Apple turn iPhone security issue into 'Nothing to see here move along'

[BenMcr]

http://news.cnet.com/8301-13579_3-10354209-37.html

So this issue originally was:

iPhone OS 3.0 did not identify itself properly to Exchange 2007 on any iPhone. This means that if you had a 3G and Exchange 2007 was configured to require hardware encryption, you could still login, even though the device does not have hardware encryption.

Apple's response to the fact that all previous iPhones were essentially breaking the security of any company using them:

"iPhone OS 3.1 is working properly with Exchange Server 2007," Apple representative Natalie Harrison told CNET News. "We added device encryption information to the data that can be managed by IT administrators using Exchange Server 2007. The policy of whether to support iPhone 3G, in addition to iPhone 3GS, which always has on-device encryption, on Exchange Server 2007 is set by the administrator and can be changed at any time."

The only way to continue to use the older iPhones - which were sold with 'Exchange support' - is to turn off the hardware encryption rule for those devices.

I'm pretty sure if this was any other company then people would be down on them like a ton of bricks

[chrisjones]

lol I know this reply is a tad 'off course' but since no-one seems to be able to get hold of an Iphone for love nor money, wont be an issue for most :-P

Sorry cheeky answer I know - Ive been trying to get one for ages now!

[punky]

Quote:

Originally Posted by BenMcr

I'm pretty sure if this was any other company then people would be down on them like a ton of bricks

Apple are the most anti-consumer, anti-competitive, anti-trust company out there but slick marketing and image handily means they can side step any judgements that may land on..... oh, let's say Microsoft.

The sooner the FTC, FCC et al. start coming down on the consumer instead of Jobs, the better.

[Paul K]

Completely agree, they only get away with it because they aren't MS and quite often MS only get judged against because they are MS. It's one thing to attempt to level a playing field but when you end up tilting it in favour of everyone else then you aren't doing the job right.
Encourage competition but deal with all parties in the same way.

Quote:

Originally Posted by Paul

Completely agree, they only get away with it because they aren't MS and quite often MS only get judged against because they are MS. It's one thing to attempt to level a playing field but when you end up tilting it in favour of everyone else then you aren't doing the job right.
Encourage competition but deal with all parties in the same way.

---------- Post added at 13:30 ---------- Previous post was at 13:29 ----------

Quote:

Originally Posted by punky

Apple are the most anti-consumer, anti-competitive, anti-trust company out there but slick marketing and image handily means they can side step any judgements that may land on..... oh, let's say Microsoft.

The sooner the FTC, FCC et al. start coming down on the consumer instead of Jobs, the better.

Agreed! But again who has the ear of whom in these matters.Lobbyists are the devil...

[punky]

And whilst we are talking about Apple security:

http://apple.slashdot.org/story/09/0...unity?from=rss

Quote:

"Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"

Hmmm

Quote:

Originally Posted by Maggy J

---------- Post added at 13:30 ---------- Previous post was at 13:29 ----------



Agreed! But again who has the ear of whom in these matters.Lobbyists are the devil...

Lobbyists tend to be industry-based rather than company-based. There is something about Apple and the way its marketed and PR is handled. You know its an evil company but everyone ends up liking it. I mean the term "fanboy" was banned on here solely because of the Apple fans. That's nto a coincidence.

The regulatory bodies really need to step up against them. For example the FCC aren't investigating allegations that Apple are denying apps that hurt AT&T's (their main benefactor) bottom line.

Apple are finally being investigated... but nothing to do with their products. They have agreements with other like-minded companies [cough]Google[/cough] not to hire their workers. Its considered an anti-trust matter and the US DOJ is investigating. Of course, nothing will come of it.

[Tezcatlipoca]

I found this interesting...

http://www.saurik.com/id/12

I think he makes some good points about Apple.

A SF author, Charlie Stross, has his own view on why Apple is the way it is - Link - as part of a rant on so-called mobile technology.

