walled garden not so bad after all.. - Page 2

=X= · 07-29-2010, 11:41 AM

Quote:

Originally Posted by scottjl

that statement is pretty misleading. no iOS apps have been stealing money from itunes accounts. there was an issue with hacked itunes accounts and false charges, but an itunes account could be hacked as easily as a google checkout account.

Yeah it seems Apple is hush hush about everything. It is unclear if the apps gathered the itune/CC info or if it was iTunes itself that was hacked.

=X=

murraypaul · 07-29-2010, 11:46 AM

Quote:

Originally Posted by =X=

Yeah it seems Apple is hush hush about everything. It is unclear if the apps gathered the itune/CC info or if it was iTunes itself that was hacked.

Where does this FUD come from?
There has been no suggestion that any app was doing anything wrong.
The developer got access to peoples' iTunes account names and passwords, and used those accounts to buy his apps.
How does that suddenly become apps stealing money?

vaughnmr · 07-29-2010, 11:47 AM

Quote:

Originally Posted by Roger Parkinson

If I understood the story correctly the app asked permission to access the information and the user gave permission. I haven't spent enough time on Android yet but Unix and Linux generally work that way. You don't run apps as root and you can protect stuff from apps that don't have access rights. I'd rather rely on a solid operating system, and I'd expect both the iPhone OS and Android to be similar.

A little more clarification on Engadget (the walled garden isn't as safe as you are led to believe):

http://www.engadget.com/2010/07/29/l...ps-you-may-ha/

EowynCarter · 07-29-2010, 12:04 PM

Quote:

I don't care what anybody says, there is no way anybody can fool proof these kind of apps. And it is up to the user to be vigilant about what they install on their apps.

scottjl · 07-29-2010, 12:07 PM

hmm. that article just explains further what the app was stealing and about user notifications that most ignored. it's as bad as windows vista/7's UAC. they spammed users with so many notices people just wanted to shut it all off.

the hacked itunes accounts were exactly that, itunes accounts, they had nothing to do with iOS or iphone apps. to my knowledge not a single iOS application asks you for the details of your iTunes account and there is no way to get this information off of your iOS device. even apple's applications ask for your password when making purchases, so the information is not stored anywhere. and i highly doubt any application that asked for such information would be allowed to pass through apple's gatekeepers. a developer couldn't even come up with a plausible excuse for needing such information as apps have no data stored in the itunes store.

=X= · 07-29-2010, 12:07 PM

Quote:

Originally Posted by murraypaul

Where does this FUD come from?
There has been no suggestion that any app was doing anything wrong.
The developer got access to peoples' iTunes account names and passwords, and used those accounts to buy his apps.
How does that suddenly become apps stealing money?

From the article

Quote:

"Apple’s response stops short of admitting that the App Store had been hacked"

Isn't there a "App store" both on the iPhone and on the Desktop? So I figured it could have been hacked on either end, and the article did not say which side it was.

However after re-reading the article I do see at the end they do think it was the iTunes account that got hacked.

=X=

scottjl · 07-29-2010, 12:12 PM

the app store application on an iOS device asks for your password when you make purchases, this information is not stored (it is, however cached in memory for a short period of time). given iOS's jailing of applications run space both on disk and in memory, it would be very difficult to steal that information out of cached RAM (and i doubt it's even stored as a password as opposed to a hash).

desktop itunes works in a similar manner, so again, trying to hack a saved password out of itunes is unlikely.

what is most likely is that the users simply had weak passwords. itunes does not require any particular strength in a password. so if you know a list of usernames you can simply spend some time attempting to hack passwords. or perhaps they were phished like so much other account information is these days, or keylogged by a virus, we will never know. and no company goes about giving detailed information on their hacked accounts, so apple is not doing anything unusual in keeping that information private.

weateallthepies · 07-29-2010, 12:24 PM

Quote:

