iPhone 3GS Hardware Encryption Considered "Useless", even Harmful

2009-07-28 20:00:00 -0400


We agree with that assessment. When the iPhone 3GS was announced, Apple listed hardware encryption and better security among the new features, aimed at getting a better foothold in the enterprise marketplace where Blackberry tends to be the dominant mobile platform, and where corporate security policies can effectively shut out insecure technologies.

Surprising no one, details from Apple are scant, but based on their carefully worded statements it would appear that full-device hardware encryption (with the key held on the device itself) was being employed to deliver fairly limited protection. Encryption whose key lives on the same device as the data, and which requires no secret from the user to operate, guards against little more than a casual read of the raw storage; it creates the appearance of security while leaving considerable attack surface. At the time of the announcement, Stephen wrote:

While there is no doubt that the encryption features will enhance iPhone device security, it remains to be seen how the practical improvements will compare to the launch hype. I strongly suspect that highly sensitive information storage will still require dedicated security applications.

More information is now coming to light. Brian X. Chen has an article in Wired, Hacker Says iPhone 3GS Encryption Is ‘Useless’ for Businesses, that makes the case that what Apple is providing isn’t what security-conscious professionals really require:

Apple claims that hundreds of thousands of iPhones are being used by corporations and government agencies. What it won’t tell you is that the supposedly enterprise-friendly encryption included with the iPhone 3GS is so weak it can be cracked in two minutes with a few pieces of readily available freeware. “It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”

Obviously, we have a vested interest in making the case for our own iPhone security applications and why we think they provide substantially better protection. But the most glaring problem here is Apple’s lack of disclosure, paired with an implementation that offers the appearance of security rather than the substance. It’s not something we would trust with our own personal data, never mind in an enterprise environment.
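To make the “secret messages next to the decoder ring” point concrete, here is an added Ruby example written for this page. It is not Apple’s, Strip’s or SQLCipher’s code and does not model the iPhone 3GS’s actual implementation; it simply contrasts the two designs the post is arguing about: a key generated on the device and stored beside the data, versus a key derived from a user passphrase and never stored. The choice of AES-256-GCM and PBKDF2, the iteration count and the sample record are assumptions for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Constructed sample secret; stands in for one record in a password manager.
SECRET_NOTE = 'VPN password: correct-horse-battery-staple'

PBKDF2_ITERATIONS = 100_000 # illustrative count; tune to the target hardware

# Shared AES-256-GCM primitive. Returns iv, ciphertext and auth tag so a
# wrong key fails loudly at decrypt time instead of yielding garbage.
def aes_gcm_encrypt(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

def aes_gcm_decrypt(key, blob)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob[:iv]
  cipher.auth_tag = blob[:tag]
  cipher.update(blob[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil # tag mismatch: wrong key or tampered data, nothing recovered
end

# Model A: device-bound key. The key is generated on the device and stored
# next to the data (same Hash here, same flash storage in reality). No user
# secret is involved, so whoever can read the storage gets both halves.
def device_bound_encrypt(plaintext)
  key = OpenSSL::Cipher.new('aes-256-gcm').random_key
  aes_gcm_encrypt(key, plaintext).merge(key: key) # key travels with the data
end

# An attacker holding only the stored blob: no PIN, no passphrase.
def attacker_reads_device_bound(blob)
  aes_gcm_decrypt(blob[:key], blob)
end

# Model B: passphrase-derived key. Only salt, IV, tag and ciphertext are
# stored; the key is recomputed from the user's passphrase on each unlock
# and is never written to storage.
def derive_key(passphrase, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, PBKDF2_ITERATIONS, 32, 'sha256')
end

def passphrase_encrypt(plaintext, passphrase)
  salt = SecureRandom.random_bytes(16)
  aes_gcm_encrypt(derive_key(passphrase, salt), plaintext).merge(salt: salt)
end

def passphrase_decrypt(blob, passphrase)
  aes_gcm_decrypt(derive_key(passphrase, blob[:salt]), blob)
end

if __FILE__ == $PROGRAM_NAME
  a = device_bound_encrypt(SECRET_NOTE)
  puts "device-bound, attacker with storage only: #{attacker_reads_device_bound(a).inspect}"
  b = passphrase_encrypt(SECRET_NOTE, 'user passphrase')
  puts "passphrase-derived, right passphrase:    #{passphrase_decrypt(b, 'user passphrase').inspect}"
  puts "passphrase-derived, wrong passphrase:    #{passphrase_decrypt(b, 'guess').inspect}"
end
```

In model A the attacker needs nothing beyond the stored blob, which is the situation the Wired article describes. Model B turns offline access into a passphrase search, so its strength is bounded by passphrase quality and the PBKDF2 work factor: a four-digit PIN is still only ten thousand guesses at any iteration count.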

Zetetic is the creator of the encrypted iPhone data vault and password manager Strip and the open source encryption-enhanced database engine SQLCipher.

Open Letter: Worth more than "Free"

2009-07-23 20:00:00 -0400


An irate user sent us an email today about Strip, our iPhone data vault software. She wasn’t mad about a bug, or a missing feature. She was upset that we were charging money for it.

I am highly annoyed that your company would jump from a free app to a $9.99 app with such a limited number of entries. No, I will not be upgrading.

We don’t take this kind of feedback personally, but do feel it warrants a response. We decided to reply in an open letter explaining the motivation behind our software pricing.

Dear Customer,

I’m very sorry to hear that you’re upset about the charge associated with upgrading Strip. The App Store is filled with inexpensive applications: some of these are low quality, hastily developed, and quickly released. Hopefully you recognize through your evaluation that Strip doesn’t fall into that category.

Strip took 6 months for our team to build and represented a big investment for our company. We spent countless hours refining the design and adding features to make it easy and pleasing to use. Working with a large group of beta testers delayed our release but ensured the application was stable and high quality. It took months for us to wade through documentation and approval with the US Government to have Strip’s encryption classified for mass market release. On top of this we continue to provide support, bug fixes when problems occur, and new feature updates. We even released our secure database library as open source software to the community so that other developers can use it.

Strip Lite is an opportunity for everyone to try the software without purchasing it first. That’s also why the description in the App Store clearly explains that the Lite version is an evaluation limited to a small number of records.

We are a small business that builds software. We have employees and families, and our objective is to make money. Our software, and the time that we spend building it, is worth more than “Free”. It’s worth more than $0.99 a pop, too.

What’s more, the vast majority of our customers agree. We have a growing community of active users that were happy to purchase a quality piece of software at a reasonable price.

The decision to upgrade or stop using Strip is entirely yours, but I really hope you will reconsider its value. Thanks so much for your time.

Cheers,

Stephen

Staying Motivated and Creative

2009-07-22 20:00:00 -0400


I saw this post from The Flying Jalapeño Lives just now, wherein Corey poses a couple of methods for staying motivated as a programmer, particularly for somebody who works solo or remotely, possibly out of his or her home. They aren’t bad suggestions, but I figured I’d respond with another take on things, since I have some first-hand experience with the matter.

No amount of mental tricks and playing with your IDE can make up for the importance of real human company. For about a year and a half I worked out of my home, just me and the cats, and it was incredibly isolating. When you work alone all the time, you begin to actively seek out distractions on the intertubes (as if there aren’t enough to begin with!). Being around other flesh-and-blood people is critical to staying grounded, and really helps me to focus and stay motivated, rather than distracting me. I’m not the only member of Team Z in a co-working setup, either. Our man Steve Kradel is a recent convert down in Philadelphia.

I mentioned my problem to Lennon/R-Coder last year at RubyFringe, and he said something to the effect of, “dude, you need to get out of your house! Find a coworking space!” I’d never heard of such a thing, but The Bossman went and looked up Williamsburg Coworking, and I’ve been there almost every work day since. My productivity shot up by a lot (we checked, using Tempo!). I get to work with really smart people like Alexis and Stan from Percent Mobile, I’m in a creative environment, I have people to talk to, and it’s really easy to stay focused. Can’t recommend it enough. If you’re looking for a space in your city, get in touch. There’s quite a network of coworkers out there (ours is spread across some 47 cities) who’d be glad to have your company, and I’d be happy to put anyone in touch, just send me an email.

On a tangential note, I saw this great interview with Amanda Palmer, which has some delicious quotes about staying on your work (or not!):

I got to a certain point where I realized that the voices in my head were working on an old, conditioned blueprint of what it actually means to be fulfilled and happy.

Slowly, I started to let that blueprint go and starting to improvise another one, just for the day. And now, I draw a new blueprint every day and then set it on fire at the end of the night. I think the key for me has been realizing that every day and week and month is an improvisation…and that I can never define my success or happiness by last week’s measuring stick…I wrote when I feel like it, and I don’t feel catholic guilt anymore when I don’t.

Interesting stuff, and as a song-writer myself, I know that guilt, I know it well. Obviously, composition and programming aren’t the same thing, but you do have to know when to walk away and recharge. Having other people around can help prevent you from banging your head on your desk instead of relaxing and trying to look at things differently. It’s time we all started valuing one another’s company more.

Trading Ideas from #futureruby

2009-07-15 20:00:00 -0400


I’ve been meaning to get a post up about Future Ruby, the fantastic conference hosted by Unspace last weekend in Toronto, but I haven’t had a chance. Since we got back our team has been playing catch-up, so I wanted to pause quickly to highlight some interesting developments since the conference.

I got to chatting with Dan Grigsby about a possible means of offsetting the iTunes App Store’s negative review bias, and he went and made it a reality, with sample code and all. Very cool.

There were a number of inspiring and challenging presentations that have sparked post-con discussion and debate. If you search on the #futureruby hash tag on Twitter you’ll find all sorts of links to discussions, comment threads, summaries and even video. Looks like even BoingBoing took notice! Many of the attendees (including myself) have taken to watching the tag to keep up and keep in touch with each other.

More thoughts to come tomorrow, there’s more testing to do this afternoon on Tempo for the maintenance update.


IE users on Tempo have been dropping off

2009-07-15 20:00:00 -0400


Like most web programmers out there, we’ve spent (wasted?) some “kwality” time trying to get our page layouts for Tempo to work and look good in Internet Explorer 7 (we don’t support IE6). The advent of IE8 has made this a bit easier by providing a compatibility mode for going back and forth, helping us to identify needed fixes for our ie7.css file.

As we delayed another overdue set of updates in order to fix some IE issues, I started to wonder what percentage of our users actually use IE, and whether that percentage justifies spending all this time. According to Google Analytics, only 10.25% of our visitors (a larger group than our active subscribers) in the last two months were using some form of Internet Explorer.

[Figure: Google Analytics browser breakdown for Tempo]

Ten-odd percent of our users certainly warrants us taking the time, but it’s still a surprising metric. Furthermore, it’s down about a percentage point from July of 2008, when IE clocked in at 11.28% of our visitors, despite the fact that our traffic and active users have climbed substantially since then. I’m not sure if this indicates a preference on the part of our customers and our would-be customers, or if it means we haven’t provided IE users with the kind of interface they really want.

That said, we’ve been hard at work on a number of adjustments to Tempo’s interface to tidy things up, and many of these adjustments specifically address some display issues in IE7. We’re working on it, dear customers!