032 iPhreaks Show – Security with Rob Napier

    Panel

    Rob Napier (twitter github blog)
    Andrew Madsen (twitter github blog)
    Jaim Zuber (twitter Sharp Five Software)
    Charles Max Wood (twitter github Teach Me To Code Rails Ramp Up)

    Discussion
    00:38 – Rob Napier Introduction

    iOS 7 Programming Pushing the Limits by Rob Napier & Mugunth Kumar
    RNCryptor

    01:30 – Apple and Security
    04:21 – Security Concerns

    Passwords
    Personal Information

    06:10 – Prevention

    SSL
    Verisign

    09:50 – Generating Certificates

    Rob's Practical Security Talk, Slides and Sample Code from CocoaConf
    Rob Napier: Get Security and Privacy Right
    PBKDF2

    13:05 – Initialization Vector

    AES
    Cipher Block Chaining (CBC)

    16:06 – RNCryptor
    17:34 – Formats

    OpenSSL
    HMAC
    AES Crypt

    20:55 – Device Encryption
    25:28 – Server Security and Storing Passwords

    Hashing
    Salting
    Shor’s Algorithm

    37:48 – Breaking Passwords

    Rainbow Table
    BitTorrent
    John the Ripper

    41:47 – Keeping Passwords Safe

    1Password
    LastPass
    Convenience and Security

    47:35 – Obfuscation

    Picks

    Use Option as Meta Key in Mac OS X Terminal (Jaim)
    iTerm2 (Chuck)
    Duct Tape Marketing Revised & Updated: The World's Most Practical Small Business Marketing Guide by John Jantsch (Chuck)
    Security Now (Chuck)
    Reflections on Trusting Trust by Ken Thompson (Rob)
    Coursera: Cryptography I (Rob)
    Learn You a Haskell for Great Good: A Beginner's Guide by Miran Lipovača (Rob)

    Next Week
    AFNetworking with Kevin Harwood

    Transcript

    CHUCK: Hey everybody and welcome to episode 32 of iPhreaks. This week on our panel, we have Andrew Madsen.

    ANDREW: Hi from Salt Lake City.

    CHUCK: Jaim Zuber.

    JAIM: I'm still recovering from the Black Friday deals with the pawn shop. I waited in line for three hours to save $5 on an Xbox 360. Totally worth it.

    CHUCK: [Laughs] I'm Charles Max Wood from devchat.tv. And we have a special guest this week and that’s Rob Napier.

    ROB: That's right. I'm here in Raleigh, North Carolina.

    CHUCK: So do you wanna introduce yourself really quickly for people who don’t know who you are?

    ROB: Sure. I'm an iOS and Mac developer. I was a Mac developer before iOS came around on the iPhone. I wrote the book iOS Pushing The Limits. And I do a lot of work in the security world, so I keep a security cryptography package called RNCryptor, for simplifying cryptography.

    CHUCK: Oh, nice. Isn’t that just a bunch of fancy math?

    ROB: It is just a lot of fancy math. But it’s easy to do it wrong.

    CHUCK: [Chuckles] That’s for sure.

    ROB: [Chuckles]

    ANDREW: Isn’t that computers? Just fancy math?

    ROB: It’s so true. We need more math.

    CHUCK: “So easy to do it wrong.” Don’t tell Adobe that.

    ROB: [Chuckles]

    CHUCK: So, speaking with security with iOS, it seems like Apple does a lot of things to provide you with security. I mean, they have sandboxing and all the other stuff that they do. Do we really need to worry about security when we are programming for the iPhone?

    ROB: Oh certainly, yeah. Apple has done a really great job — I feel — in iOS. While over the years there have been various problems; some of the earliest locks didn’t really work well and early device encryption had trouble, but they’ve improved over the years. But iOS is really the first mainstream operating system that came out with least privilege as the default, which was really brilliant, that they said day 1, “You are going to be locked in a little sandbox and you can't do anything,” which made it very hard to write malware against the iPhone. But it still doesn’t get us off the hook of managing user information carefully. While we may not get infected with a virus, we still have lots of ways that we could leak our customer information.

    CHUCK: What are some of those ways? If it’s just a self-contained app and it doesn’t talk to anything else, is that still a risk?

    ROB: That's true.