Sunday, 29 November 2009

iPhone upgrades - a one-way control-freak street

By Rik Myslewski in San Francisco

Comment For over 30 years, your personal computer has been, well, your personal computer. You could install whatever software you liked - provided it was compatible. After installing an app or an operating system, if you then decided you preferred the previous version, you were free to uninstall the new and revert to the old.

But nowadays, that's not entirely true. You can't revert software on your iPhone. Why? Because Apple doesn't trust you.

Last month, after Apple unveiled the new iPhone 3.1 OS, more than a few Reg readers asked how - or, indeed, if - they could revert their iPhone operating systems back to version 3.0 when they experienced battery, WiFi, and other problems after upgrading to version 3.1.

The answer is they can't. At least not officially. And much the same goes for iPhone applications.

After our recent story about Rogue Amoeba - the iPhone App developer who was snuffed for too much Appleness - one reader pointed out the simple truth: "If an update [to an iPhone app] introduces a bug, then you're screwed until the developer fixes it and the fix is approved by Apple (say 3 weeks). In contrast on any other platform you could just revert to the previous version immediately."

What does Apple say about this? Very little, of course.

Focusing first on the ability to revert to a previous version of the iPhone's OS, we contacted Apple with three quick questions:
1. What is Apple's official position on reverting from a current iPhone Software version to a previous one?
2. If such a reversion is not supported by Apple, does doing so void any existing and current iPhone warranty?
3. If such a reversion is supported by Apple, does Apple offer any tools/advice/support for such a reversion?

Simple and straightforward, don't you think? But nothing is ever simple and straightforward when dealing with Apple.

After over a week of back-and-forth exchanges with an Apple spokeswoman who wanted to know why we were asking, what kind of a story we were planning, and the like, we finally received a one-line response: "Apple always recommends that iPhone customers keep current with software updates for the best user experience."

Now, we have no personal beef with any Apple spokesfolks. They do their jobs, and we do ours. And their prime directive is to not deviate from the oh-so-carefully controlled company line. If anything, we look upon their daily deflection duties with sympathy.

To be honest, we didn't expect much help from Apple, so while we were waiting for the spokeswoman's non-response response we conducted a series of tests that led us to suggest a one-word edit to her statement: "Apple always requires that iPhone customers keep current with software updates for the best user experience."

Operating-system reversion can, indeed, be accomplished - but no thanks to Apple. In fact, in our experience Apple makes it as difficult as possible to install a previous version of your iPhone's OS and then restore the iPhone's iTunes backup of apps and data.

Our test iPhone was a 3G model running iPhone Software version 3.1.2. We first backed up the phone using iTunes 9, then followed instructions published on BenM.at to revert the iPhone from 3.1.2 to 3.0.

Doing so was not rocket science - the most difficult part was timing the button dance needed to slip the phone into DFU (device firmware update) mode.

But whether performing this relatively simple hack is easy or not isn't the point. What is the point is that it's not supported by Apple - and that for the vast majority of iPhone users, using the command-line Terminal utility to run iRecovery is an unfamiliar, not to say daunting, task.

Why doesn't Apple make it easy to switch back to a previous version of the OS if you're dissatisfied with an upgrade? Because "Apple always recommends that iPhone customers keep current with software updates for the best user experience."

Our annoyance with Apple's heavy-handedness increased when we tried to restore our backed-up apps and data onto the now-3.0-equipped iPhone 3G. When we connected it back to iTunes 9, we were curtly informed that our iPhone OS wouldn't work with that version of iTunes, and that we should upgrade to 3.1.2.

Fair enough, we thought - although irritating. If you revert one aspect of a sync system, needing to revert the rest of that system might be a reasonable request. So we downloaded a copy of iTunes 8, and attempted to install it. No dice - we were told that was a no-no since we already had iTunes 9.

"Apple always recommends that iPhone customers keep current with software updates for the best user experience."

So we tried to install iTunes 8 on a different volume. No can do - iTunes must be installed on the boot volume. Okay, so we booted from an external FireWire drive and installed iTunes 8 on that volume. Success - but our backup was on the original boot volume, tied to iTunes 9.

After numerous frustrating and eventually futile attempts to associate the iTunes 9 backup with iTunes 8, we gave up. Possibly that feat is, indeed, possible, but we couldn't crack the code.

And we're willing to bet that your Average Joe can't, as well. Which is just the way Apple likes it. After all, "Apple always recommends that iPhone customers keep current with software updates for the best user experience."

This is ridiculous - and the ridiculousness extends to the inability to revert to previous versions of iPhone apps as well. Once an app has been upgraded on the iTunes App Store, its previous version is gone, extinct, kaput.

We asked a few iPhone devs if they knew of any way in which an iPhone app could be saved and then restored to the phone through the standard syncing process, and they each threw up their hands in defeat.

As John Muchow, founder of iPhoneDeveloperTips.com, told us: "Working within the standard app delivery method provided by Apple, I don't believe there is any means to install a previous version of an application." He added, however, that "a release could be submitted to the App Store that rolls back to a previous version."

But, of course, that version would have to pass muster with the App Store police - and we all know how time-consuming and uncertain that process can be.

Paul Kafasis of Rogue Amoeba fame knows exactly how unpredictable the App Store police's decision-making can be, but he doesn't know how a user can revert to an older version of an iPhone app. He does suggest one possible work-around, but one that requires a close working relationship with the app's vendor: Ad Hoc app delivery.

Apple allows developers to distribute apps outside of the App Store for beta-testing purposes. This so-called Ad Hoc process is a wonky one, but it does - in most cases - work.

