Monday, September 29

Physical Fitness #2

Oh yeah, I ran again. Except this time I got to mile 1, didn't hurt. So I decided to keep going.

Got to mile 2, still didn't feel it. Got to Mile 3, still not tired, but I decided not to kill my legs, just in case, and cut it short at 3.25 miles. Felt pretty good, wasn't sore or anything, so good stuff. I'll just keep ramping it up just a little bit every time until I get back up to my comfortable distance.

Subscribe in a reader

Physical Fitness #2

Oh yeah, I ran again. Except this time I got to mile 1, didn't hurt. So I decided to keep going.

Got to mile 2, still didn't feel it. Got to Mile 3, still not tired, but I decided not to kill my legs, just in case, and cut it short at 3.25 miles. Felt pretty good, wasn't sore or anything, so good stuff. I'll just keep ramping it up just a little bit every time until I get back up to my comfortable distance.

Subscribe in a reader

Sunday, September 21

A tale of Physical Fitness

Quick background -- I used to be in the Army. I joined the Army in 1997, and got out in 2003. In the Army we used to have this thing called a PFT, or Physical Fitness Test.

One of the events in the PFT was a 2 mile run. I was always pretty good at this event, as I am not a huge guy. My best time in the 2 mile run was 10 minutes 26 seconds. A pretty respectable time. But, that was about 8 years ago. I was pretty good at running and ran several 10k's, 5k's and even a marathon. (Honolulu Marathon 2000)

I recently had a friend of mine, who is NOTORIOUS for making outrageous claims, say he could beat me at a marathon. Well, seeing as how this dude weighs about 100 more lbs than me, and is almost a foot taller than me, I KNOW I can beat him. 100 bucks says I can.

So I went out yesterday, got me a new pair of running sneakers (which I haven't had in about 5 years -- not even a new pair, but a pair period) and a Nike+ module for my shoe. (You know, one of those things that goes in your shoe and connects to your iPod Nano and tracks your progress)

I have to say, that's a pretty cool little thing. Now, please keep in mind that I haven't ran AT ALL in about 5 years. Not even to the mailbox. So this morning I woke up, and ran my first two miles.

I'm happy to report that I am still alive. I am also happy to report that I can still pass the 2 mile run on the Army PT test. But I have a long way to go to build up to 26 miles again. (Seeing as how, before the Marathon I ran in 2000, I as 8 years younger and trained by running 10 miles every morning).


Subscribe in a reader

A tale of Physical Fitness

Quick background -- I used to be in the Army. I joined the Army in 1997, and got out in 2003. In the Army we used to have this thing called a PFT, or Physical Fitness Test.

One of the events in the PFT was a 2 mile run. I was always pretty good at this event, as I am not a huge guy. My best time in the 2 mile run was 10 minutes 26 seconds. A pretty respectable time. But, that was about 8 years ago. I was pretty good at running and ran several 10k's, 5k's and even a marathon. (Honolulu Marathon 2000)

I recently had a friend of mine, who is NOTORIOUS for making outrageous claims, say he could beat me at a marathon. Well, seeing as how this dude weighs about 100 more lbs than me, and is almost a foot taller than me, I KNOW I can beat him. 100 bucks says I can.

So I went out yesterday, got me a new pair of running sneakers (which I haven't had in about 5 years -- not even a new pair, but a pair period) and a Nike+ module for my shoe. (You know, one of those things that goes in your shoe and connects to your iPod Nano and tracks your progress)

I have to say, that's a pretty cool little thing. Now, please keep in mind that I haven't ran AT ALL in about 5 years. Not even to the mailbox. So this morning I woke up, and ran my first two miles.

I'm happy to report that I am still alive. I am also happy to report that I can still pass the 2 mile run on the Army PT test. But I have a long way to go to build up to 26 miles again. (Seeing as how, before the Marathon I ran in 2000, I as 8 years younger and trained by running 10 miles every morning).


