Researchers demo ability to steal passwords by jailbreaking Apple's iPhone


  • Reply 21 of 65
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by wildcatherder View Post


    The line that jailbroken phones can be used to "steal software" is just plain wrong. If I shop at Joe's Drugs instead of Walmart, I'm not "stealing" anything. Even in the linked article, the author points out you can only buy software from third-party vendors that APPLE REFUSES TO SELL. You're not even "stealing business" in the metaphorical sense, if the owner won't stock the item. Very poor, sensationalist wording.



    No I think the method is something like this: You buy one copy of the software then redistribute it to your friends who also have JB phones.
  • Reply 22 of 65
    Quote:
    Originally Posted by mstone View Post


    I can break into a Mac that has a password lock screen too. You just need the Snow Leopard install disk. You boot from there and use the utilities to reset the password for any user. That is one thing that can be done with Mac or Linux, but actually retrieving the existing password is much worse because that password may be used for other things like email or banking etc. The passwords should at least be shadowed.



    Not the same situation at all.



    These aren't system login passwords which ought to be one-way encrypted. These are passwords stored in your Keychain to make it easier for you to, for example, log in to web sites. So, they must be retrievable, otherwise there would be no point in storing them. So, yes, with physical access and root authority, you can retrieve them.
  • Reply 23 of 65
    Quote:
    Originally Posted by anonymouse View Post


    Not the same situation at all.



    These aren't system login passwords which ought to be one-way encrypted. These are passwords stored in your Keychain to make it easier for you to, for example, log in to web sites. So, they must be retrievable, otherwise there would be no point in storing them. So, yes, with physical access and root authority, you can retrieve them.



    You have no clue what you are talking about. If the passwords were encrypted with a user password, like has been done hundreds of times by others who get security, simple access to the disk would not be enough to retrieve and access them. The problem is Apple did not use a user entered password (including possibly the device lock password) in order to encrypt that data. In a properly designed system, stored passwords can be available to the OS after the user enters a single sign on, but remain unaccessible to system administrators with root or admin access to the disk. This is 100% Apple's fault for ignoring age old industry best practice.
  • Reply 24 of 65
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by anonymouse View Post


    Not the same situation at all.



    These aren't system login passwords which ought to be one-way encrypted. These are passwords stored in your Keychain to make it easier for you to, for example, log in to web sites. So, they must be retrievable, otherwise there would be no point in storing them. So, yes, with physical access and root authority, you can retrieve them.



    I see, I don't know much about keychain since I don't use it except in ssh as a server key but that is encrypted fingerprint of known hosts from the server.
  • Reply 25 of 65
    Quote:
    Originally Posted by mstone View Post


    No I think the method is something like this: You buy one copy of the software then redistribute it to your friends who also have JB phones.



    No, it is more like a hacker gets one copy, alters it to remove the DRM and then makes it available in a public repository for hacked software. This is not a common practice for iPhone owners within the US, but the capability is there. It appears to be more accepted practice in Russia and some other countries. Most jailbreakers and members of the community are anti-piracy because it gives them a bad name from bigoted press and forums like AI, and also because many of them sell their own software in the Cydia store and are themselves potential victims.
  • Reply 26 of 65
    Quote:
    Originally Posted by mstone View Post


    I see, I don't know much about keychain since I don't use it except in ssh as a server key but that is encrypted fingerprint of known hosts from the server.



    I don't believe those are actually stored in Keychain.
  • Reply 27 of 65
    Steve Jobs: "Just try not to lose your phone."
  • Reply 28 of 65
    malax Posts: 1,598 member
    Quote:
    Originally Posted by AIaddict View Post


    That is just plain stupid. The root account does not need access to the unencrypted file, and for that matter nor does the user. The file can be stored encrypted and the data can be unencrypted by the user account WHEN THE USER PROVIDES THE KEY. Relying on the user password and/or filesystem permissions to protect unencrypted passwords was considered a major security flaw in 1990, anyone who thinks that is OK in 2010-2011 is beyond incompetent.



    Thanks for your contributions to this thread, AIaddict.



    Fortunately this should be a fairly easy fix (as far as security fixes go), right? Apple "just" needs to include the access code that the user enters to unlock their phone as part of the encryption/decryption process. You're absolutely right that it is insane that this wasn't done from the beginning. What's the point of encrypting something, if everything you need to decrypt it is available on the same device?
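The design point argued in replies 23 and 28, as an added example that is not part of any post in this thread and is not Apple's implementation: the same AES-256-GCM store is sealed once with a key derived only from a secret kept on the device, and once with a key that also mixes in the user's passcode. All names and sample values (`DEVICE_SECRET`, `deriveKey`, the passcode `7391`) are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample values: a secret that lives in the device's storage.
// The passcode, by contrast, exists only in the user's head.
const DEVICE_SECRET = crypto.randomBytes(32);
const SALT = crypto.randomBytes(16);

// Derive the 256-bit key that protects the stored credentials.
// With passcode === null, everything needed to rebuild the key is on the device.
function deriveKey(deviceSecret, salt, passcode) {
  const material = passcode === null
    ? deviceSecret
    : Buffer.concat([deviceSecret, Buffer.from(passcode, 'utf8')]);
  return crypto.pbkdf2Sync(material, salt, 100000, 32, 'sha256');
}

// Encrypt and authenticate one stored credential.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Returns the plaintext, or null when the key is wrong (GCM tag mismatch).
function unseal(key, box) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
    d.setAuthTag(box.tag);
    return Buffer.concat([d.update(box.ct), d.final()]).toString('utf8');
  } catch (e) {
    return null;
  }
}

// What a party holding only the device's storage can recompute: no passcode.
function recoverFromDiskOnly(box) {
  return unseal(deriveKey(DEVICE_SECRET, SALT, null), box);
}

const weakBox = seal(deriveKey(DEVICE_SECRET, SALT, null), 'mail-password');
const strongBox = seal(deriveKey(DEVICE_SECRET, SALT, '7391'), 'mail-password');

console.log(recoverFromDiskOnly(weakBox));    // device-only key: plaintext comes back
console.log(recoverFromDiskOnly(strongBox));  // passcode-bound key: null
console.log(unseal(deriveKey(DEVICE_SECRET, SALT, '7391'), strongBox)); // plaintext
```

A four-digit passcode has only 10,000 possible values, so the protection in the second case rests on the key-stretching cost and on how strong a passcode the user actually sets, which is the concern raised later in the thread.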
  • Reply 29 of 65
    Sounds like this method would not work if the root password is changed on the JB phone. Granted, this doesn't protect someone whose phone was stolen and freshly JB, but anyone who is ALREADY JB and changed their root password (which is suggested--sort of) should be okay. Correct?
  • Reply 30 of 65
    Quote:
    Originally Posted by malax View Post


    Thanks for your contributions to this thread, AIaddict.



    Fortunately this should be a fairly easy fix (as far as security fixes go), right? Apple "just" needs to include the access code that the user enters to unlock their phone as part of the encryption/decryption process. You're absolutely right that it is insane that this wasn't done from the beginning. What's the point of encrypting something, if everything you need to decrypt it is available on the same device?



    Well, it COULD be an easy security patch, except Apple has yet to provide such a thing for the iPhone. They only make fixes in new iOS releases and we only get them when the OS update is made available. I would not be surprised if we don't see a fix for this until iOS 5 in June, and then any older models such as the 3G and possibly 3GS may not get the patch if they are not compatible with the latest iOS like has been done with the iPhone 2G already.
  • Reply 31 of 65
    Quote:
    Originally Posted by kohelet View Post


    Sounds like this method would not work if the root password is changed on the JB phone. Granted, this doesn't protect someone whose phone was stolen and freshly JB, but anyone who is ALREADY JB and changed their root password (which is suggested--sort of) should be okay. Correct?



    I am not sure, but it would not be the only security BENEFIT to jailbreaking your phone. Unfortunately there are also security downsides.
  • Reply 32 of 65
    MacPro Posts: 19,873 member
    Quote:
    Originally Posted by Wurm5150 View Post


    Steve Jobs: "Just try not to lose your phone."



    Far too many words
  • Reply 33 of 65
    Not being the proud owner of an iPhone or iPad (yet), an obvious question would be does Apple have the user selectable option of creating a "Log-On" password?

    Would a feature such as that be a help with this problem?

    Obviously, a password could be an issue when answering a call, but there may be a work around for this sort of thing. No?
  • Reply 34 of 65
    Quote:
    Originally Posted by AIaddict View Post


    You have no clue what you are talking about. If the passwords were encrypted with a user password, like has been done hundreds of times by others who get security, simple access to the disk would not be enough to retrieve and access them. The problem is Apple did not use a user entered password (including possibly the device lock password) in order to encrypt that data. In a properly designed system, stored passwords can be available to the OS after the user enters a single sign on, but remain unaccessible to system administrators with root or admin access to the disk. This is 100% Apple's fault for ignoring age old industry best practice.



    So, how would that work when you don't necessarily have to log into your iPhone?
  • Reply 35 of 65
    jmmx Posts: 341 member
    This is why - for my most sensitive sites such as banks - I never store passwords. It is fine for scale sites - but never for anything financial or for email.
  • Reply 36 of 65
    jmmx Posts: 341 member
    Quote:
    Originally Posted by mstone View Post


    I can break into a Mac that has a password lock screen too. You just need the Snow Leopard install disk. You boot from there and use the utilities to reset the password for any user. That is one thing that can be done with Mac or Linux, but actually retrieving the existing password is much worse because that password may be used for other things like email or banking etc. The passwords should at least be shadowed.



    You may be able to reset the password for a given Mac user but NOT for his keychain. That is NOT reset - i.e. remains the same as previously - when the account password is reset, and therefore that data is still protected -- at least from this level of attack.



    BTW - you can change the keychain password anytime to be different from your login.



    Once again - for the sensitive sites (banks, amazon, stocks) I always click "Never for this site"
  • Reply 37 of 65
    Quote:
    Originally Posted by jmmx View Post


    This is why - for my most sensitive sites such as banks - I never store passwords. It is fine for scale sites - but never for anything financial or for email.



    Whether it helps I do not store passwords either. However I do store text lists of codes for them (for example "1dnicky" would trigger that the password is my 1st dog's nickname and how old he was when he died). Maybe my code works and maybe not.



    However if I do access a site that requires a log on. Does the iPhone remember the actual password I enter in a cookie or (similar file) and I can not stop the iPhone from storing this info?
  • Reply 38 of 65
    nasserae Posts: 3,167 member
    Quote:
    Originally Posted by AIaddict View Post


    Well, it COULD be an easy security patch, except Apple has yet to provide such a thing for the iPhone. They only make fixes in new iOS releases and we only get them when the OS update is made available. I would not be surprised if we don't see a fix for this until iOS 5 in June, and then any older models such as the 3G and possibly 3GS may not get the patch if they are not compatible with the latest iOS like has been done with the iPhone 2G already.



    The problem with using the passcode for encryption is that most people don't use them to lock their iPhones. I agree that this is serious but the solution is not as simple as you think.
  • Reply 39 of 65
    bongo Posts: 158 member
    Quote:
    Originally Posted by stevetim View Post


    You give any security expert physical access to any computerized device and they can get any data out of it that they want.



    Not if it's 256 bit encrypted with a strong password.
  • Reply 40 of 65
    al_bundy Posts: 1,525 member
    Quote:
    Originally Posted by stevetim View Post


    You give any security expert physical access to any computerized device and they can get any data out of it that they want.



    and the jailbreakme exploit showed you can get the iphone to run remote commands and download data. if there is another exploit like that in the OS then someone can build trojans and viruses around this