Berkeley CSUA MOTD:Entry 54034
Berkeley CSUA MOTD
2018/11/17 [General] UID:1000 Activity:popular

2011/2/10-19 [Computer/SW/Security] UID:54034 Activity:nil
        Summary: iPhone passwd storage is unsafe after all
ERROR, url_link recursive (eces.Colorado.EDU/secure/mindterm2) 2018/11/17 [General] UID:1000 Activity:popular

You may also be interested in these entries...
2013/10/24-11/21 [Computer/Companies/Apple] UID:54747 Activity:nil
9/19    "No, A Severed Finger Will Not Be Able to Access a Stolen iPhone 5S"
        I'm sure the Apple QA department has tested extensively that a severed
        finger will not be able to access a stolen iPhone 5S.
        \_ It doesn't matter whether or not a severed finger can be used.  It
           matters whether or not a robber thinks that a severed finger can be
2013/6/6-7/31 [Politics/Foreign/Asia/China, Computer/SW/Security] UID:54690 Activity:nil
6/6     Wow, NSA rocks. Who would have thought they had access to major
        data exchangers? I have much more respect for government workers,
        crypto experts, mathematicans now than ever.
        \_ flea to Hong Kong --> best dim-sum in the world
           \_ "flee"
        \_ The dumb ones work for DMV, the smart ones for the NSA. If you
2012/8/26-11/7 [Computer/SW/Security] UID:54465 Activity:nil
8/26    Poll: how many of you pub/priv key users: 1) use private keys that
        are not password protected 2) password protect your private keys
        but don't use ssh-agent 3) use ssh-agent:
        1) .
        2) ..
        3) ...
2012/8/29-11/7 [Computer/SW/Security] UID:54467 Activity:nil
8/29    There was once a CSUA web page which runs an SSH client for logging
        on to soda.  Does that page still exist?  Can someone remind me of the
        URL please?  Thx.
        \_ what do you mean? instruction on how to ssh into soda?
           \_ No I think he means the ssh applet, which, iirc, was an applet
              that implemented an ssh v1 client.  I think this page went away
2012/8/7-10/17 [Computer/SW/Security] UID:54455 Activity:nil
8/6     Amazon and Apple have lame security policies:
        "First you call Amazon and tell them you are the account holder, and
         want to add a credit card number to the account. All you need is the
         name on the account, an associated e-mail address, and the billing
         address. "
2012/7/13-8/19 [Computer/Companies/Yahoo, Computer/SW/Security] UID:54436 Activity:nil
7/13    Why would Yahoo store passwords unencrypted?  I recall that even 20+
        years ago the passwords stored in /etc/passwd on instructional
        machines here at Cal were one-way encrypted.  (I think those were
        Ultrix machines.)
        \_ Doesn't this say anything already?
2011/5/19-7/30 [Computer/SW/Security] UID:54110 Activity:nil
5/19    Uh, is anyone still using this? Please mark here if you post and
        haven't added this yet. I'll start:
        \_ person k
        \_ ausman, I check in about once a week.
        \_ erikred, twice a week or so.
        \_ mehlhaff, I login when I actually own my home directory instead of
2011/2/14-4/20 [Computer/SW/Unix] UID:54039 Activity:nil
2/14    You sure soda isn't running windows in disguise?  It would explain the
        \_ hardly, My winbox stays up longer.
        \_ Nobody cares about uptime anymore brother, that's what web2.0 has
           taught us.  Everything is "stateless".
           \_ You;d think gamers would care more about uptime.
Cache (1848 bytes)
have proven that the combination of a modified jailbreaking technique and the installation of an SSH server on a device running iOS results in a complete circumvention of the passcode. According to the researchers, this is not the first time that someone managed to access great portions of the data stored in these devices without having to know the passcode. "Tools are available for this tasks that require only small effort. This is done by tricking the operating system to decrypt the file system on behalf of the attacker. This decryption is possible, since on current iOS devices the required cryptographic key does not depend on the users secret passcode," they explain. So, they chose to concentrate their efforts on gaining access to the data stored in the keychain, which usually contains various user accounts and passwords for e-mail, VPN, WiFi, various websites and sometimes also passwords and certificates used in 3rd party applications. This data is also encrypted, and for the sake of the experiment, they assumed the device is in the hands of a thief or someone who found it, that it is protected by a strong passcode and that it's not jailbroken. After having bypassed the passcode using the previously mentioned procedure, software on the device can be used to access the encrypted keychain database. A specially crafted script is then copied into the device via the SSH connection and, when executed, it reveals information concerning the found accounts in the shell screen. "We judge the effort for the shown attack method as low, since the used jailbreaking tools are freely available and the additional steps to decrypt the keychain requires only moderate programming skills," conclude the researchers, and advise everyone who lost their iPhone or iPad or had it stolen to immediately change all the passwords stored on it.