Quote:

For starters I'm going to nail my colours to the mast and declare that I am a Mac user. There: I said it! I dislike Windows. Partly this is because I come from UNIX-land — I pre-date Windows — and I expect my operating systems to make sense, and to be designed along consistent lines. Windows wasn't designed along consistent lines; it just sort of happened, and bits got bolted on top. If operating systems were houses, Windows would be a chaotic jumbled rookery. Mac OS X is the current best-of-breed desktop workstation environment in UNIX-land; and although stuff's been bolted on top over the years, there's still a relatively clean BSD layer underneath all the cruft. Linux would be a contender if you could collectively slap the development community around the head with Apple's circa-1985 Human Interface Guidelines, but as things stand they're more interested in featuritis than usability.

Apple, for all their sins — have you noticed how Steve Jobs comes to resemble a Bond villain more with every passing year? — understand the value of industrial design (vital at a consumer level), and know that raw computing power is useless if the users can't get at it (vital at a developer level). Apple, as a friendly hack of my acquaintance put it, has one single customer: Steve. For any given product, if Steve doesn't like it, it doesn't ship. And Steve is reputedly a perfectionist a-hole and a control freak. These are personality traits I hate in my customers, but adore in my suppliers. So count me in on the cult of Mac (up to a point).

I quite like the 'new' Microsoft as I see it. They have become better, opened out, are more interested in cross platform compatibility. Somewhat forced on them by conditions in the industry but impressive none the less. Development wise their decision to include jQuery in a the ASP.Net MVC platform is very positive.

I agree they are sometimes unfairly targeted.

I don't think this incident proves anything about Apple, I think the market for exchange is too small for many people to have been affected and they resolved the bug.

[Stuart]

Quote:

Originally Posted by punky

And whilst we are talking about Apple security:

http://apple.slashdot.org/story/09/0...unity?from=rss



Hmmm

It's worth noting that there is supposed a major security flaw to do with the way Windows handles message passing. It's not easy to use, but Microsoft had not attempted to fix it in XP (don't know about Vista and 7) because to do so would have broken a lot of apps.

Quote:

Lobbyists tend to be industry-based rather than company-based. There is something about Apple and the way its marketed and PR is handled. You know its an evil company but everyone ends up liking it. I mean the term "fanboy" was banned on here solely because of the Apple fans. That's nto a coincidence.

Actually I don't think the term is banned. We (the CFT) didn't like it being used for a while because it was being used primarily as an insult in arguments between PS3 fans and Xbox 360 fans. Nothing to do with Mac or PC fanboys..

Quote:

The regulatory bodies really need to step up against them. For example the FCC aren't investigating allegations that Apple are denying apps that hurt AT&T's (their main benefactor) bottom line.

That, I will admit, stinks. I think Apple need to be a little more transparent (and consistant) in their approval standards. But it's worth noting that they aren't the first (and certainly not the largest) phone manufacturer to restrict certain things because the mobile networks say so. That honour goes to Nokia. Having said that, there is no reason (at least on a lot of nokias) that you can't just go and download your own software.

---------- Post added at 21:44 ---------- Previous post was at 21:36 ----------

Quote:

Originally Posted by BenMcr

http://news.cnet.com/8301-13579_3-10354209-37.html

So this issue originally was:

iPhone OS 3.0 did not identify itself properly to Exchange 2007 on any iPhone. This means that if you had a 3G and Exchange 2007 was configured to require hardware encryption, you could still login, even though the device does not have hardware encryption.

Apple's response to the fact that all previous iPhones were essentially breaking the security of any company using them:

"iPhone OS 3.1 is working properly with Exchange Server 2007," Apple representative Natalie Harrison told CNET News. "We added device encryption information to the data that can be managed by IT administrators using Exchange Server 2007. The policy of whether to support iPhone 3G, in addition to iPhone 3GS, which always has on-device encryption, on Exchange Server 2007 is set by the administrator and can be changed at any time."

The only way to continue to use the older iPhones - which were sold with 'Exchange support' - is to turn off the hardware encryption rule for those devices.