Subscribe in a reader

Friday, September 19

Quicktime/iTunes DoS

I've received several emails from readers and reporters asking me if I am going to post anything about this QT/iTunes DoS vulnerability, and my opinion..etc.

I think it's a much ado about nothing. Okay, so QT or iTunes stops working. Uh. So? Really. So what. The programs stops. That's it. It's a media app.

Call me when this vulnerability is remotely exploitable. THEN i'll be interested.


Subscribe in a reader

Quicktime/iTunes DoS

I've received several emails from readers and reporters asking me if I am going to post anything about this QT/iTunes DoS vulnerability, and my opinion..etc.

I think it's a much ado about nothing. Okay, so QT or iTunes stops working. Uh. So? Really. So what. The programs stops. That's it. It's a media app.

Call me when this vulnerability is remotely exploitable. THEN i'll be interested.


Subscribe in a reader

Monday, September 15

OSX Update 10.5.5 and Security Update 2008-006

Just hitting the streets, as we speak, Apple released OSX update 10.5.5. Built into 10.5.5 is Security Update 2008-006, marking the 6th major security update of the year. So aside from the ton of updates in 10.5.5 for OSX Leopard, check out the below updates included with it.

Keep in mind that Security Update is not just for 10.5 (OSX Leopard), being that it is also available for 10.4, Desktop and Server releases.

This update releases updates to the following items:

ATS -- Apple Type Services -- CVE-2008-2305

BIND --

10.5 -- Updated to 9.4.2-P2

10.4.11 -- Updated to 9.3.5-P2

ClamAV -- Antivirus included with OSX Server

Updated to version 0.93.3.

CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215

Directory Services x2 -- (Something I found interesting -- Vulnerability reported by the "IT Department of the West Seneca Central School District". Not your usual reporter. Very nice) -- CVE-2008-2329

Finder x2 -- CVE-2008-2331, CVE-2008-3613

ImageIO x4 -- CVE-2008-2327, CVE-2008-2332, CVE-2008-3608, CVE-2008-1382

Kernel -- CVE-2008-3609

libresolv -- CVE-2008-1447

Login Windows x2 -- CVE-2008-3610, CVE-2008-3611

mDNSResolver -- CVE-2008-1447

OpenSSH -- CVE-2008-1483, CVE-2008-1657

QuickDraw Manager -- CVE-2008-3614

Ruby -- CVE-2008-2376

SearchKit -- CVE-2008-3616

System Configuration -- CVE-2008-2312 (For 10.4.11)

System Preferences x2 -- CVE-2008-3617, CVE-2008-3618

Time Machine -- CVE-2008-3619

VideoConference -- CVE-2008-3621

Wiki Server -- CVE-2008-3622

So, all in all, quite a few updates here in this one.

Subscribe in a reader

OSX Update 10.5.5 and Security Update 2008-006

Just hitting the streets, as we speak, Apple released OSX update 10.5.5. Built into 10.5.5 is Security Update 2008-006, marking the 6th major security update of the year. So aside from the ton of updates in 10.5.5 for OSX Leopard, check out the below updates included with it.

Keep in mind that Security Update is not just for 10.5 (OSX Leopard), being that it is also available for 10.4, Desktop and Server releases.

This update releases updates to the following items:

ATS -- Apple Type Services -- CVE-2008-2305

BIND --

10.5 -- Updated to 9.4.2-P2

10.4.11 -- Updated to 9.3.5-P2

ClamAV -- Antivirus included with OSX Server

Updated to version 0.93.3.

CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215

Directory Services x2 -- (Something I found interesting -- Vulnerability reported by the "IT Department of the West Seneca Central School District". Not your usual reporter. Very nice) -- CVE-2008-2329

Finder x2 -- CVE-2008-2331, CVE-2008-3613

ImageIO x4 -- CVE-2008-2327, CVE-2008-2332, CVE-2008-3608, CVE-2008-1382

Kernel -- CVE-2008-3609

libresolv -- CVE-2008-1447

Login Windows x2 -- CVE-2008-3610, CVE-2008-3611

mDNSResolver -- CVE-2008-1447

OpenSSH -- CVE-2008-1483, CVE-2008-1657

QuickDraw Manager -- CVE-2008-3614

Ruby -- CVE-2008-2376

SearchKit -- CVE-2008-3616

System Configuration -- CVE-2008-2312 (For 10.4.11)

System Preferences x2 -- CVE-2008-3617, CVE-2008-3618

Time Machine -- CVE-2008-3619

VideoConference -- CVE-2008-3621

Wiki Server -- CVE-2008-3622

So, all in all, quite a few updates here in this one.

Subscribe in a reader

Friday, September 12

iPhone 2.1 actually lists its updates?!

Very uncharacteristic for Apple, but the update screen for 2.1 actually lists its updates.

Wow.

  • Decrease in call set-up failures and call drops
  • Significantly improved battery life for most useres
  • Dramatically reduced time to backup to iTunes
  • Improved email reliability, notably fetching email from POP and exchange accounts.
  • Faster installation of 3rd party applications.
  • Fixed bugs causing hangs and crashed if you have lots of 3rd party applications
  • Improved performance in text messaging
  • Faster loading and searching of contacts
  • Improved accuracy of the 3G signal strength display
  • Repeat alert up to two additional time for incoming text messages
  • Option to wipe data after ten failed passcode attempts
  • Genius playlist creation.

Thanks for letting us know all these things Apple, please keep up the straightforwardness in updates!

Subscribe in a reader

iPhone 2.1 is out, and here it is

iPhone v2.1
  • Application Sandbox
CVE-ID: CVE-2008-3631

Available for: iPhone v2.0 through v2.0.2

Impact: An application may be able to read another application's files

Description: The Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox, and lead to the disclosure of sensitive information. This update addresses the issue by enforcing the proper access restrictions between application sandboxes. Credit to Nicolas Seriot of Sen:te and Bryce Cogswell for reporting this issue. This issue does not affect iPhone versions prior to v2.0.

  • CoreGraphics
CVE-ID: CVE-2008-1806, CVE-2008-1807, CVE-2008-1808

Available for: iPhone v1.0 through v2.0.2

Impact: Multiple vulnerabilities in FreeType v2.3.5

Description: Multiple vulnerabilities exist in FreeType v2.3.5, the most serious of which may lead to arbitrary code execution when accessing maliciously crafted font data. This update addresses the issue by incorporating the security fixes from version 2.3.6 of FreeType. Further information is available via the FreeType site at http://www.freetype.org/

  • mDNSResponder
CVE-ID: CVE-2008-1447

Available for: iPhone v1.0 through v2.0.2

Impact: mDNSResponder is susceptible to DNS cache poisoning and may return forged information

Description: mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience against cache poisoning attacks. Credit to Dan Kaminsky of IOActive for reporting this issue.

  • Networking
CVE-ID: CVE-2008-3612

Available for: iPhone v2.0 through v2.0.2

Impact: Predictable TCP initial sequence numbers generation may lead to TCP spoofing or session hijacking

Description: TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection. This update addresses the issue by generating random TCP initial sequence numbers. This issue does not affect iPhone versions prior to v2.0.

  • Passcode Lock
CVE-ID: CVE-2008-3633

Available for: iPhone v2.0 through v2.0.2

Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications

Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode by double clicking the home button in emergency call. This update addresses the issue through improved handling of emergency calls. Credit to Matthew Yohe of The University of Iowa's Department of Electrical and Computer Engineering for reporting this issue. This issue does not affect iPhone versions prior to v2.0.

  • WebKit
CVE-ID: CVE-2008-3632

Available for: iPhone v1.0 through v2.0.2

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A use-after-free issue exists in WebKit's handling of CSS import statements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of document references.

Subscribe in a reader

iPhone 2.1 actually lists its updates?!

