Comment: Re:Not responsible disclosed (Score 1) 143

by Trillan (#46528167) Attached to: Weak Apple PRNG Threatens iOS Exploit Mitigations

I've reported three security issues. Two of them were fixed in the next release — the third was fixed in the next release after that (but I reported it two days before the next release).

So I have to call bullshit. Report security issues through channels, they'll get fixed. Post them to your blog or on a forum, Apple will never see them.

Comment: Re:Not responsible disclosed (Score 2) 143

by Trillan (#46484827) Attached to: Weak Apple PRNG Threatens iOS Exploit Mitigations

Thanks for your reply. I've softened on this since making that comment. I think there's a huge grey area for responsible disclosure. A week ahead of time? A day ahead of time? I'd consider these fairly grey, but whatever. But I still think not disclosing it to Apple at all and relying on them picking it up through the grapevine is pretty irresponsible.

I've reported three security issues to Apple. While the issues I reported were relatively minor (one was a design flaw in Time Machine, the other a buffer overrun in one of the image decoders; I don't even remember which, and the final one in the DMG handling), I wasn't at all happy with how Apple handled them. I received no email until a couple of weeks later when they asked me how I'd like credit. They got patched in the next version of the OS, but in both cases I was left with several weeks of wondering if they'd even read my bug report. The design flaw was easy for the user to work around (you just had to make sure to remove insecure apps from your Time Machine backup), so I mentioned the workaround a few days after reporting it.

But I can't imagine not at least telling Apple. In fact, one of the bugs I reported was a longstanding bug I found documented in public. I was just the first one to report it to Apple. It got fixed two weeks after I reported it. I just think it's absurd that we accept the bystander effect when it comes to computer security.

(I originally wrote this reply having forgotten one of the issues I reported, so if there's anything left that implies only two, that's why.)

Comment: Re:Pretty easy. (Score 1) 374

by Trillan (#46452029) Attached to: Ask Slashdot: How Can I Prepare For the Theft of My Android Phone?

First, you can set the password to much longer than 4 characters.

Secondly, any parent can tell you that even without "wipe after 10 failed attempts" turned on, the iPhone will not allow you to enter PINs continuously. You'll start getting increasing delays fairly quickly, including delays that are quite long.
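
To make the throttling point in the comment above concrete, here is an added example (not code from the original comment, and not Apple's implementation) that models a passcode check with escalating lockouts and an optional wipe-after-N, then runs a brute-force attempt against it on a simulated clock. The lockout schedule in LOCKOUT_SCHEDULE, the PBKDF2 iteration count and the passcode values are assumed illustrative numbers, not iOS's actual ones; what the example shows is the shape of the defence: a 4-digit space is tiny, and only the throttling (or the wipe) makes exhausting it impractical.

```python
import hashlib
import hmac
import secrets

# Assumed illustrative lockout schedule: consecutive failures -> seconds of
# lockout imposed after that failure. These are NOT Apple's real numbers.
LOCKOUT_SCHEDULE = {5: 60, 6: 300, 7: 900, 8: 3600}


def delay_after_failures(failures, schedule=LOCKOUT_SCHEDULE):
    """Lockout (seconds) imposed after `failures` consecutive bad guesses.
    Below the first threshold there is no delay; past the last threshold
    the last delay keeps repeating."""
    thresholds = [k for k in schedule if k <= failures]
    return schedule[max(thresholds)] if thresholds else 0


class PasscodeVerifier:
    """Toy passcode store with throttling and optional wipe-after-N."""

    def __init__(self, passcode, wipe_after=None, iterations=1000):
        self.salt = secrets.token_bytes(16)
        self.iterations = iterations  # low for a fast demo; raise in practice
        self.digest = self._derive(passcode)
        self.failures = 0
        self.wipe_after = wipe_after
        self.wiped = False
        self.unlock_at = 0.0  # simulated time before which attempts are rejected

    def _derive(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, self.iterations)

    def attempt(self, guess, now):
        """Try `guess` at simulated time `now`.
        Returns 'ok', 'fail', 'locked' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.unlock_at:
            return "locked"
        if hmac.compare_digest(self._derive(guess), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.wipe_after is not None and self.failures >= self.wipe_after:
            self.wiped = True
            self.digest = None  # key material gone; nothing left to guess against
            return "wiped"
        self.unlock_at = now + delay_after_failures(self.failures)
        return "fail"


def simulate_bruteforce(verifier, candidates):
    """Try every candidate in order, waiting (on the simulated clock) through
    each lockout. Returns (outcome, simulated seconds elapsed, guesses made)."""
    clock = 0.0
    guesses = 0
    for guess in candidates:
        clock = max(clock, verifier.unlock_at)  # sleep through any lockout
        result = verifier.attempt(guess, clock)
        guesses += 1
        if result in ("ok", "wiped"):
            return result, clock, guesses
    return "exhausted", clock, guesses


def worst_case_seconds(space_size, schedule=LOCKOUT_SCHEDULE):
    """Simulated time to walk a passcode space of `space_size` codes when the
    correct code happens to be the last one tried (space_size - 1 failures)."""
    return sum(delay_after_failures(f, schedule) for f in range(1, space_size))


if __name__ == "__main__":
    # Constructed demo: a 2-digit space so the hashing finishes instantly.
    two_digit = [f"{i:02d}" for i in range(100)]
    print(simulate_bruteforce(PasscodeVerifier("37"), two_digit))
    print(simulate_bruteforce(PasscodeVerifier("37", wipe_after=10), two_digit))
    for digits in (4, 6):
        days = worst_case_seconds(10 ** digits) / 86400
        print(f"{digits}-digit PIN, no wipe: ~{days:.0f} simulated days worst case")
```

With the assumed schedule, exhausting a 4-digit space takes about 416 simulated days and a 6-digit space roughly a hundred times that, even though the verifier itself is cheap; turning on wipe-after-10 ends the attack after ten guesses. The caveat a practitioner would add: throttling like this only helps while the check cannot be taken offline, which on real devices depends on binding the key derivation to hardware the attacker cannot clone, and a longer passcode is what protects you if that binding ever fails.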

Comment: Re:How about OS X? (Score 1) 101

by Trillan (#46325331) Attached to: Apple Fixes Dangerous SSL Authentication Flaw In iOS

10.7 probably isn't vulnerable, as it predates iOS 5 (which doesn't have this flaw).

If 10.8 is vulnerable, the suggested upgrade would be 10.9.3 anyway. (10.9 has the same requirements as 10.8, and is a free upgrade.)

I would like to see an article that explains which versions are vulnerable, however.