I'm pretty sure if this was any other company then people would be down on them like a ton of bricks

For the average consumer, this would not be a problem (chances are they wouldn't even have access to exchange). If Apple are going to market the phone as a business phone, however, then they should correct the problem rather than asking you to lower your security to get it to work.

Having said all that, it doesn't affect me. While we are gradually introducing Exchange at work, I personally find it to be crap, so I am fighting to keep my email account on our Unix based IMAP server for as long as possible.

In fairness, it's not exchange that's crap. It's Outlook 2007. How on earth any program can be slow on a Core 2 Duo with 4 gig of Ram and connected to the server via Ethernet (only 100 meg though) is beyond me.

[BenMcr]

Quote:

Originally Posted by Stuart C

If Apple are going to market the phone as a business phone, however, then they should correct the problem rather than asking you to lower your security to get it to work.

Agree with that 100%

It's as bad as all those programs (including V Stuff at times) that say 'please turn off X,Y,Z security protection to make our program work' rather than working out how to make it work with the security in place

But the main thing with Apple doing it is they are the first to jump down Microsoft's throat for security issues, yet they make sysadmins change their settings to work with the older iPhones

[Stuart]

Quote:

Originally Posted by BenMcr

http://news.cnet.com/8301-13579_3-10354209-37.html

So this issue originally was:

iPhone OS 3.0 did not identify itself properly to Exchange 2007 on any iPhone. This means that if you had a 3G and Exchange 2007 was configured to require hardware encryption, you could still login, even though the device does not have hardware encryption.

Apple's response to the fact that all previous iPhones were essentially breaking the security of any company using them:

"iPhone OS 3.1 is working properly with Exchange Server 2007," Apple representative Natalie Harrison told CNET News. "We added device encryption information to the data that can be managed by IT administrators using Exchange Server 2007. The policy of whether to support iPhone 3G, in addition to iPhone 3GS, which always has on-device encryption, on Exchange Server 2007 is set by the administrator and can be changed at any time."

The only way to continue to use the older iPhones - which were sold with 'Exchange support' - is to turn off the hardware encryption rule for those devices.

I'm pretty sure if this was any other company then people would be down on them like a ton of bricks

http://www.appleinsider.com/articles...ers_grief.html

An interesting article. Not least because it explains the exact problem. It's also worth noting that a *lot* of Windows Mobile phones (specifically all those with OSes earlier than WinMo 6) fail to provide the full security required by exchange.

So, Apple are joined in their action of not providing fully secured access to Microsoft's Exchange on anything but the latest hardware by, er, Microsoft.

Before you all jump down my throat and say it is possible to upgrade to Windows Mobile 6m I'll say this:

It's quite rare that it's possible to legally upgrade windows mobile on your mobile phone. The iPhone can legally be upgraded to the latest iPhone OS, it's just that the earlier models do not have the necessary encryption hardware.

So, to legally upgrade your Windows Mobile 5 (or earlier) phone to Windows Mobile 6 (legally), the chances are, you'd need to change your phone. Much as you would to get the encryption hardware on the iPhone.

I am not defending Apple. Far from it. They should not advertise a phone as having access to exchange and as being ideal for business if people need to lower the security on their exchange server to allow the iPhone to connect.

---------- Post added at 23:11 ---------- Previous post was at 22:57 ----------

Quote:

Originally Posted by BenMcr

Agree with that 100%

It's as bad as all those programs (including V Stuff at times) that say 'please turn off X,Y,Z security protection to make our program work' rather than working out how to make it work with the security in place

Reminds me of something that happened when I first started my current job. I was preparing installations of software for student use, and one major package I support (I honestly can't remember which) was causing problems. I spent nearly an hour on the phone to their tech support line, who, seriously, suggested that we give the students admin rights on the machines where this software was installed. For security reasons, we would not usually consider doing that on a general access machine. In my experience, where we have had to give students admin rights over machines, they've lasted one week before needing a reformat/reinstall.