
Comment Corrections (Score 2) 206

Good point. I guess that this never happened

Not in iOS6 it didn't. Apple started taking user security much more seriously in iOS6, anticipating a potential for such attacks. I always thought prior to that it was kind of nuts you could access the address book without permission - now you cannot.

Ah, the old "That vulnerability is completely theoretical" defense.

And yet it turns out to be true. The vulnerability is not real, only a theoretical possibility that relies on breaking the sandbox, which they have not done (using private API calls is not breaking out of the sandbox). You don't need to do anything sneaky in an app to do private API calls, but it remains true the sandbox is pretty secure and stops most REAL attacks.

You are crazy if you are more worried about a possible attack via an unknown hole in the sandbox, vs. very real attacks that are happening every day on Android...

Comment That didn't work in an app (Score 3, Insightful) 206

There was a time you could jailbreak via pdf or just visiting a webpage.

The only reason THAT worked is because the Safari javascript engine has native code JIT that an app cannot use. And now you know why...

So still true that you cannot jailbreak out of an arbitrary app, only ever from system apps that have elevated privileges, and then only once years ago...

I'm not saying such an attack will never exist, it's just exceedingly unlikely and far more unlikely inside of an app you deploy to the store.

Comment Which is not breaking the sandbox (Score 1) 206

Private API calls are not breaking the sandbox.

Pretty much none of what they did that they consider an attack is possible in iOS 6, much less iOS7 which is on the eve of release - and some 95% of active devices are running iOS6 now.

I can break into Windows 95 pretty easy too. But who cares and why would it warrant an article? The whole paper really boils down to "sometimes the app reviewers do not run an app for long" which is news to pretty much no-one.

Comment Aha (Score 2, Informative) 206

I looked for the paper but could not find the link. Thanks for the extra info.

As I thought, they did not break the sandbox at all. Attacks that don't work in iOS6 are irrelevant at this point...

It's totally sensationalized. It remains true there's no way a real app can "wreak havoc" even if you inject code later.

Comment I call bullshit on "unaware" claims (Score 4, Interesting) 206

I can totally see getting an app through the submission process that does something a bit sneaky. Sometimes the app reviewers hardly look at a thing (though sometimes they look very carefully, it just depends on the reviewer).

But the claim the app could "wreak havoc" needs some proof. They said:

a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps - all without the user's knowledge

Every single one of those requires permission from the user to do - posting tweets an app cannot do directly, it brings up a sheet. Same thing for email/SMS. Taking photos requires an OK from the user to access the camera. You cannot "attack other apps" because of the sandbox.

Extraordinary claims, like a complete breaking of the sandbox, require more proof than they have presented. I would bet they are saying they THEORETICALLY could break out of the sandbox but have absolutely no actual working exploits that go outside of existing user permissions and the sandbox...

Comment No, also slower (Score 1) 333

For a napkin calculation you can probably keep a 100 mph average with a 150-200 mph train, so around 300 miles starts being the threshold where you'd rather fly than go by train. New York - Washington DC and LA to San Francisco seem like reasonable HSR distances

Taking a train to Amsterdam from Berlin was significantly slower than flying, even dealing with airport security. It's 406 miles...

The thing you are not factoring in is other stops. Even in an express train you may have a few stops, or points the train has to slow.

It is a bit more comfortable, I'll grant that! I myself will tend to drive anywhere within about 500 miles rather than fly, even though it's a lot slower.

Again though, even if it's comparable the thing about the hyper-loop is that it could blow both plane and train out of the water in terms of convenience and time. The things we would learn from building it could have enormous value.

When I first read about it I just figured it was a stupid wacky idea. But serving short runs as he says, that has a lot of value and beats out trains in every metric including cost! No way a train is going to get finished anyway, so why not just switch to the hyperloop?

Comment He did say five hours... (Score 2) 333

Google Maps reports LA-->SF at 382 mi, 5 hours 35 minutes.

He said "if it were not for CHP, I could make it in five every time".

Shaving 35 minutes off a five hour trip is really easy if you drive reasonably (i.e. non-dangerously) fast.

In fact pretty much all the time I am somewhere five-ten minutes per hour faster than the Google estimate.

Comment Proven that it's wrong for that area (Score 2) 333

"conventional" high-speed rail is a proven concept in use today in many non-North American countries.

I have used high speed rail in Europe, including Germany.

It's nice but usually slower than planes.

The hyperloop has the chance to be significantly better than airplane travel, at a reduced environmental (and noise) impact compared to a train.

I am totally against the California rail project because even the current high estimates are probably 5x lower than actual cost. But if we build the hyperloop, we advance all kinds of technology and leapfrog the state of the art in ground travel.

Comment Re:In what way did that make any sense? (Score 1) 205

If you make a smartphone app or a desktop application users have to install your app to run it.

While technically true it is irrelevant since installing is just as easy as clicking a link, and discovery of the app itself is far easier than your web site that exists only in the abstract until someone can find it.

If I were writing a new thing from scratch these days (and I am), there's no way I would start with web if I had any desire to make it a lasting concern.

Comment Re:Two problems (Score 1) 205

If you are hacked, all of the people using your application between when you are hacked and when you take down the site until it's fixed are hacked.

But there's then also the downtime if you have to take it offline...

But so many applications depend upon a web service anyway, so you get the worst of both - a native app that still doesn't work correctly if the backend is not available.

You really cannot write a mobile app for which that is true, because mobile apps are just not going to be able to connect at times. A semi-disconnected state is where they fare best.

That's why I think web-apps are a lot more practical for desktop use than mobile, all of the restrictions just make it very hard to write a web app that works well on mobile.

With the single code base across all applications, I mean it in the sense that it's all HTML5 plus Javascript.

Language is the least of your issues with any application. The savings of being able to use the same language across platforms is slight because all of the work in GUI is in testing.

And with mobile web apps if you use too many libraries it bogs down the thing to unusability on many devices. I really think there's a huge distinction between mobile web apps and desktop web apps...

Comment Projector Screen (Score 1) 102

What if the windshield fogs over at a critical moment during your trip???

Well being a white surface on which the projection would be even more visible I'd be pretty damn happy I had an IR view of the road ahead instead of nothing at all!!

I would of course run the defroster rather than rely on the video for long...

Comment One other thing about real money... (Score 1) 205

If iTunes isn't real money, then why is PayPal real money?

I regularly get iTunes gift cards at a discount off face value, so do lots of people.

Meanwhile whoever gets discounts off the money they send through PayPal? I think there's an introductory credit for getting a PayPal VISA, and that is it.

That's why I say iTunes is less like "real" money to people, because you can load it up at a lesser expense than using real money.

But none of that affects the application developer, they get the same amount on their end...
