Pearl_Diva
Well-known member
Someone posted the iPhone ringtones and I listened to them the other day. Lame, very lame if that's truly all you get included. Are you sure we can't use our own ringtones?
WWDC: Jobs’ Keynote: iPhone, Safari for Windows, Etc.
By Staci D. Kramer - Mon 11 Jun 2007 11:14 AM PST
The Steve Jobs keynote isn’t being live webcast but it is being live blogged by, among others, Engadget and B20. Some of the relevant highlights:
iPhone: Sales start at 6 p.m. June 29. Developers will be able to create Safari-based apps. No SDK—can go live June 29. (B20) Jobs: “So you can write amazing Web 2.0 and AJAX apps that look and behave exactly like apps on the iPhone, and these apps can integrate perfectly with iPhone services. They can make a call, check email, look up a location on Gmaps… don’t worry about distribution, just put ‘em on an internet server. They’re easy to update, just update it on your server. They’re secure, and they run securely sandboxed on the iPhone. And guess what, there’s no SDK you need! You’ve got everything you need if you can write modern web apps...”
http://www.boingboing.net/2007/07/22/report_security_flaw.html
Report: security flaw lets hackers pwn iPhone
Computer security researchers at Independent Security Evaluators say they've found a way to take control of an iPhone by way of a WiFi connection or by tricking users into accessing malware on a website.
This is the first report of a verified data security vulnerability with Apple's iPhone, but no known exploit incidents have occurred. Apple says they're evaluating ISE's findings.
John Schwartz reports in Monday's New York Times:
[ISE's Charles A.] Miller, a former employee of the National Security Agency who has a doctorate in computer science, demonstrated the hack to a reporter by using his iPhone’s Web browser to visit a Web site of his own design.
Once he was there, the site injected a bit of code into the iPhone that then took over the phone. The phone promptly followed instructions to transmit a set of files to the attacking computer that included recent text messages — including one that had been sent to the reporter’s cellphone moments before — as well as telephone contacts and e-mail addresses.
“We can get any file we want,” he said. Potentially, he added, the attack could be used to program the phone to make calls, running up large bills or even turning it into a portable bugging device.
exploitingiphone.com has more info, including a preliminary version of the paper describing the attack. The ISE's Dr. Miller is scheduled to present the details of the exploit at BlackHat in Las Vegas on August 2.
The website also includes an h.264 (= iphone-compatible) video that demonstrates the exploit: Video Link. Note that scotch tape and pretzels are required to complete this sophisticated hack.
Now, given all that, I love the way the NYT story ends:
[ISE founder Aviel D.] Rubin said, “I will think twice before getting on a random public WiFi network now,” but his overall opinion of the phone has not changed. “You’d have to pry it out of my cold, dead hands to get it away from me,” he said.
anaknipedro 07-22-2007 10:43 PM
--------------------------------------------------------------------------------
Not
I don't believe this. A website crafted to force the iPhone to make unsolicited calls? These guys can't be for real. This is FUD FUD FUD.
badtzmaru 07-22-2007 11:01 PM
--------------------------------------------------------------------------------
at least we know an iphone update is coming before, or around, august 2!!
ErikGrim 07-22-2007 11:02 PM
--------------------------------------------------------------------------------
Quote:
--------------------------------------------------------------------------------
Originally Posted by anaknipedro (Post 3950329)
I don't believe this. A website crafted to force the iPhone to make unsolicited calls? These guys can't be for real. This is FUD FUD FUD.
--------------------------------------------------------------------------------
Why would this be FUD? Unlike the other recent claims of OS X worms and not to mention the whole Month of OS X bugs debacle, these are "ethical" hackers, disclosing the information to Apple FIRST so that they can issue a fix before releasing the information to the general public.
These kinds of independent security analyses actually benefit the end user rather than harm them. There's no FUD here at all. Read their FAQ.
Lancetx 07-22-2007 11:04 PM
--------------------------------------------------------------------------------
I'll bet Apple gets a fix out there before this August 2nd conference occurs. I'm not alarmed, as this will get fixed soon enough. In the meantime though, I'll just make sure not to connect to any unknown wi-fi networks.
badtzmaru 07-22-2007 11:05 PM
--------------------------------------------------------------------------------
before anyone says "this is impossible" visit the firm's website and read their preliminary paper (ignore the part about the iphone being released on june 28)
http://www.securityevaluators.com/
dfnj123 07-22-2007 11:06 PM
--------------------------------------------------------------------------------
we should all really be happy about this. It points out a flaw made by apple that they can now fix.
~Shard~ 07-22-2007 11:12 PM
coolfactor 07-22-2007 11:29 PM
--------------------------------------------------------------------------------
Quote:
--------------------------------------------------------------------------------
Originally Posted by dfnj123 (Post 3950366)
we should all really be happy about this. It points out a flaw made by apple that they can now fix.
Dippo 07-22-2007 11:35 PM
--------------------------------------------------------------------------------
Then why can't we run 3rd Party Apps?
If this "virus" is for real, then it could be considered a 3rd party app.
So then it should be possible to run other 3rd Party apps on the iPhone.
Maybe it is good news in disguise.
Personally, I think it is fake.
SC68Cal 07-22-2007 11:46 PM
--------------------------------------------------------------------------------
This is why you don't run everything as Root
macrumors12345 07-22-2007 11:50 PM
--------------------------------------------------------------------------------
Quote:
--------------------------------------------------------------------------------
Personally, I think it is fake.
--------------------------------------------------------------------------------
It's not a fake. One of the principal analysts at the company is a friend of mine (he told us about this hack two days ago), not to mention a devoted Apple fan (and fulltime iPhone user).
The hack is definitely real (and it's not really a virus in the sense that it doesn't self-replicate - it's just an exploitable flaw that allows arbitrary code execution). That said, it really doesn't make a significant difference (though Apple should, and undoubtedly will, fix it). Unless you lock your iPhone with a passcode (which would be a major PITA), it's an inherently insecure device and should be treated as such. This hack doesn't give someone substantially more information than they could get by just pick-pocketing your iPhone or finding your lost iPhone. In other words, don't store anything on your iPhone (or any phone) that you feel must stay confidential.
Any limitations Apple puts on 3rd party apps are more likely for *reliability* than security. The iPhone is - like all cell phones - an inherently insecure device.
corywoolf 07-23-2007 12:00 AM
--------------------------------------------------------------------------------
It makes you wonder if watching that YouTube video (of the exploit) on your iPhone would make your iPhone explode in confusion?
33scottie33 07-23-2007 12:15 AM
--------------------------------------------------------------------------------
Ha, no patch needed, here is the solution!
How the exploit works
1. An attacker controlled wireless access point: Because the iPhone learns access points by name (SSID), if a user ever gets near an attacker-controlled access point with the same name (and encryption type) as an access point previously trusted by the user, the iPhone will automatically use the malicious access point.
Unless they set up APs across the world, this is no big issue. The odds are slim too, seeing that it has to be the same SSID and encryption type. Not to mention the range of WiFi.
2. A misconfigured forum website: If a web forum's software is not configured to prevent users from including potentially dangerous data in their posts, an attacker could cause the exploit to run in any iPhone browser that viewed the thread.
Stick with major, trusted forums like macrumors.
3. A link delivered via e-mail or SMS: If an attacker can trick a user into opening a website that the attacker controls, the attacker can easily embed the exploit into the main page of the website.
This can happen to any computer or device that connects to the Internet if you are not careful. Also, we all know not to click on links we are not familiar with or are unsolicited.
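The first delivery path in the list above (auto-join by SSID and encryption type) suggests a simple defensive check, shown here as an added example that is not part of the original thread or of ISE's paper: flag any beacon whose name and encryption type match a trusted network but whose BSSID was never seen for it. The `Beacon` type, network names and BSSIDs are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str        # network name
    encryption: str  # e.g. "open", "wpa2-psk"
    bssid: str       # MAC address of the access point radio

# Constructed sample data: trusted (ssid, encryption) -> BSSIDs seen when trusted.
TRUSTED = {
    ("CoffeeShop", "open"): {"00:11:22:33:44:55"},
    ("HomeNet", "wpa2-psk"): {"66:77:88:99:aa:bb", "66:77:88:99:aa:bc"},
}

def joins_by_name(beacon, trusted=TRUSTED):
    """Auto-join rule as described in the post: name and encryption type only."""
    return (beacon.ssid, beacon.encryption) in trusted

def classify(beacon, trusted=TRUSTED):
    """Return 'unknown', 'known' or 'suspect' for one observed beacon."""
    key = (beacon.ssid, beacon.encryption)
    if key not in trusted:
        return "unknown"   # never trusted: would not be auto-joined at all
    if beacon.bssid.lower() in trusted[key]:
        return "known"     # same radio as when the network was trusted
    return "suspect"       # matches by name only: prompt instead of joining

def suspects(scan, trusted=TRUSTED):
    """Beacons that name-only auto-join accepts but BSSID history does not back."""
    return [b for b in scan
            if joins_by_name(b, trusted) and classify(b, trusted) == "suspect"]

# Constructed scan results.
SCAN = [
    Beacon("CoffeeShop", "open", "00:11:22:33:44:55"),
    Beacon("CoffeeShop", "open", "DE:AD:BE:EF:00:01"),
    Beacon("HomeNet", "open", "66:77:88:99:aa:bb"),
    Beacon("HomeNet", "wpa2-psk", "66:77:88:99:AA:BC"),
]

if __name__ == "__main__":
    for b in SCAN:
        print(f"{b.ssid:<12}{b.encryption:<10}{b.bssid:<19}{classify(b)}")
```

A BSSID match is a heuristic rather than proof of identity, and a network with several access points legitimately adds new BSSIDs, so a "suspect" result is better handled with a prompt than a silent block.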
egdiroh 07-23-2007 12:16 AM
--------------------------------------------------------------------------------
Will this help the iphone modding community?
Depending on what they mean by arbitrary code, could this be used to open up the iphone to the home brew software crowd?
I'd love to get a native terminal+ssh or IM client on my phone. Then it would let me roam free from my laptop more.
Someone posted the iPhone ringtones and I listened to them the other day. Lame, very lame if that's truly all you get included. Are you sure we can't use our own ringtones?
I don't come across a lot of threads /WM palm-WX that users are chatting about not having the features needed. A2dp was the big complaint but my friend hannip made that available hacking into the Verizon wx.
I think this comes down to the basics, Jack. The future phone does not live up to its blue ribbon so many users are finding out when viewing links that surur has provided.
I'm sure it's helped many that were thinking of going ipod phone make their decision.
This is a really great thread with no bull...just great links to real life iphone users post.
We must not forget about the Apple fan boys that post in the thread as well. We can only hope that their denial of facts will end.
The iPhone impresses me because of what it does with the web. If web on a handheld is a big thing to you, unless you are a phone fundamentalist, one can not help being impressed by it.
So Jack, the big thing about the iPhone is that it's the best mobile web browser out there? Should have been called iWeb.
I agree mobile Safari is good. But $2,300 good? I guess that is the question.
If you have a lot of contacts, WM is way, way faster.
I think I would go batty scrolling through hundreds or thousands of contacts manually.
Here's the thing...most people don't remember numbers...they remember the name (either first or last).
Only being able to get to them via rolodex interface, while pretty, can be slow and trying.
I bet Apple introduces a "spell-to-contact" function, like WM now has, and people will say, "Wow, look how innovative Apple is."
Mike - is the $2300 the two year cost? If so, I'm not sure it's fair to throw that number around as if other phones have free plans (the press keeps doing that, I notice). My sprint plan (i was month-to-month after finishing my contract a year ago, so the new plans may be different) cost me $5 more per month (two phones, unlimited data, etc). When I compared upgrading my treo to the mogul to switching to at&t/iphone, the main difference in two year cost seemed to be the cost of the phone. (But, of course, it's nearly impossible to figure out what a cell phone will cost you until you get your first bill. I hate all cellphone companies).
Of course, on sprint, in theory, i could have gotten a one year contract or even no contract (but they really do play games when you try not to get a contract, or try to get a one year contract - i did that once, and they raised the cost on everything over what they told me it would be, and I spent months arguing with them. And no contract=no subsidy, so that raises the upfront cost in the comparison.)
So I'd say the real issue is "is the iphone $500-$600 and a two-year-commitment worth it?" (And, to be fair, while the browser is excellent, there is more to the phone than that. The ipod features are also very well implemented, and, from a business perspective, I've never seen as functional a pdf viewer, to name two examples.)
I'm not saying it IS worth it. I love mine, but I wouldn't recommend it to anyone who didn't have a lot of disposable income or who needed the industrial-strength enterprise functionality of WM or BB. (Though, again, everyone in my office lusts after mine, especially when they see how beautifully it renders pdf and word attachments, of which we receive tons).
I don't think a lot of people buy phones without activating them. And, on sprint/verizon, you can't use your phone on any other network even if you have no contract. And you get no subsidy without contract. So, to a sprint or verizon customer, the only problem with the 2-year commit is that it isn't a 1-year commit. And most sprint customers, at least, do 2 year commits.
I think the contract/activate issues are mostly an issue for GSM customers, and particularly those who travel internationally. For people who are used to having to give up their phone when they switch carriers (cdma) and who do not travel a lot, it doesn't seem like such a big deal to me.
I'm not saying a lot of people do buy smartphones without activating them, I'm just saying you do this, unlike the iPhone. (Ignoring the subsidy).
Comparing Sprint/Verizon to this is not relevant, as CDMA locks the phone to the network. We should stick to GSM for comparisons of the iPhone (and I should have referenced buying the HTC GSM device, not a Sprint one).
GSM is also handy when your phone dies. If the iPhone dies, can you put its sim into a spare dumbphone? I would hope so. You'll save that rental fee from Apple for one thing, and you'll be able to start making/receiving calls immediately.
BTW, if you want to go out jogging or to the beach, would you want to risk your $600 phone? Swapping out the SIM would be really important to me. Apple would be wise to make a $100 dumbphone 'mini' that works in tandem with the larger iPhone for these kinds of occasions.
According to posters on howardforums and elsewhere, you can indeed remove the sim from your iphone and place it in a "beach phone." Voice and text work. It's the reverse that is the problem (sim from another phone into the iphone).