So long and thanks for all the fish!
You can find my new blog here:
And our company blog here:
It appears Apple has taken an unusual approach when it comes to handling suspicious iCloud login activity. Unlike other tech giants, Apple immediately locks you out of your account whenever a string of bad sign-ins occurs. Other companies like Google or Facebook force you to review suspicious activity when it occurs, but do not lock you out of your account.
At first glance, this seems like an unusual, but decent security mechanism to prevent brute-force password guessing, but it has a number of nasty side-effects that I’ll explore below.
When locked out, Apple forces you to regain access through a 10-minute, 3-step process. It starts by clicking on the info link in the lock prompt, which takes you to iforgot.apple.com to receive a verification email.
The site claims the verification email will let you back in, but unfortunately the email you get actually contains password reset instructions, not a verification link. When you follow the emailed instructions, the final step forces you to choose a password you haven’t used in the last 6 months in order to regain access. Resetting your password means you have to log in again on all your Apple devices in order to renew their iCloud sessions.
There is no way to disable this suspicious activity auto-lockout feature, and all Apple services are rendered immediately inaccessible when it happens.
Maybe you’re starting to see where this is headed…
You can essentially DoS someone out of their account continuously using only their email (which you can usually find online). You can cause extreme inconvenience to anyone, even Tim Cook. By just repeatedly entering wrong passwords on appleid.apple.com you deny them access to all their Apple communications and products indefinitely. They are forced to answer their security questions or click an email link in order to change their password, and it’s a process that takes at least 15 minutes (including the time it takes to log back in to all your devices).
When I asked a support rep on the phone, they confirmed that this is a real issue that support deals with frequently, and that they have no power to stop the auto lock-out behavior.
To elaborate on that last one, a thief who steals your iPad can find your iCloud email easily, then DoS you out of your account to prevent you from seeing the device’s location using Find My iPhone. This is important because even though the device can be put in Airplane Mode, it will still report its last known location to iCloud. Thieves can effectively prevent you from seeing that last reported location, or any of your other devices’ locations, for a lengthy period of time by using this lock-out trick.
Change your AppleID email.
The obvious solution is to follow the recovery steps but change your iCloud email address immediately once you get in. If the attacker is unable to guess your new email, they won’t be able to lock you out of your account.
This is not a great solution, as they can still deny you access initially, and it forces you to burn an email address every time this happens, which is a huge ordeal for normal users who don’t have access to infinite email addresses or their own domain.
The other issue with this fix is that several major iCloud features are tied to your email, and issues will crop up whenever it changes (e.g. iMessage is tied to your email, and you may receive email at your iCloud address). There is a reason Gmail doesn’t force you to change your Gmail address and password every time suspicious sign-in activity occurs; the same should be true for your iCloud address.
Enable 2-factor Auth?
This is a good idea anyway if people are attacking your account. Unfortunately it doesn’t help the root problem, as attackers can still cause lock-outs for people with 2-factor auth by trying wrong passwords. More Info…
There are a number of options:
As it stands, Apple is currently forcing users to burn a password, and potentially an email address every time they get locked out, whether triggered by malicious activity or by accident. This implementation allows for an unacceptable DoS vector, and lets anyone cause massive inconvenience to their victim using only their email. To fix it, they should follow the lead of other major tech companies, and implement a way to review suspicious login activity without forcing a password reset.
A formal bug (#24129504) has been filed with Apple Support (see this support thread). If you encounter iCloud lock-outs, please call Apple Support and urge them to fix this bad implementation.
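To make the design point concrete, here is an added example (mine, not code from the post or from Apple) that models the two lockout policies the post contrasts: a hard per-account lock, which anyone who knows the email can keep tripping, beside a source-scoped throttle that blocks only the misbehaving source and flags the account for the owner to review. The account, the password, the source addresses and the thresholds are all constructed for the demo; the `Account`, `HardAccountLock` and `SourceScopedThrottle` classes are hypothetical names, not any real service's API.

```python
"""Two failed-login policies side by side.

Policy A (HardAccountLock): after MAX_FAILURES bad passwords against an
account, the account is locked for everyone, whatever the source. Anyone who
knows the e-mail can keep it locked.

Policy B (SourceScopedThrottle): failures are counted per (account, source).
Only the offending source is throttled; the account is flagged for review,
but the owner can still sign in from their own device.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # sliding window in which failures are counted
MAX_FAILURES = 5       # failures tolerated inside the window
LOCK_SECONDS = 900     # how long a lock or throttle lasts


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2; the demo stores no plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.needs_review = False  # set when suspicious activity is seen

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))


def _record_failure(window: deque, now: float) -> bool:
    """Append a failure timestamp, drop stale ones, report if the limit is hit."""
    window.append(now)
    while window and window[0] < now - WINDOW_SECONDS:
        window.popleft()
    return len(window) >= MAX_FAILURES


class HardAccountLock:
    """Policy A: the behaviour the post describes (lock keyed on the account only)."""

    def __init__(self):
        self.failures = defaultdict(deque)  # email -> failure timestamps
        self.locked_until = {}              # email -> unlock time

    def attempt(self, account: Account, password: str, source: str, now: float) -> str:
        if self.locked_until.get(account.email, 0) > now:
            return "locked"  # even the right password is refused
        if account.check(password):
            self.failures[account.email].clear()
            return "ok"
        if _record_failure(self.failures[account.email], now):
            self.locked_until[account.email] = now + LOCK_SECONDS
            return "locked"
        return "bad_password"


class SourceScopedThrottle:
    """Policy B: throttle the (account, source) pair and flag the account for review."""

    def __init__(self):
        self.failures = defaultdict(deque)  # (email, source) -> failure timestamps
        self.throttled_until = {}           # (email, source) -> end of throttle

    def attempt(self, account: Account, password: str, source: str, now: float) -> str:
        key = (account.email, source)
        if self.throttled_until.get(key, 0) > now:
            return "throttled"
        if account.check(password):
            self.failures[key].clear()
            return "ok"  # owner is in; account.needs_review tells them to look
        if _record_failure(self.failures[key], now):
            self.throttled_until[key] = now + LOCK_SECONDS
            account.needs_review = True  # surface it, do not force a reset
            return "throttled"
        return "bad_password"


def simulate(policy_cls):
    """Constructed scenario: one source sends MAX_FAILURES bad passwords, then the
    owner signs in with the right password from a different source a minute later.
    Returns (last_attacker_result, owner_result, needs_review)."""
    account = Account("victim@example.com", "correct horse battery staple")  # constructed
    policy = policy_cls()
    t0 = 1_000_000.0
    attacker_result = None
    for i in range(MAX_FAILURES):
        attacker_result = policy.attempt(account, f"guess{i}", "203.0.113.9", t0 + i)
    owner_result = policy.attempt(account, "correct horse battery staple", "198.51.100.7", t0 + 60)
    return attacker_result, owner_result, account.needs_review


if __name__ == "__main__":
    print("hard account lock:      ", simulate(HardAccountLock))
    print("source-scoped throttle: ", simulate(SourceScopedThrottle))
```

Under policy A the owner's correct password is refused because the lock is keyed on the email alone, which is exactly the denial-of-service the post describes. Under policy B the offending source is throttled, the owner still gets in, and the review flag replaces the forced password reset. A real deployment would add a step-up challenge (CAPTCHA or a second factor) for flagged accounts rather than relying on source address alone, since a determined attacker can rotate sources.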
I gave a talk at PyGotham 2018 that goes into detail about concurrency and dealing with critical data in Django.
How I Learned to Stop Worrying and Love atomic()
I expanded upon the short post below in a much more detailed article; I recommend you read that one instead of this.
Architecting a Banking service for Real-Time Gaming at OddSlingers
Sometimes when dealing with Django models accessed by multiple people, you want a way to make sure two requests don’t perform writes at the same time.
For example, let’s say you run a poker site, and you have 3 users playing a poker game together in the browser.
You want only one active player to be able to perform game actions, and you want only one action accepted at a time. Imagine the catastrophe if your active player could open the game in 2 tabs, fold his hand in one, and bet in the other simultaneously! Continue reading “Two Approaches to Concurrent-Write Safety in Django”
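As an added illustration of the two-tabs problem above (my example, not the post's code and not OddSlingers' code), the following uses plain `sqlite3` so it runs without Django, and shows the two standard ways to make sure only one of two conflicting actions is accepted: an optimistic compare-and-swap on a version column, and a pessimistic write lock with the turn rule re-checked inside the transaction. The `game` table, the player name and the action strings are constructed for the demo.

```python
import sqlite3


def new_game_db() -> sqlite3.Connection:
    """Constructed one-row game table: alice is the active player, nobody has acted yet."""
    # isolation_level=None puts the connection in autocommit mode so the explicit
    # BEGIN/COMMIT below are the only transactions in play.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE game (id INTEGER PRIMARY KEY, active_player TEXT NOT NULL, "
        "last_action TEXT, version INTEGER NOT NULL)"
    )
    conn.execute("INSERT INTO game VALUES (1, 'alice', NULL, 1)")
    return conn


def read_game(conn: sqlite3.Connection, game_id: int) -> dict:
    """What a browser tab sees when it loads the page."""
    row = conn.execute(
        "SELECT active_player, last_action, version FROM game WHERE id = ?", (game_id,)
    ).fetchone()
    return {"active_player": row[0], "last_action": row[1], "version": row[2]}


# Approach 1: optimistic concurrency. The UPDATE only matches if the row still has
# the version the client read, so the second writer's action silently matches zero
# rows and is rejected instead of overwriting the first.
def submit_action_cas(conn, game_id: int, player: str, action: str, expected_version: int) -> bool:
    cur = conn.execute(
        "UPDATE game SET last_action = ?, version = version + 1 "
        "WHERE id = ? AND active_player = ? AND version = ?",
        (action, game_id, player, expected_version),
    )
    return cur.rowcount == 1


# Approach 2: pessimistic locking. Take the write lock first, then re-read the row
# and apply the game rule inside the same transaction, so the check and the write
# cannot be interleaved with another request.
def submit_action_locked(conn, game_id: int, player: str, action: str) -> bool:
    conn.execute("BEGIN IMMEDIATE")  # acquires the database write lock up front
    try:
        row = conn.execute(
            "SELECT active_player, last_action FROM game WHERE id = ?", (game_id,)
        ).fetchone()
        if row[0] != player or row[1] is not None:  # not their turn, or already acted
            conn.execute("ROLLBACK")
            return False
        conn.execute(
            "UPDATE game SET last_action = ?, version = version + 1 WHERE id = ?",
            (action, game_id),
        )
        conn.execute("COMMIT")
        return True
    except Exception:
        conn.execute("ROLLBACK")
        raise


def two_tabs_cas():
    """Both tabs load the game at version 1; tab 1 folds, tab 2 bets with stale state."""
    conn = new_game_db()
    tab1, tab2 = read_game(conn, 1), read_game(conn, 1)
    fold_ok = submit_action_cas(conn, 1, "alice", "fold", tab1["version"])
    bet_ok = submit_action_cas(conn, 1, "alice", "bet 50", tab2["version"])
    g = read_game(conn, 1)
    return fold_ok, bet_ok, g["last_action"], g["version"]


def two_tabs_locked():
    """Same race with the lock-then-recheck approach; the second action is refused."""
    conn = new_game_db()
    fold_ok = submit_action_locked(conn, 1, "alice", "fold")
    bet_ok = submit_action_locked(conn, 1, "alice", "bet 50")
    g = read_game(conn, 1)
    return fold_ok, bet_ok, g["last_action"], g["version"]


if __name__ == "__main__":
    print("optimistic CAS:  ", two_tabs_cas())
    print("pessimistic lock:", two_tabs_locked())
```

In Django the first approach is the conditional `QuerySet.filter(pk=..., version=v).update(..., version=F("version") + 1)` idiom with a rowcount check, and the second is `select_for_update()` inside `transaction.atomic()`; whichever you pick, the invariant is the same as in this demo: the rule check and the write must be one indivisible step.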
When writing an app using Redux and React, you may run into the common problem of having to share state between multiple components in your app.
Don’t worry, you aren’t the first to have this problem, here are some resources to help you out.
On Managing state hierarchy in general:
Specifically on sharing state between reducers:
In recent years, iTunes has become more of a money-making machine for Apple than it ever has been, so of course they’ve invested lots of dev time into making the storefront and paid portions of it beautiful user experiences.
Unfortunately for power-users, the energy they’ve diverted into Apple Music has left the song-management and iCloud syncing riddled with bugs that have had surprising longevity over several major versions.
Renaming an album or artist in iTunes prompts suggestions to fill in the box as you type. Unfortunately, there was no way to NOT choose the auto-suggested item by backspacing or clicking out. This led to having to add spaces after artist names in order to get ‘Cher ’ without being forced to accept ‘Cherish’ by the autoprompt. This issue was in iTunes for over 20 months before being fixed in the latest release (12.2.3).
So what’s next?
For a long time I’ve been thinking about writing a replacement to iTunes. It’s surely a mammoth task, but at heart it’s just a database interface with a media player built in. It involves dealing with lots of tabular data, and providing a way to edit and organize it, comparable to a SQL frontend like phpMyAdmin. In other ways it’s similar to Gmail, where you have some content with metadata that you sort out of a central pool using labels and stars.
We can learn from the strengths of iTunes:
But we can add so much more:
This could easily be done as a self-hosted web-app or native app that has access to local files on an HD, along with an internet connection and graceful degradation if one is not available.
The only way to keep it legal is to make it self-hosted, so that no central authority is collecting revenue for played songs, or controlling what sources are used to broadcast music.
It could also theoretically be done using iTunes plugins, a separate app, and a FUSE-like file system to create mock-audio-files for web songs that fetch audio on the fly when opened.
I’ll put it on my rapidly-growing “next open source project to start but never finish” list.
I’ve installed ceiling lights in every room I’ve lived in since 2012. Since discovering the TIP-31 transistor, I’ve felt compelled to spread it like religion. I even made a Halloween costume which ended up being quite a hit:
For several years now I’ve been designing and thinking out an invention in my head. It started out as the stereotypical “eureka!” moment in the shower and then moved on to a baby of thought that I nurtured on every subway ride to school. The reason I think of it the most on subways is because the core market for this idea would be commuters who have to take public transport, although the idea could be extended to private cars.
The idea is: visual-overlay virtual reality social networking
It has been approached many times before, the closest I’ve seen to my idea exactly is a project called Google Glass, and they almost hit my idea on the nail, except for a few key features. The core idea is that you take a technology that lets you overlay information on your vision, be it glasses or contact lenses (or even a cranial implant), and you hook it up to a network that everyone else is connected to.
Offline info: Name, Date of Birth, blood type, house address etc.
Online info (maybe Facebook linked): Friend networks, maps, music, movies
Core Features: Flags, Tags, currently playing music for each person, destination, nationality, languages, interests, current website, music management
Technologies required: display: [LCD contact lenses/retinal projection glasses/HUD glasses], energy storage: [induction coupling, batteries], processing power, human interface: [bone conduction for humming commands, jaw movement tracking, eye tracking, finger movement, phone linking, computer syncing, control jewelry], audio output: [headphones, implant], networking radios: [wifi, 4G, whisper net, bluetooth], cameras, audio input, environment tracking: [face recognition, distance measurement, compass, GPS, possibly synced with phone]
I built these simple Lucid Dream goggles to achieve what I’ve been trying for months now, to have a solid dream that I am aware of, and able to control. I’ve been fascinated with the science of Lucid Dreaming, and being able to invent and explore infinite environments while sleeping. It finally makes those 8 hours of the night (more like 5) seem less of a waste to me.
Arduino after the break.
Also an explanation before I ignite it here: http://www.youtube.com/watch?v=WFFTTS2VoDY
Thermite is an exothermic redox reaction involving the trading of oxygen atoms between the Iron (III) oxide and the Aluminum. This is the ignition of the thermite mixture I created out of 1/8 magnesium powder, 4/8 Iron (III) oxide, and 3/8 Aluminum powder. Ignited with a magnesium strip and some magnesium powder dusted on top. The metal bowl is placed on top of an aluminum computer heatsink.