You may have read about the tens of millions of usernames and passwords which have been recently been compromised/hacked/leaked on major websites in the last few weeks. If not, here are a few of the stories:
- 30 million passwords leaked from LinkedIn due to unsalted SHA-1 hashes stored centrally.
- 6 million passwords hacked at Last.FM, the popular music discovery service.
- 1.5 million passwords leaked from eHarmony.
In the last year other services have experience serious security breaches:
- 100 million accounts compromised on the Sony Playstation Network (PSN). Sony offered free credit monitoring and games to all PSN users to compensate them, a major departure from the typical “change your password” / sweep it under the rug response.
- All RSA SecureID tokens were compromised by the theft of RSA intellectual property and cryptographic keys. RSA tokens are used by most enterprises to login remotely as part of multi-factor authentication scheme.
How can you protect yourself?
Signup for a service like 1Password or LastPass, which offer convenient browser extensions. They generate unique passwords per website that you user, so the breach of security at Facebook won’t affect your password on Mint.
How can Web Developers protect users?
Move to standardized authentication methods, like OpenID or Facebook/Twitter/Google login integration. If the authentication mechanism is outsourced, your customers and users don’t need to worry about how you store their passwords.
If you absolutely want to store user passwords, please read How to Safely Store a Password and use bcrypt to do the heavy lifting. Then even if your login/password database is compromised, nothing will come of it.
This is interesting, and at the same time scary. According to Engadget, Apple’s Fairplay (TM) DRM has been hacked for the new iPhone 3G App Store, and the applications themselves are appearing on torrent sites:
There’s also a more traditional crack which allows apps to be stripped of DRM and shared without using iTunes, although you’ll have to jailbreak your phone to do it. The first app to be widely pirated is Super Monkey Ball, which isn’t surprising, and it seems like several other apps have followed it out onto various torrent sites. In addition to the relatively simple jailbreak procedure, running cracked apps requires you to open up SSH access and do some mucking around, so unless your time is worth less than $10, it’s probably not worth it.
The latest apps appearing on a torrent search for iPhone include Crash Bandicoot Nitro Kart 3D, Super Monkey Ball, iBeer, and Enigmo, a total (so far) of $32.96 of potential revenue destroyed by hackers.
The original post at Haklabs, Super Monkey Ball iPhone – Cracked, explains the motivation for the hack:
After the WWDC ‘08 Keynote, everyone wanted this iPhone game, it received almost as much hype as the iPhone itself. Super Monkey Ball from SEGA definitely has some good qualities, however it does have some bad qualities as well. First off, this game costs $9.99 which might be a little steep for some.
1. Make sure you are on firmware 2.0
2. Download the Super Monkey Ball Cracked file and extract the .ipa file from the archive to your desktop.
3. Drag and drop the Monkey Ball.ipa file into the iTunes application folder and wait for it to install.
So because an irate iPhone user believes the Super Monkey Ball game costs too much at $9.99, he creates a hacked version and gives it away for free. I actually paid for Super Monkey Ball, because it’s one of the few applications worth my $9.99, and I advise you to as well. If there’s no financial market for creating great iPhone applications, the entire market will suffer, and we’ll have crappy apps to run on our $400 phones.
The process of updating your 1.1.4 first-gen iPhone to 1.2.0 is simple. Even though the official winpwn release for Windows and the iPhone 3G isn’t out yet, here’s what you need to do to unlock, jailbreak, and upgrade your 1.4 iPhone to the 2.0 3G firmware!
[STEP 1] Download Winpwn 18.104.22.168 RC1 from the official source, or my local mirror. The filename is winpwn_22.214.171.124_RC1_Setup.zip; after you download it, download Apple’s 1.1.4 firmware, choose that ipsw from the “browse .ipsw” button, and click “iPwner” to WinPwn it. You’ll see something like this:
7/20/2008 4:10:49 PM – This is winpwn ver.:126.96.36.199 RC1
7/20/2008 4:10:50 PM – Apple Mobile Device Support Version 188.8.131.52 installed.
7/20/2008 4:11:01 PM – Debug level:1
7/20/2008 4:11:02 PM – Debug level:0
7/20/2008 4:11:02 PM – Debug level:1
7/20/2008 4:11:10 PM – File from: iPhone1,1_1.1.4_4A102_Restore.ipsw
7/20/2008 4:11:10 PM – Recognized as:iPhone1,1_1.1.4_4A102_Restore.ipsw Type: IPSW_iPhone
7/20/2008 4:11:10 PM – Be sure to connect an iPhone!
7/20/2008 4:11:13 PM – Failed to load image catalog
7/20/2008 4:11:34 PM – Failed to load payload catalog
7/20/2008 4:13:09 PM – Setting up iPhone device object
7/20/2008 4:13:09 PM – Registering callbacks
7/20/2008 4:13:10 PM – Unzipping .ipsw file to Application Data\cmw\winpwn\184.108.40.206\ipsw
7/20/2008 4:13:10 PM – Found device product id:4752
7/20/2008 4:13:10 PM – iPhone connected
7/20/2008 4:13:15 PM – OK
7/20/2008 4:13:15 PM – Creating ramdisk
7/20/2008 4:13:16 PM – Padding ramdisk
7/20/2008 4:13:16 PM – Ramdisk successfully created
7/20/2008 4:13:17 PM – Putting iPhone into recovery mode.
7/20/2008 4:13:17 PM – AMDeviceEnterRecovery res:0
7/20/2008 4:13:21 PM – iPhone disconnected
7/20/2008 4:13:29 PM – iPhone entered recovery mode
7/20/2008 4:13:30 PM – Sending ramdisk to iPhone.
7/20/2008 4:13:31 PM – Transfer took 1734.375ms
7/20/2008 4:13:31 PM – Modifying environment…
7/20/2008 4:13:31 PM – Starting pwnage
7/20/2008 4:13:41 PM – iPhone left recovery mode
7/20/2008 4:14:44 PM – Found device product id:4752
7/20/2008 4:14:44 PM – iPhone connected
7/20/2008 4:14:44 PM – Your iPhone has been pwned
[STEP 2]: Now you need to BootNeuter your phone. Using the Installer.App download an install it. Instruction on how to neuter the bootrom can be found on the dev team’s site. It’s quite easy, just run the app, select Neuter, and hit the “Flash” button.
[STEP 3]: Update iTunes to 7.7, if you haven’t already. Get a hold of a 2.0 firmware made with iPWNAGE 2.0 for the Mac. Firmwares, for example, are available on torrent file sharing sites.
[STEP 4]: Shift-click the “restore” button in iTunes and select the custom firmware you obtained above. Thanks to PWNAGE 2.0, you now have a first-gen iPhone running the 2.0 firmware, with full ability to run games and apps from the iTunes Application store! Enjoy Super Monkey Ball!
I am running through these steps right now on my first-gen iPhone, and so far everything works as advertised. Of course, I’m not responsible if something does go wrong and bricks your iPhone…
Update: If you have trouble getting your wallpaper to show up, or just see a black background, connect to the iPhone via SSH or from a terminal on the phone itself, delete private/var/mobile/Library/LockBackground.jpg, and restart. You’ll be able to set your own wallpaper.
Update 2: It’s official, WinPwn for Windows XP has been released, so just go use that!
Also, you should check out How to Unlock the iPhone 3G on Google Knol.