Originally Posted by scottjl

hmm. that article just explains further what the app was stealing and about user notifications that most ignored. it's as bad as windows vista/7's UAC. they spammed users with so many notices people just wanted to shut it all off.

the hacked itunes accounts were exactly that, itunes accounts, they had nothing to do with iOS or iphone apps. to my knowledge not a single iOS application asks you for the details of your iTunes account and there is no way to get this information off of your iOS device. even apple's applications ask for your password when making purchases, so the information is not stored anywhere. and i highly doubt any application that asked for such information would be allowed to pass through apple's gatekeepers. a developer couldn't even come up with a plausible excuse for needing such information as apps have no data stored in the itunes store.

UAC isn't really a bad thing though, users are just lazy given the chance. Anyone from a linux background will be used to authorising anything that makes changes to the system and understand the need for that. Windows users much less so hence the perceived annoyance of UAC. It is a good idea though, and given the fragmented nature of PC software it's the only real option short of only allowing a central controlled repository of software to be installed.

The walled garden is only as secure as the gatekeeper though, and even the most security clued up companies have been known to make mistakes.

The problems are still largely what was known as PIBKAC (problem is between keyboard and chair).

scottjl · 07-29-2010, 12:46 PM

i never said UAC was bad, or unnecessary, but MS's implementation of it was overbearing, resulting in most people disabling it. as for linux authorization, it's a whole different world. if you're installing anything in your home directory you rarely need any extra privilege. root is only required if you're going where most users don't need to tread. and /usr/local was created years ago to keep people out of system areas.

if you know unix programming you'll know that invading another application's memory space is very difficult to do, the kernel is pretty good at enforcing that.

"operator errors" will always be the weakest point.

murraypaul · 07-29-2010, 01:37 PM

Quote:

Originally Posted by =X=

From the article

Quote:

"Apple’s response stops short of admitting that the App Store had been hacked"

Isn't there a "App store" both on the iPhone and on the Desktop? So I figured it could have been hacked on either end, and the article did not say which side it was.

So they don't admit the App store was hacked, and that means it was?

Quote:

However after re-reading the article I do see at the end they do think it was the iTunes account that got hacked.

Indeed. If someone responds to a bank phishing email and loses money, would you say the bank was hacked?

tyche · 07-29-2010, 02:06 PM

I run firewall software on my iOS devices just like on my desktop pc. I do not like the spying that goes on, however benign, in software these days. Nothing gets out unless I let it.

Maggie Leung · 07-29-2010, 02:26 PM

Quote:

Originally Posted by tyche

I run firewall software on my iOS devices just like on my desktop pc. I do not like the spying that goes on, however benign, in software these days. Nothing gets out unless I let it.

How do you do that? I'm a tech bonehead and would appreciate instructions or a pointer to them if possible.

scottjl · 07-29-2010, 02:32 PM

Quote:

Originally Posted by Maggie Leung

How do you do that? I'm a tech bonehead and would appreciate instructions or a pointer to them if possible.

if your iOS devices are jailbroken you can buy Firewall IP. It will alert you to any outbound connections an app tries to make. You can choose to allow or deny any and all connections one-time, for your session or forever. It's a pretty nice program, similar to Little Snitch on Mac OS X. Well worth the money in my opinion. If you have more than one device you can buy it once and run it on all of them.

Just be warned, if you load new apps frequently you will get alerts often. If they get annoying and you disable it then you won't really have any protection.

It's also very useful for blocking connections to mobile ad servers.

Maggie Leung · 07-29-2010, 02:34 PM

Quote:

Originally Posted by scottjl

if your iOS devices are jailbroken you can buy Firewall IP. It will alert you to any outbound connections an app tries to make. You can choose to allow or deny any and all connections one-time, for your session or forever. It's a pretty nice program, similar to Little Snitch on Mac OS X. Well worth the money in my opinion. If you have more than one device you can buy it once and run it on all of them.