"With Ad Hoc," Kafasis told The Reg, "developers could [distribute an old version] on a one-off basis. Basically, if the user gets an Ad Hoc build, it can be any version, and it comes from outside the store. Developers are limited to 100 Ad-Hoc users, however, and the process is clunky." Promising, maybe, in extreme cases, but as Kafasis admitted, "This really isn't a viable solution."

Muchow agrees. "A developer could create an earlier version and provide that to users as an Ad Hoc release, yet the limitation here is that there is a finite number of devices on which an Ad Hoc build will run."

Neither Muchow nor Kafasis claimed to be absolutely 100 per cent positive that there is no way to revert to a previous iPhone app version. But that proves our point. If there is such a mechanism, it's not immediately apparent - and Apple isn't helping.

One more time: "Apple always recommends that iPhone customers keep current with software updates for the best user experience."

The key to Apple's official position is that they use the phrase "iPhone customers." Not "iPhone owners."

We're being told that such control is for our own good. As Apple's marketing veep Phil Schiller recently told BusinessWeek, "We review the applications to make sure they work as the customers expect them to work when they download them."

That's kind of you, Phil, but there are many of us who would prefer the freedom to take our own chances. Feel free to keep close tabs on the apps that you choose to sell to run on your company's smartphones, but let us yank 'em and replace them with previous versions as we see fit, and add - and subtract - any others without having to jump through jailbreaking hoops.

After all, it's my iPhone, isn't it? Or is it? ®

Gang sentenced for UK bank trojan

Almost £600,000 siphoned

By Dan Goodin in San Francisco

Posted in Crime, 16th November 2009 18:45 GMT

A British court has sentenced four men to prison after they admitted they used sophisticated trojan software to steal almost £600,000 from bank accounts and send it to Eastern Europe.

London's Southwark Crown Court on Friday imposed sentences of as much as 4 and a half years on the men. According to IDG News, they used a trojan known as PSP2-BBB to stealthily monitor victims' browsers. It inserted special fields into banking pages that asked for sensitive information and then sent it to the criminals when the user complied.

To give the pages an air of legitimacy, they bore the logo of NatWest, according to other news reports. The gang used a stable of money mules to transfer the funds to countries including Ukraine, which is also the location of a computer server that was used in the scam.

At least 138 banking customers were affected with "just under £600,000 being fraudulently transferred," according to the Press Association. Almost £140,000 was later recouped from Royal Bank of Scotland, NatWest's parent company.

Azamat Rahmanov, 25 of London's Lewisham, received four and a half years and was considered one of the organizers, according to news reports. Shohruh Fayziev, a 23-year-old Uzbekistani who lived in Peckham Rye, Southwark, in south east London, got four years. He was regarded as a "trusted lieutenant."

The remaining two men were the Angolan-born "facilitator" Joao Cruz, 33, of South London, who received three years, and Portuguese Recardo Pereira, 36, of Essex, who was sentenced to 21 months.

UK authorities have hailed the case as the first collaboration between the financial industry and the Police Central e-Crime Unit, which was established earlier this year to crack down on cybercrime. ®

Smut-ladened spam disguises WoW Trojan campaign

Posted in Malware, 27th November 2009 15:12 GMT

A malicious spam campaign that attempts to harvest online game passwords under the guise of messages containing smutty photos is doing the rounds.

The tainted emails have subject lines such as "Do you like to find a girlfriend like me?", and an attached archive file called "my photos.rar". The archive contains photos of young Asian women and content that poses as clips from a bongo flick.

The supposed video files actually harboured video files and a password-stealing Trojan called Agent-LVF, which is designed to steal the login credentials of World of Warcraft gamers. Security firm Sophos reckons it's likely the stolen credentials and associated in-game assets will be sold through underground sites, earning hackers a tidy profit in the process.

"A surprising amount of malware is designed to steal registration keys, passwords and data from players of computer games," said a consultant at Sophos. "This isn't just about doing better in a computer game. Criminals are stealing virtual assets like armour, money and weapons to trade for hard cash in the real world."

More about the threat can be found in a blog posting by Sophos here. ®

Web host Daily recovers after Tux-themed defacement

UK-based web host Daily has largely restored services following an apparent hack attack on Thursday that replaced content on some sites it hosts with pictures of cartoon penguins.

The images of Linux penguin Tux parodied the 'hear/see/speak no evil' monkeys. Text included on the defacements claimed the hack in the name of 'Heart_Hunter - TH3_H4TTAB'.

pwned with cartoon penguins

Customers were advised to restore their sites from back-up copies. Daily has begun an investigation into the attack, which bears the hallmarks of a mass defacement. Groups of websites are regularly defaced by TH3_H4TTAB, as defacement archive Zone-H records. In many cases eastern folk music is uploaded onto compromised sites.

A status page on Daily's status site explains "We have received reports this [Thursday] morning of a small number of customer websites having their index or start page replaced with an image and in some cases text as well."

The host completed the restore process by 2100 on Thursday. Daily modified its PHP build as a security precaution. Services were largely restored on Friday but may proceed more slowly than possible after some servers were taken offline in order to mount an ongoing security investigation, a status update from Daily explains:

We are confident there will be no repeat events as all servers are locked down.

Some websites (in particular Database driven sites) will be running at slower speeds as we have taken some web servers from our cluster to carry on with our investigations and diagnosis.

A Reg reader who told us of the hack explained how the attack affected one of the web sites he managed, which was hosted by Daily. "Every file that included 'index' and 'php' in the name - including some buried in a child directory that's invisible to Google - were defaced," he explained.

The reader expressed frustration that the attack had taken place. "When you go to great lengths to keep everything secure and then the hosting company lets them through the back door, it doesn't look good," he said. ®
