This blog is archived 📦

So long and thanks for all the fish!

You can find my new blog here:

And our company blog here:


How an attacker can lock you out of your iCloud account

It appears Apple has taken an unusual approach when it comes to handling suspicious iCloud login activity.  Unlike other tech giants, Apple immediately locks you out of your account whenever a string of bad sign-ins occurs.  Other companies like Google or Facebook force you to review suspicious activity when it occurs, but do not lock you out of your account.

At first glance, this seems like an unusual, but decent security mechanism to prevent brute-force password guessing, but it has a number of nasty side-effects that I’ll explore below.


When locked out, Apple forces you to regain access through a 10-minute, 3-step process. It starts by clicking the info link in the lock prompt, which takes you to a page where you request a verification email.


The iforgot process.

The site claims the verification email will let you back in, but unfortunately the email you get actually contains password reset instructions, not a verification link. When you follow the emailed instructions, you are forced to choose a password you haven’t used in the last 6 months as the final step in order to regain access. Resetting your password means you have to log back in on all your Apple devices in order to renew their iCloud sessions.

There is no way to disable this suspicious activity auto-lockout feature, and all Apple services are rendered immediately inaccessible when it happens.

Maybe you’re starting to see where this is headed…

What are the effects?

You can essentially DoS someone out of their account continuously using only their email (which you can usually find online). You can cause extreme inconvenience to anyone, even Tim Cook. By just repeatedly entering wrong passwords, you deny them access to all their Apple communications and products indefinitely. They are forced to answer their security questions or click an email link in order to change their password, and it’s a process that takes at least 15 minutes (including the time it takes to log back in to all your devices).

When I asked a support rep on the phone, they confirmed that this is a real issue that support deals with frequently, and that they have no power to stop the auto lock-out behavior.

Who can take advantage of this?

  • any angry ex who knows your email
  • any old twitter troll who can Google and find your email online
  • anyone who wants to prevent you from reading an email or receiving an iMessage
  • anyone with access to one of your Apple devices
  • a thief who steals¬†one of your devices

To elaborate on that last one, a thief who steals your iPad can find your iCloud email easily, then DoS you out of your account to prevent you from seeing the device’s location using Find My iPhone. This is important because even though the device can be put in Airplane Mode, it will still report its last known location to iCloud. Thieves can effectively prevent you from seeing that last reported location, or any of your other devices’ locations, for a lengthy period of time by using this lock-out trick.

What can you do when you get locked out?

Change your AppleID email.

The obvious solution is to follow the recovery steps but change your iCloud email address immediately once you get in. If the attacker is unable to guess your new email, they won’t be able to lock you out of your account.

This is not a great solution, as they can still deny you access initially, and it forces you to burn an email address every time this happens, which is a huge ordeal for normal users who don’t have access to infinite email addresses or their own domain.

The other issue with this fix is that several major iCloud features are tied to your email, and issues will crop up whenever it changes (e.g. iMessage is tied to your email, and you may receive email at your iCloud address). There is a reason Gmail doesn’t force you to change your Gmail address and password every time suspicious sign-in activity occurs; the same should be true for your iCloud address.

Enable 2-factor Auth?

This is a good idea anyway if people are attacking your account. Unfortunately it doesn’t help the root problem, as you can still cause lock-outs for people with 2-factor auth by trying wrong passwords. More Info…

What can Apple do to address this?

There are a number of options:

  1. follow Gmail’s approach by notifying you of suspicious login attempts and prompting you to review all recent activity (without forcing a password reset)

     Gmail’s suspicion prompt.

  2. get rid of auto-lock in favor of exponential backoff of login attempt delays
  3. keep the auto-lock feature, but allow users to unlock their Apple account without forcing a password change (still require email verification for safety)
  4. allow you to disable auto-lockout if you are confident your password cannot be realistically brute-forced

As it stands, Apple is currently forcing users to burn a password, and potentially an email address every time they get locked out, whether triggered by malicious activity or by accident.  This implementation allows for an unacceptable DoS vector, and lets anyone cause massive inconvenience to their victim using only their email.  To fix it, they should follow the lead of other major tech companies, and implement a way to review suspicious login activity without forcing a password reset.
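To make the difference between option 2 and the current behaviour concrete, here is a small simulation I added for this page; it is constructed code, not Apple’s, and the thresholds are assumptions apart from the “8 attempts in 10 minutes” figure observed below. It replays a burst of wrong passwords from one source and then the account owner’s correct sign-in from another device. Under a per-account lockout the owner is refused; under a per-source exponential backoff the stranger is throttled and the owner gets in.

```python
"""Constructed simulation (not Apple's code) of two ways to react to a burst of
failed sign-ins on one account: a hard per-account lockout, as the post
describes, and a per-source exponential backoff (option 2 above).  Thresholds
are assumptions; only the "8 attempts in 10 minutes" figure comes from the
post's own observation."""
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 8     # failures within the window that trigger a lock (from the post)
LOCKOUT_WINDOW = 600.0    # seconds; the post observed the lock within 10 minutes
BASE_DELAY = 1.0          # seconds; first backoff step (assumption)

VICTIM = "victim@example.com"   # constructed account name


class LockoutPolicy:
    """Count failures per account; lock the account once the threshold is hit.
    Anyone who knows the account name can trigger the lock."""

    def __init__(self):
        self.failures = defaultdict(list)   # account -> timestamps of failures
        self.locked = set()

    def attempt(self, account, source, password_ok, now):
        if account in self.locked:
            return "locked"                 # even the real owner is refused
        if password_ok:
            return "ok"
        recent = [t for t in self.failures[account] if now - t <= LOCKOUT_WINDOW]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked.add(account)
            return "locked"
        return "denied"


class BackoffPolicy:
    """Exponential delay keyed on (account, source); the account never locks,
    so a stranger's failures do not affect the owner signing in elsewhere."""

    def __init__(self):
        self.failures = defaultdict(int)      # (account, source) -> consecutive failures
        self.next_allowed = defaultdict(float)

    def attempt(self, account, source, password_ok, now):
        key = (account, source)
        if now < self.next_allowed[key]:
            return "throttled"              # rejected before the password is even checked
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        self.next_allowed[key] = now + BASE_DELAY * 2 ** (self.failures[key] - 1)
        return "denied"


def simulate(policy, bad_attempts=20):
    """Replay one wrong password per second from a stranger, then the owner's
    correct sign-in from a different source 30 seconds later.
    Returns (owner's result, tally of the stranger's results)."""
    tally = Counter()
    for i in range(bad_attempts):
        tally[policy.attempt(VICTIM, "stranger", False, now=float(i))] += 1
    owner = policy.attempt(VICTIM, "owner-phone", True, now=float(bad_attempts) + 30.0)
    return owner, dict(tally)


if __name__ == "__main__":
    for cls in (LockoutPolicy, BackoffPolicy):
        print(cls.__name__, simulate(cls()))
```

Keying the backoff on the source alone is not sufficient on its own, since attempts can be spread across many sources; in practice it is paired with the review prompt of option 1 so that the account owner is informed without ever being locked out.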

Information I got from Apple Support:

  • When your password changes, Find My iPhone remains active and continues to send location on devices with the old password, even though all other iCloud services immediately become inactive. This is good, as it means you can change your password when a device is lost to protect your data, but still receive location updates from it in case it ever comes online.
  • Different Apple services use iCloud sessions with different expiration times, but all sessions except Find My iPhone are revoked server side when account information like email or password changes. iMessage sessions are 24 hours; iCloud Photo Library and iCloud Music’s are shorter.
  • AppleIDs will be locked (they call it a Security Lock) if several wrong passwords are entered in a short period of time. I was unable to find exactly how many password attempts you need, but I’ve been able to reliably trigger it with 8 attempts in 10 minutes.
  • Locked AppleIDs can only be re-entered once you go through the iforgot process and reset your password. Apple used to unlock them automatically if no more attempts occurred within 24 hours, but this no longer seems to be the case.
  • When locked out of your AppleID, you are immediately logged out on all devices, and prevented from accessing iMessage, Mail, Contacts, Calendars, iCloud Photos, iCloud Music (including the Find My iPhone site), and all other Apple services.

A formal bug (#24129504) has been filed with Apple Support (see this support thread); if you encounter iCloud lock-outs, please call Apple Support and urge them to fix this bad implementation.

Two Approaches to Concurrent-Write Safety in Django


I gave a talk at PyGotham 2018 that goes into detail about concurrency and dealing with critical data in Django:
How I Learned to Stop Worrying and Love atomic()

Detailed Article:

I expanded upon the short post below in a much more detailed article; I recommend you read that one instead of this.
Architecting a Banking service for Real-Time Gaming at OddSlingers

Sometimes when dealing with Django models accessed by multiple people, you want a way to make sure two requests don’t perform writes at the same time.

For example, let’s say you run a poker site, and you have 3 users playing a poker game together in the browser.

You want only one active player to be able to perform game actions, and you want only one action accepted at a time. Imagine the catastrophe if your active player could open the game in 2 tabs, fold his hand in one, and bet in the other simultaneously!

Continue reading “Two Approaches to Concurrent-Write Safety in Django”
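The two-tabs race above, reproduced in plain SQLite so it runs without a Django project. This is an added example, not code from the post or from OddSlingers; the table, column names and the hypothetical player are constructed. A last-writer-wins UPDATE accepts both the fold and the bet, while a compare-and-swap on a version column accepts only whichever tab writes first and tells the loser it acted on stale state.

```python
"""Constructed example (not the post's code): a poker hand in SQLite where one
player's two browser tabs both try to act.  A plain UPDATE accepts both actions;
a compare-and-swap on a version column accepts only the first.  Table and
column names are assumptions."""
import sqlite3

HAND_ID = 1


def setup():
    """In-memory database with one hand awaiting alice's action."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hand (id INTEGER PRIMARY KEY, player TEXT, "
        "action TEXT, version INTEGER)"
    )
    conn.execute("INSERT INTO hand VALUES (?, 'alice', 'waiting', 1)", (HAND_ID,))
    conn.commit()
    return conn


def read_hand(conn, hand_id):
    """What a browser tab sees when it loads the game."""
    action, version = conn.execute(
        "SELECT action, version FROM hand WHERE id = ?", (hand_id,)
    ).fetchone()
    return {"action": action, "version": version}


def apply_action_unsafe(conn, hand_id, action):
    """Last writer wins: no check that the hand is still in the state the tab saw."""
    cur = conn.execute("UPDATE hand SET action = ? WHERE id = ?", (action, hand_id))
    conn.commit()
    return cur.rowcount == 1


def apply_action_cas(conn, hand_id, expected_version, action):
    """Optimistic locking: the write only matches a row whose version is still
    the one this tab read, and bumps it.  rowcount says whether we won the race."""
    cur = conn.execute(
        "UPDATE hand SET action = ?, version = version + 1 "
        "WHERE id = ? AND version = ?",
        (action, hand_id, expected_version),
    )
    conn.commit()
    return cur.rowcount == 1


def two_tabs(apply):
    """Both tabs load the hand, then tab A folds and tab B bets.
    Returns (A accepted, B accepted, final action stored on the hand)."""
    conn = setup()
    tab_a = read_hand(conn, HAND_ID)
    tab_b = read_hand(conn, HAND_ID)
    a_ok = apply(conn, HAND_ID, tab_a, "fold")
    b_ok = apply(conn, HAND_ID, tab_b, "bet")
    return a_ok, b_ok, read_hand(conn, HAND_ID)["action"]


def race_unsafe():
    return two_tabs(lambda conn, hid, seen, act: apply_action_unsafe(conn, hid, act))


def race_cas():
    return two_tabs(
        lambda conn, hid, seen, act: apply_action_cas(conn, hid, seen["version"], act)
    )


if __name__ == "__main__":
    print("last writer wins:", race_unsafe())   # both accepted, hand ends up 'bet'
    print("compare-and-swap:", race_cas())      # only the fold is accepted
```

In Django the same check is `Model.objects.filter(id=hand_id, version=seen_version).update(...)`, whose return value is the number of rows matched; the pessimistic alternative, which the talk title alludes to, is to read the row with `select_for_update()` inside `transaction.atomic()` so the second request blocks until the first commits and then sees the new state.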

Sharing state between Redux reducers

When writing an app using Redux and React, you may run into the common problem of having to share state between multiple components in your app.

Don’t worry, you aren’t the first to have this problem, here are some resources to help you out.

Your options:

  • don’t use combineReducers (write your own that shares state/selector between two components)
  • use thunk middleware
  • pass selectors on global store through all your actions
  • call directly to get the state (worst option)

On Managing state hierarchy in general:

Specifically on sharing state between reducers:

Related Documentation:

Taking iTunes a step further

In recent years, iTunes has become more of a money-making machine for Apple than it ever has been, so of course they’ve invested lots of dev time into making the storefront and paid portions of it beautiful user experiences.

Unfortunately for power-users, the energy they’ve diverted into Apple Music has left the song-management and iCloud syncing riddled with bugs that have had surprising longevity over several major versions.

For example:

Renaming an album or artist in iTunes prompts suggestions to fill in the box as you type. Unfortunately, there was no way to NOT choose the auto-suggested item by backspacing or clicking out. This led to having to add spaces after artist names in order to get ‘Cher ’ without being forced to accept ‘Cherish’ by the autoprompt. This issue was in iTunes for over 20 months before being fixed in the latest release (12.2.3).


So what’s next?

For a long time I’ve been thinking about writing a replacement to iTunes. It’s surely a mammoth task, but at heart it’s just a database interface with a media player built in. It involves dealing with lots of tabular data, and providing a way to edit and organize it, comparable to a SQL frontend like phpMyAdmin. In other ways it’s similar to Gmail, where you have some content with metadata that you sort out of a central pool using labels and stars.

We can learn from the strengths of iTunes:

  1. Add arbitrary SQL-style queries to search (a la smart playlists)
  2. Songs that act like normal ones but are stored in the cloud (a la Apple Music)
  3. Social network features like sharing music (a la iTunes Pulse)
  4. Machine learning on your music library to suggest playlists (a la Genius)

But we can add so much more:

  • Add songs from web to library without downloading them (like 
  • Soundcloud-style public feeds of your ❤ music (or any other playlist)
  • Songkick integration to flag your artists that have nearby shows
  • “Inbox” for music that lets you treat music like email, incoming is selected from friends, soundcloud/bandcamp, machine learning, and you can “archive” music to your library/playlists, or delete it to never see it again (~10 new songs/day)
  • Automatic word2vec trained on your genres to make playlists along certain moods
  • Machine-learning analysis on your skips and plays for “smart shuffle”
  • Like and dislikes that have timestamps showing when you liked them
  • Shazam-style analysis on songs to correct ID3 tags and album art
  • Ability to “follow” other peoples streams in your library
  • Ability to live-broadcast what you’re playing like a radio channel to mobile users around you
  • Ability to publish your music feed as RSS/embed it in a website
  • Easy labels system for songs (like Gmail)
  • Smart, custom deduplication that will prefer higher quality audio files and merge ID3 fields
  • DJ features that let you mark/flag individual points or sections of songs with tags, and optionally split them into separate files (as references) (also great for hour long radio shows to tag individual songs)
  • Ability to share entire playlists or folders
  • Full play history stored separate from last played & last skipped
  • Easy lyric fetching and display, including inline rap-genius explanations like lots of Chinese music apps

This could easily be done as a self-hosted web-app or native app that has access to local files on an HD, along with an internet connection and graceful degradation if one is not available.

The only way to keep it legal is to make it self-hosted, so that no central authority is collecting revenue for played songs, or controlling what sources are used to broadcast music.

It could also theoretically be done using iTunes plugins, a separate app, and a FUSE-like file system to create mock-audio-files for web songs that fetch audio on the fly when opened.

I’ll put it on my rapidly-growing “next open source project to start but never finish” list.

Augmented Reality Social Networking

For several years now I’ve been designing and thinking out an invention in my head. It started out as the stereotypical “eureka!” moment in the shower and then moved on to a baby of thought that I nurtured on every subway ride to school. The reason I think of it the most on subways is because the core market for this idea would be commuters who have to take public transport, although the idea could be extended to private cars.

The idea is: visual-overlay virtual reality social networking

It has been approached many times before; the closest I’ve seen to my idea exactly is a project called Google Glass, and they almost hit the nail on the head, except for a few key features. The core idea is that you take a technology that lets you overlay information on your vision, be it glasses or contact lenses (or even a cranial implant), and you hook it up to a network that everyone else is connected to.


Offline info: Name, Date of Birth, blood type, house address etc.

Online info (maybe Facebook linked): Friend networks, maps, music, movies


Core Features: Flags, Tags, currently playing music for each person, destination, nationality, languages, interests, current website, music management


Technologies required: display: [lcd contact lenses/retinal projection glasses/HUD glasses], energy storage: [induction coupling, batteries], processing power, human interface: [bone conduction for humming commands, jaw movement tracking, eye tracking, finger movement, phone linking, computer syncing, control jewelry], audio output: [headphones, implant], networking radios: [wifi, 4G, whisper net, bluetooth], cameras, audio input, environment tracking: [face recognition, distance measurement, compass, GPS, possibly synced with phone]

Lucid Dream Goggles

Based on:

I built these simple Lucid Dream goggles to achieve what I’ve been trying for months now, to have a solid dream that I am aware of, and able to control. I’ve been fascinated with the science of Lucid Dreaming, and being able to invent and explore infinite environments while sleeping. It finally makes those 8 hours of the night (more like 5) seem less of a waste to me.

Arduino after the break.

Continue reading “Lucid Dream Goggles”


Also an explanation before I ignite it here:

Thermite is an exothermic redox reaction involving the trading of oxygen atoms between the Iron (III) oxide and the Aluminum.  This is the ignition of the thermite mixture I created out of 1/8 magnesium powder, 4/8 Iron (III) oxide, and 3/8 Aluminum powder. Ignited with a magnesium strip and some magnesium powder dusted on top. The metal bowl is placed on top of an aluminum computer heatsink.
