C/C++/Cocoa tool for codesign security, Developer ID, & Mac App Store Receipt Validation
Tighten Pro - in the Mac App Store
Tighten Pro is now available in the Mac App Store.
Simply click on the icon to the left to purchase directly from Apple.
Or choose PKCS#7Viewer.app by clicking the image to the right.
Mac Developer: Apple begins encrypting iCloud email sent between providers | 9to5Mac
Apple begins encrypting iCloud email sent between providers | 9to5Mac
The change is documented on Google’s transparency website that shows the percentage of emails encrypted in transit for both inbound and outbound email exchanges.
I can't tell if the world is changing or if we all simply woke up and smelled the malware.
Mac Developer: Crypto certificates impersonating Google and Yahoo pose threat to Windows users | Ars Technica
Crypto certificates impersonating Google and Yahoo pose threat to Windows users | Ars Technica: "A blog post published Tuesday by Google security engineer Adam Langley said the fraudulent transport layer security (TLS) certificates were issued by the National Informatics Centre (NIC) of India, an intermediate certificate authority that is trusted and overseen by India's Controller of Certifying Authorities (CCA)."
My personal opinion is that many of the so-called trusted technologies that are in use on the internet have never really been properly audited or stress-tested. It's only as the malware networks reap their rewards that anyone is paying any real attention to exploits. Software is complex and hard to debug, and it gets much worse when you consider a heterogeneous system such as the global internet. On the plus side, a truly heterogeneous system based on standards says that someone is going to emerge as a clear leader in this area.
I personally think the monolithic bloatware OS is going to be superseded in the coming years by something very minimalistic. Maybe a hypervisor. Something so small it can be completely tested and debugged.
This mad race to add OS features isn't really serving anyone. Except the marketers. In other words, people who don't have any vested long-term interest in the integrity of a user's experience. Just as long as the gloss is still the most prevalent consideration.
Oh, wait. Icon gloss has been deprecated for flat minimalistic design. By design I mean fashion fad.
Labels: certificate trust chain, security, self-signed certificates
Mac Developer: Malwarebytes takes in $30M, its first round since launching in 2008 | VentureBeat | Deals | by Richard Byrne Reilly
Malwarebytes takes in $30M, its first round since launching in 2008 | VentureBeat | Deals | by Richard Byrne Reilly: "It is an astonishing tale that continues to amaze. Today, Malwarebytes’ anti-virus security software protects the computers and mobile devices of more than 206 million clients who are fiercely loyal, employs 140 — 90 of whom occupy R&D roles — and will soon begin acquiring smaller players in the space."
The number of malware attacks per minute is troubling.
Mac Developer: Inside App Extensions: the Cloud Kit-savvy Photos future of Apple's iPhoto & Aperture
Inside App Extensions: the Cloud Kit-savvy Photos future of Apple's iPhoto & Aperture
At the same time, the fact that Extensions are always bundled in an app means that developers can deploy new Extensions as an app update (allowing Instagram to make its filters available in Photos, for example), and sell Extensions as an additional feature for their existing apps.
Even though everyone is articulating the idea that XPC is some new technology, it's really just a security-wise reworking of distributed objects. Which is great. Because DO is a terrific tool for Objective-C developers. The fact that it is coming to iOS is awesome. It signals the end of the era of monolithic iOS apps and the beginning of something entirely new.
Labels: app extensions, distributed objects, XPC service
Mac Developer: genkiyooka/MacRuntimeSandboxDetection
For CFPlugIn and AudioUnit developers - how to check Mac App Store sandbox capabilities at runtime.
If you write system components (i.e. CoreAudio AudioUnit), CFPlugIn bundles or loadable Cocoa frameworks which are shared among applications (like haxies), you may wish to detect the capabilities of the sandbox environment into which you've been loaded so you can gracefully disable features and so forth.
Naive implementations of such loadable code often dump huge volumes of system messages into the Console.log - not useful to anyone.
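As an added example (not code from the genkiyooka/MacRuntimeSandboxDetection project or from this post), the POSIX shell script below reads a host application's entitlements and reports whether a plug-in loaded into it will run inside the App Sandbox, and which of the capabilities a CFPlugIn or AudioUnit typically cares about (network, user-selected files, audio input) are granted. The two entitlement plists are constructed samples embedded inline so the script runs anywhere; on a Mac the same text comes from `codesign -d --entitlements :- "/Applications/Host.app"` (on recent macOS add `--xml` to get the XML form). The function names are this example's own.

```shell
#!/bin/sh
# Added example: inspect a host app's sandbox entitlements before deciding
# which plug-in features to disable. Not part of the original project.

# Constructed sample: a sandboxed host with a couple of capabilities.
SAMPLE_SANDBOXED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
</dict>
</plist>'

# Constructed sample: a host that is signed but not sandboxed.
SAMPLE_UNSANDBOXED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.allow-jit</key>
	<true/>
</dict>
</plist>'

# entitlement_value PLIST KEY -> prints "true", "false" or "absent".
entitlement_value() {
    plist="$1"; key="$2"
    # Collapse newlines and tabs so each <key> and its value share a line,
    # then look for <key>KEY</key> followed directly by <true/> or <false/>.
    flat=$(printf '%s' "$plist" | tr '\n\t' '  ' | tr -s ' ')
    case "$flat" in
        *"<key>$key</key> <true/>"*)  echo true ;;
        *"<key>$key</key> <false/>"*) echo false ;;
        *)                            echo absent ;;
    esac
}

# sandbox_report PLIST -> prints one line per capability a loaded plug-in
# may need. Returns 0 when the host is sandboxed, 1 when it is not.
sandbox_report() {
    plist="$1"
    sandboxed=$(entitlement_value "$plist" com.apple.security.app-sandbox)
    if [ "$sandboxed" != true ]; then
        echo "host is not sandboxed: all plug-in features available"
        return 1
    fi
    echo "host is sandboxed; capabilities granted to the host process:"
    for cap in com.apple.security.network.client \
               com.apple.security.network.server \
               com.apple.security.files.user-selected.read-write \
               com.apple.security.device.audio-input; do
        echo "  $cap: $(entitlement_value "$plist" "$cap")"
    done
    return 0
}

# Stand-alone demo on the constructed samples. On macOS you would instead run:
#   sandbox_report "$(codesign -d --entitlements :- /Applications/Host.app 2>/dev/null)"
sandbox_report "$SAMPLE_SANDBOXED"
sandbox_report "$SAMPLE_UNSANDBOXED" || true
```

A missing key is reported as "absent" rather than "false", because the sandbox denies anything not explicitly granted; a plug-in should treat both the same way and disable the feature quietly instead of logging a sandbox violation on every call.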
Labels: app store, c++, cocoa, mac runtime sandbox detection, sandbox, secure coding mac, security tools mac
Mac Developer: Secure Coding Guide: Introduction to Secure Coding Guide
Secure Coding Guide: Introduction to Secure Coding Guide
The document begins with “Types of Security Vulnerabilities,” which gives a brief introduction to the nature of each of the types of security vulnerability commonly found in software. This chapter provides background information that you should understand before reading the other chapters in the document. If you’re not sure what a race condition is, for example, or why it poses a security risk, this chapter is the place to start.
A good overview that just popped up on my radar.
Labels: sandbox, secure coding mac, security
Mac Developer: Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers
Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers
In the DDC technique, source code is compiled twice: once with a second (trusted) compiler (using the source code of the compiler’s parent), and then the compiler source code is compiled using the result of the first compilation. If the result is bit-for-bit identical with the untrusted executable, then the source code accurately represents the executable.
You are in a maze of twisty passages, all alike.
Mac Developer: Who Is Paunch? — Krebs on Security
Who Is Paunch? — Krebs on Security
“As I have done before, I am asking all the users as well as IT Security professionals to disable all plug-ins and add-ons in their browsers,” Fedotov warned forum members. “Do not think that if you are not users of Internet money (web money), there is no danger of being infected. In this case, the infected PCs are turned into socks proxies, spam/ddos bots and all the bad activity is done under your name, so that law enforcement can place all the blame on your shoulders. Safe surfing and good luck to you.”
I think this means you.
Labels: app security, security
Mac Developer: Open Threat Exchange (OTX) | AlienVault
Open Threat Exchange (OTX) | AlienVault
AlienVault Open Threat Exchange (OTX™) is an open threat information sharing and analysis network, created to put effective security measures within the reach of all organizations.
This is a terrific idea.
Mac Developer: Russian malware creators rule. Here's how they got so good | VentureBeat | Security | by Richard Byrne Reilly
Russian malware creators rule. Here's how they got so good | VentureBeat | Security | by Richard Byrne Reilly: "Eastern Europe, in particular Russia, is the malware capital of the world.
That’s the assertion of Adam Kujawa, a former Navy cryptologist and head of malware intelligence for Malwarebytes, a growing San Jose security outfit that has 100 employees and was originally founded in the windswept Baltic country of Estonia."
Labels: security, security law
Mac Developer: A programmer's view of Apple's new Swift language | VentureBeat | Dev | by Richard Byrne Reilly
A programmer's view of Apple's new Swift language | VentureBeat | Dev | by Richard Byrne Reilly
Objective-C is great and really powerful. It has served Apple well for a really long time. It’s older than the web though. It is pretty awkward to learn – especially for someone new to programming.
No real plans to change to Swift here, but Metal is definitely on the whiteboard. Of course, at same time, love them tuples and other innovative new language features (Yay! I watched the Advanced Swift WWDC talk). And I will much enjoy watching new programmers getting very confused over the difference between structs and classes.
I will use Swift for small tasks. Although I suppose if I'm going to learn a new language it might as well be C#. That mono runtime is really slutty.
Although I do think there are some merits to eliminating header files (Modula-2 "Interface"), I think it would be good to have an option. Really the last thing I want to do when studying a module's interface is read implementation details.
Labels: security, swift
Mac Developer: Apple, Inc. opens up access to its WWDC developer utopia
Apple, Inc. opens up access to its WWDC developer utopia: "Another reason why the hands-on labs are seen by developers as being a priority at WWDC is that Apple now makes the videos of its technical sessions available almost immediately, through either the WWDC app or iTunes. "
Favorite aspect of the new WWDC. Although everyone, I'm sure, would love to attend, it's just not feasible.
Mac Developer: Marc Andreessen & Bill Gates agree with Fox News on this: Snowden is a traitor | VentureBeat | Security | by Harrison Weber
Marc Andreessen & Bill Gates agree with Fox News on this: Snowden is a traitor | VentureBeat | Security | by Harrison Weber: "Silicon Valley investor and technologist Marc Andreessen today declared NSA whistleblower Ed Snowden a traitor on national television."
It's true that he spoke up. Who he betrayed is entirely dependent on your interpretation of the purpose of the Constitution of the United States of America.
"When they came for my friend I did not talk, when they came for my brother I did not talk, when they came for my neighbor I did not talk, soon they will come for me and there will be no one to speak for me".
I think he spoke for a lot of Americans.
Mac Developer: Apple's top secret Swift language grew from work to sustain Objective C, which it now aims to replace
Apple's top secret Swift language grew from work to sustain Objective C, which it now aims to replace: "We simplified memory management with Automatic Reference Counting (ARC). "
I don't necessarily agree ARC simplifies anything. It's also at least 20 percent slower than non-ARC code. Noticeable on the ARM platform, not as much on the Desktop. Alas, the future.
Mac Developer: A programmer's view of Apple's new Swift language | VentureBeat | Gadgets | by Richard Byrne Reilly
Of course, I'm no expert, but Swift looks more like Scala to me than any other language I've been exposed to.
Labels: scala, swift
Mac Developer: Apple unveils Swift, a brand new Xcode programming language for developers
Apple unveils Swift, a brand new Xcode programming language for developers: "In a demonstration, Apple showed off the 'Swift Playground,' where developers write code and how results are displayed as soon as code is written. Apple says Swift was designed from the ground up for Cocoa and Cocoa Touch.
Swift can be used for basic apps, like social networking, or advanced 3D games using the new 'Metal' graphics optimization. And because it operates alongside Objective-C, developers will be able to seamlessly interchange languages."
Looking forward to Swift and Metal. Together or individually.
Labels: metal, swift, wwdc
Mac Developer: WWDC 2014 Roundup: Enhanced iOS 8, redesigned OS X 10.10, new hardware (plus fresh details) | 9to5Mac
WWDC 2014 Roundup: Enhanced iOS 8, redesigned OS X 10.10, new hardware (plus fresh details) | 9to5Mac: "It is also uncertain which or if any of the above devices will be introduced at WWDC. Perhaps these are in store for later this year or next year."
I think it's a good sign that all of this is just speculation. Nobody let the cat out of the pajamas. Wait. As for user interface fashion, I'm still working on my HUD controls. HUD is dead, long live the HUD. Aqua is dead, long live the aqua.
Mac Developer: Hackers claim to have exploit for iCloud, use vulnerability to disable Activation Lock
Hackers claim to have exploit for iCloud, use vulnerability to disable Activation Lock
Apple recently patched a similar vulnerability in OS X and iOS, but iTunes on Windows remains susceptible. Loman believes that the issue is "either a beginner's mistake, or it was done on purpose" and alleges that it may have been designed to allow intelligence agencies access to iCloud.
Hard to say where internet security is headed. So much code being written.
Labels: certificate authority, security
Mac Developer: Sprint was the only telco to stand up to the NSA | VentureBeat | Security | by Barry Levine
Sprint was the only telco to stand up to the NSA | VentureBeat | Security | by Barry Levine: "He added that there is now some legislative movement in Congress to modify the basic problem, which Geiger described as ‘insufficient oversight at every level.’"
That's actually quite a funny statement. Insufficient oversight at every level. Usually you would associate that problem with some backwards country. Hard to say who is leading the free world these days and where we're being led.
Mac Developer: Of Flash Player versions and codesigning and signatures | Jaharmi’s Irreality
Of Flash Player versions and codesigning and signatures | Jaharmi’s Irreality
However, it’s also difficult to understand why a large corporation with the resources of Adobe cannot codesign a piece of software as critical to the Mac OS X browsing experience as the Adobe Flash plugin is — especially when its “Install Manager” application is signed.
One of the many problems with Flash vulnerabilities. You can't even check to see if the Flash plug-in is authentic.
Yesterday I opened a Safari session on Mavericks and was pummelled with dialog boxes (reminiscent of Windows popups) asking me to upgrade Flash.
I was redirected to the Adobe website and didn't think to check the codesign on the Flash installer before installing. What a nightmare!
Labels: codesigning, security
Mac Developer: Adobe Flash Security Update Tackles Zero-Day Flaw | The Mac Security Blog
Adobe Flash Security Update Tackles Zero-Day Flaw | The Mac Security Blog
Adobe Systems has released a brand new Adobe Flash security update to patch a zero-day flaw in its Flash Player software, updating to version 126.96.36.199 for Mac and Windows.
A little news to Tighten your day!
Mac Developer: Here comes a new, Web-wide security threat -- this time for OAuth & OpenID
Here comes a new, Web-wide security threat -- this time for OAuth & OpenID | VentureBeat | Security | by Barry Levine - When the flaw he calls Covert Redirect is exploited, you might click on a phishing link. It shows a popup window from a trusted site, and asks you to authorize a new app using, say, your Facebook login. But it then grabs your personal info – such as email address, birth date, or contacts — and sends it to the attacker.
Labels: oauth, openid, security
Mac Developer: Apple to routinely inform users of government data requests
Apple to routinely inform users of government data requests
Apple, Microsoft, Facebook and Google are planning to inform users of government data seizures on a more routine basis unless a gag order is handed down from the appropriate authorities, reports The Washington Post.
I'm not paranoid. People are really out to get me!
Mac Developer: 8 reasons we love the Last Hacker (& a free event where you can meet him yourself) | VentureBeat | Dev | by J. O'Dell
8 reasons we love the Last Hacker (& a free event where you can meet him yourself) | VentureBeat | Dev | by J. O'Dell
That is exactly why we’ve invited Stallman to appear at a one-night-only engagement to talk about copyright and community. On May 2, 2014, at 6 p.m., he’ll be speaking at the Automattic Lounge in San Francisco, and you’re invited to attend free of charge!
It's been a really, really long time since I met Stallman handing out his Fanged Apple badges at the Software Development conference back in, hmmm. '89? '90?
Mac Developer: How Apple dodged the Heartbleed bullet
How Apple dodged the Heartbleed bullet - When it announced plans to deprecate OpenSSL in June 2011, Apple wasn't aware of the Heartbleed flaw because it didn't yet exist. However, the company was aware of other problems with OpenSSL (libcrypto), a security toolkit Apple began using within the Common Data Security Architecture more than a decade ago.
OK, fair enough. But go ahead and try creating a fresh implementation of SSL without the source code from OpenSSL as a reference.
Labels: heartbleed, security
Mac Developer: 85% of Windows XP users say they're not upgrading, antivirus company finds | VentureBeat | Security | by Devindra Hardawar
85% of Windows XP users say they're not upgrading, antivirus company finds | VentureBeat | Security - Only 15 percent of Avast customers surveyed said they planned to upgrade from XP, even though Microsoft officially ended support for the aging OS last week.
The opportunity here is to act like a grown-up software company (like IBM) and support your operating systems until your customers don't need it anymore.
How's that go again? Those that don't know history are doomed to repeat it? IBM. Dominant for 30 years.
BBC News - Half-century milestone for IBM mainframes - The first System 360 mainframe was unveiled on 7 April 1964 and its arrival marked a break with all general purpose computers that came before.
Mac Developer: Play Nintendo DS games on non-jailbroken devices with the nds4ios emulator | 9to5Mac
Play Nintendo DS games on non-jailbroken devices with the nds4ios emulator | 9to5Mac
The app gets around Apple’s restrictions by using an enterprise provisioning profile, reports TouchArcade. This is normally meant for businesses to distribute apps to company employees, but nds4ios is exploiting it as a way to enable widespread app distribution.
I'm probably not alone in thinking that the App Store is now completely overcrowded with junk that would likely not be clogging the pipes if there were simpler ways to do ad-hoc distribution.