Just be warned, if you load new apps frequently you will get alerts often. If they get annoying and you disable it then you won't really have any protection.

It's also very useful for blocking connections to mobile ad servers.

Thanks, Scott. So it's not possible without jailbreaking?

scottjl · 07-29-2010, 02:41 PM

no. sorry. direct access to the networking hardware is a big NO with apple's approved programming methods. you can even use Firewall IP to block apple's advertising. lol.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Seriously thoughtful What's out in your garden now ....	GeoffC	Lounge	1527	03-26-2024 03:28 PM
Madness, Revenge, Betrayal--Now Available in The Garden	williamcharles	Self-Promotions by Authors and Publishers	0	08-03-2010 06:01 PM
Hello from Garden State	blueoyster	Introduce Yourself	13	05-21-2010 01:59 PM
Zen Garden	brewt	ePub	4	09-25-2009 02:26 AM
Draft telecom bill could limit Walled Gardens	Brian	Lounge	2	09-17-2005 10:18 PM

07-29-2010, 12:07 PM	#20
scottjl Reader of Books Posts: 1,632 Karma: 2697 Join Date: Oct 2009 Device: none	hmm. that article just explains further what the app was stealing and about user notifications that most ignored. it's as bad as windows vista/7's UAC. they spammed users with so many notices people just wanted to shut it all off. the hacked itunes accounts were exactly that, itunes accounts, they had nothing to do with iOS or iphone apps. to my knowledge not a single iOS application asks you for the details of your iTunes account and there is no way to get this information off of your iOS device. even apple's applications ask for your password when making purchases, so the information is not stored anywhere. and i highly doubt any application that asked for such information would be allowed to pass through apple's gatekeepers. a developer couldn't even come up with a plausible excuse for needing such information as apps have no data stored in the itunes store.

07-29-2010, 12:12 PM	#22
scottjl Reader of Books Posts: 1,632 Karma: 2697 Join Date: Oct 2009 Device: none	the app store application on an iOS device asks for your password when you make purchases, this information is not stored (it is, however cached in memory for a short period of time). given iOS's jailing of applications run space both on disk and in memory, it would be very difficult to steal that information out of cached RAM (and i doubt it's even stored as a password as opposed to a hash). desktop itunes works in a similar manner, so again, trying to hack a saved password out of itunes is unlikely. what is most likely is that the users simply had weak passwords. itunes does not require any particular strength in a password. so if you know a list of usernames you can simply spend some time attempting to hack passwords. or perhaps they were phished like so much other account information is these days, or keylogged by a virus, we will never know. and no company goes about giving detailed information on their hacked accounts, so apple is not doing anything unusual in keeping that information private.

07-29-2010, 12:46 PM	#24
scottjl Reader of Books Posts: 1,632 Karma: 2697 Join Date: Oct 2009 Device: none	i never said UAC was bad, or unnecessary, but MS's implementation of it was overbearing, resulting in most people disabling it. as for linux authorization, it's a whole different world. if you're installing anything in your home directory you rarely need any extra privilege. root is only required if you're going where most users don't need to tread. and /usr/local was created years ago to keep people out of system areas. if you know unix programming you'll know that invading another application's memory space is very difficult to do, the kernel is pretty good at enforcing that. "operator errors" will always be the weakest point.

07-29-2010, 02:06 PM	#26
tyche Addict Posts: 227 Karma: 2530 Join Date: Dec 2009 Device: PRS-505, iPad	I run firewall software on my iOS devices just like on my desktop pc. I do not like the spying that goes on, however benign, in software these days. Nothing gets out unless I let it.

07-29-2010, 02:41 PM	#30
scottjl Reader of Books Posts: 1,632 Karma: 2697 Join Date: Oct 2009 Device: none	no. sorry. direct access to the networking hardware is a big NO with apple's approved programming methods. you can even use Firewall IP to block apple's advertising. lol.