Very uncharacteristic for Apple, but the update screen for 2.1 actually lists its updates.

Wow.

  • Decrease in call set-up failures and call drops
  • Significantly improved battery life for most useres
  • Dramatically reduced time to backup to iTunes
  • Improved email reliability, notably fetching email from POP and exchange accounts.
  • Faster installation of 3rd party applications.
  • Fixed bugs causing hangs and crashed if you have lots of 3rd party applications
  • Improved performance in text messaging
  • Faster loading and searching of contacts
  • Improved accuracy of the 3G signal strength display
  • Repeat alert up to two additional time for incoming text messages
  • Option to wipe data after ten failed passcode attempts
  • Genius playlist creation.

Thanks for letting us know all these things Apple, please keep up the straightforwardness in updates!

Subscribe in a reader

iPhone 2.1 is out, and here it is

iPhone v2.1
  • Application Sandbox
CVE-ID: CVE-2008-3631

Available for: iPhone v2.0 through v2.0.2

Impact: An application may be able to read another application's files

Description: The Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox, and lead to the disclosure of sensitive information. This update addresses the issue by enforcing the proper access restrictions between application sandboxes. Credit to Nicolas Seriot of Sen:te and Bryce Cogswell for reporting this issue. This issue does not affect iPhone versions prior to v2.0.

  • CoreGraphics
CVE-ID: CVE-2008-1806, CVE-2008-1807, CVE-2008-1808

Available for: iPhone v1.0 through v2.0.2

Impact: Multiple vulnerabilities in FreeType v2.3.5

Description: Multiple vulnerabilities exist in FreeType v2.3.5, the most serious of which may lead to arbitrary code execution when accessing maliciously crafted font data. This update addresses the issue by incorporating the security fixes from version 2.3.6 of FreeType. Further information is available via the FreeType site at http://www.freetype.org/

  • mDNSResponder
CVE-ID: CVE-2008-1447

Available for: iPhone v1.0 through v2.0.2

Impact: mDNSResponder is susceptible to DNS cache poisoning and may return forged information

Description: mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information. This update addresses the issue by implementing source port and transaction ID randomization to improve resilience against cache poisoning attacks. Credit to Dan Kaminsky of IOActive for reporting this issue.

  • Networking
CVE-ID: CVE-2008-3612

Available for: iPhone v2.0 through v2.0.2

Impact: Predictable TCP initial sequence numbers generation may lead to TCP spoofing or session hijacking

Description: TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection. This update addresses the issue by generating random TCP initial sequence numbers. This issue does not affect iPhone versions prior to v2.0.

  • Passcode Lock
CVE-ID: CVE-2008-3633

Available for: iPhone v2.0 through v2.0.2

Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications

Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode by double clicking the home button in emergency call. This update addresses the issue through improved handling of emergency calls. Credit to Matthew Yohe of The University of Iowa's Department of Electrical and Computer Engineering for reporting this issue. This issue does not affect iPhone versions prior to v2.0.

  • WebKit
CVE-ID: CVE-2008-3632

Available for: iPhone v1.0 through v2.0.2

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A use-after-free issue exists in WebKit's handling of CSS import statements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of document references.

Subscribe in a reader

Wow, Um, So hey, how you doing?

Haven't Blogged in awhile, I've been working on some other stuff as well over at dearcupertino.com.

For those of you that haven't seen, here's a bit of mac news, Apple released iTunes 8, a new set of iPod Nano's (going back to the more vertical shape), updated and dropped the price on the iPod Touch, as well as refreshing the iPod Classic line.

Basically, for the holiday shopping season. Good stuff.

They also released an update to the iPod Touch software (2.1), and it has some nifty features in it (like the Genius feature from iTunes 8.0). Reports are also, that it is faster. The iPhone update 2.1 is supposed to hit today, so I might blog again with some updates about that.

Otherwise, for those who know me, and know that i have been on a single customer site for the past year+, I have 12 days left (including weekends.)

Subscribe in a reader