general OS, including how it handles multiple-monitor setups.
The free release of Mavericks has some wide-ranging effects that we’ll be talking about in the near future, but for the moment we would recommend holding off on upgrading. With the upgrade, Apple’s servers will be deluged with users rushing to download, and there may be claim and activation issues in downloading it right away.
We would recommend waiting a week at least to let the dust settle, and we can help you make sure that Mavericks can be deployed across your entire office without wrecking your bandwidth, and without wrecking anyone’s working environment.
Second up is the release of new MacBook Pros. Apple upgraded the MacBook Pro with Retina Display with new, faster processors, as well as faster onboard solid state storage, to make for significant increases in battery life, operating speed, and overall performance. If you’ve been holding on to an older generation of MacBook Pro, this would be the time to buy. The new hardware has been released to the purchasing channels today, and we’re happy to help you identify which MacBook Pro is right for you. The best part of the upgrades? They’ve dropped the price on the new MacBook Pro with Retina display. 13” models start at $1299, and 15” models start at $1999, a drop of $200 per machine.
Apple will still ship an old-style MacBook Pro, but with these new Retina machines at their current prices, I can’t fathom wanting to buy one.
Third up is the announcement of a release date for new Mac Pros. If you’ve been waiting with bated breath for a new desktop workstation with proper power, December is your month, as Apple releases the new Mac Pro. It comes in 4, 6, 8 and 12-core models, is as quiet as the current Mac mini, and comes with dual GPUs, six Thunderbolt 2 ports for expansion, and support for up to 3 full-resolution 4K displays. It will start at $2999, with the 4 and 6 core versions arriving in December, and the rest shipping in 2014.
Fourth is the upgrade of Apple’s iWork and iLife suites. They will have new versions in the App Store for iOS and Mac OS today, and if you have purchased a new Mac or iPhone, those upgrades are free. In addition, they will be free on all new Macs, while existing Macs will have an upgrade option through the Mac App Store.
Lastly, Apple refreshed the iPad line today. At the top of the line is the iPad Air, a thinner, lighter version of the iPad you’ve come to know and love, at the same pricepoint ($499 with WiFi/$629 with WiFi + LTE) as before. It is 20% thinner, and about 30% lighter, weighing in at just one pound. In the middle of the line is the new Retina version of the iPad mini, which will stay at the same price, $399/$529. It features a new Retina display, which is double the resolution of the old version. At the bottom of the line, Apple is keeping the iPad 2 ($399) and the iPad mini ($299) available for those who want budget tablets.
Happy iOS 7 Day!
Sometime today, Apple will release iOS 7 to the masses. There are a lot of great new features in iOS 7, from better Maps, to new enhanced quality ringtones, as well as a lot of “fit & finish” updates to the functionality of the phone. My personal favorite is the re-do of the Calendar application, which dramatically enhances the usefulness of the application. You can read about all the changes at Apple.
If you have an iPhone 4, 4S or 5, an iPad 2 or later, or a 5th generation iPod touch, you can run iOS 7.
For those who want to leap right into the new OS, there are a couple of things you should do this morning to get ready:
1) Download the newest version of iTunes and make sure all your software is up to date.
On the computer that you plug your iPhone into, make sure your iTunes is at the most recent version, and that you have applied all the system software updates. The best way to do this is to use the App Store (if you’re on OS X 10.8), or by choosing Software Update… from the Apple menu. This may require you to reboot your computer.
2) Do a full encrypted backup of your iOS device using iTunes.
That means plugging your iPhone, iPad or iPod touch into your computer, opening iTunes and then selecting your device at the top of the screen, then under the Backups section of the Summary screen, you can check the box for Encrypt iPhone backup, then click Back Up Now.
Making an encrypted backup of your phone is the ONLY way to make sure that all your network passwords, email passwords, and other secure storage is kept on the device when you upgrade between versions.
You will be prompted to choose a password when making an encrypted backup. You MUST remember this password when restoring all that data to your phone tomorrow during iOS 7 install, so you might want to consider writing that one down.
3) Make sure you have a good iCloud backup, too
Belt and Suspenders is a great way to think about backup. You never want to be caught with your pants down.
If your phone is set to make an iCloud backup, it will do that automatically when the phone is locked, plugged into a power source, and connected to a WiFi network. Usually this happens when you plug it in at night, but you can force the issue at any time from the phone itself. Go to Settings App > iCloud > Storage & Backup > Back Up Now
Now you’re ready for the update.
iOS 7 will be released at some point during the day, and you can plug your phone in to install it. For those of you who already use Find My iPhone (Which you all should!) you will have to turn that off before you can install iOS 7 on the phone. This is a new security measure built into iOS 7 that will strengthen the ability of the phone to be found after being stolen or lost.
Once you have iOS 7 installed, you can then restore from your encrypted backup (with all the passwords, and done over USB) or from your iCloud backup (you’ll need to re-enter account passwords). Remember to re-activate Find My iPhone!
Happy New iPhone Day!
Today, Apple held a press event at their Cupertino offices to announce new phones and the release date for iOS 7, the next iteration of the OS that powers iPads and iPhones. We’ve now seen the keynote, which you can watch in its entirety at Apple.com, or via the Apple Events channel on AppleTV or on your iOS device.
We’re going to handle this in the form of some quick Q&A.
Q: What’s the lay of the land for new iPhones?
A: Starting next week, there are three iPhone models for sale: iPhone 4S, iPhone 5C, and iPhone 5S. The 4S is the new “cheapy/free” phone for most cell contracts. The iPhone 5C is a re-imagined iPhone 5, and the iPhone 5S is the brand new model.
Q: How much do they cost?
A: With an upgrade available on your wireless plan, the 4S will be free (or $0.01, legalities apply), the 5C will be $99 or $199 (16 or 32GB), the 5S will be $199, $299 or $399. (16, 32 or 64GB)
Q: And there’s colors?
A: Yep, there’s colors. The 4S is white & black, the 5C is White, Yellow, Green, Blue or Pink. The 5S is Space Gray (think black), Silver (think white), or Gold (white with gold metal backing). You can see all of this at Apple.com.
Q: So what’s the difference between the 5C and 5S?
A: The 5S has all the fanciest new technologies: 64-bit A7 processor, M7 motion coprocessor, fingerprint scanner, enhanced 8 megapixel camera. The phone is supposed to be about twice as fast for CPU and GPU tasks as the current iPhone 5, which will make it feel snappier. The new M7 coprocessor will work with new motion-based applications, like a forthcoming Nike app, to better show off how much you move around. The new Fingerprint Scanner makes it possible to unlock your phone with one of your fingers, as well as buy things with just a tap, instead of typing in a long password.
The new Camera has a sensor that’s 15% larger, which means more light comes into the sensor, which means better pictures. It also does 120 frames-per-second slow-motion video. It also supports the ability to take bursts of photos, for action shots, and it can do auto-exposure within a panorama.
It’s better, trust me.
The 5C is no slouch, but it’s still carrying a 32-bit A6 processor. If you just have a 5, unless you really, really want colors, there’s no compelling reason to upgrade to a 5C. If you have an iPhone 3GS or 4 still, though, the 5C will feel like driving a new Ferrari.
Q: So, the 5C. It’s still pretty good?
A: Yeah, it’s essentially the current iPhone 5, but with a new lease on life. They rethought the casing so that it’s now a single piece of heavy-duty plastic with a steel-reinforced frame, and then a glass touchscreen front. The plastic is grippy, which means fewer dropped phones, which many should like. In addition, Apple has cases for the new phones, for those who may want to accessorize with a complementary color, or a similar one.
It also has a slightly larger battery than the 5. The 5S has the same battery capacity, we’re told.
Q: What are you going to buy?
A: The camera put me over the edge to buy a 5S, but I have to say I was really tempted by an electric blue 5C. Especially at that pricepoint.
Q: And if I don’t have an upgrade available?
A: Check with your carrier for pricing. Unlocked phones are going to be super expensive (starting at $600), so be ready for a bit of sticker shock. Or, consider one of the plans that allows you to upgrade your phone more frequently. They’re more expensive per month, but include more frequent upgrades.
Q: Anything else?
A: iOS 7 comes out on the 18th. It’s a pretty drastic change in aesthetic for Apple, and there’s some good and some bad that goes with that. The new Notification Center and Control Center are major steps forward, and AirDrop will be a massive step forward for sharing stuff. It will work on most iOS devices still ticking today, starting with the iPhone 4, the iPad 2, the iPad mini, and iPod touch 5th generation and later. Siri gets a big boost, and multi-tasking will get a lot more productive, as well. We’ll have a follow-up email next week about that.
This is just a quick note to point your attention toward a vulnerability in the iPhone that was disclosed at Black Hat 2013. It uses an unlikely source: a compromised charger. Phones plugged into this charger can have their current apps replaced with malicious copies that can be used to raid your contacts, calendar, email and other applications, which makes this a pretty serious vulnerability.
For the time being, we would recommend against plugging into public USB chargers, like those found in airports, restaurants and bars. We’re available for questions and concerns if you have them.
We believe that Apple will patch this in the near future, and we’ll be sure to let you know when this has been properly addressed.
In the meantime, if you wanted to read more about this hack, there’s a good story at ZDNet about this.
Here’s my list of wild guesses for WWDC today:
- New Mac Pros, MacBook Airs (Pro comes with an SSD by default)
- New AppleTV partners with content agreements. One major cable network with a co-broadcast agreement.
- New AppleTV SDK for Developers for selling Apps via new AppleTV Store.
- Siri Improvements and API in iOS 7
- Better Backgrounding for iOS Apps
- New non-password authentication for OS X
- Functional iCloud Syncing (hahahahah, just kidding)
- Something Wonderful (said like Dave Bowman)
So! How’d I do?
Let’s call this 3.5 out of 8? Not bad.
If you’re anything like most people we know, you probably have been holding on to some old hard drives or computers not sure what to do with them before you get rid of them. Here’s what we recommend:
Then, take the whole thing to your neighborhood ecycler. Most communities these days have free options for ecycling old electronics. Check with your neighborhood waste disposal group for options.
Other methods of destruction that will work include:
But really: just don’t burn it. Too many toxic chemicals that you don’t want to breathe. That includes microwaving it, folks.
This afternoon I, and many others, received an alarming email from Twitter.
It said, in short, we’ve been compromised at least in part, and we’ve reset your password as a security measure.
The details of the hack are on Twitter’s blog and basically seem to say that Twitter lost a bunch of credentialing information.
What’s that mean?
Twitter may have given up a bunch of information related to your account.
I have a twitter account (@tbridge) that has an email address attached, a password attached, and some server-side security stuff like session tokens attached. This information, it seems, was compromised at Twitter.
This doesn’t mean that my plaintext password was compromised, because they don’t store my plaintext password anywhere. My password is mathematically transformed together with a “salt”, and only the resulting value is stored. Think of this as a secondary security measure: if they DO get this information, it’s only useful insofar as it gives them an email address they can target for a password reset (that’s what got Mat Honan), and a way to link users to accounts.
So. What should you do now?
Well, if you got an email from Twitter - or someone claiming to be them - I would read it carefully, and then not click on anything in it. It’s not a good plan to be alarmist, but this is also a prime time for spearphishing. Instead, go to twitter.com directly, and use their site to reset your password.
Picking good passwords is simple if you do one of two things. Option 1 is my preference, and that’s using a password generator/rememberer like 1Password which stores secure information securely. Option 2 is to use techniques like correct horse battery staple from XKCD.
Either is good.
The recommendation this week from people who know is that 16 characters is a good place to start passwords, and 20-24 characters is a good place to be. If you need to write these down do just that but then store those like you’d store your passport, a stack of cash, or those pictures you told your high school sweetheart that you destroyed: in a box with metal walls and a lock on the front.
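To put numbers on the two options above, here is an added example (not from the original post) that generates each kind of password with the operating system's random source and computes how many bits of guessing each forces an attacker through. The 7776-entry list size is the standard Diceware figure; the word list actually embedded is a constructed 16-word sample, so the generator demonstrates the method rather than producing passphrases you should use.

```python
"""Random passphrases vs. random character strings, with their entropy.

Added example, not from the original post.  SAMPLE_WORDS is a constructed
stand-in; a real Diceware list has DICEWARE_SIZE entries.
"""
import math
import secrets
import string

# Constructed sample word list for the demo (real lists have 7776 entries).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "anvil", "cobalt",
                "drizzle", "ember", "falcon", "granite", "harbor", "ivory",
                "juniper", "kestrel", "lantern", "marble"]
DICEWARE_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def entropy_bits(choices: int, count: int) -> float:
    """Bits of entropy for `count` independent, uniform picks from `choices`
    options: each pick contributes log2(choices) bits."""
    return count * math.log2(choices)


def random_passphrase(words: int, word_list=SAMPLE_WORDS) -> str:
    """Option 2 (XKCD style): pick words uniformly at random.  Strength comes
    from the list size and the word count, not from the words being obscure."""
    return " ".join(secrets.choice(word_list) for _ in range(words))


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Option 1: what a password manager's generator produces."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(words: int = 4, length: int = 16) -> dict:
    """Entropy of a `words`-word Diceware passphrase vs. a `length`-character
    random password, plus how many Diceware words it takes to match the latter."""
    password_bits = entropy_bits(len(PRINTABLE), length)
    return {
        "passphrase_bits": round(entropy_bits(DICEWARE_SIZE, words), 1),
        "password_bits": round(password_bits, 1),
        "words_to_match_password": math.ceil(password_bits / math.log2(DICEWARE_SIZE)),
    }


if __name__ == "__main__":
    print(random_passphrase(4), "(from the constructed sample list)")
    print(random_password(16))
    print(compare(words=4, length=16))
```

The comparison makes the trade-off concrete: four Diceware words give roughly 52 bits, a 16-character random string about 105, and it takes nine words to match the string. Either is far beyond anything a person would invent by hand, which is the real point of both options.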
This whole thing has me wanting better technology than passwords, but I’m not sure that’s ready yet.